Nmap Development mailing list archives
Re: New Samba remote root vuln (CVE-2012-1182) script idea
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Tue, 17 Apr 2012 22:20:51 +0200
Hi all,

I've written a detection script for this vulnerability using the method I described earlier. I've attached a patch for msrpc.lua to add the GetAliasMembership function used in the exploit. If you check the source, you'll notice that I didn't do any marshalling, and I'm building the packet myself. I'm not sure this is the right way to use the library, so any suggestion on how to improve that part is welcome. The script itself is very simple and is basically ZDI's PoC rewritten into Lua. I've tested this on vulnerable Samba on Fedora and fully patched Ubuntu. I'd welcome any comments on improving this. Also, feel free to change the name of the script, as I'm not sure what the convention is.

Regards,
Aleksandar

On Sat, Apr 14, 2012 at 1:21 AM, Paulino Calderon <paulino () calderonpale com> wrote:

> Hi list,
>
> Here is the other set of reproducers I managed to download. The detection method proposed by Aleksandar sounds correct: if the instance is vulnerable, the active connection dies. Otherwise, the response varies according to the version, but the connection is not closed.
>
> Cheers.
>
> On 04/13/2012 02:28 PM, Fyodor wrote:
>> On Wed, Apr 11, 2012 at 12:02:48AM -0700, Fyodor wrote:
>>> Announcement: https://www.samba.org/samba/security/CVE-2012-1182
>>> Bugzilla entry, with proof of concept code: https://bugzilla.samba.org/show_bug.cgi?id=8815
>>
>> It looks like they decided to remove the "reproducers" for some reason. So in case it helps anyone who is working on an NSE script, here is the reproducer I downloaded on the 11th: http://nmap.org/tmp/c/cve-2012-1182/
>>
>> There used to be several more reproducers, but I didn't download those while they were there.
>>
>> Cheers,
>> Fyodor
>>
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/
Attachment: msrpc.patch
Attachment: samba-vuln-cve-2012-1182.nse
Current thread:
- New Samba remote root vuln (CVE-2012-1182) script idea Fyodor (Apr 11)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Aleksandar Nikolic (Apr 11)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Fyodor (Apr 13)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Paulino Calderon (Apr 14)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Aleksandar Nikolic (Apr 17)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Patrik Karlsson (Apr 20)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Aleksandar Nikolic (Apr 20)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Patrik Karlsson (Apr 20)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Aleksandar Nikolic (Apr 20)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Patrik Karlsson (Apr 20)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Paulino Calderon (Apr 14)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Patrik Karlsson (Apr 21)
- Re: New Samba remote root vuln (CVE-2012-1182) script idea Aleksandar Nikolic (Apr 22)