Good morning/day/night to all!

After moving all my infrastructure to Debian 9 and changing my ADDC from Win2K12 to Samba4, while scanning my network I found the following:

--------------------------------------------------------------------------------------------------------------------------------

koratsuki at happyharry:~$ nmap --script smb-vuln-ms08-067.nse -p445 smb-addc.tld

Starting Nmap 7.50 ( https://nmap.org ) at 2018-06-18 08:14 CDT
Nmap scan report for smb-addc.tld
Host is up (0.00073s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

--------------------------------------------------------------------------------------------------------------------------------

Now, I wonder... why is that happening? That server is installed with Samba 4.8.2, the latest stable release, on Debian 9.4, and the compile chain is:

./configure --enable-fhs --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-debug --enable-selftest --cross-answers --cross-execute --disable-cups --disable-iprint --sbindir=/usr/sbin --mandir=/usr/share/man -j4 --enable-selftest --without-systemd

Am I doing something wrong, or do I need more stuff in the smb.conf? The smb.conf is using the default config... Can someone point me in the right direction in order to fix this?

Best regards.
-- 
/************************************************
 * Téc. Leslie León Sinclair
 * Administrador de Redes - AzumatHB
 * Another happy Slackware & Debian GNU/Linux user
 * Blog: https://admlinux.cubava.cu
 * Proud GNU/Linux User #445535
 * ☎ +49-170-7683042
 *************************************************/
On Mon, 2018-06-18 at 09:14 -0400, Leslie León via samba wrote:
> Good morning/day/night to all!
>
> After moving all my infrastructure to Debian 9 and changing my ADDC from
> Win2K12 to Samba4, while scanning my network I found the following:
>
> --------------------------------------------------------------------------------------------------------------------------------
>
> koratsuki at happyharry:~$ nmap --script smb-vuln-ms08-067.nse -p445
> smb-addc.tld
>
> Starting Nmap 7.50 ( https://nmap.org ) at 2018-06-18 08:14 CDT
> Nmap scan report for smb-addc.tld
> Host is up (0.00073s latency).
>
> PORT    STATE SERVICE
> 445/tcp open  microsoft-ds
>
> Host script results:
> | smb-vuln-ms08-067:
> |   VULNERABLE:
> |   Microsoft Windows system vulnerable to remote code execution (MS08-067)
> |     State: LIKELY VULNERABLE
> |     IDs:  CVE:CVE-2008-4250
> |           The Server service in Microsoft Windows 2000 SP4, XP SP2 and
> |           SP3, Server 2003 SP1 and SP2,
> |           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows
> |           remote attackers to execute arbitrary
> |           code via a crafted RPC request that triggers the overflow
> |           during path canonicalization.
> |
> |     Disclosure date: 2008-10-23
> |     References:
> |       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
> |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
>
> Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
>
> --------------------------------------------------------------------------------------------------------------------------------
>
> Now, I wonder... why is that happening?
> That server is installed with Samba 4.8.2, the latest stable release, on
> Debian 9.4, and the compile chain is:
>
> ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
> --localstatedir=/var --enable-debug --enable-selftest --cross-answers
> --cross-execute --disable-cups --disable-iprint --sbindir=/usr/sbin
> --mandir=/usr/share/man -j4 --enable-selftest --without-systemd
>
> Am I doing something wrong, or do I need more stuff in the smb.conf? The
> smb.conf is using the default config... Can someone point me in the
> right direction in order to fix this?

The implementation of the test in Nessus is incorrect.

Here are the two (yes, for silly reasons) implementations in Samba:

WERROR _srvsvc_NetPathCompare(struct pipes_struct *p,
			      struct srvsvc_NetPathCompare *r)
{
	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
	return WERR_NOT_SUPPORTED;
}

/*
  srvsvc_NetPathCompare
*/
static WERROR dcesrv_srvsvc_NetPathCompare(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
		       struct srvsvc_NetPathCompare *r)
{
	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}

As you can see from
https://svn.nmap.org/nmap/scripts/smb-vuln-ms08-067.nse
any fault code is assumed to mean a vulnerable server, the RNG_ERROR (yet
another way to say not implemented) included.

Hopefully this is enough to assist you; if you need to assuage an auditor
then I suggest submitting a patch implementing it.

This won't be hard, the clue is in the implementation note:
https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_116

<116> Section 3.1.4.31: The server does a standard C string comparison on
the canonicalized path names and returns the result.

<117> Section 3.1.4.31: No security restrictions are imposed by
Windows-based server implementations on the caller.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
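The MS-SRVS note quoted above describes NetPathCompare as "canonicalize both names, then a standard C string comparison". The block below is an added example of that shape in C; it is not code from Samba, from Windows, or from the nmap script. Its canonicalizer, example_canonicalize, is a simplified stand-in for NetPathCanonicalize: it only normalizes separators and resolves "." and ".." components, and it rejects a path that would climb above the root with ERROR_INVALID_PARAMETER. That error choice, and the omission of the further Windows rules (UNC prefixes, device names, case handling), are assumptions of this example. All example_* names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Win32 error codes used as WERROR-style return values. */
#define ERROR_SUCCESS            0
#define ERROR_INVALID_PARAMETER 87
#define ERROR_INVALID_NAME     123

#define MAX_COMPONENTS 64

/*
 * Simplified stand-in for NetPathCanonicalize (assumption: the real
 * Windows routine has more rules than this). Accepts '\' or '/' as a
 * separator, drops empty and "." components, resolves ".." against a
 * component stack, and fails with ERROR_INVALID_PARAMETER when ".."
 * would climb above the root. Output always starts with '\' and uses
 * '\' separators.
 */
int example_canonicalize(const char *in, char *out, size_t outlen)
{
    const char *comps[MAX_COMPONENTS];
    size_t lens[MAX_COMPONENTS];
    size_t n = 0, used = 0, i;
    const char *p = in;

    if (in == NULL || out == NULL || outlen == 0)
        return ERROR_INVALID_PARAMETER;

    while (*p != '\0') {
        const char *start;
        size_t len;

        while (*p == '\\' || *p == '/')
            p++;                                /* skip separator runs */
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != '\\' && *p != '/')
            p++;
        len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;                           /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return ERROR_INVALID_PARAMETER; /* ".." above the root */
            n--;                                /* pop previous component */
            continue;
        }
        if (n == MAX_COMPONENTS)
            return ERROR_INVALID_NAME;          /* too deep for this example */
        comps[n] = start;
        lens[n] = len;
        n++;
    }

    /* Rebuild as "\" + components joined by "\"; an empty stack yields "\". */
    if (used + 1 >= outlen)
        return ERROR_INVALID_NAME;
    out[used++] = '\\';
    for (i = 0; i < n; i++) {
        if (i > 0) {
            if (used + 1 >= outlen)
                return ERROR_INVALID_NAME;
            out[used++] = '\\';
        }
        if (used + lens[i] >= outlen)
            return ERROR_INVALID_NAME;
        memcpy(out + used, comps[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return ERROR_SUCCESS;
}

/*
 * NetPathCompare-style semantics from the MS-SRVS note: canonicalize both
 * names, then a plain strcmp(). On success *result holds the strcmp() sign
 * and ERROR_SUCCESS is returned; a canonicalization failure is returned as a
 * WERROR-style code rather than raised as a DCERPC fault.
 */
int example_netpathcompare(const char *path_a, const char *path_b, int *result)
{
    char ca[512], cb[512];
    int err;

    if (result == NULL)
        return ERROR_INVALID_PARAMETER;
    err = example_canonicalize(path_a, ca, sizeof(ca));
    if (err != ERROR_SUCCESS)
        return err;
    err = example_canonicalize(path_b, cb, sizeof(cb));
    if (err != ERROR_SUCCESS)
        return err;
    *result = strcmp(ca, cb);
    return ERROR_SUCCESS;
}

/* Convenience wrapper: 1 if the canonical forms match, 0 if not, -1 on error. */
int example_paths_equal(const char *a, const char *b)
{
    int cmp;
    if (example_netpathcompare(a, b, &cmp) != ERROR_SUCCESS)
        return -1;
    return cmp == 0;
}

int main(void)
{
    int cmp, err;

    err = example_netpathcompare("\\share\\.\\dir\\..\\file.txt", "\\share\\file.txt", &cmp);
    printf("err=%d cmp=%d\n", err, cmp);           /* err=0 cmp=0 */
    err = example_netpathcompare("\\..\\..\\", "\\", &cmp);
    printf("err=%d (climb above root rejected)\n", err); /* err=87 */
    return 0;
}
```

The relevant difference for the thread is in what the client sees: a server that answers the call with a WERROR (success or a specific failure) gives the scanner a result to classify, whereas the Samba stubs shown above answer with DCERPC_FAULT_OP_RNG_ERROR, which the script treats the same as any other fault.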
Thanks for the info. Best regards :D

> The implementation of the test in Nessus is incorrect.
>
> Here are the two (yes, for silly reasons) implementations in Samba:
>
> WERROR _srvsvc_NetPathCompare(struct pipes_struct *p,
> 			      struct srvsvc_NetPathCompare *r)
> {
> 	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
> 	return WERR_NOT_SUPPORTED;
> }
>
> /*
>   srvsvc_NetPathCompare
> */
> static WERROR dcesrv_srvsvc_NetPathCompare(struct dcesrv_call_state
> *dce_call, TALLOC_CTX *mem_ctx,
> 		       struct srvsvc_NetPathCompare *r)
> {
> 	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
> }
>
> As you can see from
> https://svn.nmap.org/nmap/scripts/smb-vuln-ms08-067.nse
>
> Any fault code is assumed to mean a vulnerable server, the RNG_ERROR
> (yet another way to say not implemented) included.
>
> Hopefully this is enough to assist you, if you need to assuage an
> auditor then I suggest submitting a patch implementing it.
>
> This won't be hard, the clue is in the implementation note:
> https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_116
>
> <116>
> Section 3.1.4.31: The server does a standard C string comparison on the
> canonicalized path names and returns the result.
>
> <117>
> Section 3.1.4.31: No security restrictions are imposed by Windows-based
> server implementations on the caller.
>
> I hope this helps,
>
> Andrew Bartlett