
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.

Vulnerable Configurations

Part Description Count
Application
Samba
23
Application
Samba-Tng
2
Application
Hp
8
OS
Compaq
25
OS
Hp
8
OS
Sun
11

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-044.NASL
    descriptionAn exploitable buffer overflow was discovered in the Samba server that can lead to an anonymous remote root compromise. The Samba Team also discovered some potential overflows during an internal code audit which was done in response to the previously noted buffer overflow problem. All versions of Samba prior to 2.2.8a are vulnerable. The provided updates contain a patch from the Samba Team to correct the issue. An exploit is known to exist and all Mandrake Linux users are encouraged to upgrade immediately.
    last seen2020-06-01
    modified2020-06-02
    plugin id14028
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14028
    titleMandrake Linux Security Advisory : samba (MDKSA-2003:044)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:044. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Plugin registration block: when the scanner loads this script with
    # `description` set, only the metadata below is recorded and the script
    # exits before any host checks run (see exit(0) at the end of the block).
    if (description)
    {
      script_id(14028);
      script_version ("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      # Advisory MDKSA-2003:044 ships the Samba Team patch for both CVEs fixed
      # in Samba 2.2.8a.
      script_cve_id("CVE-2003-0196", "CVE-2003-0201");
      script_xref(name:"MDKSA", value:"2003:044");
    
      script_name(english:"Mandrake Linux Security Advisory : samba (MDKSA-2003:044)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An exploitable buffer overflow was discovered in the Samba server that
    can lead to an anonymous remote root compromise. The Samba Team also
    discovered some potential overflows during an internal code audit
    which was done in response to the previously noted buffer overflow
    problem.
    
    All versions of Samba prior to 2.2.8a are vulnerable. The provided
    updates contain a patch from the Samba Team to correct the issue.
    
    An exploit is known to exist and all Mandrake Linux users are
    encouraged to upgrade immediately."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      # Exploit-status attributes are reporting metadata only; this plugin is a
      # local package check (plugin_type "local" below) and never touches the
      # Samba service itself.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Samba trans2open Overflow (Solaris SPARC)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      # One p-cpe per package checked in the rpm_check() calls below, plus the
      # three Mandrake releases the fixed packages were built for.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nss_wins");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-winbind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/04/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # The check logic reads exactly these KB keys (local checks enabled, CPU,
      # release, rpm list); they are populated by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
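    # Host checks. The KB keys read here are the ones declared in
    # script_require_keys(); any missing key ends the run with an audit()
    # rather than a (false) "not affected" result.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # Fixed: the OS name in this audit message was misspelled ("Mandake") and
    # disagreed with the one used for the unsupported-architecture case below.
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 builds of the fixed packages are referenced below, so any other
    # architecture is reported as "not implemented" rather than "not affected".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    # The same seven packages at the same fixed version-release apply to every
    # affected Mandrake release. Iterate release-major, package-minor so the
    # rpm_check() calls happen in the same order as the fully expanded form.
    fixed_pkgs = make_list(
      "nss_wins", "samba-client", "samba-common", "samba-doc",
      "samba-server", "samba-swat", "samba-winbind"
    );
    fixed_vr = "2.2.7a-9.2mdk";
    
    flag = 0;
    foreach rel (make_list("MDK8.2", "MDK9.0", "MDK9.1"))
    {
      foreach pkg (fixed_pkgs)
      {
        if (rpm_check(release:rel, cpu:"i386", reference:pkg + "-" + fixed_vr, yank:"mdk")) flag++;
      }
    }
    
    if (flag)
    {
      # rpm_report_get() presumably returns the per-package findings collected
      # by the rpm_check() calls above; confirm against rpm.inc.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");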
    
  • NASL familyMisc.
    NASL idSAMBA_2_2_8.NASL
    descriptionThe version of Samba running on the remote host is prior to 2.2.8a. It is, therefore, affected by a remote code execution vulnerability in the SMB/CIFS packet fragment re-assembly code in smbd. An unauthenticated, remote attacker can exploit this to inject binary specific exploit code into smbd and gain root access on a Samba serving system. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
    last seen2020-06-01
    modified2020-06-02
    plugin id122056
    published2019-02-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122056
    titleSamba < 2.2.8a Remote Code Execution Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration block: when the scanner loads this script with
    # `description` set, only the metadata below is recorded and the script
    # exits before the version check runs (see exit(0) at the end of the block).
    if (description)
    {
      script_id(122056);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/31 15:18:51");
    
      script_cve_id("CVE-2003-0196", "CVE-2003-0201");
      script_bugtraq_id(7294, 7295);
    
      script_name(english:"Samba < 2.2.8a Remote Code Execution Vulnerability");
      script_summary(english:"Checks the version of Samba.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Samba server is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Samba running on the remote host is prior to
    2.2.8a. It is, therefore, affected by a remote code execution 
    vulnerability in the SMB/CIFS packet fragment re-assembly code
    in smbd.  An unauthenticated, remote attacker can exploit this to
    inject binary specific exploit code into smbd and gain root access
    on a Samba serving system.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://www.samba.org/samba/history/samba-2.2.8a.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Samba version 2.2.8a or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      # The CVSS vectors above are attributed to the companion CVE-2003-0201,
      # not to CVE-2003-0196 itself.
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0201");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Samba trans2open Overflow (Solaris SPARC)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      # NOTE(review): the vuln/patch publication dates here are 2008, while the
      # distribution plugins for the same CVEs (e.g. DSA-280, MDKSA-2003:044)
      # record 2003/04/07 — worth confirming against the see_also release page.
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/08/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/08");
    
      # The finding is inferred from the self-reported version only (see the
      # description text), hence "potential_vulnerability" and the paranoid-mode
      # gate in the check logic below.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # The Samba version comes from the KB keys written by smb_nativelanman.nasl;
      # Settings/ParanoidReport is required because the check only reports in
      # paranoid mode.
      script_dependencies("smb_nativelanman.nasl");
      script_require_keys("SMB/NativeLanManager", "SMB/samba", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("vcf.inc");
    include("vcf_extras.inc");
    
    # Version-only check: the plugin cannot distinguish a backported fix from a
    # vulnerable build by banner alone, so it reports only in paranoid mode.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    samba_info = vcf::samba::get_app_info();
    # sig_segments:3 — presumably audits out when the reported version has
    # fewer than three components; confirm against vcf.inc.
    vcf::check_granularity(app_info:samba_info, sig_segments:3);
    
    # Everything up to and including 2.2.8 is affected; 2.2.8a carries the fix.
    affected_ranges = [ {"max_version" : "2.2.8", "fixed_version" : "2.2.8a"} ];
    
    vcf::check_version_and_report(app_info:samba_info, constraints:affected_ranges, severity:SECURITY_HOLE, strict:FALSE);
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-280.NASL
    descriptionDigital Defense, Inc. has alerted the Samba Team to a serious vulnerability in Samba, a LanManager-like file and printer server for Unix. This vulnerability can lead to an anonymous user gaining root access on a Samba serving system. An exploit for this problem is already circulating and in use. Since the packages for potato are quite old it is likely that they contain more security-relevant bugs that we don't know of. You are therefore advised to upgrade your systems running Samba to woody soon.
    last seen2020-06-01
    modified2020-06-02
    plugin id15117
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15117
    titleDebian DSA-280-1 : samba - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-280. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration block: when the scanner loads this script with
    # `description` set, only the metadata below is recorded and the script
    # exits before any host checks run (see exit(0) at the end of the block).
    if (description)
    {
      script_id(15117);
      script_version("1.27");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      # DSA-280 covers both Samba CVEs fixed in 2.2.8a; CERT VU#267873 is the
      # vendor-independent advisory for the same issue.
      script_cve_id("CVE-2003-0196", "CVE-2003-0201");
      script_bugtraq_id(7294, 7295);
      script_xref(name:"CERT", value:"267873");
      script_xref(name:"DSA", value:"280");
    
      script_name(english:"Debian DSA-280-1 : samba - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Digital Defense, Inc. has alerted the Samba Team to a serious
    vulnerability in Samba, a LanManager-like file and printer server for
    Unix. This vulnerability can lead to an anonymous user gaining root
    access on a Samba serving system. An exploit for this problem is
    already circulating and in use.
    
    Since the packages for potato are quite old it is likely that they
    contain more security-relevant bugs that we don't know of. You are
    therefore advised to upgrade your systems running Samba to woody soon.
    
    Unofficial backported packages from the Samba maintainers for version
    2.2.8 of Samba for woody are available at ~peloy and ~vorlon."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://people.debian.org/~peloy/samba/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://people.debian.org/~vorlon/samba/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-280"
      );
      # The two fixed versions quoted here are the references the deb_check()
      # calls below compare against (potato = 2.2, woody = 3.0).
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the Samba packages immediately.
    
    For the stable distribution (woody) this problem has been fixed in
    version 2.2.3a-12.3.
    
    For the old stable distribution (potato) this problem has been fixed
    in version 2.0.7-5.1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      # Exploit-status attributes are reporting metadata only; this plugin is a
      # local package check (plugin_type "local" below) and never touches the
      # Samba service itself.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Samba trans2open Overflow (Solaris SPARC)');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/04/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/04/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # The check logic reads exactly these KB keys (local checks enabled,
      # release, dpkg -l output); they are populated by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Host checks. The KB keys read here are the ones declared in
    # script_require_keys(); a missing key ends the run with an audit().
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Package sets differ per release: potato (2.2) shipped six binary packages
    # from the samba source, woody (3.0) ten. Fixed versions match the solution
    # text in the description block.
    potato_pkgs = make_list(
      "samba", "samba-common", "samba-doc", "smbclient", "smbfs", "swat"
    );
    woody_pkgs = make_list(
      "libpam-smbpass", "libsmbclient", "libsmbclient-dev", "samba",
      "samba-common", "samba-doc", "smbclient", "smbfs", "swat", "winbind"
    );
    
    # Same call order as the expanded form: all potato packages, then all
    # woody packages.
    flag = 0;
    foreach pkg (potato_pkgs)
    {
      if (deb_check(release:"2.2", prefix:pkg, reference:"2.0.7-5.1")) flag++;
    }
    foreach pkg (woody_pkgs)
    {
      if (deb_check(release:"3.0", prefix:pkg, reference:"2.2.3a-12.3")) flag++;
    }
    
    if (flag)
    {
      # deb_report_get() presumably returns the per-package findings collected
      # by the deb_check() calls above; confirm against debian_package.inc.
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-138.NASL
    descriptionUpdated Samba packages that fix a security vulnerability are now available. Samba is a suite of utilities which provides file and printer sharing services to SMB/CIFS clients. A security vulnerability has been found in versions of Samba up to and including 2.2.8. An anonymous user could exploit the vulnerability to gain root access on the target machine. Note that this is a different vulnerability than the one fixed by RHSA-2003:096. An exploit for this vulnerability is publicly available. All users of Samba are advised to update to the packages listed in this erratum, which contain a backported patch correcting this vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id12387
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12387
    titleRHEL 2.1 : samba (RHSA-2003:138)
  • NASL familyGain a shell remotely
    NASL idSAMBA_TRANS2OPEN_OVERFLOW.NASL
    descriptionThe remote Samba server is vulnerable to a buffer overflow when it calls the function trans2open(). An attacker may exploit this flaw to gain a root shell on this host. In addition, it is reported that this version of Samba is vulnerable to additional overflows, although Nessus has not checked for them.
    last seen2020-06-01
    modified2020-06-02
    plugin id11523
    published2003-04-07
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11523
    titleSamba < 2.2.8a / 3.0.0 Multiple Remote Overflows

Oval

accepted2010-09-20T04:00:29.864-04:00
classvulnerability
contributors
  • nameJay Beale
    organizationBastille Linux
  • nameJay Beale
    organizationBastille Linux
  • nameThomas R. Jones
    organizationMaitreya Security
  • nameJonathan Baker
    organizationThe MITRE Corporation
descriptionMultiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201.
familyunix
idoval:org.mitre.oval:def:564
statusaccepted
submitted2003-08-17T12:00:00.000-04:00
titleMultiple Buffer Overflows in Samba
version41

Redhat

advisories
rhsa
idRHSA-2003:137