Vulnerabilities > CVE-2002-1318
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 19 | |
Application | 5 | |
Application | 3 |
Metasploit
description | This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The Samba developers report this as: "Bug in the length checking for encrypted password change requests from clients." The bug was discovered and reported by the Debian Samba Maintainers. |
id | MSF:EXPLOIT/MULTI/SAMBA/NTTRANS |
last seen | 2020-05-23 |
modified | 2017-07-24 |
published | 2006-11-28 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/samba/nttrans.rb |
title | Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2002-081.NASL description A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered by the Debian samba maintainers. A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack. This attack would have to crafted in such a way that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code. This vulnerability has been fixed in samba version 2.2.7, and the updated packages have had a patch applied to fix the problem. last seen 2020-06-01 modified 2020-06-02 plugin id 13979 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13979 title Mandrake Linux Security Advisory : samba (MDKSA-2002:081) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2002:081. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(13979); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2002-1318"); script_xref(name:"MDKSA", value:"2002:081"); script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2002:081)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered by the Debian samba maintainers. A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack. This attack would have to crafted in such a way that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code. This vulnerability has been fixed in samba version 2.2.7, and the updated packages have had a patch applied to fix the problem." ); # http://www.samba.org/samba/whatsnew/samba-2.2.7.html script_set_attribute( attribute:"see_also", value:"https://www.samba.org/samba/history/samba-2.2.7.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nss_wins"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-swat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-winbind"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2002/11/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-2.2.2-3.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-client-2.2.2-3.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-common-2.2.2-3.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-doc-2.2.2-3.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nss_wins-2.2.3a-10.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-2.2.3a-10.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-client-2.2.3a-10.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-common-2.2.3a-10.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-doc-2.2.3a-10.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-swat-2.2.3a-10.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-winbind-2.2.3a-10.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nss_wins-2.2.7-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-client-2.2.7-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-common-2.2.7-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-doc-2.2.7-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-server-2.2.7-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-swat-2.2.7-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-winbind-2.2.7-2.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Gain a shell remotely NASL id SAMBA_UNICODE_OVERFLOW.NASL description The remote Samba server, according to its version number, is vulnerable to a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. last seen 2020-06-01 modified 2020-06-02 plugin id 11168 published 2002-11-25 reporter This script is Copyright (C) 2002-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11168 title Samba Encrypted Password String Conversion Decryption Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(11168); script_version ("1.16"); script_cve_id("CVE-2002-1318"); script_bugtraq_id(6210); script_name(english: "Samba Encrypted Password String Conversion Decryption Overflow"); script_set_attribute(attribute:"synopsis", value: "Remote code can be executed on the remote server." ); script_set_attribute(attribute:"description", value: "The remote Samba server, according to its version number, is vulnerable to a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd." ); script_set_attribute(attribute:"solution", value: "upgrade to Samba 2.2.7" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2002/11/25"); script_set_attribute(attribute:"vuln_publication_date", value: "2002/11/20"); script_cvs_date("Date: 2018/07/27 18:38:14"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba"); script_end_attributes(); script_summary(english: "checks samba version"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc."); script_family(english: "Gain a shell remotely"); script_dependencie("smb_nativelanman.nasl"); script_require_ports(139); script_require_keys("SMB/NativeLanManager"); exit(0); } # # The script code starts here # lanman = get_kb_item("SMB/NativeLanManager"); if("Samba" >< lanman) { # Samba 2.2.2 to 2.2.6 is affected if(ereg(pattern:"Samba 2\.2\.[2-6][^0-9]*$", string:lanman))security_hole(139); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-200.NASL description Steve Langasek found an exploitable bug in the password handling code in samba: when converting from DOS code-page to little endian UCS2 unicode a buffer length was not checked and a buffer could be overflowed. There is no known exploit for this, but an upgrade is strongly recommended. last seen 2020-06-01 modified 2020-06-02 plugin id 15037 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15037 title Debian DSA-200-1 : samba - remote exploit code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-200. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15037); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2002-1318"); script_xref(name:"DSA", value:"200"); script_name(english:"Debian DSA-200-1 : samba - remote exploit"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Steve Langasek found an exploitable bug in the password handling code in samba: when converting from DOS code-page to little endian UCS2 unicode a buffer length was not checked and a buffer could be overflowed. There is no known exploit for this, but an upgrade is strongly recommended." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2002/dsa-200" ); script_set_attribute( attribute:"solution", value: "This problem has been fixed in version 2.2.3a-12 of the Debian samba packages and upstream version 2.2.7." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2002/11/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"libpam-smbpass", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"libsmbclient", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"libsmbclient-dev", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"samba", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"samba-common", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"samba-doc", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"smbclient", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"smbfs", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"swat", reference:"2.2.3a-12")) flag++; if (deb_check(release:"3.0", prefix:"winbind", reference:"2.2.3a-12")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Oval
accepted | 2005-03-09T07:56:00.000-04:00 | ||||
class | vulnerability | ||||
contributors |
| ||||
description | Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string. | ||||
family | unix | ||||
id | oval:org.mitre.oval:def:1467 | ||||
status | accepted | ||||
submitted | 2005-01-19T12:00:00.000-04:00 | ||||
title | Samba Encrypted Password DoS | ||||
version | 35 |
Redhat
advisories |
|
References
- ftp://patches.sgi.com/support/free/security/advisories/20021204-01-I
- ftp://patches.sgi.com/support/free/security/advisories/20021204-01-I
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000550
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000550
- http://marc.info/?l=bugtraq&m=103801986818076&w=2
- http://marc.info/?l=bugtraq&m=103801986818076&w=2
- http://marc.info/?l=bugtraq&m=103859045302448&w=2
- http://marc.info/?l=bugtraq&m=103859045302448&w=2
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/53580
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/53580
- http://us1.samba.org/samba/whatsnew/samba-2.2.7.html
- http://us1.samba.org/samba/whatsnew/samba-2.2.7.html
- http://www.ciac.org/ciac/bulletins/n-019.shtml
- http://www.ciac.org/ciac/bulletins/n-019.shtml
- http://www.ciac.org/ciac/bulletins/n-023.shtml
- http://www.ciac.org/ciac/bulletins/n-023.shtml
- http://www.ciac.org/ciac/bulletins/n-023.shtml
- http://www.ciac.org/ciac/bulletins/n-023.shtml
- http://www.debian.org/security/2002/dsa-200
- http://www.debian.org/security/2002/dsa-200
- http://www.kb.cert.org/vuls/id/958321
- http://www.kb.cert.org/vuls/id/958321
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-081.php
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-081.php
- http://www.novell.com/linux/security/advisories/2002_045_samba.html
- http://www.novell.com/linux/security/advisories/2002_045_samba.html
- http://www.redhat.com/support/errata/RHSA-2002-266.html
- http://www.redhat.com/support/errata/RHSA-2002-266.html
- http://www.securityfocus.com/bid/6210
- http://www.securityfocus.com/bid/6210
- https://exchange.xforce.ibmcloud.com/vulnerabilities/10683
- https://exchange.xforce.ibmcloud.com/vulnerabilities/10683
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1467
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1467