Vulnerabilities > CVE-2003-0086 - Unspecified vulnerability in Samba

047910
CVSS 1.2 - LOW
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
local
high complexity
samba
nessus

Summary

The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-096.NASL
    descriptionUpdated Samba packages are now available to fix security vulnerabilities found during a code audit. Samba is a suite of utilities which provides file and printer sharing services to SMB/CIFS clients. Sebastian Krahmer discovered a security vulnerability present in unpatched versions of Samba prior to 2.2.8. An anonymous user could use the vulnerability to gain root access on the target machine. Additionally, a race condition could allow an attacker to overwrite critical system files. All users of Samba are advised to update to the erratum packages which contain patches to correct these vulnerabilities. These packages contain the security fixes backported to the Samba 2.2.7 codebase.
    last seen2020-06-01
    modified2020-06-02
    plugin id12379
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12379
    titleRHEL 2.1 : samba (RHSA-2003:096)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:096. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12379);
      script_version ("1.31");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2003-0085", "CVE-2003-0086", "CVE-2003-1332");
      script_xref(name:"RHSA", value:"2003:096");
    
      script_name(english:"RHEL 2.1 : samba (RHSA-2003:096)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated Samba packages are now available to fix security
    vulnerabilities found during a code audit.
    
    Samba is a suite of utilities which provides file and printer sharing
    services to SMB/CIFS clients.
    
    Sebastian Krahmer discovered a security vulnerability present in
    unpatched versions of Samba prior to 2.2.8. An anonymous user could
    use the vulnerability to gain root access on the target machine.
    
    Additionally, a race condition could allow an attacker to overwrite
    critical system files.
    
    All users of Samba are advised to update to the erratum packages which
    contain patches to correct these vulnerabilities.
    
    These packages contain the security fixes backported to the Samba
    2.2.7 codebase."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0085"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0086"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-1332"
      );
      # http://www.samba.org/samba/whatsnew/samba-2.2.8.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/history/samba-2.2.10.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:096"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:096";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-2.2.7-2.21as")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-client-2.2.7-2.21as")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-common-2.2.7-2.21as")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-swat-2.2.7-2.21as")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-262.NASL
    descriptionSebastian Krahmer of the SuSE security audit team found two problems in samba, a popular SMB/CIFS implementation. The problems are : - a buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd. Since smbd runs as root an attacker can use this to gain root access to a machine running smbd. - the code to write reg files was vulnerable for a chown race which made it possible for a local user to overwrite system files Both problems have been fixed in upstream version 2.2.8, and version 2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody.
    last seen2020-06-01
    modified2020-06-02
    plugin id15099
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15099
    titleDebian DSA-262-1 : samba - remote exploit
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-262. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15099);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0085", "CVE-2003-0086");
      script_bugtraq_id(7106, 7107);
      script_xref(name:"DSA", value:"262");
    
      script_name(english:"Debian DSA-262-1 : samba - remote exploit");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Sebastian Krahmer of the SuSE security audit team found two problems
    in samba, a popular SMB/CIFS implementation. The problems are :
    
      - a buffer overflow in the SMB/CIFS packet fragment
        re-assembly code used by smbd. Since smbd runs as root
        an attacker can use this to gain root access to a
        machine running smbd.
      - the code to write reg files was vulnerable for a chown
        race which made it possible for a local user to
        overwrite system files
    
    Both problems have been fixed in upstream version 2.2.8, and version
    2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-262"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected samba package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"libpam-smbpass", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libsmbclient", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"libsmbclient-dev", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"samba", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"samba-common", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"samba-doc", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"smbclient", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"smbfs", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"swat", reference:"2.2.3a-12.1")) flag++;
    if (deb_check(release:"3.0", prefix:"winbind", reference:"2.2.3a-12.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-032.NASL
    description<p>The SuSE security team, during an audit of the Samba source code, found a flaw in the main smbd code which could allow an external attacker to remotely and anonymously gain root privilege on a system running the Samba server. This flaw exists in all version of Samba 2.x up to and including 2.2.7a. The Samba team announced 2.2.8 today, however these updated packages include a patch that corrects this problem.</p> <p>MandrakeSoft urges all users to upgrade immediately. If you are unable to apply the updated packages (perhaps due to unavailability on your preferred mirror), the following steps can be taken to protect an unpatched system:</p> <p>The
    last seen2020-06-01
    modified2020-06-02
    plugin id14016
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14016
    titleMandrake Linux Security Advisory : samba (MDKSA-2003:032)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:032. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14016);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2003-0085", "CVE-2003-0086");
      script_xref(name:"MDKSA", value:"2003:032");
    
      script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2003:032)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "<p>The SuSE security team, during an audit of the Samba source code,
    found a flaw in the main smbd code which could allow an external
    attacker to remotely and anonymously gain root privilege on a system
    running the Samba server. This flaw exists in all version of Samba 2.x
    up to and including 2.2.7a. The Samba team announced 2.2.8 today,
    however these updated packages include a patch that corrects this
    problem.</p>
    
    <p>MandrakeSoft urges all users to upgrade immediately. If you are
    unable to apply the updated packages (perhaps due to unavailability on
    your preferred mirror), the following steps can be taken to protect an
    unpatched system:</p>
    
    <p>The 'hosts allow' and 'hosts deny' options in the smb.conf file can
    be used to allow access to your Samba server by only selected hosts;
    for example:</p>
    
    <pre> hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 hosts deny
    = 0.0.0.0/0 </pre>
    
    <p>This will disallow all connections from machines that are not the
    localhost or in the 192.168.2 and 192.168.3 private networks.
    Alternatively, you can tell Samba to listen to only specific network
    interfaces by using the 'interfaces' and 'bind interfaces only'
    options:</p>
    
    <pre> interfaces = eth1 lo bind interfaces only = yes </pre>
    
    <p>Obviously, use the internal interface for your network and not an
    external interface connected to the internet. You may also choose to
    firewall off some UDP and TCP ports in addition to the previously
    mentioned suggestions by blocking external access to ports 137 and 138
    (UDP) and ports 139 and 445 (TCP).</p>
    
    <p>These steps should only be used as a temporary preventative measure
    and all users should upgrade as quickly as possible.</p>
    
    <p>Thanks to Sebastian Krahmer and the SuSE security team for
    performing the audit, Jeremy Allison for providing the fix, and Andrew
    Tridgell for providing advice on how to protect an unpatched Samba
    system.</p>"
      );
      # http://www.samba.org/samba/whatsnew/samba-2.2.8.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.samba.org/samba/history/samba-2.2.10.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nss_wins");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-winbind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"nss_wins-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"samba-winbind-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"nss_wins-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-client-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-common-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-doc-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-server-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-swat-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"samba-winbind-2.2.7a-8.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGain a shell remotely
    NASL idSAMBA_FRAGS_OVERFLOW.NASL
    descriptionThe remote Samba server, according to its version number, is vulnerable to a remote buffer overflow when receiving specially crafted SMB fragment packets. An attacker needs to be able to access at least one share to exploit this flaw. In addition, it is reported that Samba contains a flaw related to the handling of .reg files that may allow a local user to overwrite arbitrary file.
    last seen2020-06-01
    modified2020-06-02
    plugin id11398
    published2003-03-15
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11398
    titleSamba < 2.2.8 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Ref: 
    # From: Wichert Akkerman <[email protected]>
    # Subject: [SECURITY] [DSA-262-1] samba security fix
    # Resent-Message-ID: <VvQa6C.A.oDH.Ng1c-@murphy>
    # To: [email protected]
    #
    
    include("compat.inc");
    
    if(description)
    {
     script_id(11398);
     script_version ("1.21");
    
     script_cve_id("CVE-2003-0085", "CVE-2003-0086");
     script_bugtraq_id(7106, 7107);
     script_xref(name:"RHSA", value:"2003:095-03");
     script_xref(name:"SuSE", value:"SUSE-SA:2003:016");
    
     script_name(english: "Samba < 2.2.8 Multiple Vulnerabilities");
     
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code may be run on the remote server." );
     script_set_attribute(attribute:"description", value:
    "The remote Samba server, according to its version number, is vulnerable
    to a remote buffer overflow when receiving specially crafted SMB 
    fragment packets.
    
    An attacker needs to be able to access at least one share to exploit 
    this flaw.
    
    In addition, it is reported that Samba contains a flaw
    related to the handling of .reg files that may allow
    a local user to overwrite arbitrary file." );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Samba 2.2.8." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
    script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/15");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/03/15");
     script_cvs_date("Date: 2018/07/27 18:38:14");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
    script_end_attributes();
    
     script_summary(english: "checks samba version");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english: "Gain a shell remotely");
     script_dependencie("smb_nativelanman.nasl");
     script_require_keys("SMB/NativeLanManager");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    lanman = get_kb_item("SMB/NativeLanManager");
    if("Samba" >< lanman)
    {
     if(ereg(pattern:"Samba 2\.(0\..*|2\.[0-7][^0-9].*)", string:lanman))security_hole(139);
    }
    

Oval

accepted2007-04-25T19:52:35.344-04:00
classvulnerability
contributors
  • nameJay Beale
    organizationBastille Linux
  • nameJay Beale
    organizationBastille Linux
  • nameThomas R. Jones
    organizationMaitreya Security
descriptionThe code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown.
familyunix
idoval:org.mitre.oval:def:554
statusaccepted
submitted2003-08-11T12:00:00.000-04:00
titleSamba Arbitrary File Overwrite Vulnerability
version38

Redhat

advisories
  • rhsa
    idRHSA-2003:095
  • rhsa
    idRHSA-2003:096