Re: [NSE] samba-vuln-cve-2017-7494.nse: Script to detect CVE-2017-7494

[Wong Wai Tuck <wongwaituck () gmail com>]

Hey all,

The script has been committed to trunk as of revision 36802. Thank you all
for the help!

Wai Tuck


On Thu, Jun 8, 2017 at 7:51 AM Wong Wai Tuck <wongwaituck () gmail com> wrote:

> Hi everyone,
>
> The script has more or less been finalized. It would be greatly
> appreciated if you could look through the script in the pull request [1],
> and if there are any issues, do flag them out to me soon! I will be
> committing it in a few days if there are no issues.
>
> Thank you!
>
> [1]: https://github.com/nmap/nmap/pull/893
>
> Wai Tuck
>
> On Sat, May 27, 2017 at 6:53 PM Wong Wai Tuck <wongwaituck () gmail com>
> wrote:
>
> > Hi Dan
> >
> > Thanks for pointing out the NSE check script! It will be a very useful
> > companion for the summer.
> >
> > I have made the modifications as required and made a pull request on
> > Github [1].
> >
> > Do review and let me know what needs changing!
> >
> > [1]: https://github.com/nmap/nmap/pull/893
> >
> >
> > Wai Tuck
> >
> >
> > On Sat, May 27, 2017 at 3:37 AM Daniel Miller <bonsaiviking () gmail com>
> > wrote:
> >
> > > Wai Tuck,
> > >
> > > Thanks for this really useful script! I see a couple things that could
> > > be changed, though:
> > >
> > > 1. On line 189 you check for "share['anonynmous_can_write'])" but that
> > > is misspelled. It should be 'anonymous_can_write'
> > >
> > > 2. It seems like the last few conditions involving nt_pipe_support could
> > > be combined and possibly even worked into the loop just before the `break`
> > > statement. I'm sure it works fine as-is, but it seems like it could be a
> > > little cleaner.
> > >
> > > 3. There are a few bugs that the NSE check script will catch, mostly
> > > missing `local` declarations:
> > > https://secwiki.org/w/Nmap/Code_Standards#Tools_to_help
> > >
> > > Looking forward to seeing this in Nmap!
> > >
> > > Dan
> > >
> > > On Fri, May 26, 2017 at 10:40 AM, Wong Wai Tuck <wongwaituck () gmail com>
> > > wrote:
> > >
> > > > Hey all,
> > > >
> > > > I've been working on the vulnerability detection script [1] since
> > > > yesterday and would like to share what I've done so far. I have attached
> > > > the script in this email as well.
> > > >
> > > > The script currently checks for the following before determining
> > > > whether it is vulnerable:
> > > >   1) whether the service running is the correct version of Samba
> > > >   2) whether there exists writable shares for the execution of the
> > > > script
> > > >   3) whether the workaround (disabling of named pipes, i.e. nt pipe
> > > > support = no) was applied
> > > >
> > > > You can see it in action here [2].
> > > >
> > > > Really grateful for my mentor, George, who pointed out the
> > > > vulnerability to me when it was released, and who patiently gave me prompt
> > > > feedback as I wrote the script. I made reference to the Metasploit module
> > > > as it was being developed, so really grateful for the discussion there [3].
> > > >
> > > > We will be polishing the script over the weekend and we're thinking
> > > > about adding a more concrete check, i.e. actually writing a file into the
> > > > share and accessing it. We would appreciate any feedback on this and any
> > > > help to test the script against other targets!
> > > >
> > > > Thanks and have a great weekend all!
> > > >
> > > > [1]:
> > > > https://gist.github.com/wongwaituck/62c863ba7aa28a2d22d0fe9cbe14a18b
> > > > [2]: https://www.youtube.com/watch?edit=vd&v=JuPZc7um8x4
> > > > [3]: https://github.com/rapid7/metasploit-framework/pull/8450
> > > >
> > > > With Regards
> > > > Wai Tuck
> > > >
> > > > _______________________________________________
> > > > Sent through the dev mailing list
> > > > https://nmap.org/mailman/listinfo/dev
> > > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/