Vulnerabilities > CVE-2007-2446 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Samba

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2007:0354. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(25239);
  script_version ("1.29");
  script_cvs_date("Date: 2019/10/25 13:36:12");

  script_cve_id("CVE-2007-2446", "CVE-2007-2447");
  script_bugtraq_id(23972, 23973, 24195, 24196, 24197, 24198);
  script_xref(name:"RHSA", value:"2007:0354");

  script_name(english:"RHEL 2.1 / 3 / 4 / 5 : samba (RHSA-2007:0354)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated samba packages that fix several security flaws are now
available.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

Samba provides file and printer sharing services to SMB/CIFS clients.

Various bugs were found in NDR parsing, used to decode MS-RPC requests
in Samba. A remote attacker could have sent carefully crafted requests
causing a heap overflow, which may have led to the ability to execute
arbitrary code on the server. (CVE-2007-2446)

Unescaped user input parameters were being passed as arguments to
/bin/sh. A remote, authenticated, user could have triggered this flaw
and executed arbitrary code on the server. Additionally, on Red Hat
Enterprise Linux 5 only, this flaw could be triggered by a remote
unauthenticated user if Samba was configured to use the non-default
'username map script' option. (CVE-2007-2447)

Users of Samba should upgrade to these packages, which contain
backported patches to correct these issues. After upgrading, Samba
should be restarted using 'service smb restart'

On Red Hat Enterprise Linux 5 the impact of these issues is reduced as
Samba is constrained by the default SELinux 'targeted' policy.

Red Hat would like to thank the Samba developers, TippingPoint, and
iDefense for reporting these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2007-2446"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2007-2447"
  );
  # http://www.samba.org/samba/security/CVE-2007-2447.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/security/CVE-2007-2447.html"
  );
  # http://www.samba.org/samba/security/CVE-2007-2446.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/security/CVE-2007-2446.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2007:0354"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:samba-swat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/16");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(2\.1|3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x / 4.x / 5.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2007:0354";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-2.2.12-1.21as.6")) flag++;

  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-client-2.2.12-1.21as.6")) flag++;

  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-common-2.2.12-1.21as.6")) flag++;

  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"samba-swat-2.2.12-1.21as.6")) flag++;


  if (rpm_check(release:"RHEL3", reference:"samba-3.0.9-1.3E.13.2")) flag++;

  if (rpm_check(release:"RHEL3", reference:"samba-client-3.0.9-1.3E.13.2")) flag++;

  if (rpm_check(release:"RHEL3", reference:"samba-common-3.0.9-1.3E.13.2")) flag++;

  if (rpm_check(release:"RHEL3", reference:"samba-swat-3.0.9-1.3E.13.2")) flag++;


  if (rpm_check(release:"RHEL4", reference:"samba-3.0.10-1.4E.12.2")) flag++;

  if (rpm_check(release:"RHEL4", reference:"samba-client-3.0.10-1.4E.12.2")) flag++;

  if (rpm_check(release:"RHEL4", reference:"samba-common-3.0.10-1.4E.12.2")) flag++;

  if (rpm_check(release:"RHEL4", reference:"samba-swat-3.0.10-1.4E.12.2")) flag++;


  if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba-client-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba-client-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba-client-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", reference:"samba-common-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", cpu:"i386", reference:"samba-swat-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"samba-swat-3.0.23c-2.el5.2.0.2")) flag++;

  if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"samba-swat-3.0.23c-2.el5.2.0.2")) flag++;


  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat");
  }
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2007:0354 and 
# CentOS Errata and Security Advisory 2007:0354 respectively.
#

include("compat.inc");

if (description)
{
  script_id(25224);
  script_version("1.19");
  script_cvs_date("Date: 2019/10/25 13:36:03");

  script_cve_id("CVE-2007-2446", "CVE-2007-2447");
  script_bugtraq_id(23972, 23973, 24195, 24196, 24197, 24198);
  script_xref(name:"RHSA", value:"2007:0354");

  script_name(english:"CentOS 3 / 4 / 5 : samba (CESA-2007:0354)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated samba packages that fix several security flaws are now
available.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

Samba provides file and printer sharing services to SMB/CIFS clients.

Various bugs were found in NDR parsing, used to decode MS-RPC requests
in Samba. A remote attacker could have sent carefully crafted requests
causing a heap overflow, which may have led to the ability to execute
arbitrary code on the server. (CVE-2007-2446)

Unescaped user input parameters were being passed as arguments to
/bin/sh. A remote, authenticated, user could have triggered this flaw
and executed arbitrary code on the server. Additionally, on Red Hat
Enterprise Linux 5 only, this flaw could be triggered by a remote
unauthenticated user if Samba was configured to use the non-default
'username map script' option. (CVE-2007-2447)

Users of Samba should upgrade to these packages, which contain
backported patches to correct these issues. After upgrading, Samba
should be restarted using 'service smb restart'

On Red Hat Enterprise Linux 5 the impact of these issues is reduced as
Samba is constrained by the default SELinux 'targeted' policy.

Red Hat would like to thank the Samba developers, TippingPoint, and
iDefense for reporting these issues."
  );
  # https://lists.centos.org/pipermail/centos-announce/2007-May/013755.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?50ae6125"
  );
  # https://lists.centos.org/pipermail/centos-announce/2007-May/013756.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?3ef38124"
  );
  # https://lists.centos.org/pipermail/centos-announce/2007-May/013759.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?77120864"
  );
  # https://lists.centos.org/pipermail/centos-announce/2007-May/013760.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7826c463"
  );
  # https://lists.centos.org/pipermail/centos-announce/2007-May/013762.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5d97895f"
  );
  # https://lists.centos.org/pipermail/centos-announce/2007-May/013763.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b218e9d1"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected samba packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:samba-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:samba-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:samba-swat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/16");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x / 5.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);


flag = 0;
if (rpm_check(release:"CentOS-3", reference:"samba-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"CentOS-3", reference:"samba-client-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"CentOS-3", reference:"samba-common-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"CentOS-3", reference:"samba-swat-3.0.9-1.3E.13.2")) flag++;

if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"samba-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"samba-client-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"samba-common-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"samba-swat-3.0.10-1.4E.12.2")) flag++;

if (rpm_check(release:"CentOS-5", reference:"samba-3.0.23c-2.el5.2.0.2")) flag++;
if (rpm_check(release:"CentOS-5", reference:"samba-client-3.0.23c-2.el5.2.0.2")) flag++;
if (rpm_check(release:"CentOS-5", reference:"samba-common-3.0.23c-2.el5.2.0.2")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat");
}

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update samba-3350.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(27430);
  script_version ("1.14");
  script_cvs_date("Date: 2019/10/25 13:36:30");

  script_cve_id("CVE-2007-2444", "CVE-2007-2446", "CVE-2007-2447");

  script_name(english:"openSUSE 10 Security Update : samba (samba-3350)");
  script_summary(english:"Check for the samba-3350 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Specially crafted MS-RPC packets could overwrite heap memory and
therfore could potentially be exploited to execute code
(CVE-2007-2446).

Authenticated users could leverage specially crafted MS-RPC packets to
pass arguments unfiltered to /bin/sh (CVE-2007-2447).

A bug in the local SID/Name translation routines may potentially
result in a user being able to issue SMB protocol operations as root
(CVE-2007-2444)."
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected samba packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmsrpc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libmsrpc-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-client-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-winbind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-winbind-32bit");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE10.2", reference:"libmsrpc-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"libmsrpc-devel-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"libsmbclient-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"libsmbclient-devel-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"samba-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"samba-client-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"samba-python-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", reference:"samba-winbind-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", cpu:"x86_64", reference:"libsmbclient-32bit-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", cpu:"x86_64", reference:"samba-32bit-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", cpu:"x86_64", reference:"samba-client-32bit-3.0.23d-19.5") ) flag++;
if ( rpm_check(release:"SUSE10.2", cpu:"x86_64", reference:"samba-winbind-32bit-3.0.23d-19.5") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmsrpc / libmsrpc-devel / libsmbclient / libsmbclient-32bit / etc");
}

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(25216);
  script_version("1.20");
 script_cvs_date("Date: 2018/07/27 18:38:14");

  script_cve_id("CVE-2007-2446");
  script_bugtraq_id(23973, 24195, 24196, 24197, 24198);

  script_name(english:"Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow");
  script_summary(english:"Checks version of Samba");

 script_set_attribute(attribute:"synopsis", value:"It is possible to execute code on the remote host through Samba.");
 script_set_attribute(attribute:"description", value:
"The version of the Samba server installed on the remote host is
affected by multiple heap overflow vulnerabilities, which can be
exploited remotely to execute code with the privileges of the Samba
daemon.");
 script_set_attribute(attribute:"see_also", value:"http://www.samba.org/samba/security/CVE-2007-2446.html");
 script_set_attribute(attribute:"solution", value:"Upgrade to Samba version 3.0.25 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'Samba lsa_io_trans_names Heap Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/07/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/15");

script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_nativelanman.nasl");
  script_require_keys("SMB/NativeLanManager");
  script_require_ports(139, 445);

  exit(0);
}


include ("smb_func.inc");
include("audit.inc");


function LsaLookupSid2 (handle, sid_array)
{
 local_var ref_id, data, sid, count, names, rep;

 ref_id = 0x20000;

 data = handle[0]  +  # Handle

        # PSID Array
        raw_dword (d:max_index (sid_array))  + # number of sid in PSID Array
        raw_dword (d:ref_id)                 + # Referent ID
        raw_dword (d:max_index (sid_array)) ;  # max_count

 ref_id++;

 # ref_id
 foreach sid (sid_array)
 {
  data += raw_dword (d:ref_id);

  ref_id++;
 }

 foreach sid (sid_array)
 {
  count = ord(sid[1]);

  data += raw_dword (d:count)   +
          sid ;
 }


 data += raw_dword (d:2)         + # count = 2 (1 more to test the flaw)
         raw_dword (d:0x20004)   + # (LSA_TRANSLATED_NAMES)
         raw_dword (d:1)         + # only 1 entry

         # name
         raw_dword (d:1) +
	 raw_word (w:0)  +
         raw_word (w:0)  +
         raw_dword (d:0) +
         raw_dword (d:0) +

         raw_dword (d:1)        + # Level (nothing else seems to work)
         raw_dword (d:0)        ; # Num mapped ?

 data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_LSALOOKUPSID, data:data);
 if (!data)
   return NULL;

 rep = dce_rpc_parse_response (fid:handle[1], data:data);
 if (!rep || (strlen (rep) < 20))
   return NULL;

 return rep;
}


lanman = get_kb_item("SMB/NativeLanManager");
if ("Samba" >!< lanman)
  audit(AUDIT_HOST_NOT, "running Samba" );


sid = raw_string (0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x20,0x02,0x00,0x00);

name	= kb_smb_name();
port	= kb_smb_transport();




if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
r = NetUseAdd(share:"IPC$");
if ( r != 1 ) audit(AUDIT_SHARE_FAIL, "IPC$");

group = NULL;

lsa = LsaOpenPolicy (desired_access:0x20801);
if (!isnull(lsa))
{
 sids = NULL;
 sids[0] = sid;
 names = LsaLookupSid2 (handle:lsa, sid_array:sids);
 if (!isnull(names))
   security_hole(port);

 LsaClose (handle:lsa);
 NetUseDel();
}
else
{
  NetUseDel();
  audit(AUDIT_HOST_NOT, "affected");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from VMware Security Advisory 2007-0006. 
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(40370);
  script_version("1.24");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id("CVE-2004-0813", "CVE-2006-1174", "CVE-2006-3619", "CVE-2006-4146", "CVE-2006-4600", "CVE-2007-0061", "CVE-2007-0062", "CVE-2007-0063", "CVE-2007-0494", "CVE-2007-1716", "CVE-2007-1856", "CVE-2007-2442", "CVE-2007-2443", "CVE-2007-2446", "CVE-2007-2447", "CVE-2007-2798", "CVE-2007-4059", "CVE-2007-4155", "CVE-2007-4496", "CVE-2007-4497");
  script_bugtraq_id(18111, 19832, 22231, 23520, 23972, 23973, 24195, 24196, 24197, 24198, 24653, 24655, 24657, 25110, 25131, 25729, 25731, 25732);
  script_xref(name:"VMSA", value:"2007-0006");

  script_name(english:"VMSA-2007-0006 : Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote VMware ESX host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Problems addressed by these patches :

I    Arbitrary code execution and denial of service vulnerabilities

     This release fixes a security vulnerability that could allow a
     guest operating system user with administrative privileges to cause
     memory corruption in a host process, and thus potentially execute
     arbitrary code on the host. (CVE-2007-4496)

     This release fixes a denial of service vulnerability that could
     allow a guest operating system to cause a host process to become
     unresponsive or exit unexpectedly. (CVE-2007-4497)

     Thanks to Rafal Wojtczvk of McAfee for identifying and reporting
     these issues.

II   Hosted products DHCP security vulnerabilities addressed

     This release fixes several vulnerabilities in the DHCP server
     that could enable a specially crafted packets to gain system-level
     privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)

     Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security
     Systems X-Force for discovering and researching these
     vulnerabilities.

III  Windows based hosted product vulnerability in
     IntraProcessLogging.dll and vielib.dll.

     This release fixes a security vulnerability that could allow a
     malicious remote user to exploit the library file
     IntraProcessLogging.dll to overwrite files in a system.
     (CVE-2007-4059)

     This release fixes a security vulnerability that could allow a
     malicious remote user to exploit the library file vielib.dll to
     overwrite files in a system. (CVE-2007-4155)

     Thanks to the Goodfellas Security Research Team for discovering and
     researching these vulnerabilities.

IV  Escalation of privileges on Windows hosted systems

     This release fixes a security vulnerability in which Workstation
     was starting registered Windows services in an insecure manner.
     This vulnerability could allow a malicious user to escalate user
     privileges.

     Thanks to Foundstone for discovering this vulnerability.

V    Potential denial of service using VMware Player

     This release fixes a problem that prevented VMware Player from
     launching. This problem was accompanied by the error message VMware
     Player unrecoverable error: (player) Exception 0xc0000005 (access
     violation) has occurred.

VI   ESX Service Console updates

a.   Service console package Samba, has been updated to address the
     following issues :

     Various bugs were found in NDR parsing, used to decode MS-RPC
     requests in Samba. A remote attacker could have sent carefully
     crafted requests causing a heap overflow, which may have led to the
     ability to execute arbitrary code on the server. (CVE-2007-2446)

     Unescaped user input parameters were being passed as arguments to
     /bin/sh. A remote, authenticated, user could have triggered this
     flaw and executed arbitrary code on the server. Additionally, this
     flaw could be triggered by a remote unauthenticated user if Samba
     was configured to use the non-default username map script option.
     (CVE-2007-2447)

     Thanks to the Samba developers, TippingPoint, and iDefense for
     identifying and reporting these issues.

     Note: These issues only affect the service console network, and are
     not remote vulnerabilities for ESX Server hosts that have been set
     up with the security best practices provided by VMware.
     http://www.vmware.com/resources/techresources/726

b.   Updated bind package for the service console fixes a flaw with the
     way ISC BIND processed certain DNS query responses.

     ISC BIND (Berkeley Internet Name Domain) is an implementation of
     the DNS (Domain Name System) protocols. Under some circumstances, a
     malicious remote user could launch a Denial-of-Service attack on
     ESX Server hosts that had enabled DNSSEC validation.
     (CVE-2007-0494)

     Note: These issues only affect the service console network, and are
     not remote vulnerabilities for ESX Server hosts that have been set
     up with the security best practices provided by VMware.
     http://www.vmware.com/resources/techresources/726

c.   This patch provides updated service console package krb5 update.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     assigned the names CVE-2007-2442, CVE-2007-2443, and CVE-2007-2798
     to these security issues.

     Thanks to Wei Wang of McAfee Avert Labs discovered these
     vulnerabilities.

     Note: The VMware service console does not provide the kadmind
     binary, and is not affected by these issues, but a update has been
     provided for completeness.

d.   Service console update for vixie-cron

     This patch provides an updated service console package vixie-cron.
     Cron is a standard UNIX daemon that runs specified programs at
     scheduled times.

     A denial of service issue was found in the way vixie-cron verified
     crontab file integrity. A local user with the ability to create a
     hardlink to /etc/crontab could potentially prevent vixie-cron from
     executing certain system cron jobs. (CVE-2007-1856)

     Thanks to Raphael Marichez for identifying this issue.

e.   Service console update for shadow-utils

     This patch provides an updated shadow-utils package.  A new
     user's mailbox, when created, could have random permissions for a
     short period. This could enable a local malicious user to
     read or modify the mailbox. (CVE-2006-1174)

f.  Service console update for OpenLDAP

     This patch provides a updated OpenLDAP package. A flaw could
     allow users with selfwrite access to modify the distinguished
     name of any user, instead of being limited to modify only
     their own distinguished name. (CVE-2006-4600)

g.   Service console update for PAM

     This patch provides an updated PAM package A vulnerability was
     found that could allow console users with access to certain device
     files to cause damage to recordable CD drives. Certain file
     permissions have now been modified to disallow access.
     (CVE-2004-0813)

     A flaw was found with console device permissions. It was possible
     for various console devices to retain ownership of the previoius
     console user after logging out, which could result in leakage of
     information to an unauthorized user. (CVE-2007-1716)

h.   Service console update for GCC

     This patch provides security fixes for the service console GNU
     Compiler Collection (GCC) packages that include C, C++, Java,
     Fortran 77, Objective C, and Ada 95 GNU compilers and related
     support libraries.

     A flaw was found in the fastjar utility that could potentially
     allow a malicious user to create a JAR file which, if unpacked
     using fastjar, could write to any file that an authorized user had
     write access to. (CVE-2006-3619)

     Thanks to Jürgen Weigert for identifying this issue.

i.   Service Console update for GDB

     This patch provides a security fix for the service console GNU
     debugger (GDB).  Various vulnerabilities were found in GDB. These
     vulnerabilities may allow a malicious user to deceive a user into
     loading debugging information into GDB, enabling the execution of
     arbitrary code with the privileges of the user. (CVE-2006-4146)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2007/000001.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(119, 189, 264, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.0.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.1.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/09/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/27");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);


init_esx_check(date:"2007-09-18");
flag = 0;


if (esx_check(ver:"ESX 2.0.2", patch:"8")) flag++;

if (esx_check(ver:"ESX 2.1.3", patch:"8")) flag++;

if (esx_check(ver:"ESX 2.5.3", patch:"13")) flag++;

if (esx_check(ver:"ESX 2.5.4", patch:"10")) flag++;

if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001204")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001205")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001206")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001207")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001208")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001209")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001210")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001211")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-1001212")) flag++;
if (esx_check(ver:"ESX 3.0.0", patch:"ESX-4809553")) flag++;

if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1001213")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1001214")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1001691")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1001692")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1001693")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1001694")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1001723")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-8253547")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-8258730")) flag++;
if (esx_check(ver:"ESX 3.0.1", patch:"ESX-8567382")) flag++;

if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1001725")) flag++;
if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1001726")) flag++;
if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1001727")) flag++;
if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1001728")) flag++;
if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1001729")) flag++;
if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1001730")) flag++;
if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1001731")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(25260);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:38");

  script_cve_id("CVE-2007-2444", "CVE-2007-2446", "CVE-2007-2447");

  script_name(english:"FreeBSD : samba -- multiple vulnerabilities (3546a833-03ea-11dc-a51d-0019b95d4f14)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The Samba Team reports :

A bug in the local SID/Name translation routines may potentially
result in a user being able to issue SMB/CIFS protocol operations as
root.

When translating SIDs to/from names using Samba local list of user and
group accounts, a logic error in the smbd daemon's internal security
stack may result in a transition to the root user id rather than the
non-root user. The user is then able to temporarily issue SMB/CIFS
protocol operations as the root user. This window of opportunity may
allow the attacker to establish additional means of gaining root
access to the server.

Various bugs in Samba's NDR parsing can allow a user to send specially
crafted MS-RPC requests that will overwrite the heap space with user
defined data.

Unescaped user input parameters are passed as arguments to /bin/sh
allowing for remote command execution.

This bug was originally reported against the anonymous calls to the
SamrChangePassword() MS-RPC function in combination with the 'username
map script' smb.conf option (which is not enabled by default).

After further investigation by Samba developers, it was determined
that the problem was much broader and impacts remote printer and file
share management as well. The root cause is passing unfiltered user
input provided via MS-RPC calls to /bin/sh when invoking externals
scripts defined in smb.conf. However, unlike the 'username map script'
vulnerability, the remote file and printer management scripts require
an authenticated user session."
  );
  # http://de5.samba.org/samba/security/CVE-2007-2444.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/security/CVE-2007-2444.html"
  );
  # http://de5.samba.org/samba/security/CVE-2007-2446.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/security/CVE-2007-2446.html"
  );
  # http://de5.samba.org/samba/security/CVE-2007-2447.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/security/CVE-2007-2447.html"
  );
  # https://vuxml.freebsd.org/freebsd/3546a833-03ea-11dc-a51d-0019b95d4f14.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5bcbde7b"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"samba>3.*<3.0.25")) flag++;
if (pkg_test(save_report:TRUE, pkg:"samba>3.*,1<3.0.25,1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ja-samba>3.*<3.0.25")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ja-samba>3.*,1<3.0.25,1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2007:0354 and 
# Oracle Linux Security Advisory ELSA-2007-0354 respectively.
#

include("compat.inc");

if (description)
{
  script_id(67499);
  script_version("1.10");
  script_cvs_date("Date: 2019/10/25 13:36:06");

  script_cve_id("CVE-2007-2446", "CVE-2007-2447");
  script_bugtraq_id(23972, 23973, 24195, 24196, 24197, 24198);
  script_xref(name:"RHSA", value:"2007:0354");

  script_name(english:"Oracle Linux 3 / 4 / 5 : samba (ELSA-2007-0354)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2007:0354 :

Updated samba packages that fix several security flaws are now
available.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

Samba provides file and printer sharing services to SMB/CIFS clients.

Various bugs were found in NDR parsing, used to decode MS-RPC requests
in Samba. A remote attacker could have sent carefully crafted requests
causing a heap overflow, which may have led to the ability to execute
arbitrary code on the server. (CVE-2007-2446)

Unescaped user input parameters were being passed as arguments to
/bin/sh. A remote, authenticated, user could have triggered this flaw
and executed arbitrary code on the server. Additionally, on Red Hat
Enterprise Linux 5 only, this flaw could be triggered by a remote
unauthenticated user if Samba was configured to use the non-default
'username map script' option. (CVE-2007-2447)

Users of Samba should upgrade to these packages, which contain
backported patches to correct these issues. After upgrading, Samba
should be restarted using 'service smb restart'

On Red Hat Enterprise Linux 5 the impact of these issues is reduced as
Samba is constrained by the default SELinux 'targeted' policy.

Red Hat would like to thank the Samba developers, TippingPoint, and
iDefense for reporting these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2007-June/000212.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2007-May/000132.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2007-May/000134.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected samba packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:samba-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:samba-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:samba-swat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/06/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 3 / 4 / 5", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL3", cpu:"i386", reference:"samba-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"samba-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"samba-client-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"samba-client-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"samba-common-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"samba-common-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"samba-swat-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"samba-swat-3.0.9-1.3E.13.2")) flag++;

if (rpm_check(release:"EL4", cpu:"i386", reference:"samba-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"samba-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"samba-client-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"samba-client-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"samba-common-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"samba-common-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"samba-swat-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"samba-swat-3.0.10-1.4E.12.2")) flag++;

if (rpm_check(release:"EL5", reference:"samba-3.0.23c-2.el5.2.0.2")) flag++;
if (rpm_check(release:"EL5", reference:"samba-client-3.0.23c-2.el5.2.0.2")) flag++;
if (rpm_check(release:"EL5", reference:"samba-common-3.0.23c-2.el5.2.0.2")) flag++;
if (rpm_check(release:"EL5", reference:"samba-swat-3.0.23c-2.el5.2.0.2")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba / samba-client / samba-common / samba-swat");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1291. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(25228);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  script_cve_id("CVE-2007-2444", "CVE-2007-2446", "CVE-2007-2447");
  script_bugtraq_id(23972, 23973, 23974);
  script_xref(name:"DSA", value:"1291");

  script_name(english:"Debian DSA-1291-1 : samba - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several issues have been identified in Samba, the SMB/CIFS file- and
print-server implementation for GNU/Linux.

  - CVE-2007-2444
    When translating SIDs to/from names using Samba local
    list of user and group accounts, a logic error in the
    smbd daemon's internal security stack may result in a
    transition to the root user id rather than the non-root
    user. The user is then able to temporarily issue
    SMB/CIFS protocol operations as the root user. This
    window of opportunity may allow the attacker to
    establish addition means of gaining root access to the
    server.

  - CVE-2007-2446
    Various bugs in Samba's NDR parsing can allow a user to
    send specially crafted MS-RPC requests that will
    overwrite the heap space with user defined data.

  - CVE-2007-2447
    Unescaped user input parameters are passed as arguments
    to /bin/sh allowing for remote command execution."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-2444"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-2446"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-2447"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2007/dsa-1291"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the samba package.

For the stable distribution (etch), these problems have been fixed in
version 3.0.24-6etch1.

For the testing and unstable distributions (lenny and sid,
respectively), these problems have been fixed in version 3.0.25-1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"4.0", prefix:"libpam-smbpass", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"libsmbclient", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"libsmbclient-dev", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"python-samba", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba-common", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba-dbg", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba-doc", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"samba-doc-pdf", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"smbclient", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"smbfs", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"swat", reference:"3.0.24-6etch1")) flag++;
if (deb_check(release:"4.0", prefix:"winbind", reference:"3.0.24-6etch1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(60180);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/25 13:36:17");

  script_cve_id("CVE-2007-2446", "CVE-2007-2447");

  script_name(english:"Scientific Linux Security Update : samba on SL5.x, SL4.x, SL3.x i386/x86_64");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Various bugs were found in NDR parsing, used to decode MS-RPC requests
in Samba. A remote attacker could have sent carefully crafted requests
causing a heap overflow, which may have led to the ability to execute
arbitrary code on the server. (CVE-2007-2446)

Unescaped user input parameters were being passed as arguments to
/bin/sh. A remote, authenticated, user could have triggered this flaw
and executed arbitrary code on the server. Additionally on Scientific
Linux 5 this flaw could be triggered by a remote unauthenticated user
if Samba was configured to use the non-default 'username map script'
option. (CVE-2007-2447)"
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0705&L=scientific-linux-errata&T=0&P=1919
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?8e571739"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL3", reference:"samba-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"SL3", reference:"samba-client-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"SL3", reference:"samba-common-3.0.9-1.3E.13.2")) flag++;
if (rpm_check(release:"SL3", reference:"samba-swat-3.0.9-1.3E.13.2")) flag++;

if (rpm_check(release:"SL4", reference:"samba-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"SL4", reference:"samba-client-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"SL4", reference:"samba-common-3.0.10-1.4E.12.2")) flag++;
if (rpm_check(release:"SL4", reference:"samba-swat-3.0.10-1.4E.12.2")) flag++;

if (rpm_check(release:"SL5", cpu:"i386", reference:"samba-3.0.23c-2.el5.2.0.2")) flag++;
if (rpm_check(release:"SL5", cpu:"i386", reference:"samba-client-3.0.23c-2.el5.2.0.2")) flag++;
if (rpm_check(release:"SL5", cpu:"i386", reference:"samba-common-3.0.23c-2.el5.2.0.2")) flag++;
if (rpm_check(release:"SL5", cpu:"i386", reference:"samba-swat-3.0.23c-2.el5.2.0.2")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

if ( ! defined_func("bn_random") ) exit(0);
if ( NASL_LEVEL < 3000 ) exit(0);


include("compat.inc");

if(description)
{
 script_id(25830);
 script_version ("1.18");
 script_cvs_date("Date: 2018/07/14  1:59:35");

 script_cve_id("CVE-2004-0996", "CVE-2004-2541", "CVE-2005-0758", "CVE-2005-2090", "CVE-2005-3128",
               "CVE-2006-2842", "CVE-2006-3174", "CVE-2006-4019", "CVE-2006-6142", "CVE-2007-0450",
               "CVE-2007-0478", "CVE-2007-1001", "CVE-2007-1262", "CVE-2007-1287", "CVE-2007-1358",
               "CVE-2007-1460", "CVE-2007-1461", "CVE-2007-1484", "CVE-2007-1521", "CVE-2007-1583",
               "CVE-2007-1711", "CVE-2007-1717", "CVE-2007-1860", "CVE-2007-2403", "CVE-2007-2404",
               "CVE-2007-2405", "CVE-2007-2406", "CVE-2007-2407", "CVE-2007-2408", "CVE-2007-2409",
               "CVE-2007-2410", "CVE-2007-2442", "CVE-2007-2443", "CVE-2007-2446", "CVE-2007-2447",
               "CVE-2007-2589", "CVE-2007-2798", "CVE-2007-3742", "CVE-2007-3744", "CVE-2007-3745",
               "CVE-2007-3746", "CVE-2007-3747", "CVE-2007-3748", "CVE-2007-3944");
 script_bugtraq_id(11697, 13582, 23910, 23972, 23973, 24195, 24196, 24197, 24198, 24653, 25159);

 script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2007-007)");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes various
security issues." );
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.4 or 10.3 which
does not have the security update 2007-007 applied. 

This update contains several security fixes for the following programs :

 - bzip2
 - CFNetwork
 - CoreAudio
 - cscope
 - gnuzip
 - iChat
 - Kerberos
 - mDNSResponder
 - PDFKit
 - PHP
 - Quartz Composer
 - Samba
 - SquirrelMail
 - Tomcat
 - WebCore
 - WebKit" );
 script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=306172" );
 script_set_attribute(attribute:"solution", value:
"Install the security update 2007-007 :

http://www.apple.com/support/downloads/securityupdate200700710410universal.html
http://www.apple.com/support/downloads/securityupdate20070071039.html
http://www.apple.com/support/downloads/securityupdate20070071039server.html" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_cwe_id(16, 20, 22, 59, 79, 119, 352);

 script_set_attribute(attribute:"plugin_publication_date", value: "2007/08/02");
 script_set_attribute(attribute:"patch_publication_date", value: "2007/08/01");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/11/09");
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
 script_end_attributes();

 script_summary(english:"Check for the presence of the SecUpdate 2007-007");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}


packages = get_kb_item("Host/MacOSX/packages");
if ( ! packages ) exit(0);



uname = get_kb_item("Host/uname");
if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.[0-9]\.|8\.10\.)", string:uname) )
{
  if (!egrep(pattern:"^SecUpd(Srvr)?(2007-00[789]|200[89]-|20[1-9][0-9]-)", string:packages)) 
    security_hole(0);
}