- Status Closed
- Percentage complete
- Type Bug
- Category Local services
- Assigned to Nobody
- Operating System Freebox Server V6 (Révolution)
- Severity Critical
- Priority Very Low
- Reported version 1.0.1
- Due in version Undecided
- Due date Undecided
- Votes
- Private
Project: Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)
Opened by giant jack - 26/01/2011
FS#4684 - Security vulnerability in Samba
Hello,
Not being a real pro in this field, I am just passing along this link, which points to a vulnerability in Samba that seems critical (and old).
http://phil-secu.over-blog.net/article-freebox-6-et-la-securite-65489551.html
Regards
nmap -p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.0.254
Warning: You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-27 00:10 CET
NSE: Loaded 30 scripts for scanning.
Initiating Ping Scan at 00:10
Scanning 192.168.0.254 [6 ports]
Completed Ping Scan at 00:10, 1.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:10
Completed Parallel DNS resolution of 1 host. at 00:10, 0.03s elapsed
Initiating Connect Scan at 00:10
Scanning 192.168.0.254 [65535 ports]
Discovered open port 554/tcp on 192.168.0.254
Discovered open port 80/tcp on 192.168.0.254
Discovered open port 139/tcp on 192.168.0.254
Discovered open port 21/tcp on 192.168.0.254
Discovered open port 445/tcp on 192.168.0.254
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 10.89% done; ETC: 00:13 (0:02:36 remaining)
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 23.87% done; ETC: 00:13 (0:01:52 remaining)
Discovered open port 8090/tcp on 192.168.0.254
Discovered open port 8095/tcp on 192.168.0.254
Connect Scan Timing: About 52.42% done; ETC: 00:12 (0:00:59 remaining)
Discovered open port 8091/tcp on 192.168.0.254
Discovered open port 9091/tcp on 192.168.0.254
Discovered open port 54242/tcp on 192.168.0.254
Completed Connect Scan at 00:12, 104.70s elapsed (65535 total ports)
Initiating Service scan at 00:12
Scanning 10 services on 192.168.0.254
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 40.00% done; ETC: 00:12 (0:00:17 remaining)
Stats: 0:02:44 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.00% done; ETC: 00:13 (0:00:07 remaining)
Stats: 0:02:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.00% done; ETC: 00:13 (0:00:07 remaining)
Stats: 0:02:54 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.00% done; ETC: 00:13 (0:00:08 remaining)
Completed Service scan at 00:13, 83.65s elapsed (10 services on 1 host)
NSE: Script scanning 192.168.0.254.
NSE: Starting runlevel 1 scan
Initiating NSE at 00:13
Completed NSE at 00:13, 5.05s elapsed
NSE: Starting runlevel 2 scan
Initiating NSE at 00:13
Stats: 0:03:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 0.00% done
Completed NSE at 00:14, 40.01s elapsed
NSE: Script Scanning completed.
Host 192.168.0.254 is up (0.00035s latency).
Interesting ports on 192.168.0.254:
Not shown: 65521 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Freebox ftpd
80/tcp open http?
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
554/tcp open rtsp Freebox rtspd 1.2
5678/tcp closed unknown
6600/tcp closed unknown
8090/tcp open unknown
8091/tcp open unknown
8095/tcp open tcpwrapped
9091/tcp open unknown
54242/tcp open unknown
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)
SF-Port80-TCP:V=5.00%I=7%D=1/27%Time=4D40AA62%P=i686-pc-linux-gnu%r(GetReq
SF:uest,98,”HTTP/1\.1\x20302\x20Moved\x20Temporarily\r\nServer:\x20nginx\r
SF:\nDate:\x20Wed,\x2026\x20Jan\x202011\x2023:12:34\x20GMT\r\nContent-Type
SF::\x20text/html\r\nConnection:\x20close\r\nLocation:\x20/login\.php\r\n\
SF:r\n”)%r(HTTPOptions,137,”HTTP/1\.1\x20405\x20Not\x20Allowed\r\nServer:\
SF:x20nginx\r\nDate:\x20Wed,\x2026\x20Jan\x202011\x2023:12:34\x20GMT\r\nCo
SF:ntent-Type:\x20text/html\r\nContent-Length:\x20166\r\nConnection:\x20cl
SF:ose\r\n\r\n
\r\n”)%r(
SF:RTSPRequest,A6,”
\r\n
SF:”)%r(X11Probe,A6,”
\r
SF:\n”)%r(FourOhFourRequest,131,”HTTP/1\.1\x20404\x20Not\x20Found\r\nServe
SF:r:\x20nginx\r\nDate:\x20Wed,\x2026\x20Jan\x202011\x2023:12:34\x20GMT\r\
SF:nContent-Type:\x20text/html\r\nContent-Length:\x20162\r\nConnection:\x2
SF:0close\r\n\r\n
\r\n”)%r(R
SF:PCCheck,A6,”
\r\n”)%r
SF:(DNSVersionBindReq,A6,”
\r\n”);
NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)
SF-Port8090-TCP:V=5.00%I=7%D=1/27%Time=4D40AA67%P=i686-pc-linux-gnu%r(GetR
SF:equest,170,”HTTP/1\.1\x20302\x20Moved\x20Temporarily\r\nServer:\x20ngin
SF:x\r\nDate:\x20Wed,\x2026\x20Jan\x202011\x2023:12:39\x20GMT\r\nContent-T
SF:ype:\x20text/html\r\nContent-Length:\x20154\r\nConnection:\x20close\r\n
SF:Location:\x20http://192\.168\.0\.254:8090/freebox_conn_problem\.html\r\
SF:n\r\n
\r\n”)%r(HTTPOptions,170,”HTTP/1\
SF:.1\x20302\x20Moved\x20Temporarily\r\nServer:\x20nginx\r\nDate:\x20Wed,\
SF:x2026\x20Jan\x202011\x2023:12:39\x20GMT\r\nContent-Type:\x20text/html\r
SF:\nContent-Length:\x20154\r\nConnection:\x20close\r\nLocation:\x20http:/
SF:/192\.168\.0\.254:8090/freebox_conn_problem\.html\r\n\r\n
\r\n”)%r(RTSPRequest,A6,”
\r\n”)%r(RPCCheck,A6,”
\r\n”)%r(DNSVersionBindReq,A6,”
\r\n”)%r(DNSStatusRequest,A6,”<htm
SF:l>\r\n<head><title>400\x20Bad\x20Request</title></head>\r\n<body\x20bgc
SF:olor=\”white\”>\r\n<center><h1>400\x20Bad\x20Request</h1></center>\r\n<
SF:hr><center>nginx</center>\r\n</body>\r\n</html>\r\n”)%r(Help,A6,”
\r\n”);
NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)
SF-Port8091-TCP:V=5.00%I=7%D=1/27%Time=4D40AA67%P=i686-pc-linux-gnu%r(GetR
SF:equest,173,”HTTP/1\.1\x20302\x20Moved\x20Temporarily\r\nServer:\x20ngin
SF:x\r\nDate:\x20Wed,\x2026\x20Jan\x202011\x2023:12:39\x20GMT\r\nContent-T
SF:ype:\x20text/html\r\nContent-Length:\x20154\r\nConnection:\x20close\r\n
SF:Location:\x20http://192\.168\.0\.254:8091/freebox_access_filtered\.html
SF:\r\n\r\n
\r\n”)%r(HTTPOptions,173,”HTTP SF:/1\.1\x20302\x20Moved\x20Temporarily\r\nServer:\x20nginx\r\nDate:\x20We
SF:d,\x2026\x20Jan\x202011\x2023:12:39\x20GMT\r\nContent-Type:\x20text/htm
SF:l\r\nContent-Length:\x20154\r\nConnection:\x20close\r\nLocation:\x20htt
SF:p://192\.168\.0\.254:8091/freebox_access_filtered\.html\r\n\r\n
\r\n”)%r(RTSPRequest,A6,”
\r\n”)%r(RPCCheck,A6,”
\r\n”)%r(DNSVersionBindReq,A6,”
\r\n”)%r(DNSStatusRequest,A6
SF:,”
\r\n”)%r(Help,A6,” SF:
\r\n”);
NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)
SF-Port9091-TCP:V=5.00%I=7%D=1/27%Time=4D40AA67%P=i686-pc-linux-gnu%r(GetR
SF:equest,131,”HTTP/1\.1\x20403\x20Forbidden\r\nServer:\x20nginx\r\nDate:\
SF:x20Wed,\x2026\x20Jan\x202011\x2023:12:39\x20GMT\r\nContent-Type:\x20tex
SF:t/html\r\nContent-Length:\x20162\r\nConnection:\x20close\r\n\r\n
\r\n”)%r(HTTPOptions,137,”HTTP/1\.1\x
SF:20405\x20Not\x20Allowed\r\nServer:\x20nginx\r\nDate:\x20Wed,\x2026\x20J
SF:an\x202011\x2023:12:39\x20GMT\r\nContent-Type:\x20text/html\r\nContent-
SF:Length:\x20166\r\nConnection:\x20close\r\n\r\n
\r\n”)%r(RTSPRequest,A6,”
\r\n”)%r(RPCCheck,A6,”
\r\n”)%r(DNSVersionBindReq,A6,”
\r\n”)%r(DNSStatusRequest,A
SF:6,”
\r\n”)%r(Help,A6,
SF:”
\r\n”)%r(SSLSession
SF:Req,A6,”
\r\n”);
NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)
SF-Port54242-TCP:V=5.00%I=7%D=1/27%Time=4D40AA62%P=i686-pc-linux-gnu%r(Get
SF:Request,122,”HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20text/
SF:html\r\nContent-Length:\x200\r\nAccept-Ranges:\x20bytes\r\nConnection:\
SF:x20close\r\nDATE:\x20Wed,\x2026\x20Jan\x202011\x2023:12:34\x20GMT\r\nco
SF:ntentFeatures\.dlna\.org:\x20\r\nEXT:\r\nServer:\x20Linux/2\.6\.35\.9-f
SF:bxgw1r_bank1_1\.0\.1-01474-g004e6f1,\x20UPnP/1\.0,\x20Free\x20UPnP\x20E
SF:ntertainment\x20Service/0\.655\r\n\r\n”)%r(HTTPOptions,92,”HTTP/1\.0\x2
SF:0200\x20OK\r\nContent-Length:\x200\r\nServer:\x20Linux/2\.6\.35\.9-fbxg
SF:w1r_bank1_1\.0\.1-01474-g004e6f1,\x20UPnP/1\.0,\x20Free\x20UPnP\x20Ente
SF:rtainment\x20Service/0\.655\r\n\r\n”)%r(FourOhFourRequest,122,”HTTP/1\.
SF:0\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html\r\nContent-Lengt
SF:h:\x200\r\nAccept-Ranges:\x20bytes\r\nConnection:\x20close\r\nDATE:\x20
SF:Wed,\x2026\x20Jan\x202011\x2023:13:11\x20GMT\r\ncontentFeatures\.dlna\.
SF:org:\x20\r\nEXT:\r\nServer:\x20Linux/2\.6\.35\.9-fbxgw1r_bank1_1\.0\.1-
SF:01474-g004e6f1,\x20UPnP/1\.0,\x20Free\x20UPnP\x20Entertainment\x20Servi
SF:ce/0\.655\r\n\r\n”);
Service Info: Device: media device
Host script results:
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 234.86 seconds
vulnerability: http://www.samba.org/samba/security/CVE-2009-2813.html
A really _old_ vulnerability...
An "emergency" update really needs to be planned.
Additionally, Samba 3.0.37, 3.2.15, 3.3.8 and 3.4.2 have been issued
as security releases to correct the defect.
Nothing to report..
Sorry, I am re-re-editing my messages: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0926
Vulnerable software and versions
Configuration 1
OR
* cpe:/a:samba:samba:3.3.9
* cpe:/a:samba:samba:3.3.8
* cpe:/a:samba:samba:3.3.7
* cpe:/a:samba:samba:3.3.6
* cpe:/a:samba:samba:3.3.5
* cpe:/a:samba:samba:3.3.4
* cpe:/a:samba:samba:3.3.3
* cpe:/a:samba:samba:3.3.2
* cpe:/a:samba:samba:3.3.10
* cpe:/a:samba:samba:3.3.1
* cpe:/a:samba:samba:3.3.0
* cpe:/a:samba:samba:3.4.5
* cpe:/a:samba:samba:3.4.4
* cpe:/a:samba:samba:3.4.3
* cpe:/a:samba:samba:3.4.2
* cpe:/a:samba:samba:3.4.1
* cpe:/a:samba:samba:3.4.0
* cpe:/a:samba:samba:3.5.0
The Samba version implemented in the Freebox V6 Server is indeed vulnerable; sorry, I do not have the time to test the exploit locally, and I have quite a bit of work, so I am doing my best.
NB: It is still a pity that we cannot edit the messages we have posted.
I am editing again: the version implemented by the Freebox V6 Server is NOT vulnerable. It would be nice to delete my old messages, thanks.
The version (1.01 at least) is entirely vulnerable.
Here is my Freebox
smb: \test\> ls
smb: \test\etc\> get passwd
getting file \test\etc\passwd of size 171 as passwd (83.5 KiloBytes/sec) (average 83.5 KiloBytes/sec)
smb: \test\etc\> !
smb: \test\etc\> !cat passwd
root:find_this_openfreebox:0:0:root:/root:/bin/sh
freebox:ABCDEFGHIJK:4242:4242:freebox:/media/.freebox/:/bin/sh
nobody:ABCDEFGHIJK:4242:4242:nobody:/var/empty:/bin/false
find this open freebox?
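The passwd listing above is the visible effect of the Samba issue linked earlier in the thread (CVE-2010-0926): a symlink inside a share resolves to a path outside it when the "wide links" parameter is effectively enabled, and the documented Samba workaround is to set "wide links = no". From the defender's side, the useful check is therefore an audit of smb.conf for shares left in that state. The Python script below is an added example written for this page; it is not code from this thread, from Free, or from the Samba project. The smb.conf it parses is constructed for illustration, and the pre-fix default of "wide links = yes" is assumed in OLD_WIDE_LINKS_DEFAULT.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf for this example (not the Freebox's real
# configuration). The [test] share keeps the pre-fix behaviour (symlinks may
# point anywhere on the server); [hardened] disables it.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   ; lets SMB clients create symlinks themselves on writable shares
   unix extensions = yes

[test]
   path = /media/.freebox
   read only = no
   wide links = yes

[hardened]
   path = /srv/share
   read only = no
   wide links = no
"""

# Assumed default of "wide links" in Samba releases before the CVE-2010-0926 fix.
OLD_WIDE_LINKS_DEFAULT = "yes"


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {parameter: value}}.

    Section and parameter names are lower-cased, values keep their case.
    Blank lines and comment lines (starting with # or ;) are ignored.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_yes(value: str) -> bool:
    """Samba boolean parsing for the values this audit cares about."""
    return value.strip().lower() in ("yes", "true", "1")


def effective(share: Dict[str, str], global_: Dict[str, str],
              key: str, default: str) -> str:
    """Share-level value, else the [global] value, else the given default."""
    return share.get(key, global_.get(key, default))


def symlink_exposed_shares(text: str) -> List[str]:
    """Shares on which Samba follows symlinks to targets outside the share.

    With "wide links" effectively yes, a symlink inside the share (which a
    client can create itself when the share is writable and "unix
    extensions" is yes) resolves to any path on the server, which is the
    condition behind CVE-2010-0926. An unset parameter counts as exposed
    because the pre-fix default was yes.
    """
    conf = parse_smb_conf(text)
    global_ = conf.get("global", {})
    exposed = []
    for name, share in conf.items():
        if name == "global":
            continue
        if is_yes(effective(share, global_, "wide links", OLD_WIDE_LINKS_DEFAULT)):
            exposed.append(name)
    return sorted(exposed)


def remediation(text: str) -> List[str]:
    """One remediation line per exposed share."""
    return [f"[{name}]: set 'wide links = no'" for name in symlink_exposed_shares(text)]


if __name__ == "__main__":
    for line in remediation(SAMPLE_SMB_CONF) or ["no share follows wide links"]:
        print(line)
```

Setting "wide links = no" once in [global] covers every share; the per-share list is only there so the report points at the share that would have been reachable from the client side, the way the [test] share above is.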
Well there you go, found it :)
So, any juicy details?
The vulnerability was fixed in firmware 1.0.2. Freenautes still on 1.0.1, grab as much as you can before your Freebox gets patched ;)
there is nothing special to grab anyway :) in short, this can be closed now