Vulnerabilities > CVE-2003-0085 - Buffer Overflow vulnerability in Samba SMB/CIFS Packet Assembling
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | Samba
| 22 |
| Application | 7 |
Exploit-Db
description Samba 2.2.x nttrans Overflow. CVE-2003-0085. Remote exploit for linux platform id EDB-ID:9936 last seen 2016-02-01 modified 2003-04-07 published 2003-04-07 reporter H D Moore source https://www.exploit-db.com/download/9936/ title Samba 2.2.x - nttrans Overflow description Samba SMB 2.2.x,CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability. CVE-2003-0085. Remote exploit for unix platform id EDB-ID:22356 last seen 2016-02-02 modified 2003-03-15 published 2003-03-15 reporter flatline source https://www.exploit-db.com/download/22356/ title Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability description Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow. CVE-2003-0085. Remote exploit for linux platform id EDB-ID:16321 last seen 2016-02-01 modified 2010-04-28 published 2010-04-28 reporter metasploit source https://www.exploit-db.com/download/16321/ title Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-096.NASL description Updated Samba packages are now available to fix security vulnerabilities found during a code audit. Samba is a suite of utilities which provides file and printer sharing services to SMB/CIFS clients. Sebastian Krahmer discovered a security vulnerability present in unpatched versions of Samba prior to 2.2.8. An anonymous user could use the vulnerability to gain root access on the target machine. Additionally, a race condition could allow an attacker to overwrite critical system files. All users of Samba are advised to update to the erratum packages which contain patches to correct these vulnerabilities. These packages contain the security fixes backported to the Samba 2.2.7 codebase. last seen 2020-06-01 modified 2020-06-02 plugin id 12379 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12379 title RHEL 2.1 : samba (RHSA-2003:096) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:096. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12379); script_version ("1.31"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2003-0085", "CVE-2003-0086", "CVE-2003-1332"); script_xref(name:"RHSA", value:"2003:096"); script_name(english:"RHEL 2.1 : samba (RHSA-2003:096)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated Samba packages are now available to fix security vulnerabilities found during a code audit. Samba is a suite of utilities which provides file and printer sharing services to SMB/CIFS clients. Sebastian Krahmer discovered a security vulnerability present in unpatched versions of Samba prior to 2.2.8. An anonymous user could use the vulnerability to gain root access on the target machine. Additionally, a race condition could allow an attacker to overwrite critical system files. All users of Samba are advised to update to the erratum packages which contain patches to correct these vulnerabilities. These packages contain the security fixes backported to the Samba 2.2.7 codebase." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0085" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0086" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-1332" ); # http://www.samba.org/samba/whatsnew/samba-2.2.8.html script_set_attribute( attribute:"see_also", value:"https://www.samba.org/samba/history/samba-2.2.10.html" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:096" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-swat"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/31"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:096"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-2.2.7-2.21as")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-client-2.2.7-2.21as")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-common-2.2.7-2.21as")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-swat-2.2.7-2.21as")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-262.NASL description Sebastian Krahmer of the SuSE security audit team found two problems in samba, a popular SMB/CIFS implementation. The problems are : - a buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd. Since smbd runs as root an attacker can use this to gain root access to a machine running smbd. - the code to write reg files was vulnerable for a chown race which made it possible for a local user to overwrite system files Both problems have been fixed in upstream version 2.2.8, and version 2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody. last seen 2020-06-01 modified 2020-06-02 plugin id 15099 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15099 title Debian DSA-262-1 : samba - remote exploit code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-262. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15099); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2003-0085", "CVE-2003-0086"); script_bugtraq_id(7106, 7107); script_xref(name:"DSA", value:"262"); script_name(english:"Debian DSA-262-1 : samba - remote exploit"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Sebastian Krahmer of the SuSE security audit team found two problems in samba, a popular SMB/CIFS implementation. The problems are : - a buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd. Since smbd runs as root an attacker can use this to gain root access to a machine running smbd. - the code to write reg files was vulnerable for a chown race which made it possible for a local user to overwrite system files Both problems have been fixed in upstream version 2.2.8, and version 2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2003/dsa-262" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected samba package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"libpam-smbpass", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"libsmbclient", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"libsmbclient-dev", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"samba", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"samba-common", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"samba-doc", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"smbclient", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"smbfs", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"swat", reference:"2.2.3a-12.1")) flag++; if (deb_check(release:"3.0", prefix:"winbind", reference:"2.2.3a-12.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-032.NASL description <p>The SuSE security team, during an audit of the Samba source code, found a flaw in the main smbd code which could allow an external attacker to remotely and anonymously gain root privilege on a system running the Samba server. This flaw exists in all version of Samba 2.x up to and including 2.2.7a. The Samba team announced 2.2.8 today, however these updated packages include a patch that corrects this problem.</p> <p>MandrakeSoft urges all users to upgrade immediately. If you are unable to apply the updated packages (perhaps due to unavailability on your preferred mirror), the following steps can be taken to protect an unpatched system:</p> <p>The last seen 2020-06-01 modified 2020-06-02 plugin id 14016 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14016 title Mandrake Linux Security Advisory : samba (MDKSA-2003:032) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:032. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14016); script_version ("1.20"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2003-0085", "CVE-2003-0086"); script_xref(name:"MDKSA", value:"2003:032"); script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2003:032)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "<p>The SuSE security team, during an audit of the Samba source code, found a flaw in the main smbd code which could allow an external attacker to remotely and anonymously gain root privilege on a system running the Samba server. This flaw exists in all version of Samba 2.x up to and including 2.2.7a. The Samba team announced 2.2.8 today, however these updated packages include a patch that corrects this problem.</p> <p>MandrakeSoft urges all users to upgrade immediately. If you are unable to apply the updated packages (perhaps due to unavailability on your preferred mirror), the following steps can be taken to protect an unpatched system:</p> <p>The 'hosts allow' and 'hosts deny' options in the smb.conf file can be used to allow access to your Samba server by only selected hosts; for example:</p> <pre> hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 hosts deny = 0.0.0.0/0 </pre> <p>This will disallow all connections from machines that are not the localhost or in the 192.168.2 and 192.168.3 private networks. Alternatively, you can tell Samba to listen to only specific network interfaces by using the 'interfaces' and 'bind interfaces only' options:</p> <pre> interfaces = eth1 lo bind interfaces only = yes </pre> <p>Obviously, use the internal interface for your network and not an external interface connected to the internet. You may also choose to firewall off some UDP and TCP ports in addition to the previously mentioned suggestions by blocking external access to ports 137 and 138 (UDP) and ports 139 and 445 (TCP).</p> <p>These steps should only be used as a temporary preventative measure and all users should upgrade as quickly as possible.</p> <p>Thanks to Sebastian Krahmer and the SuSE security team for performing the audit, Jeremy Allison for providing the fix, and Andrew Tridgell for providing advice on how to protect an unpatched Samba system.</p>" ); # http://www.samba.org/samba/whatsnew/samba-2.2.8.html script_set_attribute( attribute:"see_also", value:"http://www.samba.org/samba/history/samba-2.2.10.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nss_wins"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-swat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-winbind"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nss_wins-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-winbind-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nss_wins-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-winbind-2.2.7a-8.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gain a shell remotely NASL id SAMBA_FRAGS_OVERFLOW.NASL description The remote Samba server, according to its version number, is vulnerable to a remote buffer overflow when receiving specially crafted SMB fragment packets. An attacker needs to be able to access at least one share to exploit this flaw. In addition, it is reported that Samba contains a flaw related to the handling of .reg files that may allow a local user to overwrite arbitrary file. last seen 2020-06-01 modified 2020-06-02 plugin id 11398 published 2003-03-15 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11398 title Samba < 2.2.8 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # # Ref: # From: Wichert Akkerman <[email protected]> # Subject: [SECURITY] [DSA-262-1] samba security fix # Resent-Message-ID: <VvQa6C.A.oDH.Ng1c-@murphy> # To: [email protected] # include("compat.inc"); if(description) { script_id(11398); script_version ("1.21"); script_cve_id("CVE-2003-0085", "CVE-2003-0086"); script_bugtraq_id(7106, 7107); script_xref(name:"RHSA", value:"2003:095-03"); script_xref(name:"SuSE", value:"SUSE-SA:2003:016"); script_name(english: "Samba < 2.2.8 Multiple Vulnerabilities"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code may be run on the remote server." ); script_set_attribute(attribute:"description", value: "The remote Samba server, according to its version number, is vulnerable to a remote buffer overflow when receiving specially crafted SMB fragment packets. An attacker needs to be able to access at least one share to exploit this flaw. In addition, it is reported that Samba contains a flaw related to the handling of .reg files that may allow a local user to overwrite arbitrary file." ); script_set_attribute(attribute:"solution", value: "Upgrade to Samba 2.2.8." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/15"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/03/15"); script_cvs_date("Date: 2018/07/27 18:38:14"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba"); script_end_attributes(); script_summary(english: "checks samba version"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_family(english: "Gain a shell remotely"); script_dependencie("smb_nativelanman.nasl"); script_require_keys("SMB/NativeLanManager"); exit(0); } # # The script code starts here # lanman = get_kb_item("SMB/NativeLanManager"); if("Samba" >< lanman) { if(ereg(pattern:"Samba 2\.(0\..*|2\.[0-7][^0-9].*)", string:lanman))security_hole(139); }NASL family Gain a shell remotely NASL id SAMBA_TNG_FLAWS.NASL description The remote Samba server, according to its version number, is vulnerable to multiple flaws that could let an attacker gain a root shell on this host. last seen 2020-06-01 modified 2020-06-02 plugin id 11442 published 2003-03-22 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11442 title Samba TNG < 0.3.1 Multiple Remote Vulnerabilities code # # (C) Tenable Network Security, Inc. # # Ref: # # Date: Sat, 22 Mar 2003 21:03:11 +0100 (CET) # From: Stephan Lauffer <[email protected]> # To: [email protected] # Cc: [email protected], <[email protected]> # Subject: [ANNOUNCE] Samba-TNG 0.3.1 Security Release include("compat.inc"); if (description) { script_id(11442); script_version("1.17"); script_cvs_date("Date: 2018/07/27 18:38:14"); script_cve_id("CVE-2003-0085"); script_bugtraq_id(7106, 7206); script_name(english: "Samba TNG < 0.3.1 Multiple Remote Vulnerabilities"); script_summary(english: "checks samba version"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code may be run on the remote server."); script_set_attribute(attribute:"description", value: "The remote Samba server, according to its version number, is vulnerable to multiple flaws that could let an attacker gain a root shell on this host."); script_set_attribute(attribute:"solution", value: "Upgrade to Samba TNG 0.3.1"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/22"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/27"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_family(english: "Gain a shell remotely"); script_dependencie("smb_nativelanman.nasl"); script_require_keys("SMB/NativeLanManager"); exit(0); } # # The script code starts here # lanman = get_kb_item("SMB/NativeLanManager"); if("Samba" >< lanman) { if(ereg(pattern:"Samba TNG-alpha$", string:lanman))security_hole(139); }
Oval
| accepted | 2010-09-20T04:00:29.162-04:00 | ||||||||||||||||
| class | vulnerability | ||||||||||||||||
| contributors |
| ||||||||||||||||
| description | Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code. | ||||||||||||||||
| family | unix | ||||||||||||||||
| id | oval:org.mitre.oval:def:552 | ||||||||||||||||
| status | accepted | ||||||||||||||||
| submitted | 2003-08-11T12:00:00.000-04:00 | ||||||||||||||||
| title | SMB/CIFS Packet Fragment Re-assembly BO | ||||||||||||||||
| version | 41 |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/82287/nttrans.rb.txt |
| id | PACKETSTORM:82287 |
| last seen | 2016-12-05 |
| published | 2009-10-28 |
| reporter | H D Moore |
| source | https://packetstormsecurity.com/files/82287/Samba-nttrans-Overflow.html |
| title | Samba nttrans Overflow |
Redhat
| advisories |
|
References
- ftp://patches.sgi.com/support/free/security/advisories/20030302-01-I
- http://marc.info/?l=bugtraq&m=104792646416629&w=2
- http://marc.info/?l=bugtraq&m=104792723017768&w=2
- http://marc.info/?l=bugtraq&m=104801012929374&w=2
- http://secunia.com/advisories/8299
- http://secunia.com/advisories/8303
- http://www.debian.org/security/2003/dsa-262
- http://www.gentoo.org/security/en/glsa/glsa-200303-11.xml
- http://www.kb.cert.org/vuls/id/298233
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:032
- http://www.novell.com/linux/security/advisories/2003_016_samba.html
- http://www.redhat.com/support/errata/RHSA-2003-095.html
- http://www.redhat.com/support/errata/RHSA-2003-096.html
- http://www.securityfocus.com/archive/1/316165/30/25370/threaded
- http://www.securityfocus.com/archive/1/317145/30/25220/threaded
- http://www.securityfocus.com/bid/7106
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A552