|
 |
|
Samba Multiple Vulnerabilities
|
|
|
|
|
Secunia Advisory:
|
SA25232
|
|
|
Release Date:
|
2007-05-15
|
|
Last Update:
|
2007-07-31
|
|
|
Critical:
|

Moderately critical
|
|
Impact:
|
Privilege escalation System access
|
|
Where:
|
From local network
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Samba 3.x
|
| | CVE reference: | CVE-2007-2444 (Secunia mirror) CVE-2007-2446 (Secunia mirror) CVE-2007-2447 (Secunia mirror) CVE-2007-4044 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product? - Companies can be alerted via email and SMS! |
|
|
Description: Some vulnerabilities have been reported in Samba, which can be exploited by malicious users to perform certain actions with escalated privileges and to compromise a vulnerable system, and by malicious people to compromise a vulnerable system.
1) An error in smbd when translating SIDs to and from names can be exploited to issue SMB/CIFS protocol operations as the root user.
Successful exploitation requires a valid user session.
2) An input validation error when updating a user's password can be exploited to inject and execute arbitrary shell commands via a specially crafted MS-RPC call.
Successful exploitation of this vulnerability requires that the "username map script" option is set in smb.conf, which is not the default setting. In addition, to successfully exploit this vulnerability via remote printer and file share management, an attacker requires a valid user session.
3) Input validation errors exist in the parsing of RPC requests to the LSA RPC interface. This can be exploited to cause heap based buffer overflows via specially crafted requests to "LsarAddPrivilegesToAccount", "LsarLookupSids", or "LsarLookupSids2".
4) An input validation error exists in the parsing of RPC requests to the DFS RPC interface. This can be exploited to cause a heap based buffer overflow via a specially crafted request to "DFSEnum".
5) An input validation error exists in the parsing of RPC requests to the SPOOLSS RPC interface. This can be exploited to cause a heap based buffer overflow via a specially crafted request to "RFNPCNEX".
6) An input validation error exists in the parsing of RPC requests to the SRVSVC RPC interface. This can be exploited to cause a heap based buffer overflow via a specially crafted request to "NetSetFileSecurity".
Successful exploitation of vulnerabilities #3 through #6 allows execution of arbitrary code, but requires a valid user session.
Vulnerability #1 is reported in versions 3.0.23d through 3.0.25pre2. Vulnerabilities #2 through #6 are reported in versions 3.0.0 through 3.0.25rc3.
Solution: Apply patches or update to version 3.0.25.
Patches:
http://www.samba.org/samba/security/
Note: The patch for CVE-2007-2447 was updated on June 5, 2007 due to missing the "c" character in the list of allowed characters.
Samba 3.0.25:
http://us1.samba.org/samba/download/
Provided and/or discovered by: 1) The vendor credits Paul Griffith and Andrew Hogue.
2) Discovered by an anonymous person and reported via iDefense Labs.
3-6) Discovered by an anonymous person and reported via ZDI.
Changelog: 2007-05-16: Updated "Description" section and "Other References" with information from ZDI.
2007-07-31: Added note about updated patch in "Solution" section. Added CVE reference.
Original Advisory: Samba:
http://us1.samba.org/samba/security/CVE-2007-2444.html
http://us1.samba.org/samba/security/CVE-2007-2446.html
http://us1.samba.org/samba/security/CVE-2007-2447.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-07-029.html
http://www.zerodayinitiative.com/advisories/ZDI-07-030.html
http://www.zerodayinitiative.com/advisories/ZDI-07-031.html
http://www.zerodayinitiative.com/advisories/ZDI-07-032.html
http://www.zerodayinitiative.com/advisories/ZDI-07-033.html
Other References: US-CERT VU#268336:
http://www.kb.cert.org/vuls/id/268336
US-CERT VU#773720:
http://www.kb.cert.org/vuls/id/773720
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
15 Related Secunia Security Advisories, displaying 10
|
|
|
1. Samba "receive_smb_raw()" Buffer Overflow Vulnerability
|
|
2. Samba "send_mailslot()" Buffer Overflow Vulnerability
|
|
3. Samba Multiple Buffer Overflow Vulnerabilities
|
|
4. Samba "winbind nss info" Privilege Escalation Security Issue
|
|
5. Samba Denial of Service and Format String Vulnerability
|
|
6. Samba Winbind Library Buffer Overflow Vulnerabilities
|
|
7. Samba Multiple Share Connection Requests Denial of Service
|
|
8. Samba Exposure of Machine Account Credentials
|
|
9. Samba Security Descriptor Parsing Integer Overflow Vulnerability
|
|
10. Samba QFILEPATHINFO Request Handler Buffer Overflow Vulnerability
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|

|
 |
Secunia PSI Scan | Patch | Track Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|