CVE-2007-0453 - Unspecified vulnerability in Samba

Attack vector | UNKNOWN |
---|---|
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |

Tags: samba, nessus
Summary
Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 10 |
Nessus
NASL family | Misc. |
---|---|
NASL id | SAMBA_3_0_24.NASL |
description | According to its version number, the remote Samba server is affected by several flaws: (1) a denial of service issue occurring if an authenticated attacker sends a large number of CIFS session requests, which causes an infinite loop in the smbd daemon, consuming CPU resources and denying access to legitimate users; (2) a remote format string vulnerability that could be exploited by an attacker with write access to a remote share by sending a malformed request to the remote service (this issue only affects installations sharing an AFS file system when the afsacl.so VFS module is loaded); (3) a remote buffer overflow vulnerability affecting the NSS lookup capability of the remote winbindd daemon. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24685 |
published | 2007-02-22 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24685 |
title | Samba < 3.0.24 Multiple Flaws |

code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(24685);
  script_version("1.17");
  script_cvs_date("Date: 2018/07/27 18:38:14");

  script_cve_id("CVE-2007-0452", "CVE-2007-0453", "CVE-2007-0454");
  script_bugtraq_id(22395, 22403, 22410);

  script_name(english:"Samba < 3.0.24 Multiple Flaws");
  script_summary(english:"Checks the version of Samba");

  script_set_attribute(attribute:"synopsis", value:
"The remote Samba server is affected by several vulnerabilities that
could lead to remote code execution");
  script_set_attribute(attribute:"description", value:
"According to its version number, the remote Samba server is affected
by several flaws :

  - A denial of service issue occuring if an authenticated
    attacker sends a large number of CIFS session requests
    which will cause an infinite loop to occur in the smbd
    daemon, thus utilizing CPU resources and denying access
    to legitimate users ;

  - A remote format string vulnerability that could be
    exploited by an attacker with write access to a remote
    share by sending a malformed request to the remote
    service (this issue only affects installations sharing
    an AFS file system when the afsacl.so VFS module is
    loaded)

  - A remote buffer overflow vulnerability affecting the
    NSS lookup capability of the remote winbindd daemon");
  script_set_attribute(attribute:"solution", value:"Upgrade to Samba 3.0.24 or newer");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/22");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");

  script_dependencie("smb_nativelanman.nasl");
  script_require_keys("Settings/ParanoidReport", "SMB/NativeLanManager");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");

#
# Many distributions backported the fixes so this check
# is unreliable
#
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Version-string check only: match Samba 3.0.0 through 3.0.23x
lanman = get_kb_item("SMB/NativeLanManager");
if("Samba" >< lanman)
{
  if(ereg(pattern:"Samba 3\.0\.([0-9]|1[0-9]|2[0-3])[^0-9]*$", string:lanman, icase:TRUE))
    security_hole(get_kb_item("SMB/transport"));
}
```
NASL family | Slackware Local Security Checks |
---|---|
NASL id | SLACKWARE_SSA_2007-038-01.NASL |
description | New samba packages are available for Slackware 10.0, 10.1, 10.2, and 11.0 to fix a denial-of-service security issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24668 |
published | 2007-02-18 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24668 |
title | Slackware 10.0 / 10.1 / 10.2 / 11.0 : samba (SSA:2007-038-01) |

code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2007-038-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

include("compat.inc");

if (description)
{
  script_id(24668);
  script_version("1.14");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2007-0452", "CVE-2007-0453", "CVE-2007-0454");
  script_xref(name:"SSA", value:"2007-038-01");

  script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 : samba (SSA:2007-038-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New samba packages are available for Slackware 10.0, 10.1, 10.2, and
11.0 to fix a denial-of-service security issue."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.476916
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?a94795e7"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected samba package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/02/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("slackware.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

# Installed-package check: flag any release still below samba 3.0.24
flag = 0;
if (slackware_check(osver:"10.0", pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;
if (slackware_check(osver:"10.1", pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;
if (slackware_check(osver:"10.2", pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
if (slackware_check(osver:"11.0", pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
Seebug
bulletinFamily | exploit |
description | Samba is a suite of programs implementing the SMB (Server Message Block) protocol and providing cross-platform file and print sharing services. The nss_winbind.so.1 library on Sun Solaris contains an implementation flaw that a remote attacker could exploit to execute arbitrary instructions on the server. If a Sun Solaris system runs Samba's winbindd daemon and is configured to use the nss_winbind.so.1 library for gethostbyname() and getipnodebyname() name-resolution queries, for example with `## /etc/nsswitch.conf ... ipnodes: files winbind hosts: files winbind`, then a buffer overflow can be triggered while the string passed to the NSS interface is copied into a static buffer, before the request is sent to the winbindd daemon, leading to arbitrary code execution. Affected: Samba 3.0.6 - 3.0.23d on Sun Solaris 8.0, Sun Solaris 9.0 and Sun Solaris 10.0. Workaround: remove the winbind entries from /etc/nsswitch.conf. Vendor patch (Samba): the vendor has released a patch for this security issue; download it from the vendor's site: http://samba.org/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0453.patch |
id | SSV:1371 |
last seen | 2017-11-19 |
modified | 2007-02-07 |
published | 2007-02-07 |
reporter | Root |
title | Samba NSS host lookup Winbind multiple remote buffer overflow vulnerabilities |
Statements
contributor | Mark J Cox |
lastmodified | 2007-05-14 |
organization | Red Hat |
statement | Not vulnerable. These issues did not affect Linux versions of Samba. |
References
- http://us1.samba.org/samba/security/CVE-2007-0453.html
- https://issues.rpath.com/browse/RPL-1005
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.476916
- http://www.trustix.org/errata/2007/0007
- http://www.securityfocus.com/bid/22410
- http://securitytracker.com/id?1017589
- http://secunia.com/advisories/24043
- http://secunia.com/advisories/24101
- http://secunia.com/advisories/24151
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.012.html
- http://osvdb.org/33098
- http://www.vupen.com/english/advisories/2007/0483
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32231
- http://www.securityfocus.com/archive/1/459365/100/0/threaded
- http://www.securityfocus.com/archive/1/459168/100/0/threaded