Google ships WannaCrypt for Android, disguised as Samba app

Perhaps noticing the popularity of Samba apps for Android, Google's decided to plant its own flag in the space, and yesterday released its official Android Samba Client. It landed on Google Play here, and almost immediately users noticed something worrying. It only supports SMBv1 shares. SMBv1 is known to be exploitable ( …

  1. Captain DaFt

    Sigh

    Too accustomed to this type of tech fuck-up by companies that ought to know better to even muster the energy for a face palm.

    One day, we'll look back on this type of thing and laugh.

    It'll be the kind of laugh that rises in pitch and intensity until someone rushes in with a hypo of tranquilizer, but it'll be a laugh.

  2. JakeMS
    FAIL

    Why?

    Why on Google Earth would Google do this? I mean, I get it they want Samba.... but SMBv1 only?!

    Even more of a "?!" when you consider WannaCry.. what the heck are you doing Google?! Did they completely miss the whole WannaCry thing and numerous security concerns over the years?

    I'm not a religious person but I've got to say it:

    Jesus Christ!

    1. Dan 55 Silver badge

      Re: Why?

      The problem wasn't in the protocol but MS' implementation of it.

      Google have taken the code from Samba which it is to be hoped is less holey than MS' version.

      1. Roger Lipscombe

        Re: Why?

        The problem appears to be that this is a *client* that supports only SMBv1, which means -- if you want it to be useful -- you need to keep SMBv1 enabled on your server.

        And *that's* where you're going to get pwned.

        1. LDS Silver badge
          Joke

          Re: Why?

          Exactly, it's cunning plan from Google to force Windows admins to keep SMB1 enabled on servers...

        2. Hans 1 Silver badge

          Re: Why?

          You need to keep SMBv1 enabled on your server.

          Actually, most home servers are in fact ADSL routers with USB/eSATA ports running Linux, so they are immune to wannacry AND accessible from this app ... I am not saying it is good practice to use SMB, though.

          Last year, Redmond's Ned Pyle put it simply: Stop using SMBv1.

          Last year, Redmond's Ned Pyle put it simply: Stop using SMB!

          There, Ned, FTFY!

          1. j.bourne
            WTF?

            Re: Why?

            "most home servers are in fact ADSL routers with USB/eSATA ports running Linux"

            WTF?? The USB port is running Linux? My home server is an ADSL router?? (not)

            1. Wayland Bronze badge

              Re: Why? Home server routers

              If I can untangle what the OP is saying...

              Home routers are running Linux, you may not have known that. They often, as in the case of BT Home Hub and ASUS routers, have a USB socket which can take a hard drive or USB memory stick. This turns the router into a file server via its Samba. Perhaps this is running SMBv1?

              If you want to check this then you may have noticed a share in your Networking attributed to your router. You may also note a media share too.

              Plenty of people would prefer the router to just be a router, firewall and hub for security reasons. However you've gotta admit it's tempting to use all that Linux goodness to provide a print server and any other server type things you can think of.

              That is where ClearOS came from. That used to be Clark Connect which was a router. I now use ClearOS without any routing functions, just as a server.

        3. Dan 55 Silver badge

          Re: Why?

          Well, I doubt a MIPS NAS server running Samba only available on the LAN is going to get pwned, and calling it WannaCry for Android is also a bit of an exaggeration seeing as it's a server-side exploit.

          Yes, it should be updated to SMBv2, and it probably will do when it breaks. Yay for support.

          No, I don't expect there's a need for Android to connect to SMB servers in businesses so SMB1 can be disabled and any complaints can be safely ignored.

      2. LDS Silver badge

        "Samba which it is to be hoped is less holey than MS' version"

        Samba security patches history:

        https://www.samba.org/samba/history/security.html

        Anyway SMB1 is an outdated protocol with many unused functionalities and added layers that make it a house of cards.

        There are very good reasons to obsolete and remove it ASAP.

    2. big_D Silver badge
      Facepalm

      Re: Why?

      @JakeMS maybe they should use Bing to search for things like this, before implementing them... Or maybe even google.com?

  3. NP-Hardass
    Alert

    Already fixed

    https://github.com/google/samba-documents-provider/pull/10

    Looks like they received and merged a PR to set the minimum SMB protocol to SMB2.

    They also have https://github.com/google/samba-documents-provider/issues/7 which looks like they are working to fix the issue of allowing manual selection of protocol version.

    1. LDS Silver badge

      Re: Already fixed

      That fix doesn't explain why the app refused to connect to SMB2 servers - even if SMB1 is enabled, clients should try the latest versions first, and then fallback to the oldest versions.

      The configuration fix just disables SMB1 client side, not allowing it to fall back to anything below SMB2.

      Which version of Samba does Android ship with? The app looks like just a wrapper over the underlying OS Samba code.
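An added example, not code from the article, from any of the commenters, or from Google's samba-documents-provider project: a Python model of the SMB1 NEGOTIATE exchange, built from the [MS-CIFS]/[MS-SMB2] wire layout. It shows the mechanism behind the fallback question above: a client that starts with an SMB1 NEGOTIATE can still be answered with SMB2 only if its dialect list carries "SMB 2.002" or "SMB 2.???"; a client that offers nothing but "NT LM 0.12" leaves the server the choice of speaking SMB1 or refusing the connection, which is why an SMB1-only client forces SMB1 to stay enabled on the server (in Samba the offer list is what `client min protocol` / `client max protocol` in smb.conf control). The server side here is a constructed stand-in that picks the highest dialect both sides support; the response packets are built by hand for the example, not captured from a real server.

```python
"""Model of the SMB1 NEGOTIATE exchange (added example; the server is a stand-in)."""
import struct

# Dialect strings a client can list in an SMB1 NEGOTIATE request ([MS-SMB2] 3.2.4.2.2).
NT_LM_012 = "NT LM 0.12"     # classic SMB1 (NT1)
SMB2_002 = "SMB 2.002"       # SMB 2.0.2 only
SMB2_WILDCARD = "SMB 2.???"  # any SMB2+ dialect: server answers 0x02FF, real SMB2 NEGOTIATE follows
SMB1_ONLY = [NT_LM_012]                              # what an SMB1-only client offers
SMB2_CAPABLE = [NT_LM_012, SMB2_002, SMB2_WILDCARD]  # what a client with SMB2 enabled offers


def build_smb1_negotiate(dialects):
    """NetBIOS session header + 32-byte SMB1 header + NEGOTIATE body listing the dialects."""
    header = struct.pack(
        "<4sB4sBHH8sHHHHH",
        b"\xffSMB", 0x72,         # protocol id, SMB_COM_NEGOTIATE
        b"\0\0\0\0",              # NT status
        0x18, 0xC853,             # Flags; Flags2 (unicode, NT status, extended security)
        0, b"\0" * 8, 0,          # PIDHigh, SecurityFeatures, Reserved
        0xFFFF, 0xFEFF, 0, 0,     # TID (none yet), PIDLow, UID, MID
    )
    body = b"".join(b"\x02" + d.encode("ascii") + b"\0" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body  # WordCount = 0, ByteCount
    return struct.pack(">I", len(smb)) + smb  # NetBIOS header: type 0x00 + 3-byte length


def offered_dialects(packet):
    """Parse the dialect list back out of a NEGOTIATE request (what a server sees)."""
    smb = packet[4:]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x72:
        raise ValueError("not an SMB1 NEGOTIATE request")
    word_count = smb[32]
    byte_count = struct.unpack_from("<H", smb, 33 + 2 * word_count)[0]
    start = 35 + 2 * word_count
    data = smb[start:start + byte_count]
    return [s[1:].decode("ascii") for s in data.split(b"\0") if s.startswith(b"\x02")]


def smb2_negotiate_response(revision):
    """Constructed minimal SMB2 NEGOTIATE response: 64-byte header, then the first body fields."""
    header = b"\xfeSMB" + struct.pack("<H", 64) + b"\0" * 58
    body = struct.pack("<HHH", 65, 1, revision)  # StructureSize, SecurityMode, DialectRevision
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


def smb1_negotiate_response(dialect_index):
    """Constructed minimal SMB1 NEGOTIATE response; DialectIndex 0xFFFF means 'no common dialect'."""
    header = b"\xffSMB" + bytes([0x72]) + b"\0" * 27
    smb = header + bytes([17]) + struct.pack("<H", dialect_index) + b"\0" * 32  # WordCount 17
    return struct.pack(">I", len(smb)) + smb


def server_response(offered, server_dialects):
    """Stand-in for a server that picks the highest dialect both sides speak (hypothetical model)."""
    if "SMB2" in server_dialects and SMB2_WILDCARD in offered:
        return smb2_negotiate_response(0x02FF)
    if "SMB2" in server_dialects and SMB2_002 in offered:
        return smb2_negotiate_response(0x0202)
    if "SMB1" in server_dialects and NT_LM_012 in offered:
        return smb1_negotiate_response(offered.index(NT_LM_012))
    return smb1_negotiate_response(0xFFFF)  # SMB1 disabled on the server, SMB2 never offered


def negotiated_dialect(response, offered):
    """Classify a server's reply as ('SMB2', revision), ('SMB1', name) or ('none', None)."""
    smb = response[4:]
    if smb[:4] == b"\xfeSMB":
        return ("SMB2", struct.unpack_from("<H", smb, 64 + 4)[0])
    if smb[:4] == b"\xffSMB":
        index = struct.unpack_from("<H", smb, 33)[0]  # first parameter word after WordCount
        return ("none", None) if index == 0xFFFF else ("SMB1", offered[index])
    raise ValueError("not an SMB NEGOTIATE response")


def negotiate(client_dialects, server_dialects):
    """Run one request/response round trip through the model and return the outcome."""
    request = build_smb1_negotiate(client_dialects)
    offered = offered_dialects(request)
    return negotiated_dialect(server_response(offered, server_dialects), offered)


if __name__ == "__main__":
    cases = [(SMB1_ONLY, {"SMB1", "SMB2"}), (SMB1_ONLY, {"SMB2"}), (SMB2_CAPABLE, {"SMB2"})]
    for client, server in cases:
        print(client, "vs server", sorted(server), "->", negotiate(client, server))
```

The three cases in the demo map onto the thread: an SMB1-only client against a server that still has SMB1 enabled gets SMB1 and nothing better; the same client against a server with SMB1 turned off gets a 0xFFFF refusal (the "Nope, it doesn't connect" result); a client whose dialect list includes "SMB 2.???" is steered to SMB2 regardless of whether the server also keeps SMB1 on.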

  4. chuckufarley

    Google Devs Click >HERE< for your FREE* GIFT!

    It's a lifetime subscription to El Reg! Now you can stay on top of all the software vulns and learn what not to write!

    *Usage of FREE GIFT may require removal of head from ass and/or an internet connection. FREE GIFT not valid where bribes are required.

  5. jake Silver badge

    This is what happens ...

    ... when marketards run a so-called engineering firm.

    1. tfewster Silver badge
      Facepalm

      Re: This is what happens ...

      It's not as simple as that. Engineering would have to be pretty clueless and/or spineless to play along. And Marketing would be sensitive to PR own goals, so they must have been poorly advised. That said, I can imagine the conversation:

      Engineering manager: We have your demo of SMB ready

      Marketing: Cool, ship it

      Engineering manager: But it only supports SMBv1...

      Marketing: No worries, we'll sell SMBv2 support as an upgrade. We're hearing a lot of buzz about SMB, we need to be in that space right NOW.

      Engineering manager: $RESPONSE

      case $RESPONSE in

      "But" ) fire manager;;

      "I quit" ) while resistance from subordinates do (fire replacements);;

      "Yes|OK" ) sleep until PR disaster;fire manager;;

      esac

    2. theblackhand

      Re: This is what happens ...

      I'm not sure this is a marketard problem - the likelihood of Samba being a driver (let alone a big driver) for Android is close to zero, as maybe a few hundred thousand out of the supposed 2 billion Android devices at best.

      I suspect this was a developer trying to solve a problem they were personally experiencing, made it publicly available and a design decision from a few months ago (i.e. compatibility vs security) now looks completely wrong.

      While there are lessons in this around the level of understanding required when developing with common libraries to ensure current security standards are implemented, I'm not sure this is due to marketards.

  6. Dan 55 Silver badge

    Does this actually mount the drive on the filesystem?

    Or does it just show it in the file manager, in which case it's just the same thing that Explorer and so on already do.

  7. TReko

    Other options?

    Actually, the other three Samba servers (Samba Flesharing, Samba server and SambaDroid) that I've tried on Android all only support SMB v1.

    I guess they are all copying the same original codebase.

    Anyone know of an Android Samba server that supports SMB v2?

    1. Anonymous Coward
      Anonymous Coward

      Re: Other options?

      > (Samba Flesharing,

      My cat is called Samba and she does flesharing.

    2. Anonymous Coward
      Anonymous Coward

      Re: Other options?

      I read that as Samba Flesheating.

      It's Saturday night

      time=bed

  8. Anonymous South African Coward Silver badge
    Facepalm

    Thanks, but no thanks. I have no desire to be shafted sans vaseline.

    Kindly pass this poxy app over to somebody more deserving, kthanxbai.

  9. RyokuMas Silver badge
    Devil

    Call me a conspiracy theorist, but...

    What's the betting that, instead of fixing the app, Google release an Android patch that closes the vulnerability?

    Why? An app update could be applied at any time on any phone by the end user. But an OS update can be delayed - or even not delivered - by the handset providers...

    ... which would basically mean that Pixel phones would be protected almost immediately, allowing Google to claim that only their handsets have this level of security and make other providers look like the bad guys into the bargain.

    Wouldn't put it past Google to use this sort of marketing tactic...

    1. Hans 1 Silver badge
      WTF?

      Re: Call me a conspiracy theorist, but...

      Call me a conspiracy theorist

      Well, that would be one way of putting it, another would be more constructive: I think you need to learn about server-client paradigm, how this app is a client and wannacry attacks servers.

      Conspiracy theorists usually have no clue on the subject in question and love to make wild guesses that often sound like LSD-induced thoughts ...

  10. This post has been deleted by its author

  11. Joe Montana

    SMBv1

    It's not the SMBv1 protocol itself that's vulnerable, but rather specific bugs in Microsoft's implementation of it... A fully patched version isn't vulnerable even with smbv1 turned on, and other implementations of the protocol such as samba aren't vulnerable to the same attacks.

    That's not to say smb the protocol and the windows implementation specifically doesn't have some pretty stupid design flaws, but the newer versions aren't really any better either.

    1. LDS Silver badge

      "but the newer versions aren't really any better either"

      They are built exactly to eliminate the cruft accumulated by SMB1. That doesn't mean there won't be bugs, but under many aspects they are better. Up to the point Apple selected SMB as their default file sharing protocol - not NFS, which has its design flaws and issues as well.

  12. TrumpSlurp the Troll
    Paris Hilton

    Nice vector

    For future attacks.

    App only works with V1 and I assume simple to check for vulnerability on the servers.

    Any other supplier I would suspect vulnerability checking.

    Google, though?

    Damn, they fixed it.

    Just as well, this tinfoil hat was getting sweaty.

  13. Doctor Syntax Silver badge

    “I'll disable SMBv1 on my home server and try to connect to it again. Edit: Nope, it doesn't connect. Ugh.”

    The pre-requisite for this statement is that his home server was still running SMBv1. Why?

  14. Anonymous Coward
    Anonymous Coward

    Please explain

    I don't understand.

    It's Microsoft SMB that is broken, how is that Google's fault in any way? Samba is secure.

    How is this "wanna cry for android'???? It seems to me that its not that at all...

  15. ScissorHands
    Mushroom

    Android suffers from SMB1-infection and it's because of Samba

    The Kodi community has been suffering from SMB1-only support in Android and now that most sane people have forcibly disabled SMB1 on their fileservers or NAS, Kodi can't connect (current fix: use an NFS export, hence nuclear icon).

    According to Kodi developers it's Samba's newer code supporting SMB2 that has some kind of cross-platform compilation issue that just keeps it from working on Android. According to someone from Team Kodi on the Kodi forums, "courtesy of samba by changing build system to something incredibly broken for cross compiling. We're debating and working on upgrading samba on and off for a while now."

    Google could've a) added some compatibility shim to enable this cross-compiling to happen; b) worked with Samba to create a standard SMB2 library that worked in Android; c) created their own SMB2 client implementation for Android.

    Silly me, just repack Samba's code and job's a good'un!

  16. Jeremy Allison

    Silly alarmist headline

    I expected better from you Richard.

    The facts:

    This code is based on Samba 4.6.x, which still has SMB1 as default for the *client* code only. The server code supports SMB2 of course and has since 3.6.x. The client code also supports SMB2 but the default was left at SMB1 for 4.6.x (which was released *before* WANNACRY) to keep all the regression tests working (which are run on every check-in to ensure code quality and protect against regressions).

    For 4.7.x (now in rc1) - being released *post* WANNACRY there has been a large effort put in to fix this and ensure everything works out of the box with SMB2+ by default in the client libraries.

    Samba has never been vulnerable to WANNACRY, this was a Microsoft-only implementation problem. Now we've had our fair share of our own horrible vulnerabilities of course (some of which I'm ashamed to say I caused), but associating WANNA-*anything* merely with SMB1 support is sloppy, amateurish journalism. Please check facts next time. It's not like my email address or contact details are a secret, is it.

    http://samba.org/~jra

  17. Alistair Silver badge
    Windows

    Umm

    ES File Manager? Anyone? Halooo?

    This is google stupidity is what it is ... SMB this SMB that -- SMB trending on twatter. Oh look - this does SMB put it in the market place...

    but - -then again -- I'm a techie nerd and know how to manage my techie shit.

  18. Jonathan 27 Bronze badge

    If you read the comments on the (linked) repository, they are working on SMB2 support. It will probably tip up in a few weeks.

  19. LionelHutz

    As pointed out in the comments that inspired this article...

    The problem is with Android itself. Android only supports SMBv1. Therefore all apps that support SMB on Android have this problem.

  20. Inventor of the Marmite Laser Silver badge

    "both leveraged insecure SMBv1 shares"

    Please, can we stop the reject HR consultant buzz-speak? Whats wrong with "both used insecure SMBv1 shares"?

  21. Anonymous Coward
    Anonymous Coward

    "Google ships WannaCrypt for Android ..."

    Did they really? Or is the Register so desperate for attention that it is descending to pure click bait? For shame!

  22. rmstock

    TheReg gets infected by Fake News

    The headline is Fake News #1 :

    "Google ships WannaCrypt for Android, disguised as Samba app"

    Google ships an SMB client for Android which does SMBv1. WannaCrypt should be called WannaCry, which is a Microsoft Windows only virus exploiting EternalBlue, a zero-day exploit which only does Windows. Android is not a Windows platform OS.

    Lie# 2 :

    SMBv1 is known to be exploitable. (WannaCrypt and NotPetya both leveraged insecure SMBv1 shares to infect vulnerable Windows machines).

    SMBv1 is not vulnerable when running a Samba Server on Linux configured for SMBv1. The whole WannaCry news thread is a Microsoft Windows only exploitation.

    Lie# 3:

    "Last year, Redmond's Ned Pyle put it simply: Stop using SMBv1."

    Not when running a Samba Server on Linux configured for SMBv1. The problem is the SMBv1 implementation of Microsoft on its Windows platform.

  23. arobertson1

    I don't know what all the fuss is all about

    Go into settings, about phone, tap the build number until developer options are enabled

    Go into developer options and under "PwnMyPhone"

    Untick "Enable Googlebot Private Network Traversal"

    It's right next to "Mask Telnet" and "Index My Pics"

  24. razorfishsl

    disable SMB1 is not that simple.

    Much Fuji/Xerox legacy equipment STILL uses SMB1....

    Hmmm wonder why Fuji/Xerox have no downloadable software upgrades.

    Even the equipment is not EOL

  25. RonWheeler

    Many years ago

    We had to allow it on our Windows domain because the Mandrake Linux guys couldn't support anything more modern SMB-wise.

    So the 'this is a Windows problem' stick is a little unfair as often Windows only had it enabled to support other platforms.

  26. cutterman

    Ned Pyle

    "Last year, Redmond's Ned Pyle put it simply: Stop using SMBv1."

    Gee, thanks Ned. That is REALLY helpful, considering that my Win10/1703 can't browse my local network if I disable SMB1 - and there are MUCHO people like me. The Mac - no problem, Linux - no problem.

    Tell me Ned, 'ol chum, do you or your minions ever look at your soopa-doopa Feedback channel?

    Evidently NOT!

    YOU fix your firkin abominable O/S and I'll gladly disable SMB1.

    Sourpuss Mac


Biting the hand that feeds IT © 1998–2019