ID CVE-2007-2444
Summary Logic error in the SID/Name translation functionality in smbd in Samba 3.0.23d through 3.0.25pre2 allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the root user.
References
Vulnerable Configurations
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23d
  • Samba 3.0.25 pre2
    cpe:2.3:a:samba:samba:3.0.25:pre2
CVSS
Base: 7.2 (as of 15-05-2007 - 15:51)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-506.NASL
    description This release of Samba fixes some serious security bugs:
      - CVE-2007-2444
      - CVE-2007-2446
      - CVE-2007-2447
      Official upstream announcements here:
      http://www.samba.org/samba/security/CVE-2007-2444.html
      http://www.samba.org/samba/security/CVE-2007-2446.html
      http://www.samba.org/samba/security/CVE-2007-2447.html
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-20
    plugin id 25233
    published 2007-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25233
    title Fedora Core 5 : samba-3.0.24-5.fc5 (2007-506)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-507.NASL
    description This release of Samba fixes some serious security bugs:
      - CVE-2007-2444
      - CVE-2007-2446
      - CVE-2007-2447
      Official upstream announcements here:
      http://www.samba.org/samba/security/CVE-2007-2444.html
      http://www.samba.org/samba/security/CVE-2007-2446.html
      http://www.samba.org/samba/security/CVE-2007-2447.html
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-20
    plugin id 25234
    published 2007-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25234
    title Fedora Core 6 : samba-3.0.24-5.fc6 (2007-507)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-460-2.NASL
    description USN-460-1 fixed several vulnerabilities in Samba. The upstream changes for CVE-2007-2444 had an unexpected side-effect in Feisty. Shares configured with the 'force group' option no longer behaved correctly. This update corrects the problem. We apologize for the inconvenience. Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges. (CVE-2007-2444). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28060
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28060
    title Ubuntu 7.04 : samba regression (USN-460-2)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-134-01.NASL
    description New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 25222
    published 2007-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25222
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / current : samba (SSA:2007-134-01)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-460-1.NASL
    description Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges. (CVE-2007-2444) Brian Schafer discovered that Samba did not handle NDR parsing correctly. A remote attacker could send specially crafted MS-RPC requests that could overwrite heap memory and execute arbitrary code. (CVE-2007-2446) It was discovered that Samba did not correctly escape input parameters for external scripts defined in smb.conf. Remote authenticated users could send specially crafted MS-RPC requests and execute arbitrary shell commands. (CVE-2007-2447). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28059
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28059
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : samba vulnerabilities (USN-460-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1291.NASL
    description Several issues have been identified in Samba, the SMB/CIFS file- and print-server implementation for GNU/Linux.
      - CVE-2007-2444: When translating SIDs to/from names using Samba's local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server.
      - CVE-2007-2446: Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user-defined data.
      - CVE-2007-2447: Unescaped user input parameters are passed as arguments to /bin/sh, allowing for remote command execution.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 25228
    published 2007-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25228
    title Debian DSA-1291-1 : samba - several vulnerabilities
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200705-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-200705-15 (Samba: Multiple vulnerabilities) Samba contains a logical error in the smbd daemon when translating local SID to user names (CVE-2007-2444). Furthermore, Samba contains several bugs when parsing NDR encoded RPC parameters (CVE-2007-2446). Lastly, Samba fails to properly sanitize remote procedure input provided via Microsoft Remote Procedure Calls (CVE-2007-2447). Impact : A remote attacker could exploit these vulnerabilities to gain root privileges via various vectors. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 25236
    published 2007-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25236
    title GLSA-200705-15 : Samba: Multiple vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-104.NASL
    description A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server (CVE-2007-2446). A remote authenticated user could trigger a flaw where unescaped user input parameters were being passed as arguments to /bin/sh (CVE-2007-2447). Finally, on Samba 3.0.23d and higher, when Samba translated SID to/from name using the Samba local list of user and group accounts, a logic error in smbd's internal security stack could result in a transition to the root user id rather than the non-root user (CVE-2007-2444). Update : The fix for CVE-2007-2444 broke the behaviour of force group when the forced group is a local Unix group for domain member servers. This update corrects that regression.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 25237
    published 2007-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25237
    title Mandrake Linux Security Advisory : samba (MDKSA-2007:104-1)
  • NASL family Misc.
    NASL id SAMBA_3_0_25.NASL
    description According to its banner, the version of the Samba server installed on the remote host is affected by multiple buffer overflow and remote command injection vulnerabilities, which can be exploited remotely, as well as a local privilege escalation bug.
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 25217
    published 2007-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25217
    title Samba < 3.0.25 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SAMBA-3350.NASL
    description Specially crafted MS-RPC packets could overwrite heap memory and therefore could potentially be exploited to execute code (CVE-2007-2446). Authenticated users could leverage specially crafted MS-RPC packets to pass arguments unfiltered to /bin/sh (CVE-2007-2447). A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB protocol operations as root (CVE-2007-2444).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27430
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27430
    title openSUSE 10 Security Update : samba (samba-3350)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3546A83303EA11DCA51D0019B95D4F14.NASL
    description The Samba Team reports:
      A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB/CIFS protocol operations as root. When translating SIDs to/from names using Samba's local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server.
      Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user-defined data.
      Unescaped user input parameters are passed as arguments to /bin/sh, allowing for remote command execution. This bug was originally reported against the anonymous calls to the SamrChangePassword() MS-RPC function in combination with the 'username map script' smb.conf option (which is not enabled by default). After further investigation by Samba developers, it was determined that the problem was much broader and impacts remote printer and file share management as well. The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking external scripts defined in smb.conf. However, unlike the 'username map script' vulnerability, the remote file and printer management scripts require an authenticated user session.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 25260
    published 2007-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25260
    title FreeBSD : samba -- multiple vulnerabilities (3546a833-03ea-11dc-a51d-0019b95d4f14)
refmap via4
bid 23974
bugtraq
  • 20070513 [SAMBA-SECURITY] CVE-2007-2444: Local SID/Name Translation Failure Can Result in User Privilege Elevation
  • 20070515 FLEA-2007-0017-1: samba
confirm
debian DSA-1291
gentoo GLSA-200705-15
hp
  • HPSBTU02218
  • SSRT071424
mandriva MDKSA-2007:104
openpkg OpenPKG-SA-2007.012
osvdb 34698
sectrack 1018049
secunia
  • 25232
  • 25241
  • 25246
  • 25251
  • 25255
  • 25256
  • 25259
  • 25270
  • 25289
  • 25675
  • 25772
slackware SSA:2007-134-01
sreason 2701
sunalert
  • 102964
  • 200588
suse SUSE-SA:2007:031
trustix 2007-0017
ubuntu
  • USN-460-1
  • USN-460-2
vupen
  • ADV-2007-1805
  • ADV-2007-2210
  • ADV-2007-2281
statements via4
contributor Mark J Cox
lastmodified 2007-05-15
organization Red Hat
statement Not vulnerable. These issues did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Last major update 18-07-2013 - 01:31
Published 14-05-2007 - 17:19
Last modified 16-10-2018 - 12:43