Vulnerabilities > CVE-2002-1318

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
sgi
samba
hp
nessus
metasploit

Summary

Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.

Metasploit

descriptionThis module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The Samba developers report this as: "Bug in the length checking for encrypted password change requests from clients." The bug was discovered and reported by the Debian Samba Maintainers.
idMSF:EXPLOIT/MULTI/SAMBA/NTTRANS
last seen2020-05-23
modified2017-07-24
published2006-11-28
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/samba/nttrans.rb
titleSamba 2.2.2 - 2.2.6 nttrans Buffer Overflow

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-081.NASL
    descriptionA vulnerability in samba versions 2.2.2 through 2.2.6 was discovered by the Debian samba maintainers. A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack. This attack would have to crafted in such a way that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code. This vulnerability has been fixed in samba version 2.2.7, and the updated packages have had a patch applied to fix the problem.
    last seen2020-06-01
    modified2020-06-02
    plugin id13979
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13979
    titleMandrake Linux Security Advisory : samba (MDKSA-2002:081)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:081. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13979);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-1318");
      script_xref(name:"MDKSA", value:"2002:081");
    
      script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2002:081)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered
    by the Debian samba maintainers. A bug in the length checking for
    encrypted password change requests from clients could be exploited
    using a buffer overrun attack on the smbd stack. This attack would
    have to crafted in such a way that converting a DOS codepage string to
    little endian UCS2 unicode would translate into an executable block of
    code.
    
    This vulnerability has been fixed in samba version 2.2.7, and the
    updated packages have had a patch applied to fix the problem."
      );
      # http://www.samba.org/samba/whatsnew/samba-2.2.7.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/history/samba-2.2.7.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nss_wins");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-winbind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/11/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-2.2.2-3.3mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-client-2.2.2-3.3mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-common-2.2.2-3.3mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-doc-2.2.2-3.3mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nss_wins-2.2.3a-10.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-2.2.3a-10.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-client-2.2.3a-10.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-common-2.2.3a-10.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-doc-2.2.3a-10.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-swat-2.2.3a-10.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-winbind-2.2.3a-10.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nss_wins-2.2.7-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-client-2.2.7-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-common-2.2.7-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-doc-2.2.7-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-server-2.2.7-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-swat-2.2.7-2.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-winbind-2.2.7-2.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGain a shell remotely
    NASL idSAMBA_UNICODE_OVERFLOW.NASL
    descriptionThe remote Samba server, according to its version number, is vulnerable to a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd.
    last seen2020-06-01
    modified2020-06-02
    plugin id11168
    published2002-11-25
    reporterThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11168
    titleSamba Encrypted Password String Conversion Decryption Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if(description)
    {
     script_id(11168);
     script_version ("1.16");
     script_cve_id("CVE-2002-1318");
     script_bugtraq_id(6210);
    
     script_name(english: "Samba Encrypted Password String Conversion Decryption Overflow");
     
     script_set_attribute(attribute:"synopsis", value:
    "Remote code can be executed on the remote server." );
     script_set_attribute(attribute:"description", value:
    "The remote Samba server, according to its version number, is vulnerable
    to a bug in the length checking for encrypted password change requests 
    from clients. A client could potentially send an encrypted password, 
    which, when decrypted with the old hashed password could be used as a
    buffer overrun attack on the stack of smbd." );
     script_set_attribute(attribute:"solution", value:
    "upgrade to Samba 2.2.7" );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2002/11/25");
     script_set_attribute(attribute:"vuln_publication_date", value: "2002/11/20");
     script_cvs_date("Date: 2018/07/27 18:38:14");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
    script_end_attributes();
     
     script_summary(english: "checks samba version");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
     script_family(english: "Gain a shell remotely");
     script_dependencie("smb_nativelanman.nasl");
     script_require_ports(139);
     script_require_keys("SMB/NativeLanManager");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    lanman = get_kb_item("SMB/NativeLanManager");
    if("Samba" >< lanman)
    {
     # Samba 2.2.2 to 2.2.6 is affected
     if(ereg(pattern:"Samba 2\.2\.[2-6][^0-9]*$",
     	 string:lanman))security_hole(139);
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-200.NASL
    descriptionSteve Langasek found an exploitable bug in the password handling code in samba: when converting from DOS code-page to little endian UCS2 unicode a buffer length was not checked and a buffer could be overflowed. There is no known exploit for this, but an upgrade is strongly recommended.
    last seen2020-06-01
    modified2020-06-02
    plugin id15037
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15037
    titleDebian DSA-200-1 : samba - remote exploit
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-200. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15037);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-1318");
      script_xref(name:"DSA", value:"200");
    
      script_name(english:"Debian DSA-200-1 : samba - remote exploit");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Steve Langasek found an exploitable bug in the password handling code
    in samba: when converting from DOS code-page to little endian UCS2
    unicode a buffer length was not checked and a buffer could be
    overflowed. There is no known exploit for this, but an upgrade is
    strongly recommended."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-200"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "This problem has been fixed in version 2.2.3a-12 of the Debian samba
    packages and upstream version 2.2.7."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/11/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"libpam-smbpass", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"libsmbclient", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"libsmbclient-dev", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"samba", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"samba-common", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"samba-doc", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"smbclient", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"smbfs", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"swat", reference:"2.2.3a-12")) flag++;
    if (deb_check(release:"3.0", prefix:"winbind", reference:"2.2.3a-12")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Oval

accepted2005-03-09T07:56:00.000-04:00
classvulnerability
contributors
nameBrian Soby
organizationThe MITRE Corporation
descriptionBuffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.
familyunix
idoval:org.mitre.oval:def:1467
statusaccepted
submitted2005-01-19T12:00:00.000-04:00
titleSamba Encrypted Password DoS
version35

Redhat

advisories
rhsa
idRHSA-2002:266

References