Vulnerabilities > CVE-2007-0453 - Unspecified vulnerability in Samba

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
samba
nessus

Summary

Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions.

Nessus

  • NASL familyMisc.
    NASL idSAMBA_3_0_24.NASL
    descriptionAccording to its version number, the remote Samba server is affected by several flaws : - A denial of service issue occuring if an authenticated attacker sends a large number of CIFS session requests which will cause an infinite loop to occur in the smbd daemon, thus utilizing CPU resources and denying access to legitimate users ; - A remote format string vulnerability that could be exploited by an attacker with write access to a remote share by sending a malformed request to the remote service (this issue only affects installations sharing an AFS file system when the afsacl.so VFS module is loaded) - A remote buffer overflow vulnerability affecting the NSS lookup capability of the remote winbindd daemon
    last seen2020-06-01
    modified2020-06-02
    plugin id24685
    published2007-02-22
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24685
    titleSamba < 3.0.24 Multiple Flaws
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(24685);
     script_version("1.17");
     script_cvs_date("Date: 2018/07/27 18:38:14");
    
     script_cve_id("CVE-2007-0452", "CVE-2007-0453", "CVE-2007-0454");
     script_bugtraq_id(22395, 22403, 22410);
    
     script_name(english:"Samba < 3.0.24 Multiple Flaws");
     script_summary(english:"Checks the version of Samba");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote Samba server is affected by several vulnerabilities that
    could lead to remote code execution");
     script_set_attribute(attribute:"description", value:
    "According to its version number, the remote Samba server is affected
    by several flaws :
    
      - A denial of service issue occuring if an authenticated
        attacker sends a large number of CIFS session requests
        which will cause an infinite loop to occur in the smbd
        daemon, thus utilizing CPU resources and denying access
        to legitimate users ;
    
      - A remote format string vulnerability that could be
        exploited by an attacker with write access to a remote
        share by sending a malformed request to the remote
        service (this issue only affects installations sharing
        an AFS file system when the afsacl.so VFS module is
        loaded)
    
      - A remote buffer overflow vulnerability affecting the NSS
        lookup capability of the remote winbindd daemon");
     script_set_attribute(attribute:"solution", value:"Upgrade to Samba 3.0.24 or newer");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/05");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/22");
    
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
    
     script_dependencie("smb_nativelanman.nasl");
     script_require_keys("Settings/ParanoidReport", "SMB/NativeLanManager");
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    
    #
    # Many distributions backported the fixes so this check
    # is unreliable
    #
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    lanman = get_kb_item("SMB/NativeLanManager");
    if("Samba" >< lanman)
    {
     if(ereg(pattern:"Samba 3\.0\.([0-9]|1[0-9]|2[0-3])[^0-9]*$", string:lanman, icase:TRUE))
       security_hole(get_kb_item("SMB/transport"));
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2007-038-01.NASL
    descriptionNew samba packages are available for Slackware 10.0, 10.1, 10.2, and 11.0 to fix a denial-of-service security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id24668
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24668
    titleSlackware 10.0 / 10.1 / 10.2 / 11.0 : samba (SSA:2007-038-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2007-038-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24668);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2007-0452", "CVE-2007-0453", "CVE-2007-0454");
      script_xref(name:"SSA", value:"2007-038-01");
    
      script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 : samba (SSA:2007-038-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New samba packages are available for Slackware 10.0, 10.1, 10.2, and
    11.0 to fix a denial-of-service security issue."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.476916
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?a94795e7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected samba package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/02/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"10.0", pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;
    
    if (slackware_check(osver:"10.1", pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;
    
    if (slackware_check(osver:"10.2", pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
    
    if (slackware_check(osver:"11.0", pkgname:"samba", pkgver:"3.0.24", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Seebug

bulletinFamilyexploit
descriptionSamba是一套实现SMB(Server Messages Block)协议、跨平台进行文件共享和打印共享服务的程序。 Sun Solaris的nss_winbind.so.1库实现上存在漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。 如果Sun Solaris系统运行Samba的winbindd守护程序且配置为使用nss_winbind.so.1库进行gethostbyname()和getipnodebyname()名称解析查询的话,如: ## /etc/nsswitch.conf ... ipnodes: files winbind hosts: files winbind 则在将请求发送给winbindd守护程序之前,在把传送给NSS接口的字符串拷贝到静态缓冲区时可能会触发缓冲区溢出,导致执行任意指令。 Samba Samba 3.0.6 - 3.0.23d - Sun Solaris 9.0 - Sun Solaris 8.0 - Sun Solaris 10.0 临时解决方法: * 从/etc/nsswitch.conf删除winbind项。 厂商补丁: Samba ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://samba.org/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0453.patch" target="_blank">http://samba.org/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0453.patch</a>
idSSV:1371
last seen2017-11-19
modified2007-02-07
published2007-02-07
reporterRoot
titleSamba NSS主机查询Winbind多个远程缓冲区溢出漏洞

Statements

contributorMark J Cox
lastmodified2007-05-14
organizationRed Hat
statementNot vulnerable. These issues did not affect Linux versions of Samba.