Infecting an SMB share


sinsi

We have a Ubuntu server running a samba share for our Windows workstations. The share is not browseable.

All file access is done by a .NET program which uses \\server\share\filename.ext to get a file and no share is mapped to a drive.

The question is, can a virus infect the share from one of the Windows computers even though the share isn't mapped?


On 5/30/2021 at 9:12 PM, sinsi said:

The question is, can a virus infect the share from one of the Windows computers even though the share isn't mapped?

One can have a Universal Naming Convention (UNC) share exist. It is up to a client OS to determine if a drive letter is to be assigned by that client OS. Whether a UNC is mapped to a drive letter or not, it is an open service and has the propensity to be affected by malware. There are many bots and Internet worms that can exploit a network share using Server Message Blocks (aka SMB share) hosted through some adaptation of a Network File System (NFS). It is a function of that NFS implementation to have proper security constructs enabled to mitigate malicious exploitation, and for the appliance hosting NFS to be properly maintained and patched to keep malicious exploitation attempts from being effective.

 

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar

On 6/2/2021 at 11:59 AM, AdvancedSetup said:

If a user can access and modify, so can malware. The same applies in most cloud infrastructure too.

The user doesn't directly use the share, the program does a fileopen(\\server\share\file.ext).

 

19 hours ago, David H. Lipman said:

One can have a Universal Naming Convention (UNC) share exist. It is up to a client OS to determine if a drive letter is to be assigned by that client OS. Whether a UNC is mapped to a drive letter or not, it is an open service and has the propensity to be affected by malware. There are many bots and Internet worms that can exploit a network share using Server Message Blocks (aka SMB share) hosted through some adaptation of a Network File System (NFS). It is a function of that NFS implementation to have proper security constructs enabled to mitigate malicious exploitation, and for the appliance hosting NFS to be properly maintained and patched to keep malicious exploitation attempts from being effective.

The user has to have an account on the server, but that's no defense when it's their machine connecting.

 

Doing a registry search, the share appears quite often, so any malware program could easily get any current or previous shares...

The question was to find out if using a URL instead of a mapped drive might prevent a virus from infecting the shared documents (e.g. ransomware).

So I guess the answer to my original question is "Yes. Yes it can".

 

Cheers,

sinsi

6 hours ago, sinsi said:

The user doesn't directly use the share, the program does a fileopen(\\server\share\file.ext).

Moot point.

6 hours ago, sinsi said:

The question was to find out if using a URL instead of a mapped drive might prevent a virus from infecting the shared documents (e.g. ransomware).

So I guess the answer to my original question is "Yes. Yes it can".

Yepper.

There is little difference between a URI and its associated protocol (FTP, GOPHER, HTTP/HTTPS, NNTP, LDAP, TELNET, etc.) and a UNC and its associated protocols.

Underlying syntactic constructs are network protocols using UDP and TCP and existing in the OSI Model. At any point malware may take advantage of a loaded daemon (service) and attempt to exploit a software vulnerability, a configuration mistake or a vulnerability of a poorly secured implementation.

Whether one uses NET USE or SUBST to assign a drive letter to a UNC or not, the service exists and can be exploited. Take ransomware. It may be written such that when a PC becomes compromised, it searches drive letters to see if there are Read+Write+Modify privileges on each data store associated with a drive letter and attempts to encrypt data on that data volume. However, such malware can also be written to see systems sharing data and use direct network protocol attempts at ingress. The question may be at what OSI Model level the exploitation attempt is going to be made. It is a matter of how that daemon is loaded and configured and what it is serving up: SMB, WebDAV, HTTPS, etc.

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar
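Added example, not from the thread or any poster: a small Python check over constructed Samba `vfs_full_audit` lines that flags a client workstation making a burst of extension-changing renames, the footprint of the ransomware David describes encrypting a share whether or not a drive letter was mapped. The log layout (a `%u|%I|%S` prefix followed by `op|ok|args`), the field order, the sample lines and the threshold are assumptions for this illustration.

```python
"""Flag ransomware-like rename bursts on a Samba share from vfs_full_audit logs.

Assumed (constructed) log shape, as produced with `full_audit:prefix = %u|%I|%S`:
  smbd_audit: <user>|<client-ip>|<share>|<op>|<result>|<args...>
Field order differs between deployments, so match LINE_RE to your own smb.conf.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<share>[^|]+)"
    r"\|(?P<op>[^|]+)\|(?P<res>[^|]+)(?:\|(?P<args>.*))?"
)

def parse(line):
    """Split one audit line into its fields; None if it is not an audit record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["args"] = ev["args"].split("|") if ev["args"] else []
    return ev

def rename_changes_extension(args):
    """rename/renameat log old and new path; a changed suffix is the classic
    encrypt-then-rename footprint (report.docx -> report.docx.locked)."""
    if len(args) < 2:
        return False
    old, new = args[-2], args[-1]
    return old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]

def suspicious_clients(lines, rename_threshold=5):
    """Return {client_ip: count} for clients whose successful extension-changing
    renames reach the threshold. Keyed by client IP rather than user, because
    the thread's concern is a compromised workstation, not a person."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["res"] != "ok":
            continue
        if ev["op"] in ("rename", "renameat") and rename_changes_extension(ev["args"]):
            counts[ev["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= rename_threshold}

# Constructed sample: one benign client renaming a draft, one client bulk-renaming.
SAMPLE = [
    "smbd_audit: bob|192.0.2.20|docs|renameat|ok|draft.docx|final.docx",
    "smbd_audit: bob|192.0.2.20|docs|openat|ok|w|final.docx",
] + [
    f"smbd_audit: alice|192.0.2.10|docs|renameat|ok|Q3/f{i}.xlsx|Q3/f{i}.xlsx.locked"
    for i in range(6)
]

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE))  # {'192.0.2.10': 6}
```

Feeding the real log (e.g. `tail -F /var/log/samba/audit.log`) into `suspicious_clients` in a sliding window is the natural next step; the threshold should be tuned to what normal users on the share actually do.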