CVE-2007-0453 - Remote Buffer Overflow vulnerability in Samba NSS host lookup Winbind

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
samba
nessus

Summary

Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions.

Nessus

  • NASL family: Misc.
    NASL id: SAMBA_3_0_24.NASL
    description: According to its version number, the remote Samba server is affected by several flaws: - A denial of service issue occurring if an authenticated attacker sends a large number of CIFS session requests, which will cause an infinite loop to occur in the smbd daemon, thus utilizing CPU resources and denying access to legitimate users; - A remote format string vulnerability that could be exploited by an attacker with write access to a remote share by sending a malformed request to the remote service (this issue only affects installations sharing an AFS file system when the afsacl.so VFS module is loaded); - A remote buffer overflow vulnerability affecting the NSS lookup capability of the remote winbindd daemon
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24685
    published: 2007-02-22
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24685
    title: Samba < 3.0.24 Multiple Flaws
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(24685);
     script_version("1.17");
     script_cvs_date("Date: 2018/07/27 18:38:14");
    
     # One plugin covers the three Samba 3.0.x issues fixed together in
     # 3.0.24; the description below lists them in the same order.
     script_cve_id("CVE-2007-0452", "CVE-2007-0453", "CVE-2007-0454");
     script_bugtraq_id(22395, 22403, 22410);
    
     script_name(english:"Samba < 3.0.24 Multiple Flaws");
     script_summary(english:"Checks the version of Samba");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote Samba server is affected by several vulnerabilities that
    could lead to remote code execution");
     script_set_attribute(attribute:"description", value:
    "According to its version number, the remote Samba server is affected
    by several flaws :
    
      - A denial of service issue occuring if an authenticated
        attacker sends a large number of CIFS session requests
        which will cause an infinite loop to occur in the smbd
        daemon, thus utilizing CPU resources and denying access
        to legitimate users ;
    
      - A remote format string vulnerability that could be
        exploited by an attacker with write access to a remote
        share by sending a malformed request to the remote
        service (this issue only affects installations sharing
        an AFS file system when the afsacl.so VFS module is
        loaded)
    
      - A remote buffer overflow vulnerability affecting the NSS
        lookup capability of the remote winbindd daemon");
     script_set_attribute(attribute:"solution", value:"Upgrade to Samba 3.0.24 or newer");
      # The base vector is for the plugin as a whole (three CVEs, two of
      # them network-reachable). CVE-2007-0453 on its own is scored with a
      # local attack vector, so a hit here is not by itself a remote RCE finding.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/05");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/22");
    
     # Banner-only check: a backported fix leaves the version string unchanged,
     # so the result is reported as a potential, not confirmed, vulnerability.
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
    
     # SMB/NativeLanManager is the server banner recorded by smb_nativelanman.nasl;
     # Settings/ParanoidReport gates the version check in the body of the script.
     script_dependencie("smb_nativelanman.nasl");
     script_require_keys("Settings/ParanoidReport", "SMB/NativeLanManager");
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    
    # The Samba banner does not reveal backported fixes, so this
    # version-only check is only run when paranoid reporting is enabled.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Native LAN Manager banner advertised by the remote server
    # (recorded by smb_nativelanman.nasl).
    banner = get_kb_item("SMB/NativeLanManager");
    
    # Matches a banner ending in Samba 3.0.0 through 3.0.23, with an
    # optional letter suffix such as 3.0.23d; 3.0.24 and later do not match.
    vuln_re = "Samba 3\.0\.([0-9]|1[0-9]|2[0-3])[^0-9]*$";
    if ("Samba" >< banner && ereg(pattern:vuln_re, string:banner, icase:TRUE))
      security_hole(get_kb_item("SMB/transport"));
    
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2007-038-01.NASL
    description: New samba packages are available for Slackware 10.0, 10.1, 10.2, and 11.0 to fix a denial-of-service security issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24668
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24668
    title: Slackware 10.0 / 10.1 / 10.2 / 11.0 : samba (SSA:2007-038-01)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2007-038-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24668);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      # The advisory text below only mentions denial of service, but the
      # fixed package version checked in the body (3.0.24) also closes
      # CVE-2007-0453 and CVE-2007-0454, hence all three are listed here.
      script_cve_id("CVE-2007-0452", "CVE-2007-0453", "CVE-2007-0454");
      script_xref(name:"SSA", value:"2007-038-01");
    
      script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 : samba (SSA:2007-038-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New samba packages are available for Slackware 10.0, 10.1, 10.2, and
    11.0 to fix a denial-of-service security issue."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.476916
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a94795e7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected samba package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Credentialed check: decided from the installed package list, not
      # from the network banner, so it is not fooled by backported fixes.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/02/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      # The KB keys required here are re-checked in the body before any
      # package comparison is attempted.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    # Preconditions: credentialed checks enabled, host identified as
    # Slackware, and its package list collected. audit() exits the script.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only i386-class and x86_64 package names are known to this plugin.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    # One fixed package per supported release: samba-3.0.24-i486-1_slack<release>.
    # flag counts the releases whose installed samba is older than the fix.
    flag = 0;
    foreach release (make_list("10.0", "10.1", "10.2", "11.0"))
    {
      if (slackware_check(osver:release, pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack" + release)) flag++;
    }
    
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # In verbose mode the installed-vs-fixed package comparison is attached
    # to the finding; otherwise only the hole is reported.
    if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
    else security_hole(0);
    exit(0);
    

Seebug

bulletinFamily: exploit
description: Samba是一套实现SMB(Server Messages Block)协议、跨平台进行文件共享和打印共享服务的程序。 Sun Solaris的nss_winbind.so.1库实现上存在漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。 如果Sun Solaris系统运行Samba的winbindd守护程序且配置为使用nss_winbind.so.1库进行gethostbyname()和getipnodebyname()名称解析查询的话,如: ## /etc/nsswitch.conf ... ipnodes: files winbind hosts: files winbind 则在将请求发送给winbindd守护程序之前,在把传送给NSS接口的字符串拷贝到静态缓冲区时可能会触发缓冲区溢出,导致执行任意指令。 Samba Samba 3.0.6 - 3.0.23d - Sun Solaris 9.0 - Sun Solaris 8.0 - Sun Solaris 10.0 临时解决方法: * 从/etc/nsswitch.conf删除winbind项。 厂商补丁: Samba ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://samba.org/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0453.patch" target="_blank">http://samba.org/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0453.patch</a>
id: SSV:1371
last seen: 2017-11-19
modified: 2007-02-07
published: 2007-02-07
reporter: Root
title: Samba NSS主机查询Winbind多个远程缓冲区溢出漏洞

Statements

contributor: Mark J Cox
last modified: 2007-05-14
organization: Red Hat
statement: Not vulnerable. These issues did not affect Linux versions of Samba.