PyPi: Impacket

CVE-2021-31800

Safety vulnerability ID: 48475

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 05, 2021 Updated at Sep 16, 2024

Advisory

Impacket 0.9.23 fixes a path traversal vulnerability in `smbserver.py`. See CVE-2021-31800.
https://github.com/SecureAuthCorp/impacket/commit/99bd29e3995c254e2d6f6c2e3454e4271665955a

Affected package

impacket

Latest version: 0.12.0

Network protocols Constructors and Dissectors

Affected versions

Fixed versions

Vulnerability changelog

1. Library improvements
* Support connect timeout with SMBTransport (vruello)
* Speeding up DcSync (mohemiv)
* Fixed Python3 issue when serving SOCKS5 requests (agsolino)
* Moved docker container to Python 3.8 (mgallo)
* Added basic GitHub Actions workflow (mgallo)
* Fixed Path Traversal vulnerabilities in `smbserver.py` - CVE-2021-31800 (omriinbar AppSec Researcher at CheckMarx)
* Fixed POST request processing in `httprelayserver.py` (Rcarnus)
* Added cat command to `smbclient.py` (mxrch)
* Added new features to the LDAP Interactive Shell to facilitate AD exploitation (AdamCrosser)
* Python 3.9 support (meeuw and cclauss)

2. Examples improvements
* [addcomputer.py](examples/addcomputer.py):
  * Enable the machine account created via SAMR (0xdeaddood)
* [getST.py](examples/getST.py):
  * Added exploit for CVE-2020-17049 - Kerberos Bronze Bit attack (jakekarnes42)
  * Compute NTHash and AESKey for the Bronze Bit attack automatically (snovvcrash)
* [ntlmrelayx.py](examples/ntlmrelayx.py):
  * Fixed target parsing error (0xdeaddood)
* [wmipersist.py](examples/wmipersist.py):
  * Fixed `filterBinding` error (franferrax)
* Added PowerShell option for semi-interactive shells in `dcomexec.py`, `smbexec.py` and `wmiexec.py` (snovvcrash)
* Added new parameter to select `COMVERSION` in `dcomexec.py`, `wmiexec.py`, `wmipersist.py` and `wmiquery.py` (zexusx26)

3. New examples
* [Get-GPPPassword.py](examples/Get-GPPPassword.py): This example extracts and decrypts Group Policy Preferences passwords using streams for treating files instead of mounting shares. Additionally, it can parse GPP XML files offline (ShutdownRepo and p0dalirius)
* [smbpasswd.py](examples/smbpasswd.py): This script is an alternative to `smbpasswd` tool and intended to be used for changing expired passwords remotely over SMB (MSRPC-SAMR) (snovvcrash)

As always, thanks a lot to all these contributors that make this library better every day (since last version):

mpgn vruello mohemiv jagotu jakekarnes42 snovvcrash zexusx26 omriinbar Rcarnus nuschpl mxrch ShutdownRepo p0dalirius AdamCrosser franferrax meeuw and cclauss

Severity Details

CVSS Base Score

CRITICAL 9.8

CVSS v3 Details

CRITICAL 9.8
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH

CVSS v2 Details

HIGH 7.5
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL