How the Samba RCE Vulnerability (CVE‑2017‑7494) Works and How to Fix It
This article explains the Samba remote code execution flaw (CVE‑2017‑7494): how it was discovered, the technical steps of its exploitation, its impact on Linux and IoT devices, and concrete mitigation and patching recommendations for administrators and users.
360 Analysis of Samba Remote Code Execution Vulnerability (CVE‑2017‑7494)
Overview
On May 24, 2017, Samba released version 4.6.4, which fixed a critical remote code execution vulnerability identified as CVE‑2017‑7494. The flaw affects all Samba versions from 3.5.0 up to, but not including, the fixed releases 4.6.4/4.5.10/4.4.14. 360's security team quickly analyzed the issue and confirmed its severity: it allows an attacker to execute arbitrary code remotely.
Technical Analysis
The vulnerability can be exploited by any client that has access to a writable Samba share. Because the Samba daemon (smbd) runs as root by default, code loaded through this flaw also runs as root, so the attacker gains root privileges on the server.
The patch shows the root cause: the function is_known_pipename did not reject pipe names containing a path separator ('/'), so a client-supplied pipe name could name an arbitrary file path on the server.
smb_probe_module is then called with that name and loads the attacker-uploaded shared library (.so), at which point the attacker's code executes.
Attack Process
1. Upload a malicious shared object to the writable share, then craft a pipe name containing a '/' character that points at it, e.g., "/home/toor/cyg07.so".
2. Use the SMB protocol to have the server open that name and return the corresponding file identifier (FID).
3. Subsequent requests against that FID trigger the malicious loading sequence.
4. The server then attempts to load the malicious shared object; the .so exports a samba_init_module function, which is invoked when the library is loaded.
5. In 360's proof of concept, the loaded code leaves a root-owned file in /tmp/360sec, confirming that privilege escalation to root succeeded.
Solution
360 recommends the following actions for affected users:
Source‑installed Samba users should download the latest Samba version and manually update.
Users of binary packages (RPM, DEB, etc.) should apply the vendor's security update immediately through their package manager (yum, apt‑get).
As a mitigation, add nt pipe support = no to the [global] section of smb.conf and restart the Samba service.
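The three preconditions above (a vulnerable version, a writable share, and the named-pipe workaround not applied) can be checked mechanically. The following is an added example, not code from 360's analysis or from the Samba project: it compares a Samba version string (assumed to be what `smbd -V` prints) against the fixed releases named in the advisory, parses an smb.conf for writable shares and for `nt pipe support = no` in `[global]`, and reports whether the host is exposed. The smb.conf embedded in the block is constructed sample input; in practice you would read /etc/samba/smb.conf.

```python
"""Exposure check for CVE-2017-7494 from a Samba version string and smb.conf.

Added example, not code from 360's analysis or the Samba project. Assumes the
version text is what `smbd -V` prints; the smb.conf below is constructed input.
"""
import re

# Security releases named in the advisory, keyed by release branch.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_AFFECTED = (3, 5, 0)  # "all versions from 3.5.0 onwards"

def parse_version(text):
    """Extract (major, minor, patch) from output such as 'Version 4.4.13'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())

def version_vulnerable(text):
    """True if the upstream version predates the fix for its branch. Caveat:
    distributions backport fixes without bumping the upstream version, so
    confirm against the package changelog as well."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Branches after 4.6 shipped with the fix; 3.5 through 4.3 got no security
    # release and need the backport patch from samba.org or an upgrade.
    return branch < (4, 4)

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}, keys lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def share_writable(params, global_params):
    """Share setting first, then the [global] default, then smbd's built-in
    default (read only = yes). Simplification: smbd lets the later of
    'read only'/'writable' win when both appear in one section."""
    for scope in (params, global_params):
        if "read only" in scope:
            return not is_true(scope["read only"])
        for key in ("writable", "writeable", "write ok"):
            if key in scope:
                return is_true(scope[key])
    return False

def writable_shares(conf):
    """Shares a client can write to: the precondition the advisory names."""
    global_params = conf.get("global", {})
    return [name for name, params in conf.items()
            if name != "global" and share_writable(params, global_params)]

def workaround_applied(conf):
    """True when [global] sets 'nt pipe support = no' (smbd's default is yes)."""
    return not is_true(conf.get("global", {}).get("nt pipe support", "yes"))

def audit(version_text, conf_text):
    conf = parse_smb_conf(conf_text)
    result = {
        "vulnerable_version": version_vulnerable(version_text),
        "writable_shares": writable_shares(conf),
        "nt_pipe_support_disabled": workaround_applied(conf),
    }
    result["exposed"] = (result["vulnerable_version"]
                         and bool(result["writable_shares"])
                         and not result["nt_pipe_support_disabled"])
    return result

# Constructed sample smb.conf: two writable shares, workaround not applied.
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
[public]
   path = /srv/samba/public
   read only = no
[docs]
   path = /srv/samba/docs
   read only = yes
[scratch]
   path = /srv/samba/scratch
   writeable = yes
"""

if __name__ == "__main__":
    for version in ("Version 4.5.9", "Version 4.5.10"):
        print(version, audit(version, SAMPLE_CONF))
```

Treat the version result as a hint rather than a verdict: distribution packages (RHEL, Debian and their derivatives) commonly ship the fix as a backport under the old upstream version number, so the package changelog is authoritative. The writable-share check matters because a read-only share does not satisfy the advisory's precondition, and the `nt pipe support` check confirms the workaround landed in `[global]` rather than in a share section, where it would have no effect.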
Vulnerability Details (CVE‑2017‑7494)
====================================================================
== Subject: Remote code execution from a writable share.
==
== CVE ID#: CVE-2017-7494
==
== Versions: All versions of Samba from 3.5.0 onwards.
==
== Summary: Malicious clients can upload and cause the smbd server
== to execute a shared library from a writable share.
====================================================================
Description
All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.
Patch Availability
A patch addressing this defect has been posted to
http://www.samba.org/samba/security/
Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.
Workaround
Add the parameter:
nt pipe support = no
to the [global] section of your smb.conf and restart smbd. This
prevents clients from accessing any named pipe endpoints. Note this
can disable some expected functionality for Windows clients.
Credits
This problem was found by steelo <[email protected]>. Volker
Lendecke of SerNet and the Samba Team provided the fix.
This article has been distilled and summarized from source material, then republished for learning and reference.
