Nmap Development mailing list archives
Re: [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494
From: Wong Wai Tuck <wongwaituck () gmail com>
Date: Wed, 07 Jun 2017 23:51:24 +0000
Hi everyone,

The script has more or less been finalized. It would be greatly appreciated if you could look through the script in the pull request [1], and if there are any issues, do flag them to me soon! I will be committing it in a few days if there are no issues.

Thank you!

[1]: https://github.com/nmap/nmap/pull/893

Wai Tuck

On Sat, May 27, 2017 at 6:53 PM Wong Wai Tuck <wongwaituck () gmail com> wrote:

> Hi Dan,
>
> Thanks for pointing out the NSE check script! It will be a very useful companion for the summer. I have made the modifications as required and made a pull request on GitHub [1]. Do review and let me know what needs changing!
>
> [1]: https://github.com/nmap/nmap/pull/893
>
> Wai Tuck
>
> On Sat, May 27, 2017 at 3:37 AM Daniel Miller <bonsaiviking () gmail com> wrote:
>
>> Wai Tuck,
>>
>> Thanks for this really useful script! I see a couple of things that could be changed, though:
>>
>> 1. On line 189 you check for "share['anonynmous_can_write'])" but that is misspelled. It should be 'anonymous_can_write'.
>>
>> 2. It seems like the last few conditions involving nt_pipe_support could be combined and possibly even worked into the loop just before the `break` statement. I'm sure it works fine as-is, but it seems like it could be a little cleaner.
>>
>> 3. There are a few bugs that the NSE check script will catch, mostly missing `local` declarations: https://secwiki.org/w/Nmap/Code_Standards#Tools_to_help
>>
>> Looking forward to seeing this in Nmap!
>>
>> Dan
>>
>> On Fri, May 26, 2017 at 10:40 AM, Wong Wai Tuck <wongwaituck () gmail com> wrote:
>>
>>> Hey all,
>>>
>>> I've been working on the vulnerability detection script [1] since yesterday and would like to share what I've done so far. I have attached the script in this email as well.
>>>
>>> The script currently checks for the following before determining whether it is vulnerable:
>>>
>>> 1) whether the service running is the correct version of Samba
>>> 2) whether there exist writable shares for the execution of the script
>>> 3) whether the workaround (disabling of named pipes, i.e. nt pipe support = no) was applied
>>>
>>> You can see it in action here [2].
>>>
>>> I am really grateful to my mentor, George, who pointed out the vulnerability to me when it was released, and who patiently gave me prompt feedback as I wrote the script. I made reference to the Metasploit module as it was being developed, so I am really grateful for the discussion there [3].
>>>
>>> We will be polishing the script over the weekend and we're thinking about adding a more concrete check, i.e. actually writing a file into the share and accessing it. We would appreciate any feedback on this and any help to test the script against other targets!
>>>
>>> Thanks and have a great weekend all!
>>>
>>> [1]: https://gist.github.com/wongwaituck/62c863ba7aa28a2d22d0fe9cbe14a18b
>>> [2]: https://www.youtube.com/watch?edit=vd&v=JuPZc7um8x4
>>> [3]: https://github.com/rapid7/metasploit-framework/pull/8450
>>>
>>> With Regards
>>> Wai Tuck
>>>
>>> _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
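The three conditions the May 26 message lists (affected Samba version, a writable share to drop the payload into, and the "nt pipe support = no" workaround not applied) are the whole of the script's verdict logic. The block below is an added example of that triage, written here in Python for illustration; it is not the NSE script from the pull request and not Nmap code. The inputs are constructed: the banner string stands in for what an SMB probe would return, the share dictionary for the per-share anonymous-write result, and the boolean for the outcome of a named-pipe check. The affected range (3.5.0 up to the first fixed releases 4.4.14, 4.5.10 and 4.6.4) is taken from the Samba advisory for CVE-2017-7494; the function and parameter names are the example's own.

```python
"""Added example: triage logic for CVE-2017-7494 as the thread describes it.
Not the NSE script. All inputs are constructed stand-ins for SMB probe results."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release of each branch that received a fix (Samba advisory for
# CVE-2017-7494). Releases from 3.5.0 up to these are affected; 3.5 through
# 4.3 never got a fixed release; 4.7 and later shipped with the fix.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {
    (4, 4): (4, 4, 14),
    (4, 5): (4, 5, 10),
    (4, 6): (4, 6, 4),
}
FIRST_AFFECTED: Version = (3, 5, 0)

_VERSION_RE = re.compile(r"Samba\s+(\d+)\.(\d+)\.(\d+)")


def parse_samba_version(banner: str) -> Optional[Version]:
    """Extract x.y.z from a banner such as 'Samba 4.5.9-Debian'; None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def version_is_affected(version: Version) -> bool:
    """True if the upstream release number falls inside the affected range.

    Caveat: distributions backport the fix without bumping the version string,
    so a banner check alone over-reports. That is why the thread's script also
    requires a writable share and an open named-pipe path before saying VULNERABLE.
    """
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIRST_FIXED:
        return version < FIRST_FIXED[branch]
    return branch < (4, 4)  # 3.5 .. 4.3 affected, 4.7+ fixed


def assess(banner: str, shares: Dict[str, bool], nt_pipe_support: bool) -> Tuple[str, List[str]]:
    """Combine the three checks into a verdict and the reasons behind it.

    shares maps share name -> anonymous_can_write (constructed here; the script
    derives it from a write attempt). nt_pipe_support is True when the server
    still serves named pipes, i.e. the 'nt pipe support = no' workaround is absent.
    """
    reasons: List[str] = []
    version = parse_samba_version(banner)
    if version is None:
        return "UNKNOWN", ["could not determine Samba version from banner"]
    label = ".".join(str(n) for n in version)
    if not version_is_affected(version):
        return "NOT VULNERABLE", [f"Samba {label} is outside the affected range"]
    reasons.append(f"Samba {label} is in the affected range")

    writable = sorted(name for name, can_write in shares.items() if can_write)
    if not writable:
        reasons.append("no anonymously writable share found to place a payload")
        return "NOT VULNERABLE", reasons
    reasons.append("writable share(s): " + ", ".join(writable))

    if not nt_pipe_support:
        reasons.append("named pipes disabled (nt pipe support = no workaround applied)")
        return "NOT VULNERABLE", reasons
    reasons.append("named pipes enabled, workaround not applied")
    return "VULNERABLE", reasons


if __name__ == "__main__":
    # Constructed sample probe results, not data from any real host.
    state, why = assess("Samba 4.5.9-Debian", {"public": True, "private": False}, True)
    print(state)
    for line in why:
        print("  " + line)
```

The verdict deliberately stays at NOT VULNERABLE when no anonymously writable share is found, matching the script's semantics in the thread; an authenticated user with write access could still plant the payload, which is one reason the authors discuss adding a concrete write-and-read-back test rather than relying on the banner.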
Current thread:
- [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494 Wong Wai Tuck (May 26)
- Re: [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494 Paulino Calderon (May 26)
- Re: [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494 Daniel Miller (May 26)
- Re: [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494 Wong Wai Tuck (May 27)
- Re: [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494 Wong Wai Tuck (Jun 07)
- Re: [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494 Wong Wai Tuck (Jun 11)
- Re: [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494 Wong Wai Tuck (May 27)