Vulnerability CVE-2007-2446


Published: 2007-05-14   Modified: 2012-02-12

Description:
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

See advisories in our WLB2 database:
Risk: High
Topic: Samba 3.0.0 - 3.0.25rc3: Multiple Heap Overflows Allow Remote Code Execution
Author: Brian Schafer
Date: 17.05.2007

Type: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: Samba
Product: Samba
Version: 3.0.2a, 3.0.25, 3.0.24, 3.0.23d, 3.0.23c, 3.0.23b, 3.0.23a, 3.0.23, 3.0.22, 3.0.21c, 3.0.21b, 3.0.21a, 3.0.21, 3.0.20b, 3.0.20a, 3.0.20, 3.0.2, 3.0.19, 3.0.18, 3.0.17, 3.0.16, 3.0.15, 3.0.14a, 3.0.14, 3.0.13, 3.0.12, 3.0.11, 3.0.10, 3.0.1, 3.0.0

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://www.kb.cert.org/vuls/id/773720
http://www.securityfocus.com/archive/1/archive/1/468542/100/0/threaded
http://www.samba.org/samba/security/CVE-2007-2446.html
https://issues.rpath.com/browse/RPL-1366
http://xforce.iss.net/xforce/xfdb/34316
http://xforce.iss.net/xforce/xfdb/34314
http://xforce.iss.net/xforce/xfdb/34312
http://xforce.iss.net/xforce/xfdb/34311
http://xforce.iss.net/xforce/xfdb/34309
http://www.zerodayinitiative.com/advisories/ZDI-07-033.html
http://www.zerodayinitiative.com/advisories/ZDI-07-032.html
http://www.zerodayinitiative.com/advisories/ZDI-07-031.html
http://www.zerodayinitiative.com/advisories/ZDI-07-030.html
http://www.zerodayinitiative.com/advisories/ZDI-07-029.html
http://www.vupen.com/english/advisories/2008/0050
http://www.vupen.com/english/advisories/2007/3229
http://www.vupen.com/english/advisories/2007/2732
http://www.vupen.com/english/advisories/2007/2281
http://www.vupen.com/english/advisories/2007/2210
http://www.vupen.com/english/advisories/2007/2079
http://www.vupen.com/english/advisories/2007/1805
http://www.ubuntu.com/usn/usn-460-1
http://www.trustix.org/errata/2007/0017/
http://www.securitytracker.com/id?1018050
http://www.securityfocus.com/bid/24198
http://www.securityfocus.com/bid/24197
http://www.securityfocus.com/bid/24196
http://www.securityfocus.com/bid/24195
http://www.securityfocus.com/bid/23973
http://www.securityfocus.com/archive/1/archive/1/468680/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/468675/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/468674/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/468673/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/468672/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/468670/100/0/threaded
http://www.redhat.com/support/errata/RHSA-2007-0354.html
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.012.html
http://www.mandriva.com/security/advisories?name=MDKSA-2007:104
http://www.debian.org/security/2007/dsa-1291
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.475906
http://security.gentoo.org/glsa/glsa-200705-15.xml
http://secunia.com/advisories/25270
http://secunia.com/advisories/25259
http://secunia.com/advisories/25257
http://secunia.com/advisories/25256
http://secunia.com/advisories/25255
http://secunia.com/advisories/25251
http://secunia.com/advisories/25246
http://secunia.com/advisories/25241
http://secunia.com/advisories/25232
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11415
http://lists.suse.com/archive/suse-security-announce/2007-May/0006.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01078980
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01067768
http://docs.info.apple.com/article.html?artnum=306172
http://www.xerox.com/downloads/usa/en/c/cert_XRX08_001.pdf
http://www.securityfocus.com/bid/25159
http://www.osvdb.org/34732
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200588-1
http://securityreason.com/securityalert/2702
http://secunia.com/advisories/28292
http://secunia.com/advisories/27706
http://secunia.com/advisories/26909
http://secunia.com/advisories/26235
http://secunia.com/advisories/25772
http://secunia.com/advisories/25675
http://secunia.com/advisories/25567
http://secunia.com/advisories/25289

Related CVE:
CVE-2018-1057: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privi...
CVE-2018-1050: All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls c...
CVE-2017-2619: Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
CVE-2018-5764: The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
CVE-2017-17433: The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote atta...
CVE-2017-17434: The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechan...
CVE-2017-15275: Samba before 4.7.3 might allow remote attackers to obtain sensitive information by leveraging failure of the server to clear allocated heap memory.
CVE-2017-14746: Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.

Copyright 2018, cxsecurity.com