Vulnerabilities > CVE-2004-0600

047910
CVSS 10.0 - CRITICAL (CVSS v2 base score; vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
samba
trustix
critical
nessus
exploit available

Summary

Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication.

Exploit-Db

description: Samba <= 3.0.4 SWAT Authorization Buffer Overflow Exploit. CVE-2004-0600. Remote exploit for linux platform
id: EDB-ID:364
last seen: 2016-01-31
modified: 2004-07-22
published: 2004-07-22
reporter: Noam Rathaus
source: https://www.exploit-db.com/download/364/
title: Samba <= 3.0.4 SWAT Authorization Buffer Overflow Exploit

Nessus

  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2004-207-01.NASL
    description: New samba packages are available for Slackware 8.1, 9.0, 9.1, 10.0 and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18774
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18774
    title: Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : new samba packages (SSA:2004-207-01)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2004-207-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration: when `description` is set the script only declares
    # its metadata and leaves through the exit(0) at the end of this block,
    # without inspecting the host.
    if (description)
    {
      script_id(18774);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      # One plugin covers both CVE ids, so a finding from it does not say which
      # of the two Samba issues applies to the installed package.
      script_cve_id("CVE-2004-0600", "CVE-2004-0686");
      script_xref(name:"SSA", value:"2004-207-01");
    
      script_name(english:"Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : new samba packages (SSA:2004-207-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New samba packages are available for Slackware 8.1, 9.0, 9.1, 10.0
    and -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.407946
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8156733a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected samba package.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # "local": the verdict comes from the host's package inventory (see the
      # summary above and the required KB keys below), not from probing the
      # Samba or SWAT service over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/07/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      # Declared as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      # Depends on ssh_get_info.nasl and requires the three KB keys below;
      # presumably that dependency fills them from a credentialed login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    # Preconditions. Each audit() call is used as a guard: the code after it
    # assumes the condition held (audit() is defined in audit.inc, not shown).
    # The plugin needs local checks enabled, a host identified as Slackware,
    # and a collected package list.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Architecture gate: proceed only when the recorded CPU contains "x86_64"
    # or matches i386 through i686; anything else is reported as not implemented.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    # One package comparison per Slackware release; flag counts the releases
    # for which slackware_check() returned true. pkgver/pkgnum are presumably
    # the first fixed build from the advisory - the comparison itself lives in
    # slackware.inc and is not visible here.
    # NOTE(review): the 8.1 / 9.0 / 9.1 rows track Samba 2.2.x, which is outside
    # the 3.0.2 - 3.0.4 range given for CVE-2004-0600; those rows presumably
    # exist for the second CVE this plugin lists - confirm against the advisory.
    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"samba", pkgver:"2.2.10", pkgarch:"i386", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"9.0", pkgname:"samba", pkgver:"2.2.10", pkgarch:"i386", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"9.1", pkgname:"samba", pkgver:"2.2.10", pkgarch:"i486", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"10.0", pkgname:"samba", pkgver:"3.0.5", pkgarch:"i486", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"samba", pkgver:"3.0.5", pkgarch:"i486", pkgnum:"1")) flag++;
    
    
    # Report on port 0 when any comparison matched, attaching the package
    # report at verbosity above 0. The result reflects the installed package
    # only; it does not show whether SWAT is enabled or reachable on the host.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_SAMBA_304_4.NASL
    description: The following package needs to be updated: ja-samba
    last seen: 2016-09-26
    modified: 2004-07-22
    plugin id: 13656
    published: 2004-07-22
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=13656
    title: FreeBSD : Multiple Potential Buffer Overruns in Samba (173)
    code:
    #%NASL_MIN_LEVEL 999999
    
    # @DEPRECATED@
    #
    # This script has been deprecated by freebsd_pkg_2de14f7adad911d8b59a00061bc2ad93.nasl.
    #
    # Disabled on 2011/10/02.
    #
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This script contains information extracted from VuXML :
    #
    # Copyright 2003-2006 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #   copyright notice, this list of conditions and the following
    #   disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #   published online in any format, converted to PDF, PostScript,
    #   RTF and other formats) must reproduce the above copyright
    #   notice, this list of conditions and the following disclaimer
    #   in the documentation and/or other materials provided with the
    #   distribution.
    #
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    #
    #
    
    include('compat.inc');
    
    # Plugin registration for the deprecated FreeBSD check: declares metadata
    # and exits. The file header marks this plugin as deprecated and disabled.
    if ( description )
    {
     script_id(13656);
     script_version("1.19");
     # NOTE(review): the two CVE ids are registered with two separate calls;
     # whether the second call appends to or replaces the first is not visible
     # here - confirm before relying on this plugin's CVE mapping.
     script_cve_id("CVE-2004-0686");
     script_cve_id("CVE-2004-0600");
    
     script_name(english:"FreeBSD : Multiple Potential Buffer Overruns in Samba (173)");
    
    script_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');
    script_set_attribute(attribute:'description', value:'The following package needs to be updated: ja-samba');
    # CVSS v2 vector: network access, low complexity, no authentication,
    # complete confidentiality / integrity / availability impact.
    script_set_attribute(attribute: 'cvss_vector', value: 'CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C');
    script_set_attribute(attribute:'solution', value: 'Update the package on the remote host');
    # NOTE(review): this single see_also value spans several lines and mixes
    # Mozilla advisories (mfsa2008-60 to mfsa2008-64) in with the Samba and
    # Secunia references. The Mozilla URLs do not relate to a 2004 Samba issue
    # and look like stray data - do not follow them as references for this CVE.
    script_set_attribute(attribute: 'see_also', value: 'http://secunia.com/advisories/12130
    http://www.mozilla.org/security/announce/2008/mfsa2008-60.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-61.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-62.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-63.html
    http://www.mozilla.org/security/announce/2008/mfsa2008-64.html
    http://www.samba.org/samba/whatsnew/samba-2.2.10.html
    http://www.samba.org/samba/whatsnew/samba-3.0.5.html');
    script_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/2de14f7a-dad9-11d8-b59a-00061bc2ad93.html');
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/07/22");
     script_end_attributes();
     script_summary(english:"Check for ja-samba");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
     family["english"] = "FreeBSD Local Security Checks";
     script_family(english:family["english"]);
     script_dependencies("ssh_get_info.nasl");
     # Only the package-list key is required here; there is no
     # "Host/local_checks_enabled" requirement in this block.
     script_require_keys("Host/FreeBSD/pkg_info");
     exit(0);
    }
    
    # Deprecated: exit unconditionally with a pointer to the replacement plugin.
    # Nothing after this exit() is reached; the statements below are the old
    # check, left in place as a record.
    exit(0, "This plugin has been deprecated. Refer to plugin #37185 (freebsd_pkg_2de14f7adad911d8b59a00061bc2ad93.nasl) instead.");
    
    global_var cvss_score;
    cvss_score=10;
    include('freebsd_package.inc');
    
    
    # Package specifications of the old check. They read as "Samba 3.x below
    # 3.0.5", the same range with a ",1" suffix, "samba below 2.2.10" and
    # "ja-samba below 2.2.10.j1.0"; the exact matching rules are in
    # freebsd_package.inc, which is not shown - confirm there.
    pkg_test(pkg:"samba>3.*<3.0.5");
    
    pkg_test(pkg:"samba>3.*,1<3.0.5,1");
    
    pkg_test(pkg:"samba<2.2.10");
    
    pkg_test(pkg:"ja-samba<2.2.10.j1.0");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_2DE14F7ADAD911D8B59A00061BC2AD93.NASL
    description: Evgeny Demidov discovered that the Samba server has a buffer overflow in the Samba Web Administration Tool (SWAT) on decoding Base64 data during HTTP Basic Authentication. Versions 3.0.2 through 3.0.4 are affected. Another buffer overflow bug has been found in the code used to support the 'mangling method = hash' smb.conf option. The default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. Versions between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37185
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/37185
    title: FreeBSD : Multiple Potential Buffer Overruns in Samba (2de14f7a-dad9-11d8-b59a-00061bc2ad93)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    # Plugin registration: when `description` is set the script only declares
    # its metadata and leaves through the exit(0) at the end of this block.
    if (description)
    {
      script_id(37185);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:36");
    
      # Both CVE ids are attached to the same plugin, so a finding does not say
      # which of the two issues described below applies.
      script_cve_id("CVE-2004-0600", "CVE-2004-0686");
      script_xref(name:"Secunia", value:"12130");
    
      script_name(english:"FreeBSD : Multiple Potential Buffer Overruns in Samba (2de14f7a-dad9-11d8-b59a-00061bc2ad93)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      # The description covers two separate overflows with different affected
      # ranges and different preconditions: the first is in SWAT's base64
      # decoding, the second only applies with a non-default smb.conf setting.
      script_set_attribute(
        attribute:"description", 
        value:
    "Evgeny Demidov discovered that the Samba server has a buffer overflow
    in the Samba Web Administration Tool (SWAT) on decoding Base64 data
    during HTTP Basic Authentication. Versions 3.0.2 through 3.0.4 are
    affected.
    
    Another buffer overflow bug has been found in the code used to support
    the 'mangling method = hash' smb.conf option. The default setting for
    this parameter is 'mangling method = hash2' and therefore not
    vulnerable. Versions between 2.2.0 through 2.2.9 and 3.0.0 through
    3.0.4 are affected."
      );
      # http://www.securityfocus.com/archive/1/369698
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.securityfocus.com/archive/1/369698"
      );
      # http://www.securityfocus.com/archive/1/369706
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.securityfocus.com/archive/1/369706"
      );
      # http://www.samba.org/samba/whatsnew/samba-3.0.5.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/history/samba-3.0.5.html"
      );
      # http://www.samba.org/samba/whatsnew/samba-2.2.10.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/history/samba-2.2.10.html"
      );
      # https://vuxml.freebsd.org/freebsd/2de14f7a-dad9-11d8-b59a-00061bc2ad93.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?78bde05c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # "local": the verdict comes from pkg_info output (see the summary above
      # and the required KB keys below), not from probing the service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      # Declared as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      # Depends on ssh_get_info.nasl and requires the three KB keys below;
      # presumably that dependency fills them from a credentialed login - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    # Preconditions. Each audit() call is used as a guard: the code after it
    # assumes the condition held (audit() is defined in audit.inc, not shown).
    # The plugin needs local checks enabled, a host identified as FreeBSD,
    # and collected pkg_info output.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    # Four package specifications; flag counts how many pkg_test() calls
    # returned true. They read as "Samba 3.x below 3.0.5", the same range with
    # a ",1" suffix, "samba below 2.2.10" and "ja-samba below 2.2.10.j1.0";
    # the matching rules are in freebsd_package.inc, not shown - confirm there.
    # The 3.x range is wider than the 3.0.2 - 3.0.4 window the description
    # gives for the SWAT overflow, which is consistent with the second issue
    # (3.0.0 through 3.0.4) being covered by the same plugin.
    if (pkg_test(save_report:TRUE, pkg:"samba>3.*<3.0.5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"samba>3.*,1<3.0.5,1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"samba<2.2.10")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"ja-samba<2.2.10.j1.0")) flag++;
    
    # Report on port 0 when any specification matched, attaching the package
    # report at verbosity above 0. The result reflects the installed package
    # only; it does not show whether SWAT is enabled or which mangling method
    # smb.conf selects.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Web Servers
    NASL id: SWAT_OVERFLOW.NASL
    description: The remote host is running SWAT - a web-based administration tool for Samba. There is a buffer overflow condition in the remote version of this software which might allow an attacker to execute arbitrary code on the remote host by sending a malformed authorization request (or any malformed base64 data).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13660
    published: 2004-07-22
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13660
    title: Samba SWAT HTTP Basic Auth base64 Overflow
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration for the remote SWAT check: declares metadata and
    # leaves through the exit(0) at the end of this block.
    if (description)
    {
      script_id(13660);
      script_version("1.18");
      script_cvs_date("Date: 2018/11/15 20:50:25");
    
      script_cve_id("CVE-2004-0600");
      script_bugtraq_id(10780);
    
      script_name(english:"Samba SWAT HTTP Basic Auth base64 Overflow");
      script_summary(english:"SWAT overflow");
    
      script_set_attribute(attribute:"synopsis", value:"The remote service is vulnerable to a buffer overflow.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running SWAT - a web-based administration tool for
    Samba.
    
    There is a buffer overflow condition in the remote version of this
    software which might allow an attacker to execute arbitrary code on
    the remote host by sending a malformed authorization request (or any
    malformed base64 data).");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Jul/261");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Jul/268");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Jul/270");
      script_set_attribute(attribute:"solution", value:"Upgrade to Samba 3.0.5 or later.");
      # NOTE(review): this base vector rates the impact as partial (C:P/I:P/A:P),
      # while other plugins for the same CVE use complete impact
      # (C:C/I:C/A:C). Check which score your reporting pipeline takes before
      # prioritising on it.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      # Temporal vector: proof-of-concept exploit code, official fix available,
      # report confidence confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/22");
    
      # Marked as a potential finding and as a remote check: the verdict comes
      # from the service's behaviour on the network, not from package data.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      # Categorised as destructive, i.e. the check is expected to be able to
      # disrupt the tested service. Scan policies that exclude destructive
      # checks will presumably skip it - confirm in the scanner configuration.
      script_category(ACT_DESTRUCTIVE_ATTACK); # Or ACT_ATTACK ? Swat is started from inetd after all...
      script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
      script_family(english:"Web Servers");
    
      # Singular spelling, unlike the script_dependencies() calls in the other
      # plugins for this CVE; presumably an accepted older alias - confirm.
      script_dependencie("swat_detect.nasl");
      # Requires the paranoid-report setting and a SWAT service (KB entry
      # "Services/swat" or TCP port 901).
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/swat", 901);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # The check runs only when report_paranoia is 2 or higher; otherwise the
    # plugin stops here through audit().
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Port of the service registered as "swat", falling back to 901.
    port = get_service(svc: "swat", default: 901, exit_on_fail: 1);
    
    # Baseline request: an Authorization header is sent with the request and
    # the reply must contain realm="SWAT", otherwise the plugin exits without
    # reporting. exit_on_fail: 1 presumably ends the plugin when no reply
    # arrives - confirm in http.inc.
    w = http_send_recv3(method: "GET", port: port, item: "/",
      username: "", password: "", exit_on_fail: 1,
      add_headers: make_array("Authorization", "Basic aaa="));
    
    # w[0], w[1], w[2] are joined into one string for the realm test;
    # presumably status line, headers and body - confirm in http.inc.
    res = strcat(w[0], w[1], '\r\n', w[2]);
    if ('realm="SWAT"' >!< res ) exit(0);
    
    # Second request with a malformed base64 credential, the condition named
    # in the plugin description. exit_on_fail: 0, so a missing reply is
    # returned to the script instead of ending it.
    w = http_send_recv3(method:"GET", port: port, item: "/",
      username: "", password: "", exit_on_fail: 0,
      add_headers: make_array("Authorization", "Basic ="));
    
    # NOTE(review): the finding is inferred only from the absence of a reply.
    # A timeout, a reset, or a filtering device between scanner and target
    # yields the same NULL, and no follow-up request confirms the state of the
    # service. Treat a hit as potential and corroborate it with the installed
    # package version. Because the test works by provoking a failure, it can
    # disrupt SWAT on a vulnerable host; run it only where that is acceptable.
    if (isnull(w)) security_hole(port);
    
  • NASL family: Misc.
    NASL id: SAMBA_3_0_5.NASL
    description: According to its banner, the version of Samba running on the remote host is between 3.0.2 and 3.0.4, inclusive. An error exists in the base64 decoding functions, which can result in a buffer overflow.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17720
    published: 2011-11-18
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17720
    title: Samba SWAT 3.0.2 - 3.0.4 HTTP Basic Auth base64 Buffer Overflow
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-259.NASL
    description: Updated samba packages that fix buffer overflows, as well as other various bugs, are now available. Samba provides file and printer sharing services to SMB/CIFS clients. Evgeny Demidov discovered a flaw in the internal routine used by the Samba Web Administration Tool (SWAT) in Samba versions 3.0.2 through 3.0.4. When decoding base-64 data during HTTP basic authentication, an invalid base-64 character could cause a buffer overflow. If the SWAT administration service is enabled, this flaw could allow an attacker to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0600 to this issue. Additionally, the Samba team discovered a buffer overflow in the code used to support the 'mangling method = hash' smb.conf option [… remainder truncated in this listing]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13658
    published: 2004-07-22
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/13658
    title: RHEL 3 : samba (RHSA-2004:259)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2004-071.NASL
    description: A vulnerability was discovered in SWAT, the Samba Web Administration Tool. The routine used to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. This same code is also used to internally decode the sambaMungedDial attribute value when using the ldapsam passdb backend, and to decode input given to the ntlm_auth tool. This vulnerability only exists in Samba versions 3.0.2 or later; the 3.0.5 release fixes the vulnerability. Systems using SWAT, the ldapsam passdb backend, and those running winbindd and allowing third-party applications to issue authentication requests via ntlm_auth tool should upgrade immediately. (CVE-2004-0600) A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option [… remainder truncated in this listing]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14170
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14170
    title: Mandrake Linux Security Advisory : samba (MDKSA-2004:071)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2004_022.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2004:022 (samba). The Samba Web Administration Tool (SWAT) was found vulnerable to a buffer overflow in its base64 code. This buffer overflow can possibly be exploited remotely before any authentication took place to execute arbitrary code. The same piece of vulnerable code was also used in ldapsam passdb and in the ntlm_auth tool. This vulnerability only exists on Samba 3.0.2 to 3.0.4. Another buffer overflow was found in Samba 3.0.0 and later, as well as in Samba 2.2.x. This overflow exists in the hash code of the mangling method (smb.conf: mangling method = hash), the default uses hash2 which is not vulnerable. There is no temporary workaround known. The first proof-of-concept exploits were seen on public mailing lists. After the installation was successfully completed please restart the samba daemon: /usr/sbin/rcsmb restart. SWAT is called by inetd/xinetd. Therefore it is sufficient to kill all running instances of SWAT only. Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command [… remainder truncated in this listing]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13838
    published: 2004-07-25
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13838
    title: SUSE-SA:2004:022: samba
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200407-21.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200407-21 (Samba: Multiple buffer overflows). Evgeny Demidov found a buffer overflow in SWAT, located in the base64 data decoder used to handle HTTP basic authentication (CAN-2004-0600). The same flaw is present in the code used to handle the sambaMungedDial attribute value, when using the ldapsam passdb backend. Another buffer overflow was found in the code used to support the 'mangling method = hash' smb.conf option [… remainder truncated in this listing]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14554
    published: 2004-08-30
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14554
    title: GLSA-200407-21 : Samba: Multiple buffer overflows

Oval

accepted: 2013-04-29T04:14:05.944-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
description: Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication.
family: unix
id: oval:org.mitre.oval:def:11445
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication.
version: 26

Packetstorm

data source: https://packetstormsecurity.com/files/download/33855/sambaPoC.txt
id: PACKETSTORM:33855
last seen: 2016-12-05
published: 2004-07-23
reporter: Noam Rathaus
source: https://packetstormsecurity.com/files/33855/sambaPoC.txt.html
title: sambaPoC.txt

Redhat

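advisories
rhsa
id: RHSA-2004:259
rpms (presumably the updated RHEL 3 builds shipped with this advisory; their version string stays at 3.0.4, so a check that compares only the upstream Samba version can still flag a patched host — compare the full package release instead)
  • samba-0:3.0.4-6.3E
  • samba-client-0:3.0.4-6.3E
  • samba-common-0:3.0.4-6.3E
  • samba-swat-0:3.0.4-6.3E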