CVE-2003-0085 - Buffer Overflow vulnerability in Samba SMB/CIFS Packet Assembling

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, samba, hp, critical, nessus, exploit available

Summary

Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.

Exploit-Db

  • description: Samba 2.2.x nttrans Overflow. CVE-2003-0085. Remote exploit for linux platform
    id: EDB-ID:9936
    last seen: 2016-02-01
    modified: 2003-04-07
    published: 2003-04-07
    reporter: H D Moore
    source: https://www.exploit-db.com/download/9936/
    title: Samba 2.2.x - nttrans Overflow
  • description: Samba SMB 2.2.x, CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability. CVE-2003-0085. Remote exploit for unix platform
    id: EDB-ID:22356
    last seen: 2016-02-02
    modified: 2003-03-15
    published: 2003-03-15
    reporter: flatline
    source: https://www.exploit-db.com/download/22356/
    title: Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability
  • description: Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow. CVE-2003-0085. Remote exploit for linux platform
    id: EDB-ID:16321
    last seen: 2016-02-01
    modified: 2010-04-28
    published: 2010-04-28
    reporter: metasploit
    source: https://www.exploit-db.com/download/16321/
    title: Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2003-096.NASL
    description: Updated Samba packages are now available to fix security vulnerabilities found during a code audit. Samba is a suite of utilities which provides file and printer sharing services to SMB/CIFS clients. Sebastian Krahmer discovered a security vulnerability present in unpatched versions of Samba prior to 2.2.8. An anonymous user could use the vulnerability to gain root access on the target machine. Additionally, a race condition could allow an attacker to overwrite critical system files. All users of Samba are advised to update to the erratum packages which contain patches to correct these vulnerabilities. These packages contain the security fixes backported to the Samba 2.2.7 codebase.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12379
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12379
    title: RHEL 2.1 : samba (RHSA-2003:096)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:096. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12379);
      script_version ("1.31");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2003-0085", "CVE-2003-0086", "CVE-2003-1332");
      script_xref(name:"RHSA", value:"2003:096");
    
      script_name(english:"RHEL 2.1 : samba (RHSA-2003:096)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated Samba packages are now available to fix security
    vulnerabilities found during a code audit.
    
    Samba is a suite of utilities which provides file and printer sharing
    services to SMB/CIFS clients.
    
    Sebastian Krahmer discovered a security vulnerability present in
    unpatched versions of Samba prior to 2.2.8. An anonymous user could
    use the vulnerability to gain root access on the target machine.
    
    Additionally, a race condition could allow an attacker to overwrite
    critical system files.
    
    All users of Samba are advised to update to the erratum packages which
    contain patches to correct these vulnerabilities.
    
    These packages contain the security fixes backported to the Samba
    2.2.7 codebase."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0085"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0086"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-1332"
      );
      # http://www.samba.org/samba/whatsnew/samba-2.2.8.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/history/samba-2.2.10.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:096"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:096";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-2.2.7-2.21as")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-client-2.2.7-2.21as")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-common-2.2.7-2.21as")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-swat-2.2.7-2.21as")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat");
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-262.NASL
    description: Sebastian Krahmer of the SuSE security audit team found two problems in samba, a popular SMB/CIFS implementation. The problems are: a buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd (since smbd runs as root, an attacker can use this to gain root access to a machine running smbd); and the code to write reg files was vulnerable to a chown race, which made it possible for a local user to overwrite system files. Both problems have been fixed in upstream version 2.2.8, and in version 2.2.3a-12.1 of the package for Debian GNU/Linux 3.0/woody.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15099
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15099
    title: Debian DSA-262-1 : samba - remote exploit
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-262. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15099);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0085", "CVE-2003-0086");
      script_bugtraq_id(7106, 7107);
      script_xref(name:"DSA", value:"262");
    
      script_name(english:"Debian DSA-262-1 : samba - remote exploit");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Sebastian Krahmer of the SuSE security audit team found two problems
    in samba, a popular SMB/CIFS implementation. The problems are :
    
      - a buffer overflow in the SMB/CIFS packet fragment
        re-assembly code used by smbd. Since smbd runs as root
        an attacker can use this to gain root access to a
        machine running smbd.
      - the code to write reg files was vulnerable for a chown
        race which made it possible for a local user to
        overwrite system files
    
    Both problems have been fixed in upstream version 2.2.8, and version
    2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-262"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected samba package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"libpam-smbpass", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libsmbclient", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libsmbclient-dev", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"samba", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"samba-common", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"samba-doc", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"smbclient", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"smbfs", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"swat", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"winbind", reference:"2.2.3a-12.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2003-032.NASL
    description: The SuSE security team, during an audit of the Samba source code, found a flaw in the main smbd code which could allow an external attacker to remotely and anonymously gain root privilege on a system running the Samba server. This flaw exists in all versions of Samba 2.x up to and including 2.2.7a. The Samba team announced 2.2.8 today, however these updated packages include a patch that corrects this problem. MandrakeSoft urges all users to upgrade immediately. If you are unable to apply the updated packages (perhaps due to unavailability on your preferred mirror), the following steps can be taken to protect an unpatched system: The
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14016
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14016
    title: Mandrake Linux Security Advisory : samba (MDKSA-2003:032)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:032. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14016);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2003-0085", "CVE-2003-0086");
      script_xref(name:"MDKSA", value:"2003:032");
    
      script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2003:032)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "<p>The SuSE security team, during an audit of the Samba source code,
    found a flaw in the main smbd code which could allow an external
    attacker to remotely and anonymously gain root privilege on a system
    running the Samba server. This flaw exists in all version of Samba 2.x
    up to and including 2.2.7a. The Samba team announced 2.2.8 today,
    however these updated packages include a patch that corrects this
    problem.</p>
    
    <p>MandrakeSoft urges all users to upgrade immediately. If you are
    unable to apply the updated packages (perhaps due to unavailability on
    your preferred mirror), the following steps can be taken to protect an
    unpatched system:</p>
    
    <p>The 'hosts allow' and 'hosts deny' options in the smb.conf file can
    be used to allow access to your Samba server by only selected hosts;
    for example:</p>
    
    <pre> hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 hosts deny
    = 0.0.0.0/0 </pre>
    
    <p>This will disallow all connections from machines that are not the
    localhost or in the 192.168.2 and 192.168.3 private networks.
    Alternatively, you can tell Samba to listen to only specific network
    interfaces by using the 'interfaces' and 'bind interfaces only'
    options:</p>
    
    <pre> interfaces = eth1 lo bind interfaces only = yes </pre>
    
    <p>Obviously, use the internal interface for your network and not an
    external interface connected to the internet. You may also choose to
    firewall off some UDP and TCP ports in addition to the previously
    mentioned suggestions by blocking external access to ports 137 and 138
    (UDP) and ports 139 and 445 (TCP).</p>
    
    <p>These steps should only be used as a temporary preventative measure
    and all users should upgrade as quickly as possible.</p>
    
    <p>Thanks to Sebastian Krahmer and the SuSE security team for
    performing the audit, Jeremy Allison for providing the fix, and Andrew
    Tridgell for providing advice on how to protect an unpatched Samba
    system.</p>"
      );
      # http://www.samba.org/samba/whatsnew/samba-2.2.8.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.samba.org/samba/history/samba-2.2.10.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nss_wins");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-winbind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nss_wins-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-winbind-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nss_wins-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-winbind-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gain a shell remotely
    NASL id: SAMBA_FRAGS_OVERFLOW.NASL
    description: The remote Samba server, according to its version number, is vulnerable to a remote buffer overflow when receiving specially crafted SMB fragment packets. An attacker needs to be able to access at least one share to exploit this flaw. In addition, it is reported that Samba contains a flaw related to the handling of .reg files that may allow a local user to overwrite arbitrary files.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11398
    published: 2003-03-15
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11398
    title: Samba < 2.2.8 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Ref: 
    # From: Wichert Akkerman <[email protected]>
    # Subject: [SECURITY] [DSA-262-1] samba security fix
    # Resent-Message-ID: <VvQa6C.A.oDH.Ng1c-@murphy>
    # To: [email protected]
    #
    
    include("compat.inc");
    
    if(description)
    {
     script_id(11398);
     script_version ("1.21");
    
     script_cve_id("CVE-2003-0085", "CVE-2003-0086");
     script_bugtraq_id(7106, 7107);
     script_xref(name:"RHSA", value:"2003:095-03");
     script_xref(name:"SuSE", value:"SUSE-SA:2003:016");
    
     script_name(english: "Samba < 2.2.8 Multiple Vulnerabilities");
     
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code may be run on the remote server." );
     script_set_attribute(attribute:"description", value:
    "The remote Samba server, according to its version number, is vulnerable
    to a remote buffer overflow when receiving specially crafted SMB 
    fragment packets.
    
    An attacker needs to be able to access at least one share to exploit 
    this flaw.
    
    In addition, it is reported that Samba contains a flaw
    related to the handling of .reg files that may allow
    a local user to overwrite arbitrary file." );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Samba 2.2.8." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
    script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/15");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/03/15");
     script_cvs_date("Date: 2018/07/27 18:38:14");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
    script_end_attributes();
    
     script_summary(english: "checks samba version");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english: "Gain a shell remotely");
     script_dependencie("smb_nativelanman.nasl");
     script_require_keys("SMB/NativeLanManager");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    lanman = get_kb_item("SMB/NativeLanManager");
    if("Samba" >< lanman)
    {
     if(ereg(pattern:"Samba 2\.(0\..*|2\.[0-7][^0-9].*)", string:lanman))security_hole(139);
    }
    
  • NASL family: Gain a shell remotely
    NASL id: SAMBA_TNG_FLAWS.NASL
    description: The remote Samba server, according to its version number, is vulnerable to multiple flaws that could let an attacker gain a root shell on this host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11442
    published: 2003-03-22
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11442
    title: Samba TNG < 0.3.1 Multiple Remote Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Ref: 
    #
    # Date: Sat, 22 Mar 2003 21:03:11 +0100 (CET)
    # From: Stephan Lauffer <[email protected]>
    # To: [email protected]
    # Cc: [email protected], <[email protected]>
    # Subject: [ANNOUNCE] Samba-TNG 0.3.1 Security Release
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11442);
     script_version("1.17");
     script_cvs_date("Date: 2018/07/27 18:38:14");
    
     script_cve_id("CVE-2003-0085");
     script_bugtraq_id(7106, 7206);
    
     script_name(english: "Samba TNG < 0.3.1 Multiple Remote Vulnerabilities");
     script_summary(english: "checks samba version");
     
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code may be run on the remote server.");
     script_set_attribute(attribute:"description", value:
    "The remote Samba server, according to its version number, is vulnerable 
    to multiple flaws that could let an attacker gain a root shell on this 
    host.");
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Samba TNG 0.3.1");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
    script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/22");
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/27");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english: "Gain a shell remotely");
     script_dependencie("smb_nativelanman.nasl");
     script_require_keys("SMB/NativeLanManager");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    lanman = get_kb_item("SMB/NativeLanManager");
    if("Samba" >< lanman)
    {
     if(ereg(pattern:"Samba TNG-alpha$", string:lanman))security_hole(139);
    }
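The two remote plugins above (SAMBA_FRAGS_OVERFLOW.NASL and SAMBA_TNG_FLAWS.NASL) decide purely on the SMB "Native LAN Manager" banner, and the Mandrake advisory quoted in MANDRAKE_MDKSA-2003-032.NASL describes interim smb.conf mitigations (hosts allow / hosts deny, interfaces, bind interfaces only). The following Python is an added example, my own code rather than Tenable's, Samba's or Mandrake's: it reproduces the plugins' banner regexes, shows an edge case of the first one (as written it needs one more character after the 2.2.x minor digit, so a banner that ends exactly at "Samba 2.2.7" is not flagged) next to a tightened variant, and adds a small smb.conf reader that reports whether the advisory's mitigations are present. The function names and the two sample configurations are constructed for illustration.

```python
import re
from typing import Dict

# Patterns copied from the two Nessus plugins above. PLUGIN_BANNER_RE requires a
# character after the 2.2.x minor digit ([^0-9]), so "Samba 2.2.7" with nothing
# following is not matched, while "Samba 2.2.7a" is.
PLUGIN_BANNER_RE = re.compile(r"Samba 2\.(0\..*|2\.[0-7][^0-9].*)")
PLUGIN_TNG_RE = re.compile(r"Samba TNG-alpha$")

# Tightened variant (mine, not Tenable's): same version range (2.0.x and
# 2.2.0-2.2.7), but a negative lookahead instead of a required trailing
# character, so "Samba 2.2.7" is flagged and "Samba 2.2.10" is still excluded.
STRICT_BANNER_RE = re.compile(r"Samba 2\.(0\.|2\.[0-7](?![0-9]))")


def plugin_pattern_matches(native_lanman: str) -> bool:
    """Reproduce the plugins' check on the SMB Native LAN Manager string."""
    if "Samba" not in native_lanman:
        return False
    return bool(PLUGIN_BANNER_RE.search(native_lanman)
                or PLUGIN_TNG_RE.search(native_lanman))


def banner_is_vulnerable(native_lanman: str) -> bool:
    """Same decision with the tightened Samba 2.x pattern."""
    if "Samba" not in native_lanman:
        return False
    return bool(STRICT_BANNER_RE.search(native_lanman)
                or PLUGIN_TNG_RE.search(native_lanman))


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: section name -> lower-cased parameter -> value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_interim_mitigations(smb_conf_text: str) -> Dict[str, bool]:
    """Report which MDKSA-2003:032 interim mitigations the [global] section carries."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    # Advisory step 1: an explicit allow list together with a catch-all deny.
    hosts_restricted = bool(g.get("hosts allow")) and bool(g.get("hosts deny"))
    # Advisory step 2: listen on named internal interfaces only.
    bind_only = g.get("bind interfaces only", "no").lower() in ("yes", "true", "1")
    interfaces_bound = bool(g.get("interfaces")) and bind_only
    return {"hosts_restricted": hosts_restricted, "interfaces_bound": interfaces_bound}


# Constructed sample configurations (not taken from any real host).
UNRESTRICTED_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
[public]
   path = /srv/public
"""

RESTRICTED_CONF = """
[global]
   workgroup = WORKGROUP
   hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny = 0.0.0.0/0
   interfaces = eth1 lo
   bind interfaces only = yes
"""

if __name__ == "__main__":
    for banner in ("Samba 2.2.7a", "Samba 2.2.7", "Samba 2.2.8", "Samba 2.2.10", "Samba TNG-alpha"):
        print(f"{banner!r}: plugin={plugin_pattern_matches(banner)} "
              f"strict={banner_is_vulnerable(banner)}")
    print("unrestricted:", audit_interim_mitigations(UNRESTRICTED_CONF))
    print("restricted:  ", audit_interim_mitigations(RESTRICTED_CONF))
```

The banner check is only as good as the string the server returns; distributions that backported the fix (the RHEL 2.1 and Debian woody packages above still report 2.2.7 or 2.2.3a) will look vulnerable to both regexes, which is why the package-level plugins exist alongside the remote one. The smb.conf audit treats any non-empty `hosts deny` as the catch-all the advisory asks for; a stricter check would compare it against `0.0.0.0/0` or `ALL`.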
    

Oval

accepted: 2010-09-20T04:00:29.162-04:00
class: vulnerability
contributors:
  • name: Jay Beale
    organization: Bastille Linux
  • name: Jay Beale
    organization: Bastille Linux
  • name: Thomas R. Jones
    organization: Maitreya Security
  • name: Jonathan Baker
    organization: The MITRE Corporation
description: Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.
family: unix
id: oval:org.mitre.oval:def:552
status: accepted
submitted: 2003-08-11T12:00:00.000-04:00
title: SMB/CIFS Packet Fragment Re-assembly BO
version: 41

Packetstorm

data source: https://packetstormsecurity.com/files/download/82287/nttrans.rb.txt
id: PACKETSTORM:82287
last seen: 2016-12-05
published: 2009-10-28
reporter: H D Moore
source: https://packetstormsecurity.com/files/82287/Samba-nttrans-Overflow.html
title: Samba nttrans Overflow

Redhat

advisories:
  • rhsa
    id: RHSA-2003:095
  • rhsa
    id: RHSA-2003:096