ID CVE-2007-6015
Summary Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.
References
Vulnerable Configurations
  • Samba 2.0.1
    cpe:2.3:a:samba:samba:2.0.1
  • Samba 2.0.2
    cpe:2.3:a:samba:samba:2.0.2
  • Samba 2.0.3
    cpe:2.3:a:samba:samba:2.0.3
  • Samba 2.0.4
    cpe:2.3:a:samba:samba:2.0.4
  • Samba 2.0.5
    cpe:2.3:a:samba:samba:2.0.5
  • Samba 2.0.6
    cpe:2.3:a:samba:samba:2.0.6
  • Samba 2.0.7
    cpe:2.3:a:samba:samba:2.0.7
  • Samba 2.0.8
    cpe:2.3:a:samba:samba:2.0.8
  • Samba 2.0.9
    cpe:2.3:a:samba:samba:2.0.9
  • Samba 2.0.10
    cpe:2.3:a:samba:samba:2.0.10
  • Samba 2.2.0
    cpe:2.3:a:samba:samba:2.2.0
  • Samba 2.2.0a
    cpe:2.3:a:samba:samba:2.2.0a
  • Samba 2.2.1a
    cpe:2.3:a:samba:samba:2.2.1a
  • Samba 2.2.2
    cpe:2.3:a:samba:samba:2.2.2
  • Samba 2.2.3
    cpe:2.3:a:samba:samba:2.2.3
  • Samba 2.2.3a
    cpe:2.3:a:samba:samba:2.2.3a
  • Samba 2.2.4
    cpe:2.3:a:samba:samba:2.2.4
  • Samba 2.2.5
    cpe:2.3:a:samba:samba:2.2.5
  • Samba 2.2.6
    cpe:2.3:a:samba:samba:2.2.6
  • Samba 2.2.7
    cpe:2.3:a:samba:samba:2.2.7
  • Samba 2.2.7a
    cpe:2.3:a:samba:samba:2.2.7a
  • Samba 2.2.8
    cpe:2.3:a:samba:samba:2.2.8
  • Samba 2.2.8a
    cpe:2.3:a:samba:samba:2.2.8a
  • Samba 2.2.9
    cpe:2.3:a:samba:samba:2.2.9
  • Samba 2.2.11
    cpe:2.3:a:samba:samba:2.2.11
  • Samba 2.2.12
    cpe:2.3:a:samba:samba:2.2.12
  • Samba 3.0.0
    cpe:2.3:a:samba:samba:3.0.0
  • Samba 3.0.1
    cpe:2.3:a:samba:samba:3.0.1
  • Samba 3.0.2
    cpe:2.3:a:samba:samba:3.0.2
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2a
  • Samba 3.0.10
    cpe:2.3:a:samba:samba:3.0.10
  • Samba 3.0.11
    cpe:2.3:a:samba:samba:3.0.11
  • Samba 3.0.12
    cpe:2.3:a:samba:samba:3.0.12
  • Samba 3.0.13
    cpe:2.3:a:samba:samba:3.0.13
  • Samba 3.0.14
    cpe:2.3:a:samba:samba:3.0.14
  • Samba 3.0.14a
    cpe:2.3:a:samba:samba:3.0.14a
  • Samba 3.0.20
    cpe:2.3:a:samba:samba:3.0.20
  • Samba 3.0.20a
    cpe:2.3:a:samba:samba:3.0.20a
  • Samba 3.0.20b
    cpe:2.3:a:samba:samba:3.0.20b
  • Samba 3.0.21
    cpe:2.3:a:samba:samba:3.0.21
  • Samba 3.0.21a
    cpe:2.3:a:samba:samba:3.0.21a
  • Samba 3.0.21b
    cpe:2.3:a:samba:samba:3.0.21b
  • Samba 3.0.21c
    cpe:2.3:a:samba:samba:3.0.21c
  • Samba 3.0.22
    cpe:2.3:a:samba:samba:3.0.22
  • Samba 3.0.23a
    cpe:2.3:a:samba:samba:3.0.23a
  • Samba 3.0.23b
    cpe:2.3:a:samba:samba:3.0.23b
  • Samba 3.0.23c
    cpe:2.3:a:samba:samba:3.0.23c
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23d
  • Samba 3.0.24
    cpe:2.3:a:samba:samba:3.0.24
  • Samba 3.0.25
    cpe:2.3:a:samba:samba:3.0.25
  • Samba 3.0.25 pre1
    cpe:2.3:a:samba:samba:3.0.25:pre1
  • Samba 3.0.25 pre2
    cpe:2.3:a:samba:samba:3.0.25:pre2
  • Samba 3.0.25 release candidate 1
    cpe:2.3:a:samba:samba:3.0.25:rc1
  • Samba 3.0.25 release candidate 2
    cpe:2.3:a:samba:samba:3.0.25:rc2
  • Samba 3.0.25 release candidate 3
    cpe:2.3:a:samba:samba:3.0.25:rc3
  • Samba 3.0.25a
    cpe:2.3:a:samba:samba:3.0.25a
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25b
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25c
  • Samba 3.0.26
    cpe:2.3:a:samba:samba:3.0.26
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26a
  • Samba 3.0.27
    cpe:2.3:a:samba:samba:3.0.27
CVSS
Base: 9.3 (as of 14-12-2007 - 11:47)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
description Samba 3.0.27a send_mailslot() Remote Buffer Overflow PoC. CVE-2007-6015. DoS exploit for the Linux platform
id EDB-ID:4732
last seen 2016-01-31
modified 2007-12-14
published 2007-12-14
reporter x86
source https://www.exploit-db.com/download/4732/
title Samba 3.0.27a send_mailslot Remote Buffer Overflow PoC
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2008-001.NASL
    description The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-001 applied. This update contains several security fixes for a number of programs.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 30254
    published 2008-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30254
    title Mac OS X Multiple Vulnerabilities (Security Update 2008-001)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_5_2.NASL
    description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.2. Mac OS X 10.5.2 contains several security fixes for a number of programs.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 30255
    published 2008-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30255
    title Mac OS X 10.5.x < 10.5.2 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1114.NASL
    description Updated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 29303
    published 2007-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29303
    title RHEL 2.1 / 3 / 4 / 5 : samba (RHSA-2007:1114)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_114685.NASL
    description SunOS 5.9_x86: Samba Patch. Date this patch was last updated by Sun: Dec/22/10
    last seen 2018-09-01
    modified 2016-12-09
    plugin id 13609
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13609
    title Solaris 9 (x86) : 114685-17
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_114684.NASL
    description SunOS 5.9: Samba Patch. Date this patch was last updated by Sun: Dec/22/10
    last seen 2018-09-02
    modified 2016-12-09
    plugin id 13559
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13559
    title Solaris 9 (sparc) : 114684-17
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-1114.NASL
    description From Red Hat Security Advisory 2007:1114 : Updated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67620
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67620
    title Oracle Linux 3 / 4 / 5 : samba (ELSA-2007-1114)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-1114.NASL
    description Updated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29256
    published 2007-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29256
    title CentOS 3 / 4 / 5 : samba (CESA-2007:1114)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071210_SAMBA_ON_SL5_X.NASL
    description A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60328
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60328
    title Scientific Linux Security Update : samba on SL5.x, SL4.x, SL3.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-4269.NASL
    description Security release, fixes vulnerability reported as CVE-2007-6015 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 29279
    published 2007-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29279
    title Fedora 7 : samba-3.0.28-0.fc7 (2007-4269)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-4777.NASL
    description This update of samba fixes a buffer overflow in function send_mailslot() that allows the stack to be overwritten with zero bytes. (CVE-2007-6015)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 29343
    published 2007-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29343
    title openSUSE 10 Security Update : cifs-mount (cifs-mount-4777)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_FFCBD42DA8C511DCBEC202E0185F8D72.NASL
    description Secunia Research reports : Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the 'send_mailslot()' function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted 'SAMLOGON' domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string. Successful exploitation allows execution of arbitrary code, but requires that the 'domain logons' option is enabled.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29691
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29691
    title FreeBSD : samba -- buffer overflow vulnerability (ffcbd42d-a8c5-11dc-bec2-02e0185f8d72)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-4275.NASL
    description Security release, fixes vulnerability reported as CVE-2007-6015 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-21
    plugin id 29280
    published 2007-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29280
    title Fedora 8 : samba-3.0.28-0.fc8 (2007-4275)
  • NASL family Misc.
    NASL id SAMBA_3_0_28.NASL
    description According to its banner, the version of the Samba server on the remote host is reportedly affected by a boundary error in 'nmbd' within the 'send_mailslot' function. Provided the 'domain logons' option is enabled in 'smb.conf', an attacker can leverage this issue to produce a stack-based buffer overflow using a 'SAMLOGON' domain logon packet in which the username string is placed at an odd offset and is followed by a long 'GETDC' string. Note that Nessus has not actually tried to exploit this issue nor verify whether the 'domain logons' option has been enabled on the remote host.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 29253
    published 2007-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29253
    title Samba < 3.0.28 send_mailslot Function Remote Buffer Overflow
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-244.NASL
    description Alin Rad Pop of Secunia Research discovered a stack-based buffer overflow in how Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or possibly execute arbitrary code with the permissions of the Samba server. The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 29342
    published 2007-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29342
    title Mandrake Linux Security Advisory : samba (MDKSA-2007:244)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12002.NASL
    description This update of Samba fixes a buffer overflow in function send_mailslot() that allows the stack to be overwritten with zero bytes. (CVE-2007-6015)
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 41171
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41171
    title SuSE9 Security Update : Samba (YOU Patch Number 12002)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-1117.NASL
    description Updated samba packages that fix a security issue are now available for Red Hat Enterprise Linux 4.5 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 63847
    published 2013-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63847
    title RHEL 4 : samba (RHSA-2007:1117)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2008-0003.NASL
    description I Updated ESX driver a. Updated aacraid driver This patch fixes a flaw in how the aacraid SCSI driver checked IOCTL command permissions. This flaw might allow a local user on the Service Console to cause a denial of service or gain privileges. Thanks to Adaptec for reporting this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-4308 to this issue. II Service Console package security updates a. Samba Alin Rad Pop of Secunia Research found a stack-based buffer overflow flaw in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash or to execute arbitrary code with the permissions of the Samba server. Note: This vulnerability can be exploited only if the attacker has access to the Service Console network. The Samba client is installed by default in the Service Console, but the Samba server is not. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-6015 to this issue. b. Python Chris Evans of the Google security research team discovered an integer overflow issue with the way Python's Perl-Compatible Regular Expression (PCRE) module handled certain regular expressions. If a Python application used the PCRE module to compile and execute untrusted regular expressions, it might be possible to cause the application to crash, or to execute arbitrary code with the privileges of the Python interpreter. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-7228 to this issue. Piotr Engelking discovered a flaw in Python's locale module where strings generated by the strxfrm() function were not properly NUL-terminated. This might result in disclosure of data stored in the memory of a Python application using the strxfrm() function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-2052 to this issue. Slythers Bro reported multiple integer overflow flaws in Python's imageop module. These could allow an attacker to cause a Python application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the Python interpreter. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-4965 to this issue.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 40374
    published 2009-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40374
    title VMSA-2008-0003 : Moderate: Updated aacraid driver and samba and python Service Console updates
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2007-344-01.NASL
    description New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix a security issue. A boundary failure in GETDC mailslot processing can result in a buffer overrun leading to possible code execution.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 29254
    published 2007-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29254
    title Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : samba (SSA:2007-344-01)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-4780.NASL
    description This update of samba fixes a buffer overflow in function send_mailslot() that allows the stack to be overwritten with zero bytes. (CVE-2007-6015)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29392
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29392
    title SuSE 10 Security Update : Samba (ZYPP Patch Number 4780)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1427.NASL
    description Alin Rad Pop discovered that Samba, a LanManager-like file and printer server for Unix, is vulnerable to a buffer overflow in the nmbd code which handles GETDC mailslot requests, which might lead to the execution of arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29262
    published 2007-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29262
    title Debian DSA-1427-1 : samba - buffer overflow
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-556-1.NASL
    description Alin Rad Pop discovered that Samba did not correctly check the size of reply packets to mailslot requests. If a server was configured with domain logon enabled, an unauthenticated remote attacker could send a specially crafted domain logon packet and execute arbitrary code or crash the Samba service. By default, domain logon is disabled in Ubuntu. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 29738
    published 2007-12-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29738
    title Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba vulnerability (USN-556-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200712-10.NASL
    description The remote host is affected by the vulnerability described in GLSA-200712-10 (Samba: Execution of arbitrary code) Alin Rad Pop (Secunia Research) discovered a boundary checking error in the send_mailslot() function which could lead to a stack-based buffer overflow. Impact : A remote attacker could send a specially crafted 'SAMLOGON' domain logon packet, possibly leading to the execution of arbitrary code with elevated privileges. Note that this vulnerability is exploitable only when domain logon support is enabled in Samba, which is not the case in Gentoo's default configuration. Workaround : Disable domain logon in Samba by setting 'domain logons = no' in the 'global' section of your smb.conf and restart Samba.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 29297
    published 2007-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29297
    title GLSA-200712-10 : Samba: Execution of arbitrary code
oval via4
  • accepted 2013-04-29T04:14:46.631-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.
    family unix
    id oval:org.mitre.oval:def:11572
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.
    version 24
  • accepted 2015-04-20T04:02:26.531-04:00
    class vulnerability
    contributors
    • name Pai Peng
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.
    family unix
    id oval:org.mitre.oval:def:5605
    status accepted
    submitted 2008-06-30T13:13:25.000-04:00
    title HP-UX running HP CIFS Server (Samba), Remote Execution of Arbitrary Code
    version 42
redhat via4
advisories
  • bugzilla
    id 407081
    title Critical Regression caused by CVE-2007-4572
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 3 is installed
        oval oval:com.redhat.rhsa:tst:20060015001
      • OR
        • AND
          • comment samba is earlier than 0:3.0.9-1.3E.14.3
            oval oval:com.redhat.rhsa:tst:20071114002
          • comment samba is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060003
        • AND
          • comment samba-client is earlier than 0:3.0.9-1.3E.14.3
            oval oval:com.redhat.rhsa:tst:20071114004
          • comment samba-client is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060007
        • AND
          • comment samba-common is earlier than 0:3.0.9-1.3E.14.3
            oval oval:com.redhat.rhsa:tst:20071114008
          • comment samba-common is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060009
        • AND
          • comment samba-swat is earlier than 0:3.0.9-1.3E.14.3
            oval oval:com.redhat.rhsa:tst:20071114006
          • comment samba-swat is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060005
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhsa:tst:20060016001
      • OR
        • AND
          • comment samba is earlier than 0:3.0.25b-1.el4_6.4
            oval oval:com.redhat.rhsa:tst:20071114011
          • comment samba is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060003
        • AND
          • comment samba-client is earlier than 0:3.0.25b-1.el4_6.4
            oval oval:com.redhat.rhsa:tst:20071114013
          • comment samba-client is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060007
        • AND
          • comment samba-common is earlier than 0:3.0.25b-1.el4_6.4
            oval oval:com.redhat.rhsa:tst:20071114014
          • comment samba-common is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060009
        • AND
          • comment samba-swat is earlier than 0:3.0.25b-1.el4_6.4
            oval oval:com.redhat.rhsa:tst:20071114012
          • comment samba-swat is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070060005
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • OR
        • AND
          • comment samba is earlier than 0:3.0.25b-1.el5_1.4
            oval oval:com.redhat.rhsa:tst:20071114016
          • comment samba is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070061003
        • AND
          • comment samba-client is earlier than 0:3.0.25b-1.el5_1.4
            oval oval:com.redhat.rhsa:tst:20071114022
          • comment samba-client is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070061009
        • AND
          • comment samba-common is earlier than 0:3.0.25b-1.el5_1.4
            oval oval:com.redhat.rhsa:tst:20071114020
          • comment samba-common is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070061005
        • AND
          • comment samba-swat is earlier than 0:3.0.25b-1.el5_1.4
            oval oval:com.redhat.rhsa:tst:20071114018
          • comment samba-swat is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070061007
    rhsa
    id RHSA-2007:1114
    released 2007-12-10
    severity Critical
    title RHSA-2007:1114: samba security and bug fix update (Critical)
  • rhsa
    id RHSA-2007:1117
rpms
  • samba-0:3.0.9-1.3E.14.3
  • samba-client-0:3.0.9-1.3E.14.3
  • samba-common-0:3.0.9-1.3E.14.3
  • samba-swat-0:3.0.9-1.3E.14.3
  • samba-0:3.0.25b-1.el4_6.4
  • samba-client-0:3.0.25b-1.el4_6.4
  • samba-common-0:3.0.25b-1.el4_6.4
  • samba-swat-0:3.0.25b-1.el4_6.4
  • samba-0:3.0.25b-1.el5_1.4
  • samba-client-0:3.0.25b-1.el5_1.4
  • samba-common-0:3.0.25b-1.el5_1.4
  • samba-swat-0:3.0.25b-1.el5_1.4
refmap via4
apple APPLE-SA-2008-02-11
bid 26791
bugtraq
  • 20071210 Secunia Research: Samba "send_mailslot()" Buffer Overflow Vulnerability
  • 20071210 [SECURITY] Buffer overrun in send_mailslot()
  • 20071210 rPSA-2007-0261-1 samba samba-swat
  • 20071214 POC for samba send_mailslot()
  • 20080221 VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates
cert TA08-043B
cert-vn VU#438395
confirm
debian DSA-1427
fedora
  • FEDORA-2007-4269
  • FEDORA-2007-4275
gentoo GLSA-200712-10
hp
  • HPSBUX02316
  • HPSBUX02341
  • SSRT071495
  • SSRT080075
mandriva MDKSA-2007:244
misc http://secunia.com/secunia_research/2007-99/advisory/
mlist [Security-announce] 20080221 VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates
sectrack 1019065
secunia
  • 27760
  • 27894
  • 27977
  • 27993
  • 27999
  • 28003
  • 28028
  • 28029
  • 28037
  • 28067
  • 28089
  • 28891
  • 29032
  • 29341
  • 30484
  • 30835
slackware SSA:2007-344-01
sreason 3438
sunalert
  • 1019295
  • 238251
suse SUSE-SA:2007:068
ubuntu USN-556-1
vupen
  • ADV-2007-4153
  • ADV-2008-0495
  • ADV-2008-0637
  • ADV-2008-0859
  • ADV-2008-1712
  • ADV-2008-1908
xf samba-sendmailslot-bo(38965)
Last major update 08-08-2013 - 01:41
Published 13-12-2007 - 16:46
Last modified 30-10-2018 - 12:25