what you don't know can hurt you
Showing 1 - 22 of 22 RSS Feed

CVE-2007-2446

Status Candidate

Overview

Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

Related Files

Samba lsa_io_trans_names Heap Overflow
Posted Oct 27, 2009
Authored by Adriano Lima | Site risesecurity.org

This Metasploit module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

tags | exploit, overflow
advisories | CVE-2007-2446
MD5 | 8f84f393fa7096a43ae30b92fc8df61d
VMware Security Advisory 2007-0006
Posted Sep 20, 2007
Authored by VMware | Site vmware.com

VMware Security Advisory - Updates have been released for arbitrary code execution, denial of service, and other various vulnerabilities in VMware.

tags | advisory, denial of service, arbitrary, vulnerability, code execution
advisories | CVE-2007-2446, CVE-2007-2447, CVE-2007-0494, CVE-2007-2442, CVE-2007-2443, CVE-2007-2798, CVE-2007-0061, CVE-2007-0062, CVE-2007-0063, CVE-2007-4059, CVE-2007-4155, CVE-2007-4496, CVE-2007-4497, CVE-2007-1856, CVE-2006-1174, CVE-2006-4600, CVE-2004-0813, CVE-2007-1716
MD5 | 75a1ac8862ee8690edac336336695646
lsa_transnames_heap-osx.rb.txt
Posted Jul 26, 2007
Authored by H D Moore, Ramon de C Valle, Adriano Lima | Site risesecurity.org

This Metasploit module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free() to overwrite the size() or free() pointer in initial_malloc_zones structure. OSX version.

tags | exploit, overflow
systems | apple
advisories | CVE-2007-2446
MD5 | 1489b440c6e816a74e273d76060e724f
lsa_transnames_heap-solaris.rb.txt
Posted Jul 26, 2007
Authored by H D Moore, Ramon de C Valle, Adriano Lima | Site risesecurity.org

This Metasploit module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21 through 3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". Solaris version.

tags | exploit, overflow
systems | solaris
advisories | CVE-2007-2446
MD5 | 9f07c9cd8fd013c9608f103024c1c839
lsa_transnames_heap-linux.rb.txt
Posted Jul 26, 2007
Authored by H D Moore, Ramon de C Valle, Adriano Lima | Site risesecurity.org

This Metasploit module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21 through 3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2". Linux version.

tags | exploit, overflow
systems | linux
advisories | CVE-2007-2446
MD5 | 4f3d9021ab7aeab8ee51f9ee5605ad0c
HP Security Bulletin 2007-14.24
Posted Jul 11, 2007
Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential vulnerabilities have been identified with Samba provided with HP Internet Express for Tru64 UNIX (IX) v 6.6. The potential vulnerabilities could be exploited by a remote, unauthenticated user to execute arbitrary commands or by a local, unauthorized user to gain privilege elevation.

tags | advisory, remote, arbitrary, local, vulnerability
systems | unix
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 0991bc3f4f0c48427f55531db4ac65ea
HP Security Bulletin 2007-14.24
Posted Jun 7, 2007
Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential vulnerabilities have been identified with HP-UX running CIFS Server (Samba). The vulnerabilities could be exploited remotely to execute arbitrary code.

tags | advisory, arbitrary, vulnerability
systems | hpux
advisories | CVE-2007-2446, CVE-2007-2447
MD5 | 1010e4187ccb67453b634b5c0cf3e5b8
Debian Linux Security Advisory 1291-4
Posted Jun 7, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-4 - The samba security update for CVE-2007-2446 introduced a regression, which broke connection to domain member servers in some scenarios. This update fixes this regression.

tags | advisory
systems | linux, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 6a69c9a77344d1a0be464f58f6388bf1
Mandriva Linux Security Advisory 2007.104
Posted May 30, 2007
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server. A remote authenticated user could trigger a flaw where unescaped user input parameters were being passed as arguments to /bin/sh. Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from name using the Samba local list of user and group accounts, a logic error in smbd's internal security stack could result in a transition to the root user id rather than the non-root user.

tags | advisory, remote, overflow, arbitrary, local, root
systems | linux, mandriva
advisories | CVE-2007-2446, CVE-2007-2447, CVE-2007-2444
MD5 | 03c7517049bd8ddbff5b953a0ff86565
Debian Linux Security Advisory 1291-3
Posted May 22, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-3 - The security update for CVE-2007-2444 introduced a regression in the handling of the "force group" share parameter if the forced group is a local Unix group for domain member servers. This update fixes this regression.

tags | advisory, local
systems | linux, unix, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 1ff6e301b3553e7c9b79d510fead0938
OpenPKG Security Advisory 2007.12
Posted May 21, 2007
Authored by OpenPKG Foundation | Site openpkg.com

OpenPKG Security Advisory - Multiple vulnerabilities were found in the CIFS/SMB server implementation Samba.

tags | advisory, vulnerability
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447, CVE-2007-2453, CVE-2007-2454
MD5 | ebff442b732d771ea800fb993d82fdaa
Debian Linux Security Advisory 1291-2
Posted May 21, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-2 - Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution.

tags | advisory, remote
systems | linux, debian
advisories | CVE-2007-2446, CVE-2007-2447
MD5 | bd00f0426584818823ae786c91fe45a4
Ubuntu Security Notice 460-1
Posted May 17, 2007
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 460-1 - Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges. Brian Schafer discovered that Samba did not handle NDR parsing correctly. A remote attacker could send specially crafted MS-RPC requests that could overwrite heap memory and execute arbitrary code. It was discovered that Samba did not correctly escape input parameters for external scripts defined in smb.conf. Remote authenticated users could send specially crafted MS-RPC requests and execute arbitrary shell commands.

tags | advisory, remote, arbitrary, shell, root
systems | linux, ubuntu
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 476081583b5fad8dc1a8e0b09b69c66f
Zero Day Initiative Advisory 07-033
Posted May 17, 2007
Authored by Tipping Point | Site zerodayinitiative.com

A vulnerability allows attackers to execute arbitrary code on vulnerable installations of Samba. User interaction is not required to exploit this vulnerability. The specific flaw exists in the parsing of RPC requests to the LSA RPC interface. When parsing a request to LsarLookupSids/LsarLookupSids2, heap allocation is calculated based on user input. By specifying invalid values, heap blocks can be overwritten leading to remote code execution.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2007-2446
MD5 | 35687f97d20fbe66af1e1da1c5b0e9ab
Zero Day Initiative Advisory 07-032
Posted May 17, 2007
Authored by Tipping Point | Site zerodayinitiative.com

A vulnerability allows attackers to execute arbitrary code on vulnerable installations of Samba. User interaction is not required to exploit this vulnerability. The specific flaw exists in the parsing of RPC requests to the SRVSVC RPC interface. When parsing a request to NetSetFileSecurity, heap allocation is calculated based on user input. By specifying invalid values, heap blocks can be overwritten leading to remote code execution.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2007-2446
MD5 | f4fe06853dd941c84f9b054af34a737b
Zero Day Initiative Advisory 07-031
Posted May 17, 2007
Authored by Tipping Point | Site zerodayinitiative.com

A vulnerability allows attackers to execute arbitrary code on vulnerable installations of Samba. User interaction is not required to exploit this vulnerability. The specific flaw exists in the parsing of RPC requests to the SPOOLSS RPC interface. When parsing a request to RFNPCNEX, heap allocation is calculated based on user input. By specifying invalid values, heap blocks can be overwritten leading to remote code execution.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2007-2446
MD5 | f8dc71e8ab1c7c4c646b490428db484b
Zero Day Initiative Advisory 07-030
Posted May 17, 2007
Authored by Tipping Point | Site zerodayinitiative.com

A vulnerability allows attackers to execute arbitrary code on vulnerable installations of Samba. User interaction is not required to exploit this vulnerability. The specific flaw exists in the parsing of RPC requests to the DFS RPC interface. When parsing a request to DFSEnum, heap allocation is calculated based on user input. By specifying invalid values, heap blocks can be overwritten leading to remote code execution.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2007-2446
MD5 | d549778dfbb738edf585c7b51106b601
Zero Day Initiative Advisory 07-029
Posted May 17, 2007
Authored by Tipping Point | Site zerodayinitiative.com

A vulnerability allows attackers to execute arbitrary code on vulnerable installations of Samba. User interaction is not required to exploit this vulnerability. The specific flaw exists in the parsing of RPC requests to the LSA RPC interface. When parsing a request to LsarAddPrivilegesToAccount, heap allocation is calculated based on user input. By specifying invalid values, heap blocks can be overwritten leading to remote code execution.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2007-2446
MD5 | ce96031b28a8ba05deb2c066745918c9
Debian Linux Security Advisory 1291-1
Posted May 17, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-1 - Several issues have been identified in Samba, the SMB/CIFS file and print server implementation for GNU/Linux. When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish addition means of gaining root access to the server. Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution

tags | advisory, remote, local, root, protocol
systems | linux, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | abe8236f5ffb6e401b46583bc92e37e5
Gentoo Linux Security Advisory 200705-15
Posted May 17, 2007
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory GLSA 200705-15 - Samba contains a logical error in the smbd daemon when translating local SID to user names (CVE-2007-2444). Furthermore, Samba contains several bugs when parsing NDR encoded RPC parameters (CVE-2007-2446). Lastly, Samba fails to properly sanitize remote procedure input provided via Microsoft Remote Procedure Calls (CVE-2007-2447). Versions less than 3.0.24-r2 are affected.

tags | advisory, remote, local
systems | linux, gentoo
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 65698138a6ca1abe5ee01f4f35c2a8eb
Mandriva Linux Security Advisory 2007.104
Posted May 15, 2007
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server. A remote authenticated user could trigger a flaw where unescaped user input parameters were being passed as arguments to /bin/sh. Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from name using the Samba local list of user and group accounts, a logic error in smbd's internal security stack could result in a transition to the root user id rather than the non-root user.

tags | advisory, remote, overflow, arbitrary, local, root
systems | linux, mandriva
advisories | CVE-2007-2446, CVE-2007-2447
MD5 | 3eec7b3218dacabfa577cc59717b5c64
smb-exec.txt
Posted May 15, 2007
Site samba.org

In Samba versions 3.0.0 through 3.0.25rc3, various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data.

tags | advisory
advisories | CVE-2007-2446
MD5 | 29d7d70512147589e6d1e472eab78920
Page 1 of 1
Back1Next

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close