There is a vulnerability in SMBList.pl which allows an attacker (e.g. server administrator) to execute arbitrary commands on the system on which the script was executed.
Attack path 1:
Create a share which contains `'` in the name in order to break out of the string in SMBList.pl line 121:

```perl
my $smbclient_cmd = `timeout $inputMaxExec smbclient -N -A '$tempAuthFile' '$share' -c 'recurse;dir' 2>&1 > temporary_running_file.txt`;
```
**Samba config:**

```ini
[Data' -c 'exit';touch /tmp/oops;echo 'oops]
comment = My Partition
create mask = 0775
directory mask = 0775
browseable = yes
path = /asd asd
guest ok = yes
available = yes
public = yes
writable = yes
```
Run SMBHunt.pl and something like the following will be returned:

```
\\172.11.132.1\Data' -c 'exit';touch /tmp/oops;echo 'oops
```

Run SMBList.pl; a file (/tmp/oops) is now created. This can of course be changed to any command.
Fix: escape `$share`, such as via:

```perl
# Turn each ' into '\'' (close quote, escaped quote, reopen quote).
# The replacement side of s/// is interpolated like a double-quoted string,
# so the backslash must be doubled to reach the shell as a literal backslash.
$share =~ s/'/'\\''/g;
```
Attack path 2:
After indexing a fileshare, the name of the fileshare is used within Perl's open() function. This may lead to an issue if:

- characters are used within the filename which are not allowed as part of a Linux filesystem (e.g. `/`) => the script does not work
- a directory exists within the same folder as the script which matches the name of a share previously scanned (e.g. `172.11.132.1_foo`). In this case an attacker can use `../` to navigate through the local file system and under some circumstances overwrite files. For example the share name `\\172.11.132.1\foo/../../../../../etc/passwd` will be transformed to `172.11.132.1_foo../../../../../etc/passwd` and passed to the open() function.

Fix: replace `/` with `-`
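As an added example (not code from SMBList.pl or from the issue itself), the sketch below shows hardened handling for both attack paths in Perl: a correct single-quote escaper, the shell-free list-form invocation of smbclient, and an output-filename sanitizer that replaces `/` and also drops `..`. The function names and the conservative filename character set are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from SMBList.pl: hardened handling of an
# attacker-controlled share name for both attack paths described above.
use strict;
use warnings;

# Attack path 1: quote a value for use inside single quotes in /bin/sh.
# Every ' becomes '\'' (close quote, escaped quote, reopen quote), so the
# shell never interprets any part of the share name as command text.
sub shell_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;      # Perl needs \\ to emit one literal backslash
    return "'$s'";
}

# Preferred alternative: skip the shell entirely. With the list form of
# open(my $fh, '-|', @argv) Perl execs the program directly and the share
# name is a single argv element, so there is no quoting to get wrong.
sub smbclient_argv {
    my ($auth_file, $share, $max_exec) = @_;
    return ('timeout', $max_exec, 'smbclient', '-N', '-A', $auth_file,
            $share, '-c', 'recurse;dir');
}

# Attack path 2: derive a local output filename from the share UNC path.
# The share name must never contribute path separators or ".." components.
sub output_filename {
    my ($share) = @_;
    (my $name = $share) =~ s{^\\\\}{};   # strip the leading \\
    $name =~ s{\\}{_}g;                  # host\share -> host_share
    $name =~ s{/}{-}g;                   # the fix proposed in the issue
    $name =~ s{\.\.}{-}g;                # defence in depth: no ".." at all
    $name =~ s{[^A-Za-z0-9._-]}{_}g;     # assumed conservative charset
    return $name;
}

# Constructed inputs, mirroring the payloads shown in the issue.
my $share1 = q{Data' -c 'exit';touch /tmp/oops;echo 'oops};
my $share2 = q{\\\\172.11.132.1\\foo/../../../../../etc/passwd};

print shell_quote($share1), "\n";
print join(' ', smbclient_argv('/tmp/auth', $share1, 30)), "\n";
print output_filename($share2), "\n";
```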
Excellent, thanks for the fixes. This is an example of a personal script I wrote where I personally judge the inputs to check for unsafe values before running it. Good fixes and I appreciate the merge request!