ID CVE-2004-0600
Summary Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication.
References
Vulnerable Configurations
  • Samba 3.0.2
    cpe:2.3:a:samba:samba:3.0.2
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2a
  • Samba 3.0.3
    cpe:2.3:a:samba:samba:3.0.3
  • Samba 3.0.4
    cpe:2.3:a:samba:samba:3.0.4
  • Trustix Secure Linux 1.5
    cpe:2.3:o:trustix:secure_linux:1.5
  • Trustix Secure Linux 2.0
    cpe:2.3:o:trustix:secure_linux:2.0
  • Trustix Secure Linux 2.1
    cpe:2.3:o:trustix:secure_linux:2.1
CVSS
Base: 10.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
exploit-db via4
description Samba <= 3.0.4 SWAT Authorization Buffer Overflow Exploit. CVE-2004-0600. Remote exploit for linux platform
id EDB-ID:364
last seen 2016-01-31
modified 2004-07-22
published 2004-07-22
reporter Noam Rathaus
source https://www.exploit-db.com/download/364/
title Samba <= 3.0.4 SWAT Authorization Buffer Overflow Exploit
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_SAMBA_304_4.NASL
    description The following package needs to be updated: ja-samba
    last seen 2016-09-26
    modified 2004-07-22
    plugin id 13656
    published 2004-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13656
    title FreeBSD : Multiple Potential Buffer Overruns in Samba (173)
  • NASL family Web Servers
    NASL id SWAT_OVERFLOW.NASL
    description The remote host is running SWAT - a web-based administration tool for Samba. There is a buffer overflow condition in the remote version of this software which might allow an attacker to execute arbitrary code on the remote host by sending a malformed authorization request (or any malformed base64 data).
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 13660
    published 2004-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13660
    title Samba SWAT HTTP Basic Auth base64 Overflow
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2004-207-01.NASL
    description New samba packages are available for Slackware 8.1, 9.0, 9.1, 10.0 and -current to fix security issues.
    last seen 2019-02-21
    modified 2013-06-01
    plugin id 18774
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18774
    title Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : new samba packages (SSA:2004-207-01)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-071.NASL
    description A vulnerability was discovered in SWAT, the Samba Web Administration Tool. The routine used to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. This same code is also used to internally decode the sambaMungedDial attribute value when using the ldapsam passdb backend, and to decode input given to the ntlm_auth tool. This vulnerability only exists in Samba versions 3.0.2 or later; the 3.0.5 release fixes the vulnerability. Systems using SWAT, the ldapsam passdb backend, and those running winbindd and allowing third-party applications to issue authentication requests via ntlm_auth tool should upgrade immediately. (CVE-2004-0600) A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. This bug is present in Samba 3.0.0 and later, as well as Samba 2.2.X (CVE-2004-0686). This update also fixes a bug where attempting to print in some cases would cause smbd to exit with a signal 11.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14170
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14170
    title Mandrake Linux Security Advisory : samba (MDKSA-2004:071)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_2DE14F7ADAD911D8B59A00061BC2AD93.NASL
    description Evgeny Demidov discovered that the Samba server has a buffer overflow in the Samba Web Administration Tool (SWAT) on decoding Base64 data during HTTP Basic Authentication. Versions 3.0.2 through 3.0.4 are affected. Another buffer overflow bug has been found in the code used to support the 'mangling method = hash' smb.conf option. The default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. Versions between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 37185
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37185
    title FreeBSD : Multiple Potential Buffer Overruns in Samba (2de14f7a-dad9-11d8-b59a-00061bc2ad93)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2004_022.NASL
    description The remote host is missing the patch for the advisory SUSE-SA:2004:022 (samba). The Samba Web Administration Tool (SWAT) was found vulnerable to a buffer overflow in its base64 code. This buffer overflow can possibly be exploited remotely before any authentication took place to execute arbitrary code. The same piece of vulnerable code was also used in ldapsam passdb and in the ntlm_auth tool. This vulnerability only exists on Samba 3.0.2 to 3.0.4. Another buffer overflow was found in Samba 3.0.0 and later, as well as in Samba 2.2.x. This overflow exists in the hash code of the mangling method (smb.conf: mangling method = hash), the default uses hash2 which is not vulnerable. There is no temporary workaround known. The first proof-of-concept exploits were seen on public mailing lists. After the installation was successfully completed please restart the samba daemon. /usr/sbin/rcsmb restart SWAT is called by inetd/xinetd. Therefore it is sufficient to kill all running instances of SWAT only. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.
    last seen 2019-02-21
    modified 2010-10-06
    plugin id 13838
    published 2004-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13838
    title SUSE-SA:2004:022: samba
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-259.NASL
    description Updated samba packages that fix buffer overflows, as well as other various bugs, are now available. Samba provides file and printer sharing services to SMB/CIFS clients. Evgeny Demidov discovered a flaw in the internal routine used by the Samba Web Administration Tool (SWAT) in Samba versions 3.0.2 through 3.0.4. When decoding base-64 data during HTTP basic authentication, an invalid base-64 character could cause a buffer overflow. If the SWAT administration service is enabled, this flaw could allow an attacker to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0600 to this issue. Additionally, the Samba team discovered a buffer overflow in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0686 to this issue. This release includes the updated upstream version 3.0.4 together with backported security patches to correct these issues as well as a number of post-3.0.4 bug fixes from the Samba subversion repository. The most important bug fix allows Samba users to change their passwords if Microsoft patch KB 828741 (a critical update) had been applied. All users of Samba should upgrade to these updated packages, which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 13658
    published 2004-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13658
    title RHEL 3 : samba (RHSA-2004:259)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200407-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-200407-21 (Samba: Multiple buffer overflows) Evgeny Demidov found a buffer overflow in SWAT, located in the base64 data decoder used to handle HTTP basic authentication (CAN-2004-0600). The same flaw is present in the code used to handle the sambaMungedDial attribute value, when using the ldapsam passdb backend. Another buffer overflow was found in the code used to support the 'mangling method = hash' smb.conf option (CAN-2004-0686). Note that the default Samba value for this option is 'mangling method = hash2' which is not vulnerable. Impact : The SWAT authentication overflow could be exploited to execute arbitrary code with the rights of the Samba daemon process. The overflow in the sambaMungedDial handling code is not thought to be exploitable. The buffer overflow in 'mangling method = hash' code could also be used to execute arbitrary code on vulnerable configurations. Workaround : Users disabling SWAT, not using ldapsam passdb backends and not using the 'mangling method = hash' option are not vulnerable.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 14554
    published 2004-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14554
    title GLSA-200407-21 : Samba: Multiple buffer overflows
  • NASL family Misc.
    NASL id SAMBA_3_0_5.NASL
    description According to its banner, the version of Samba running on the remote host is between 3.0.2 and 3.0.4, inclusive. An error exists in the base64 decoding functions, which can result in a buffer overflow.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17720
    published 2011-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17720
    title Samba SWAT 3.0.2 - 3.0.4 HTTP Basic Auth base64 Buffer Overflow
oval via4
accepted 2013-04-29T04:14:05.944-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
description Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication.
family unix
id oval:org.mitre.oval:def:11445
status accepted
submitted 2010-07-09T03:56:16-04:00
title Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication.
version 23
packetstorm via4
data source https://packetstormsecurity.com/files/download/33855/sambaPoC.txt
id PACKETSTORM:33855
last seen 2016-12-05
published 2004-07-23
reporter Noam Rathaus
source https://packetstormsecurity.com/files/33855/sambaPoC.txt.html
title sambaPoC.txt
redhat via4
advisories
rhsa
id RHSA-2004:259
refmap via4
bugtraq
  • 20040722 SWAT PreAuthorization PoC
  • 20040722 Samba 3.x swat preauthentication buffer overflow
  • 20040722 Security Release - Samba 3.0.5 and 2.2.10
  • 20040722 TSSA-2004-014 - samba
  • 20040722 [OpenPKG-SA-2004.033] OpenPKG Security Advisory (samba)
conectiva
  • CLA-2004:851
  • CLA-2004:854
gentoo GLSA-200407-21
mandrake MDKSA-2004:071
suse SUSE-SA:2004:022
trustix 2004-0039
xf samba-swat-base64-bo(16785)
Last major update 17-10-2016 - 22:46
Published 27-07-2004 - 00:00
Last modified 10-10-2017 - 21:29