Vulnerabilities > CVE-2002-1318 - Buffer Overrun vulnerability in Samba Server Encrypted Password
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 5 | |
Application | 3 | |
OS | 19 |
Metasploit
description | This module attempts to exploit a buffer overflow vulnerability present in versions 2.2.2 through 2.2.6 of Samba. The Samba developers report this as: "Bug in the length checking for encrypted password change requests from clients." The bug was discovered and reported by the Debian Samba Maintainers. |
id | MSF:EXPLOIT/MULTI/SAMBA/NTTRANS |
last seen | 2020-05-23 |
modified | 2017-07-24 |
published | 2006-11-28 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/samba/nttrans.rb |
title | Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2002-081.NASL description A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered by the Debian samba maintainers. A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack. This attack would have to crafted in such a way that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code. This vulnerability has been fixed in samba version 2.2.7, and the updated packages have had a patch applied to fix the problem. last seen 2020-06-01 modified 2020-06-02 plugin id 13979 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13979 title Mandrake Linux Security Advisory : samba (MDKSA-2002:081) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2002:081.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

# Local (authenticated) check: the installed RPM list gathered over SSH is
# compared against the fixed package builds published in MDKSA-2002:081.
if (description)
{
  script_id(13979);
  script_version ("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  script_cve_id("CVE-2002-1318");
  script_xref(name:"MDKSA", value:"2002:081");

  script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2002:081)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
    "The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered by the Debian samba maintainers. A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack. 
This attack would have to crafted in such a way that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code. This vulnerability has been fixed in samba version 2.2.7, and the updated packages have had a patch applied to fix the problem."
  );
  # http://www.samba.org/samba/whatsnew/samba-2.2.7.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/history/samba-2.2.7.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nss_wins");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-swat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-winbind");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2002/11/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Every prerequisite (local checks, target OS, package list) is verified up
# front; audit() reports the reason and terminates the plugin.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86-class hosts are covered by the reference versions below.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Count installed packages that are older than the fixed build for their
# release. The fixed build differs per Mandrake release, so one loop per release.
affected = 0;

foreach pkg (make_list("samba", "samba-client", "samba-common", "samba-doc"))
  if (rpm_check(release:"MDK8.1", cpu:"i386", reference:pkg + "-2.2.2-3.3mdk", yank:"mdk")) affected++;

foreach pkg (make_list("nss_wins", "samba", "samba-client", "samba-common", "samba-doc", "samba-swat", "samba-winbind"))
  if (rpm_check(release:"MDK8.2", cpu:"i386", reference:pkg + "-2.2.3a-10.1mdk", yank:"mdk")) affected++;

foreach pkg (make_list("nss_wins", "samba-client", "samba-common", "samba-doc", "samba-server", "samba-swat", "samba-winbind"))
  if (rpm_check(release:"MDK9.0", cpu:"i386", reference:pkg + "-2.2.7-2.1mdk", yank:"mdk")) affected++;

# Nothing outdated: audit() exits with the "not affected" result.
if (!affected) audit(AUDIT_HOST_NOT, "affected");

# Report the vulnerable package list when verbose output is enabled.
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
NASL family Gain a shell remotely NASL id SAMBA_UNICODE_OVERFLOW.NASL description The remote Samba server, according to its version number, is vulnerable to a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. last seen 2020-06-01 modified 2020-06-02 plugin id 11168 published 2002-11-25 reporter This script is Copyright (C) 2002-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11168 title Samba Encrypted Password String Conversion Decryption Overflow code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Remote, unauthenticated check: the Samba version announced in the SMB
# native LAN Manager string (collected by smb_nativelanman.nasl) is matched
# against the affected 2.2.2 - 2.2.6 range.
if(description)
{
  script_id(11168);
  script_version ("1.16");
  script_cve_id("CVE-2002-1318");
  script_bugtraq_id(6210);

  script_name(english: "Samba Encrypted Password String Conversion Decryption Overflow");
  script_set_attribute(attribute:"synopsis", value:
"Remote code can be executed on the remote server." );
  script_set_attribute(attribute:"description", value:
"The remote Samba server, according to its version number, is vulnerable to a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd."
  );
  script_set_attribute(attribute:"solution", value:
"upgrade to Samba 2.2.7" );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2002/11/25");
  script_set_attribute(attribute:"vuln_publication_date", value: "2002/11/20");
  script_cvs_date("Date: 2018/07/27 18:38:14");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
  script_end_attributes();

  script_summary(english: "checks samba version");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
  script_family(english: "Gain a shell remotely");
  script_dependencie("smb_nativelanman.nasl");
  script_require_ports(139);
  script_require_keys("SMB/NativeLanManager");
  exit(0);
}

#
# The script code starts here
#

# Nothing to do unless the banner identifies the server as Samba at all.
lanman = get_kb_item("SMB/NativeLanManager");
if ("Samba" >!< lanman) exit(0);

# Banner-only detection. Distributions that backport the fix without changing
# the reported version (Debian fixed this in 2.2.3a-12, see DSA-200) still
# announce a matching "Samba 2.2.3a" string, so a hit here is a candidate
# that the distribution package checks can confirm or clear.
affected_banner = "Samba 2\.2\.[2-6][^0-9]*$";
if (ereg(pattern:affected_banner, string:lanman)) security_hole(139);
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-200.NASL description Steve Langasek found an exploitable bug in the password handling code in samba: when converting from DOS code-page to little endian UCS2 unicode a buffer length was not checked and a buffer could be overflowed. There is no known exploit for this, but an upgrade is strongly recommended. last seen 2020-06-01 modified 2020-06-02 plugin id 15037 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15037 title Debian DSA-200-1 : samba - remote exploit code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-200. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Local (authenticated) check: the dpkg -l output gathered over SSH is
# compared against the fixed Debian 3.0 package version from DSA-200.
if (description)
{
  script_id(15037);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2002-1318");
  script_xref(name:"DSA", value:"200");

  script_name(english:"Debian DSA-200-1 : samba - remote exploit");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "Steve Langasek found an exploitable bug in the password handling code in samba: when converting from DOS code-page to little endian UCS2 unicode a buffer length was not checked and a buffer could be overflowed. There is no known exploit for this, but an upgrade is strongly recommended."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2002/dsa-200"
  );
  script_set_attribute(
    attribute:"solution",
    value:
    "This problem has been fixed in version 2.2.3a-12 of the Debian samba packages and upstream version 2.2.7."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2002/11/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Prerequisites are verified up front; audit() reports the reason and exits.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# All binary packages built from the samba source on Debian 3.0 were
# rebuilt at 2.2.3a-12; any of them installed below that version counts.
fixed_version = "2.2.3a-12";
affected = 0;
foreach pkg (make_list("libpam-smbpass", "libsmbclient", "libsmbclient-dev", "samba", "samba-common", "samba-doc", "smbclient", "smbfs", "swat", "winbind"))
  if (deb_check(release:"3.0", prefix:pkg, reference:fixed_version)) affected++;

# Nothing outdated: audit() exits with the "not affected" result.
if (!affected) audit(AUDIT_HOST_NOT, "affected");

# Report the vulnerable package list when verbose output is enabled.
if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
else security_hole(0);
exit(0);
Oval
accepted | 2005-03-09T07:56:00.000-04:00 | ||||
class | vulnerability | ||||
contributors |
| ||||
description | Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string. | ||||
family | unix | ||||
id | oval:org.mitre.oval:def:1467 | ||||
status | accepted | ||||
submitted | 2005-01-19T12:00:00.000-04:00 | ||||
title | Samba Encrypted Password DoS | ||||
version | 35 |
Redhat
advisories |
|
References
- ftp://patches.sgi.com/support/free/security/advisories/20021204-01-I
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000550
- http://marc.info/?l=bugtraq&m=103801986818076&w=2
- http://marc.info/?l=bugtraq&m=103859045302448&w=2
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/53580
- http://us1.samba.org/samba/whatsnew/samba-2.2.7.html
- http://www.ciac.org/ciac/bulletins/n-019.shtml
- http://www.ciac.org/ciac/bulletins/n-023.shtml
- http://www.debian.org/security/2002/dsa-200
- http://www.kb.cert.org/vuls/id/958321
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-081.php
- http://www.novell.com/linux/security/advisories/2002_045_samba.html
- http://www.redhat.com/support/errata/RHSA-2002-266.html
- http://www.securityfocus.com/bid/6210
- https://exchange.xforce.ibmcloud.com/vulnerabilities/10683
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1467