exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 15 of 15 RSS Feed

CVE-2007-2447

Status Candidate

Overview

The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

Related Files

Samba "username map script" Command Execution
Posted Feb 17, 2010
Authored by jduck | Site metasploit.com

This Metasploit module exploits a command execution vulnerability in Samba versions 3.0.0 through 3.0.25rc3 when using the non-default "username map script" configuration option. By specifying a username containing shell meta characters, attackers can execute arbitrary commands. No authentication is needed to exploit this vulnerability since this option is used to map usernames prior to authentication!

tags | exploit, arbitrary, shell
advisories | CVE-2007-2447
SHA-256 | b289ab34ef82c72ff59a32cde7bdb820e7678c2f9076832f19327938ba6cf263
VMware Security Advisory 2007-0006
Posted Sep 20, 2007
Authored by VMware | Site vmware.com

VMware Security Advisory - Updates have been released for arbitrary code execution, denial of service, and other various vulnerabilities in VMware.

tags | advisory, denial of service, arbitrary, vulnerability, code execution
advisories | CVE-2007-2446, CVE-2007-2447, CVE-2007-0494, CVE-2007-2442, CVE-2007-2443, CVE-2007-2798, CVE-2007-0061, CVE-2007-0062, CVE-2007-0063, CVE-2007-4059, CVE-2007-4155, CVE-2007-4496, CVE-2007-4497, CVE-2007-1856, CVE-2006-1174, CVE-2006-4600, CVE-2004-0813, CVE-2007-1716
SHA-256 | f186f94a09bad9dba4b82b1daa59265b1954d193e8533587d0fe2348c1f58bec
HP Security Bulletin 2007-14.24
Posted Jul 11, 2007
Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential vulnerabilities have been identified with Samba provided with HP Internet Express for Tru64 UNIX (IX) v 6.6. The potential vulnerabilities could be exploited by a remote, unauthenticated user to execute arbitrary commands or by a local, unauthorized user to gain privilege elevation.

tags | advisory, remote, arbitrary, local, vulnerability
systems | unix
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
SHA-256 | 23966da5584e9e4ffa5a6283e67cdaa9ec6d2cadc2a87dcce5814921d76779b2
HP Security Bulletin 2007-14.24
Posted Jun 7, 2007
Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential vulnerabilities have been identified with HP-UX running CIFS Server (Samba). The vulnerabilities could be exploited remotely to execute arbitrary code.

tags | advisory, arbitrary, vulnerability
systems | hpux
advisories | CVE-2007-2446, CVE-2007-2447
SHA-256 | ad6a1b5d098b8eecd63cfedf8a874e5b4d3cc46528fe36eb85934ab4e10e0e8b
Debian Linux Security Advisory 1291-4
Posted Jun 7, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-4 - The samba security update for CVE-2007-2446 introduced a regression, which broke connection to domain member servers in some scenarios. This update fixes this regression.

tags | advisory
systems | linux, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
SHA-256 | ca183405f2b1680ff8eecc3e3bd42583d58d4b5c42ab6cf1c4eff0b8c06ee585
Mandriva Linux Security Advisory 2007.104
Posted May 30, 2007
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server. A remote authenticated user could trigger a flaw where unescaped user input parameters were being passed as arguments to /bin/sh. Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from name using the Samba local list of user and group accounts, a logic error in smbd's internal security stack could result in a transition to the root user id rather than the non-root user.

tags | advisory, remote, overflow, arbitrary, local, root
systems | linux, mandriva
advisories | CVE-2007-2446, CVE-2007-2447, CVE-2007-2444
SHA-256 | 86de3c706857ded99d56047efb47ebe3e745af47ea791c8e0aae3aed6d2adbc6
Debian Linux Security Advisory 1291-3
Posted May 22, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-3 - The security update for CVE-2007-2444 introduced a regression in the handling of the "force group" share parameter if the forced group is a local Unix group for domain member servers. This update fixes this regression.

tags | advisory, local
systems | linux, unix, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
SHA-256 | 50bf3c3fe92af9a400e90d59ec1d9b9b6598883bf6761140638087496f609883
OpenPKG Security Advisory 2007.12
Posted May 21, 2007
Authored by OpenPKG Foundation | Site openpkg.com

OpenPKG Security Advisory - Multiple vulnerabilities were found in the CIFS/SMB server implementation Samba.

tags | advisory, vulnerability
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447, CVE-2007-2453, CVE-2007-2454
SHA-256 | 9c9c5ff7ea80d2352d3c98caf5ce202df67d9f7bcb059cafc04b46c14805b953
Debian Linux Security Advisory 1291-2
Posted May 21, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-2 - Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution.

tags | advisory, remote
systems | linux, debian
advisories | CVE-2007-2446, CVE-2007-2447
SHA-256 | 2a94188debaeed0271961988ceea32ed5ed4f3714d8e7a86579742a77ad85a4a
Ubuntu Security Notice 460-1
Posted May 17, 2007
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 460-1 - Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges. Brian Schafer discovered that Samba did not handle NDR parsing correctly. A remote attacker could send specially crafted MS-RPC requests that could overwrite heap memory and execute arbitrary code. It was discovered that Samba did not correctly escape input parameters for external scripts defined in smb.conf. Remote authenticated users could send specially crafted MS-RPC requests and execute arbitrary shell commands.

tags | advisory, remote, arbitrary, shell, root
systems | linux, ubuntu
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
SHA-256 | 6914e4ef57d5cba14b131afee51e340df9513c0e417dc92314448e89e764889f
Debian Linux Security Advisory 1291-1
Posted May 17, 2007
Authored by Debian | Site debian.org

Debian Security Advisory 1291-1 - Several issues have been identified in Samba, the SMB/CIFS file and print server implementation for GNU/Linux. When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish addition means of gaining root access to the server. Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution

tags | advisory, remote, local, root, protocol
systems | linux, debian
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
SHA-256 | 2c5900e1912afd8808c8d32a8f51cf028a1f8f9945e52bcc70856e6f69c1562f
Gentoo Linux Security Advisory 200705-15
Posted May 17, 2007
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory GLSA 200705-15 - Samba contains a logical error in the smbd daemon when translating local SID to user names (CVE-2007-2444). Furthermore, Samba contains several bugs when parsing NDR encoded RPC parameters (CVE-2007-2446). Lastly, Samba fails to properly sanitize remote procedure input provided via Microsoft Remote Procedure Calls (CVE-2007-2447). Versions less than 3.0.24-r2 are affected.

tags | advisory, remote, local
systems | linux, gentoo
advisories | CVE-2007-2444, CVE-2007-2446, CVE-2007-2447
SHA-256 | 11828015d844fd7596084722c8d3906387cfbfabeefee3497ff0cdd5165a5763
Mandriva Linux Security Advisory 2007.104
Posted May 15, 2007
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server. A remote authenticated user could trigger a flaw where unescaped user input parameters were being passed as arguments to /bin/sh. Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from name using the Samba local list of user and group accounts, a logic error in smbd's internal security stack could result in a transition to the root user id rather than the non-root user.

tags | advisory, remote, overflow, arbitrary, local, root
systems | linux, mandriva
advisories | CVE-2007-2446, CVE-2007-2447
SHA-256 | 6c83583361b6eac643ad28ec00b69b37e84140638e39e45f6f79b68236618c56
iDEFENSE Security Advisory 2007-05-14.1
Posted May 15, 2007
Authored by iDefense Labs | Site idefense.com

Remote exploitation of a command injection vulnerability within Samba Project's Samba could allow an attacker to execute arbitrary code with nobody privileges. The vulnerability exists within the code responsible for updating a user's password in the SAM database. Unfiltered user input is passed to "/bin/sh". This allows an attacker to execute arbitrary shell commands with the privileges of the nobody user. iDefense has confirmed the existence of this vulnerability in Samba version 3.0.24. Previous versions of Samba release 3 may be vulnerable. Release version 2 and below did not have this feature.

tags | advisory, remote, arbitrary, shell
advisories | CVE-2007-2447
SHA-256 | 09d8dddb1bdf4c327afcf8233bd530bb69472f703ec593e9e88197895baafe67
smb-inject.txt
Posted May 15, 2007
Site samba.org

In Samba versions 3.0.0 through 3.0.25rc3, unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution.

tags | advisory, remote
advisories | CVE-2007-2447
SHA-256 | 9e82fbe530a6ed212e4491072b4a99d5bc21489dc265219a522241d11631d74c
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close