Executive Summary
Summary | |
---|---|
Title | Samba "send_mailslot()" function buffer overflow |
Informations | |||
---|---|---|---|
Name | VU#438395 | First vendor Publication | 2008-02-20 |
Vendor | VU-CERT | Last vendor Modification | 2008-02-25 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#438395Samba "send_mailslot()" function buffer overflowOverviewThe Samba "send_mailslot()" function contains a stack-based buffer overflow vulnerability which could be exploited by a remote, unauthenticated attacker to execute arbitrary code.I. DescriptionSamba is a widely used open-source implementation of Server Message Block (SMB)/Common Internet File System (CIFS). A stack-based buffer overflow exists in the send_mailslot() function due to the function's improper processing of SAMLOGON packets. By sending a SAMLOGON domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string, an attacker could then overflow the stack to exploit the vulnerability.II. ImpactBy sending a specially crafted SAMLOGON domain logon packet, a remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary code.III. SolutionThis vulnerability is addressed in Samba version 3.0.28. Patches are also available to address this vulnerability in Samba version 3.0.27a. Samba is included in various Linux and UNIX distributions. Please consult the relevant documentation of your distribution to obtain the appropriate updates.The vulnerability requires that the "domain logons" be enabled. Therefore, an effective workaround to this vulnerability would be to disable the "domain logons" option.
References
This vulnerability was discovered by Alin Rad Pop of Secunia Research. This document was written by Joseph Pruszynski.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/438395 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11572 | |||
Oval ID: | oval:org.mitre.oval:def:11572 | ||
Title: | Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. | ||
Description: | Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-6015 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17746 | |||
Oval ID: | oval:org.mitre.oval:def:17746 | ||
Title: | USN-556-1 -- samba vulnerability | ||
Description: | Alin Rad Pop discovered that Samba did not correctly check the size of reply packets to mailslot requests. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-556-1 CVE-2007-6015 | Version: | 7 |
Platform(s): | Ubuntu 6.06 Ubuntu 6.10 Ubuntu 7.04 Ubuntu 7.10 | Product(s): | samba |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18457 | |||
Oval ID: | oval:org.mitre.oval:def:18457 | ||
Title: | DSA-1427-1 samba - buffer overflow | ||
Description: | Alin Rad Pop discovered that Samba, a LanManager-like file and printer server for Unix, is vulnerable to a buffer overflow in the nmbd code which handles GETDC mailslot requests, which might lead to the execution of arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1427-1 CVE-2007-6015 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | samba |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21715 | |||
Oval ID: | oval:org.mitre.oval:def:21715 | ||
Title: | ELSA-2007:1114: samba security and bug fix update (Critical) | ||
Description: | Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2007:1114-01 CVE-2007-6015 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | samba |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:5605 | |||
Oval ID: | oval:org.mitre.oval:def:5605 | ||
Title: | HP-UX running HP CIFS Server (Samba), Remote Execution of Arbitrary Code | ||
Description: | Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-6015 | Version: | 9 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2010-05-12 | Name : Mac OS X 10.5.2 Update / Mac OS X Security Update 2008-001 File : nvt/macosx_upd_10_5_2_secupd_2008-001.nasl |
2010-02-15 | Name : Solaris Update for Samba 114685-15 File : nvt/gb_solaris_114685_15.nasl |
2010-02-15 | Name : Solaris Update for Samba 114684-15 File : nvt/gb_solaris_114684_15.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-13 | Name : Solaris Update for Samba 119758-16 File : nvt/gb_solaris_119758_16.nasl |
2009-10-13 | Name : Solaris Update for Samba 119757-16 File : nvt/gb_solaris_119757_16.nasl |
2009-10-13 | Name : Solaris Update for Samba 114685-14 File : nvt/gb_solaris_114685_14.nasl |
2009-10-13 | Name : Solaris Update for Samba 114684-14 File : nvt/gb_solaris_114684_14.nasl |
2009-10-10 | Name : SLES9: Security update for Samba File : nvt/sles9p5018048.nasl |
2009-10-10 | Name : SLES9: Security update for Samba File : nvt/sles9p5013978.nasl |
2009-09-23 | Name : Solaris Update for Samba 119758-15 File : nvt/gb_solaris_119758_15.nasl |
2009-09-23 | Name : Solaris Update for Samba 119757-15 File : nvt/gb_solaris_119757_15.nasl |
2009-06-03 | Name : Solaris Update for Samba 119758-14 File : nvt/gb_solaris_119758_14.nasl |
2009-06-03 | Name : Solaris Update for Samba 114684-13 File : nvt/gb_solaris_114684_13.nasl |
2009-06-03 | Name : Solaris Update for Samba 119757-14 File : nvt/gb_solaris_119757_14.nasl |
2009-06-03 | Name : Solaris Update for Samba 114685-13 File : nvt/gb_solaris_114685_13.nasl |
2009-05-05 | Name : HP-UX Update for HP CIFS Server (Samba) HPSBUX02316 File : nvt/gb_hp_ux_HPSBUX02316.nasl |
2009-05-05 | Name : HP-UX Update for HP CIFS Server (Samba) HPSBUX02341 File : nvt/gb_hp_ux_HPSBUX02341.nasl |
2009-04-09 | Name : Mandriva Update for samba MDKSA-2007:244 (samba) File : nvt/gb_mandriva_MDKSA_2007_244.nasl |
2009-03-23 | Name : Ubuntu Update for samba vulnerability USN-556-1 File : nvt/gb_ubuntu_USN_556_1.nasl |
2009-03-06 | Name : RedHat Update for samba RHSA-2007:1114-01 File : nvt/gb_RHSA-2007_1114-01_samba.nasl |
2009-02-27 | Name : Fedora Update for samba FEDORA-2007-4275 File : nvt/gb_fedora_2007_4275_samba_fc8.nasl |
2009-02-27 | Name : Fedora Update for samba FEDORA-2007-4269 File : nvt/gb_fedora_2007_4269_samba_fc7.nasl |
2009-02-27 | Name : CentOS Update for samba CESA-2007:1114 centos3 x86_64 File : nvt/gb_CESA-2007_1114_samba_centos3_x86_64.nasl |
2009-02-27 | Name : CentOS Update for samba CESA-2007:1114 centos3 i386 File : nvt/gb_CESA-2007_1114_samba_centos3_i386.nasl |
2009-02-27 | Name : CentOS Update for samba CESA-2007:1114-01 centos2 i386 File : nvt/gb_CESA-2007_1114-01_samba_centos2_i386.nasl |
2009-02-17 | Name : Fedora Update for samba FEDORA-2008-4679 File : nvt/gb_fedora_2008_4679_samba_fc8.nasl |
2009-02-16 | Name : Fedora Update for samba FEDORA-2008-10638 File : nvt/gb_fedora_2008_10638_samba_fc8.nasl |
2009-01-28 | Name : SuSE Update for samba SUSE-SA:2007:068 File : nvt/gb_suse_2007_068.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200712-10 (samba) File : nvt/glsa_200712_10.nasl |
2008-09-04 | Name : FreeBSD Ports: samba, samba3, ja-samba File : nvt/freebsd_samba13.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1427-1 (samba) File : nvt/deb_1427_1.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2007-344-01 samba File : nvt/esoft_slk_ssa_2007_344_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
39191 | Samba nmdb send_mailslot() Function GETDC mailslot Request Remote Overflow |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Samba send_mailslot buffer overflow attempt RuleID : 17661 - Revision : 10 - Type : SERVER-SAMBA |
2014-01-10 | Samba send_mailslot buffer overflow attempt RuleID : 13291 - Revision : 11 - Type : SERVER-SAMBA |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-1114.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1117.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071210_samba_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12002.nasl - Type : ACT_GATHER_INFO |
2009-07-27 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2008-0003.nasl - Type : ACT_GATHER_INFO |
2008-02-12 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_5_2.nasl - Type : ACT_GATHER_INFO |
2008-02-12 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2008-001.nasl - Type : ACT_GATHER_INFO |
2007-12-19 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-556-1.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_cifs-mount-4780.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_ffcbd42da8c511dcbec202e0185f8d72.nasl - Type : ACT_GATHER_INFO |
2007-12-12 | Name : The remote openSUSE host is missing a security update. File : suse_cifs-mount-4777.nasl - Type : ACT_GATHER_INFO |
2007-12-12 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-244.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-1114.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2007-344-01.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200712-10.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote Fedora host is missing a security update. File : fedora_2007-4275.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote Fedora host is missing a security update. File : fedora_2007-4269.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1427.nasl - Type : ACT_GATHER_INFO |
2007-12-11 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-1114.nasl - Type : ACT_GATHER_INFO |
2007-12-10 | Name : The remote Samba server may be affected by a buffer overflow vulnerability. File : samba_3_0_28.nasl - Type : ACT_GATHER_INFO |
2004-07-12 | Name : The remote host is missing Sun Security Patch number 114684-17 File : solaris9_114684.nasl - Type : ACT_GATHER_INFO |
2004-07-12 | Name : The remote host is missing Sun Security Patch number 114685-17 File : solaris9_x86_114685.nasl - Type : ACT_GATHER_INFO |