First of all, you would need a Samba server running to be vulnerable to this bug, which you don't have.
This vulnerability has already been patched; its CVE ID is CVE-2017-7494:
Samba since version 3.5.0 is vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
So what you should do is a system upgrade, if you haven't done it already; then you are safe to go.
Check your apt "history logs" to see if your Ubuntu recently received any upgrade for samba or its libraries:
grep -B10 samba- /var/log/apt/history.log
To make sure you've got the latest updates, use:
sudo apt update
sudo apt upgrade
Also use:
apt changelog samba
or aptitude changelog samba
if you are running an older Ubuntu version, to get a list of the latest changes in this package; if you pay attention you will see:
samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium
* SECURITY UPDATE: remote code execution from a writable share
- debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
slash inside in source3/rpc_server/srv_pipe.c.
- CVE-2017-7494
Pay attention to the version, "2:4.3.11+dfsg-0ubuntu0.16.04.7", then use:
$ dpkg -l samba* | awk "( !(/none/) && /^ii/ )"
ii samba-libs:amd64 2:4.3.11+dfsg-0ubuntu0.16.04.7 amd64 Samba core libraries
to see whether you have the patched version installed or not.
Extra steps
If you're really paranoid, grab a copy of the source code, e.g.:
apt source --download samba-libs
It will download the corresponding source code and all patches, extract the source and apply the patches.
Then go to:
head /path-to-extract/samba-4.3.11+dfsg/debian/changelog
You'll see the same stuff as apt changelog samba. You can even look at the patch itself:
cat /home/ravexina/samba-4.3.11+dfsg/debian/patches/CVE-2017-7494.patch
+ if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+ return false;
+ }
+
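Review bot: the guard `if (strchr(pipename, '/'))` is the right fix, but the refusal is recorded only with `DEBUG(1, ...)`, which reaches the log only when the configured log level is at least 1, so an administrator running at the default level will not see refused opens; consider logging the rejection at a level that is visible by default, since the message already carries the offending pipe name and is a useful detection signal for attempts against this bug.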
or even compile and install it, if you wish.
If you're curious, you can see a proof of concept for CVE-2017-7494 here.
Best Answer
You're not vulnerable to the specific attack, but the approach is very interesting. The vulnerabilities used are already fixed.
I've been chatting with Jon Larimer since I heard about his presentation at Shmoo. The defeat of ASLR takes quite a while (Larimer is brute-forcing it on an NX-emu 32-bit system -- a relatively easy target -- and for the demo he disabled ASLR to show it more quickly), and at the time he hadn't found a workable way to bypass AppArmor (which he also turned off for the demo), so this speaks pretty well to the proactive defenses in Ubuntu. Using 64-bit would have made the attack unfeasible.
Regardless, we took the opportunity to ask the Desktop team to find a way to disable auto-mounting when the screen is locked to avoid this kind of "local but unauthenticated" attack, and have been reviewing improvements to the other thumbnailers (adding ASLR and AppArmor profiles).
I've actually written about it here for people interested in more details.