Samba Badlock Vulnerability - Nessus

High   Plugin ID: 90509

---

This page contains detailed information about the Samba Badlock Vulnerability Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 90509
Name: Samba Badlock Vulnerability
Filename: samba_badlock.nasl
Vulnerability Published: 2016-03-23
This Plugin Published: 2016-04-13
Last Modification Time: 2019-11-20
Plugin Version: 1.8
Plugin Type: remote
Plugin Family: General
Dependencies: samba_detect.nasl
Required KB Items [?]: SMB/name, SMB/samba, SMB/transport

Vulnerability Information

---

Severity: High
Vulnerability Published: 2016-03-23
Patch Published: 2016-04-12
CVE [?]: CVE-2016-2118
CPE [?]: cpe:/a:samba:samba
In the News: True

Synopsis

An SMB server running on the remote host is affected by the Badlock vulnerability.

Description

The version of Samba, a CIFS/SMB server for Linux and Unix, running on the remote host is affected by a flaw, known as Badlock, that exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services.

Solution

Upgrade to Samba version 4.2.11 / 4.3.8 / 4.4.2 or later.

Public Exploits

---

Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (GitHub)
Exploit Ease: Exploits (PoCs) are available

Here's the list of publicly known exploits and PoCs for verifying the Samba Badlock Vulnerability vulnerability:

1. GitHub: https://github.com/nickanderson/cfengine-CVE-2016-2118
   [CVE-2016-2118: An example detection and remediation policy.]
2. GitHub: https://github.com/trend-anz/Deep-Security-Open-Patch
   [CVE-2016-2118]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS Score Source [?]: CVE-2016-2118
CVSS V2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C

CVSS Base Score:	6.8 (Medium)
Impact Subscore:	6.4
Exploitability Subscore:	8.6
CVSS Temporal Score:	5.0 (Medium)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	5.0 (Medium)

CVSS V3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CVSS Base Score:	7.5 (High)
Impact Subscore:	5.9
Exploitability Subscore:	1.6
CVSS Temporal Score:	6.5 (Medium)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	6.5 (Medium)

Go back to menu.

Plugin Source

---

This is the samba_badlock.nasl nessus plugin source code. This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90509);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2016-2118");
  script_bugtraq_id(86002);
  script_xref(name:"CERT", value:"813296");

  script_name(english:"Samba Badlock Vulnerability");
  script_summary(english:"Detects if the Badlock patch has been applied.");

  script_set_attribute(attribute:"synopsis", value:
"An SMB server running on the remote host is affected by the Badlock
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Samba, a CIFS/SMB server for Linux and Unix, running on
the remote host is affected by a flaw, known as Badlock, that exists
in the Security Account Manager (SAM) and Local Security
Authority (Domain Policy) (LSAD) protocols due to improper
authentication level negotiation over Remote Procedure Call (RPC)
channels. A man-in-the-middle attacker who is able to able to
intercept the traffic between a client and a server hosting a SAM
database can exploit this flaw to force a downgrade of the
authentication level, which allows the execution of arbitrary Samba
network calls in the context of the intercepted user, such as viewing
or modifying sensitive security data in the Active Directory (AD)
database or disabling critical services.");
  script_set_attribute(attribute:"see_also", value:"http://badlock.org");
  script_set_attribute(attribute:"see_also", value:"https://www.samba.org/samba/security/CVE-2016-2118.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Samba version 4.2.11 / 4.3.8 / 4.4.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2118");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("samba_detect.nasl");
  script_require_keys("SMB/samba", "SMB/name", "SMB/transport");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("misc_func.inc");
include("global_settings.inc");

# DCERPC reject status codes
PROTO_ERROR = 0x1c01000b;
RING_ERROR = 0x1c010002;

appname = "Samba";
get_kb_item_or_exit("SMB/samba");
name = kb_smb_name();
port = kb_smb_transport();

###
# Binds to one of the typically available pipes
# @return a fd to the pipe
##
function bind_to_pipe()
{
  local_var fid = bind_pipe (pipe:"\unixinfo", uuid:"9c54e310-a955-4885-bd31-78787147dfa6", vers:0);
  if (!isnull(fid)) return fid;

  fid = bind_pipe (pipe:"\spoolss", uuid:"12345678-1234-abcd-ef00-0123456789ab", vers:1);
  if (!isnull(fid)) return fid;

  fid = bind_pipe (pipe:"\lsarpc", uuid:"12345778-1234-abcd-ef00-0123456789ab", vers:0);
  if (!isnull(fid)) return fid;

  # if samba_detect.nasl is successful than we should never be able to
  # hit here since we know it successfully bound to a pipe.
  audit(AUDIT_RESP_BAD, port);
}

if (get_kb_item("Host/scanned") && !get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

# establish a connection
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

# start the session and try to connect to the share
session_init(socket:soc, hostname:name);
if (NetUseAdd(share:"IPC$") != 1) audit(AUDIT_SHARE_FAIL, "IPC");

# We need to bind to a pipe. We know samba_detect did so try
# the known pipes
bound_pipe = bind_to_pipe();

# Make a ping request (this should be unexpected)
data = raw_word(w:0);
data = dce_rpc_pipe_request(fid:bound_pipe, code:0x3f, data:data, type:1);
smb_close (fid:bound_pipe);
NetUseDel();

if (!data || (strlen(data) < 28)) audit(AUDIT_RESP_BAD, port, "the RPC pipe request");
   
# Type should be fault (3)
if (get_byte (blob:data, pos:2) != 3) audit(AUDIT_RESP_BAD, port, "the type examination");

# Check against the two known errors; any third type will be flagged as a bad resp.
error = get_dword (blob:data, pos:24);
if (error == PROTO_ERROR) audit(AUDIT_INST_VER_NOT_VULN, appname);
else if (error != RING_ERROR) audit(AUDIT_RESP_BAD, port, "the error code check");

report = '\nNessus detected that the Samba Badlock patch has not been applied.\n';
security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/samba_badlock.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\samba_badlock.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/samba_badlock.nasl

Go back to menu.

How to Run

---

Here is how to run the Samba Badlock Vulnerability as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select General plugin family.
6. On the right side table select Samba Badlock Vulnerability plugin ID 90509.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl samba_badlock.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a samba_badlock.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - samba_badlock.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state samba_badlock.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 86002

CERT | Computer Emergency Response Team:

• 813296

See also:

• https://www.tenable.com/plugins/nessus/90509
• https://www.samba.org/samba/security/CVE-2016-2118.html
• http://badlock.org
• https://vulners.com/nessus/SAMBA_BADLOCK.NASL

Similar and related Nessus plugins:

• 90510 - MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock) (uncredentialed check)
• 90508 - Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock)
• 90440 - MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock)
• 122056 - Samba < 2.2.8a Remote Code Execution Vulnerability
• 25217 - Samba < 3.0.25 Multiple Vulnerabilities
• 29253 - Samba < 3.0.28 send_mailslot Function Remote Buffer Overflow
• 17720 - Samba SWAT 3.0.2 - 3.0.4 HTTP Basic Auth base64 Buffer Overflow
• 47036 - Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption
• 55733 - Samba 3.x < 3.3.16 / 3.4.14 / 3.5.10 Multiple Vulnerabilities
• 82580 - Samba 3.0.0 'SamrChangePassword' RCE
• 69276 - Samba 3.x < 3.5.22 / 3.6.x < 3.6.17 / 4.0.x < 4.0.8 read_nttrans_ea_lis DoS
• 132023 - Samba 4.x < 4.9.17 / 4.10.x < 4.10.11 / 4.11.x < 4.11.3 Multiple Vulnerabilities
• 133210 - Samba 4.x < 4.9.18 / 4.10.x < 4.10.12 / 4.11.x < 4.11.5 Multiple Vulnerabilities
• 81485 - Samba 3.5.x < 3.5.22 / 3.6.x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 TALLOC_FREE() RCE
• 138223 - Samba 4.x < 4.10.17 / 4.11.x < 4.11.11 / 4.12.x < 4.12.4 Multiple Vulnerabilities
• 142419 - Samba 3.6.x < 4.11.15 / 4.12.x < 4.12.9 / 4.13.x < 4.13.1 Multiple Vulnerabilities
• 149699 - Samba 4.12.x < 4.12.14 / 4.13.x < 4.13.7 / 4.14.x < 4.14.2 Multiple DoS
• 149350 - Samba 3.6.x < 4.12.15 / 4.13.x < 4.13.8 / 4.14.x < 4.14.4 Unauthorized File Access
• 155620 - Samba 4.13.x < 4.13.14 / 4.14.x < 4.14.10 / 4.15.x < 4.15.2 Multiple Vulnerabilities
• 157360 - Samba 4.13.x < 4.13.17 / 4.14.x < 4.14.12 / 4.15.x < 4.15.5 Multiple Vulnerabilities
• 100388 - Samba 3.5.x < 4.4 / 4.4.x < 4.4.14 / 4.5.x < 4.5.10 / 4.6.x < 4.6.4 Shared Library RCE
• 103535 - Samba 4.4.x < 4.4.16 / 4.5.x < 4.5.14 / 4.6.x < 4.6.8 Multiple Vulnerabilities
• 108378 - Samba 4.5.x < 4.5.16 / 4.6.x < 4.6.14 / 4.7.x < 4.7.6 Multiple Vulnerabilities
• 130628 - Samba 4.5.x / 4.6.x / 4.7.x / 4.8.x / 4.9.x < 4.9.15 / 4.10.x < 4.10.10 / 4.11.x < 4.11.2 Password Complexity Check Bypass (CVE-2019-14833)
• 130629 - Samba 4.x < 4.9.15 / 4.10.x < 4.10.10 AD DC LDAP Server Denial of Service (CVE-2019-14847)
• 11398 - Samba < 2.2.8 Multiple Vulnerabilities
• 25216 - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
• 58662 - Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows
• 44406 - Samba Symlink Traversal Arbitrary File Access (unsafe check)
• 11442 - Samba TNG < 0.3.1 Multiple Remote Vulnerabilities
• 11523 - Samba < 2.2.8a / 3.0.0 Multiple Remote Overflows
• 11168 - Samba Encrypted Password String Conversion Decryption Overflow

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file samba_badlock.nasl version 1.8. For more plugins, visit the Nessus Plugin Library.

Go back to menu.