CVE-2007-2444 - Improper Privilege Management vulnerability in multiple products
Metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |

Summary
Logic error in the SID/Name translation functionality in smbd in Samba 3.0.23d through 3.0.25pre2 allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the root user.
Vulnerable Configurations
Part | Count |
---|---|
Application | 3 |
OS | 2 |
OS | 3 |
Common Weakness Enumeration (CWE)
- CWE-269: Improper Privilege Management
Common Attack Pattern Enumeration and Classification (CAPEC)
- Restful Privilege Elevation (CAPEC-58): REST uses the standard HTTP methods (GET, PUT, DELETE) as a permission model, but these methods are not necessarily correlated with the back-end programs they invoke. A strict interpretation of HTTP GET means that GET services should never be used to delete information on the server, but there is no access-control mechanism that enforces this. Unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder that calls out to a program which updates orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates instead of merely retrieving data. This may result in malicious or inadvertent alteration of data on the server.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SAMBA-3350.NASL description Specially crafted MS-RPC packets could overwrite heap memory and therfore could potentially be exploited to execute code (CVE-2007-2446). Authenticated users could leverage specially crafted MS-RPC packets to pass arguments unfiltered to /bin/sh (CVE-2007-2447). A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB protocol operations as root (CVE-2007-2444). last seen 2020-06-01 modified 2020-06-02 plugin id 27430 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27430 title openSUSE 10 Security Update : samba (samba-3350) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update samba-3350. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27430); script_version ("1.14"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-2444", "CVE-2007-2446", "CVE-2007-2447"); script_name(english:"openSUSE 10 Security Update : samba (samba-3350)"); script_summary(english:"Check for the samba-3350 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Specially crafted MS-RPC packets could overwrite heap memory and therfore could potentially be exploited to execute code (CVE-2007-2446). Authenticated users could leverage specially crafted MS-RPC packets to pass arguments unfiltered to /bin/sh (CVE-2007-2447). A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB protocol operations as root (CVE-2007-2444)." 
); script_set_attribute( attribute:"solution", value:"Update the affected samba packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmsrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmsrpc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-client-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-python"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-winbind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-winbind-32bit"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2007/05/14"); 
script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.2", reference:"libmsrpc-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"libmsrpc-devel-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"libsmbclient-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"libsmbclient-devel-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"samba-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"samba-client-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"samba-python-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"samba-winbind-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", cpu:"x86_64", reference:"libsmbclient-32bit-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", cpu:"x86_64", reference:"samba-32bit-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", 
cpu:"x86_64", reference:"samba-client-32bit-3.0.23d-19.5") ) flag++; if ( rpm_check(release:"SUSE10.2", cpu:"x86_64", reference:"samba-winbind-32bit-3.0.23d-19.5") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmsrpc / libmsrpc-devel / libsmbclient / libsmbclient-32bit / etc"); }
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_3546A83303EA11DCA51D0019B95D4F14.NASL |
description | The Samba Team reports: A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB/CIFS protocol operations as root. When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25260 |
published | 2007-05-20 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25260 |
title | FreeBSD : samba -- multiple vulnerabilities (3546a833-03ea-11dc-a51d-0019b95d4f14) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(25260);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:38");

  script_cve_id("CVE-2007-2444", "CVE-2007-2446", "CVE-2007-2447");

  script_name(english:"FreeBSD : samba -- multiple vulnerabilities (3546a833-03ea-11dc-a51d-0019b95d4f14)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The Samba Team reports :

A bug in the local SID/Name translation routines may potentially
result in a user being able to issue SMB/CIFS protocol operations as
root.

When translating SIDs to/from names using Samba local list of user and
group accounts, a logic error in the smbd daemon's internal security
stack may result in a transition to the root user id rather than the
non-root user. The user is then able to temporarily issue SMB/CIFS
protocol operations as the root user. This window of opportunity may
allow the attacker to establish additional means of gaining root
access to the server.

Various bugs in Samba's NDR parsing can allow a user to send specially
crafted MS-RPC requests that will overwrite the heap space with user
defined data.

Unescaped user input parameters are passed as arguments to /bin/sh
allowing for remote command execution.

This bug was originally reported against the anonymous calls to the
SamrChangePassword() MS-RPC function in combination with the 'username
map script' smb.conf option (which is not enabled by default).

After further investigation by Samba developers, it was determined
that the problem was much broader and impacts remote printer and file
share management as well. The root cause is passing unfiltered user
input provided via MS-RPC calls to /bin/sh when invoking external
scripts defined in smb.conf.

However, unlike the 'username map script' vulnerability, the remote
file and printer management scripts require an authenticated user
session."
  );
  # http://de5.samba.org/samba/security/CVE-2007-2444.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/security/CVE-2007-2444.html"
  );
  # http://de5.samba.org/samba/security/CVE-2007-2446.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/security/CVE-2007-2446.html"
  );
  # http://de5.samba.org/samba/security/CVE-2007-2447.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/security/CVE-2007-2447.html"
  );
  # https://vuxml.freebsd.org/freebsd/3546a833-03ea-11dc-a51d-0019b95d4f14.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5bcbde7b"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Any 3.x samba or ja-samba port below 3.0.25 (with or without the ",1"
# port epoch) is considered affected.
flag = 0;

if (pkg_test(save_report:TRUE, pkg:"samba>3.*<3.0.25")) flag++;
if (pkg_test(save_report:TRUE, pkg:"samba>3.*,1<3.0.25,1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ja-samba>3.*<3.0.25")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ja-samba>3.*,1<3.0.25,1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-1291.NASL |
description | Several issues have been identified in Samba, the SMB/CIFS file- and print-server implementation for GNU/Linux. - CVE-2007-2444 When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25228 |
published | 2007-05-16 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25228 |
title | Debian DSA-1291-1 : samba - several vulnerabilities |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1291. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(25228);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  script_cve_id("CVE-2007-2444", "CVE-2007-2446", "CVE-2007-2447");
  script_bugtraq_id(23972, 23973, 23974);
  script_xref(name:"DSA", value:"1291");

  script_name(english:"Debian DSA-1291-1 : samba - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several issues have been identified in Samba, the SMB/CIFS file- and
print-server implementation for GNU/Linux.

  - CVE-2007-2444
    When translating SIDs to/from names using Samba local
    list of user and group accounts, a logic error in the
    smbd daemon's internal security stack may result in a
    transition to the root user id rather than the non-root
    user. The user is then able to temporarily issue
    SMB/CIFS protocol operations as the root user. This
    window of opportunity may allow the attacker to
    establish additional means of gaining root access to the
    server.

  - CVE-2007-2446
    Various bugs in Samba's NDR parsing can allow a user to
    send specially crafted MS-RPC requests that will
    overwrite the heap space with user defined data.

  - CVE-2007-2447
    Unescaped user input parameters are passed as arguments
    to /bin/sh allowing for remote command execution."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-2444"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-2446"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-2447"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2007/dsa-1291"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the samba package.

For the stable distribution (etch), these problems have been fixed in
version 3.0.24-6etch1.

For the testing and unstable distributions (lenny and sid,
respectively), these problems have been fixed in version 3.0.25-1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Debian 4.0 (etch): every samba binary package must be at 3.0.24-6etch1
# or later; note the fixed build keeps the upstream version 3.0.24.
flag = 0;
if (deb_check(release:"4.0", prefix:"libpam-smbpass", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"libsmbclient", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"libsmbclient-dev", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"python-samba", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba-common", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba-dbg", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba-doc", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba-doc-pdf", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"smbclient", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"smbfs", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"swat", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"winbind", reference:"3.0.24-6etch1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2007-507.NASL |
description | This release of Samba fixes some serious security bugs: CVE-2007-2444, CVE-2007-2446, CVE-2007-2447. Official upstream announcements: http://www.samba.org/samba/security/CVE-2007-2444.html http://www.samba.org/samba/security/CVE-2007-2446.html http://www.samba.org/samba/security/CVE-2007-2447.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25234 |
published | 2007-05-16 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25234 |
title | Fedora Core 6 : samba-3.0.24-5.fc6 (2007-507) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2007-506.NASL |
description | This release of Samba fixes some serious security bugs: CVE-2007-2444, CVE-2007-2446, CVE-2007-2447. Official upstream announcements: http://www.samba.org/samba/security/CVE-2007-2444.html http://www.samba.org/samba/security/CVE-2007-2446.html http://www.samba.org/samba/security/CVE-2007-2447.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25233 |
published | 2007-05-16 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25233 |
title | Fedora Core 5 : samba-3.0.24-5.fc5 (2007-506) |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2007-104.NASL |
description | A number of bugs were discovered in the NDR parsing support in Samba that is used to decode MS-RPC requests. A remote attacker could send a carefully crafted request that would cause a heap overflow, possibly leading to the ability to execute arbitrary code on the server (CVE-2007-2446). A remote authenticated user could trigger a flaw where unescaped user input parameters were being passed as arguments to /bin/sh (CVE-2007-2447). Finally, on Samba 3.0.23d and higher, when Samba translated SIDs to/from names using the Samba local list of user and group accounts, a logic error in smbd |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25237 |
published | 2007-05-16 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25237 |
title | Mandrake Linux Security Advisory : samba (MDKSA-2007:104-1) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200705-15.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200705-15 (Samba: Multiple vulnerabilities). Samba contains a logical error in the smbd daemon when translating local SIDs to user names (CVE-2007-2444). Furthermore, Samba contains several bugs when parsing NDR-encoded RPC parameters (CVE-2007-2446). Lastly, Samba fails to properly sanitize remote procedure input provided via Microsoft Remote Procedure Calls (CVE-2007-2447). Impact: A remote attacker could exploit these vulnerabilities to gain root privileges via various vectors. Workaround: There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25236 |
published | 2007-05-16 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/25236 |
title | GLSA-200705-15 : Samba: Multiple vulnerabilities |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-460-2.NASL |
description | USN-460-1 fixed several vulnerabilities in Samba. The upstream changes for CVE-2007-2444 had an unexpected side-effect in Feisty. Shares configured with the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 28060 |
published | 2007-11-10 |
reporter | Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/28060 |
title | Ubuntu 7.04 : samba regression (USN-460-2) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-460-1.NASL |
description | Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges. (CVE-2007-2444) Brian Schafer discovered that Samba did not handle NDR parsing correctly. A remote attacker could send specially crafted MS-RPC requests that could overwrite heap memory and execute arbitrary code. (CVE-2007-2446) It was discovered that Samba did not correctly escape input parameters for external scripts defined in smb.conf. Remote authenticated users could send specially crafted MS-RPC requests and execute arbitrary shell commands. (CVE-2007-2447) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 28059 |
published | 2007-11-10 |
reporter | Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/28059 |
title | Ubuntu 6.06 LTS / 6.10 / 7.04 : samba vulnerabilities (USN-460-1) |

NASL family | Misc. |
NASL id | SAMBA_3_0_25.NASL |
description | According to its banner, the version of the Samba server installed on the remote host is affected by multiple buffer overflow and remote command injection vulnerabilities, which can be exploited remotely, as well as a local privilege escalation bug. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25217 |
published | 2007-05-15 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/25217 |
title | Samba < 3.0.25 Multiple Vulnerabilities |

NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2007-134-01.NASL |
description | New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, and -current to fix security issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25222 |
published | 2007-05-16 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/25222 |
title | Slackware 10.0 / 10.1 / 10.2 / 11.0 / current : samba (SSA:2007-134-01) |
Statements
contributor | Mark J Cox |
lastmodified | 2007-05-15 |
organization | Red Hat |
statement | Not vulnerable. These issues did not affect the versions of Samba as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. |
References
- http://www.samba.org/samba/security/CVE-2007-2444.html
- https://issues.rpath.com/browse/RPL-1366
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.475906
- http://secunia.com/advisories/25241
- http://secunia.com/advisories/25246
- http://secunia.com/advisories/25256
- http://security.gentoo.org/glsa/glsa-200705-15.xml
- http://www.trustix.org/errata/2007/0017/
- http://www.ubuntu.com/usn/usn-460-1
- http://www.securityfocus.com/bid/23974
- http://www.securitytracker.com/id?1018049
- http://secunia.com/advisories/25232
- http://secunia.com/advisories/25251
- http://secunia.com/advisories/25270
- http://secunia.com/advisories/25259
- http://secunia.com/advisories/25255
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:104
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.012.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
- http://lists.suse.com/archive/suse-security-announce/2007-May/0006.html
- http://www.ubuntu.com/usn/usn-460-2
- http://secunia.com/advisories/25289
- http://secunia.com/advisories/25675
- http://secunia.com/advisories/25772
- http://securityreason.com/securityalert/2701
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200588-1
- http://www.vupen.com/english/advisories/2007/2281
- http://www.vupen.com/english/advisories/2007/1805
- http://www.vupen.com/english/advisories/2007/2210
- http://osvdb.org/34698
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01078980
- http://www.debian.org/security/2007/dsa-1291
- http://www.securityfocus.com/archive/1/468670/100/0/threaded
- http://www.securityfocus.com/archive/1/468548/100/0/threaded