exploit the possibilities
Showing 1 - 15 of 15 RSS Feed

CVE-2007-2447

Status Candidate

Overview

The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

Related Files

Samba "username map script" Command Execution
Posted Feb 17, 2010
Authored by jduck | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in Samba versions 3.0.0 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

tags | exploit, arbitrary, shell
advisories | CVE-2007-2447
MD5 | 46bfc03e288419f9bc5b3e7317a34c3b
VMware Security Advisory 2007-0006
Posted Sep 20, 2007
Authored by VMware | Site vmware.com

VMware Security Advisory - Updates have been released for arbitrary code execution, denial of service, and other various vulnerabilities in VMware.

tags | advisory, denial of service, arbitrary, vulnerability, code execution
advisories | CVE-2007-2446, CVE-2007-2447, CVE-2007-0494, CVE-2007-2442, CVE-2007-2443, CVE-2007-2798, CVE-2007-0061, CVE-2007-0062, CVE-2007-0063, CVE-2007-4059, CVE-2007-4155, CVE-2007-4496, CVE-2007-4497, CVE-2007-1856, CVE-2006-1174, CVE-2006-4600, CVE-2004-0813, CVE-2007-1716
MD5 | 75a1ac8862ee8690edac336336695646
HP Security Bulletin 2007-14.24
Posted Jul 11, 2007
Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential vulnerabilities have been identified with Samba provided with HP Internet Express for Tru64 UNIX (IX) v 6.6. The potential vulnerabilities could be exploited by a remote, unauthenticated user to execute arbitrary commands or by a local, unauthorized user to gain privilege elevation.

tags | advisory, remote, arbitrary, local, vulnerability
systems | unix
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 0991bc3f4f0c48427f55531db4ac65ea
HP Security Bulletin 2007-14.24
Posted Jun 7, 2007
Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential vulnerabilities have been identified with HP-UX running CIFS Server (Samba). The vulnerabilities could be exploited remotely to execute arbitrary code.

tags | advisory, arbitrary, vulnerability
systems | hpux
advisories | CVE-2007-2446, CVE-2007-2447
MD5 | 1010e4187ccb67453b634b5c0cf3e5b8
Debian Linux Security Advisory 1291-4
Posted Jun 7, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-4 - The samba security update for CVE-2007-2446 introduced a regression, which broke connection to domain member servers in some scenarios. This update fixes this regression.

tags | advisory
systems | linux, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 6a69c9a77344d1a0be464f58f6388bf1
Mandriva Linux Security Advisory 2007.104
Posted May 30, 2007
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server. A remote authenticated user could trigger a flaw where unescaped user input parameters were being passed as arguments to /bin/sh. Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from name using the Samba local list of user and group accounts, a logic error in smbd's internal security stack could result in a transition to the root user id rather than the non-root user.

tags | advisory, remote, overflow, arbitrary, local, root
systems | linux, mandriva
advisories | CVE-2007-2446, CVE-2007-2447, CVE-2007-2444
MD5 | 03c7517049bd8ddbff5b953a0ff86565
Debian Linux Security Advisory 1291-3
Posted May 22, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-3 - The security update for CVE-2007-2444 introduced a regression in the handling of the "force group" share parameter if the forced group is a local Unix group for domain member servers. This update fixes this regression.

tags | advisory, local
systems | linux, unix, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 1ff6e301b3553e7c9b79d510fead0938
OpenPKG Security Advisory 2007.12
Posted May 21, 2007
Authored by OpenPKG Foundation | Site openpkg.com

OpenPKG Security Advisory - Multiple vulnerabilities were found in the CIFS/SMB server implementation Samba.

tags | advisory, vulnerability
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447, CVE-2007-2453, CVE-2007-2454
MD5 | ebff442b732d771ea800fb993d82fdaa
Debian Linux Security Advisory 1291-2
Posted May 21, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-2 - Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution.

tags | advisory, remote
systems | linux, debian
advisories | CVE-2007-2446, CVE-2007-2447
MD5 | bd00f0426584818823ae786c91fe45a4
Ubuntu Security Notice 460-1
Posted May 17, 2007
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 460-1 - Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges. Brian Schafer discovered that Samba did not handle NDR parsing correctly. A remote attacker could send specially crafted MS-RPC requests that could overwrite heap memory and execute arbitrary code. It was discovered that Samba did not correctly escape input parameters for external scripts defined in smb.conf. Remote authenticated users could send specially crafted MS-RPC requests and execute arbitrary shell commands.

tags | advisory, remote, arbitrary, shell, root
systems | linux, ubuntu
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 476081583b5fad8dc1a8e0b09b69c66f
Debian Linux Security Advisory 1291-1
Posted May 17, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-1 - Several issues have been identified in Samba, the SMB/CIFS file and print server implementation for GNU/Linux. When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish addition means of gaining root access to the server. Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution

tags | advisory, remote, local, root, protocol
systems | linux, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | abe8236f5ffb6e401b46583bc92e37e5
Gentoo Linux Security Advisory 200705-15
Posted May 17, 2007
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory GLSA 200705-15 - Samba contains a logical error in the smbd daemon when translating local SID to user names (CVE-2007-2444). Furthermore, Samba contains several bugs when parsing NDR encoded RPC parameters (CVE-2007-2446). Lastly, Samba fails to properly sanitize remote procedure input provided via Microsoft Remote Procedure Calls (CVE-2007-2447). Versions less than 3.0.24-r2 are affected.

tags | advisory, remote, local
systems | linux, gentoo
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
MD5 | 65698138a6ca1abe5ee01f4f35c2a8eb
Mandriva Linux Security Advisory 2007.104
Posted May 15, 2007
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server. A remote authenticated user could trigger a flaw where unescaped user input parameters were being passed as arguments to /bin/sh. Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from name using the Samba local list of user and group accounts, a logic error in smbd's internal security stack could result in a transition to the root user id rather than the non-root user.

tags | advisory, remote, overflow, arbitrary, local, root
systems | linux, mandriva
advisories | CVE-2007-2446, CVE-2007-2447
MD5 | 3eec7b3218dacabfa577cc59717b5c64
iDEFENSE Security Advisory 2007-05-14.1
Posted May 15, 2007
Authored by iDefense Labs | Site idefense.com

Remote exploitation of a command injection vulnerability within Samba Project's Samba could allow an attacker to execute arbitrary code with nobody privileges. The vulnerability exists within the code responsible for updating a user's password in the SAM database. Unfiltered user input is passed to "/bin/sh". This allows an attacker to execute arbitrary shell commands with the privileges of the nobody user. iDefense has confirmed the existence of this vulnerability in Samba version 3.0.24. Previous versions of Samba release 3 may be vulnerable. Release version 2 and below did not have this feature.

tags | advisory, remote, arbitrary, shell
advisories | CVE-2007-2447
MD5 | 629add6846a069a66788467f82a3a333
smb-inject.txt
Posted May 15, 2007
Site samba.org

In Samba versions 3.0.0 through 3.0.25rc3, unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution.

tags | advisory, remote
advisories | CVE-2007-2447
MD5 | a928f773292067758093af90d525a248
Page 1 of 1
Back1Next

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close