CVE-2007-5398 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Samba
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family: MacOS X Local Security Checks
NASL id: MACOSX_SECUPD2007-009.NASL
Description: The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2007-009 applied. This update contains several security fixes for a large number of programs.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 29723
Published: 2007-12-18
Reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/29723
Title: Mac OS X Multiple Vulnerabilities (Security Update 2007-009)
Code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29723);
  script_version("1.27");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  script_cve_id("CVE-2006-0024", "CVE-2007-1218", "CVE-2007-1659", "CVE-2007-1660", "CVE-2007-1661", "CVE-2007-1662", "CVE-2007-3798", "CVE-2007-3876", "CVE-2007-4131", "CVE-2007-4351", "CVE-2007-4572", "CVE-2007-4708", "CVE-2007-4709", "CVE-2007-4710", "CVE-2007-4766", "CVE-2007-4767", "CVE-2007-4768", "CVE-2007-4965", "CVE-2007-5116", "CVE-2007-5379", "CVE-2007-5380", "CVE-2007-5398", "CVE-2007-5476", "CVE-2007-5770", "CVE-2007-5847", "CVE-2007-5848", "CVE-2007-5849", "CVE-2007-5850", "CVE-2007-5851", "CVE-2007-5853", "CVE-2007-5854", "CVE-2007-5855", "CVE-2007-5856", "CVE-2007-5857", "CVE-2007-5858", "CVE-2007-5859", "CVE-2007-5860", "CVE-2007-5861", "CVE-2007-5863", "CVE-2007-6077", "CVE-2007-6165");
  script_bugtraq_id(17106, 22772, 24965, 25417, 25696, 26096, 26268, 26274, 26346, 26350, 26421, 26454, 26455, 26510, 26598, 26908, 26910, 26926);

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2007-009)");
  script_summary(english:"Check for the presence of Security Update 2007-009");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes various security issues.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.5 or
10.4 that does not have Security Update 2007-009 applied.

This update contains several security fixes for a large number of programs.");
  script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=307179");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/13649");
  script_set_attribute(attribute:"solution", value:"Install Security Update 2007-009.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Mail.app Image Attachment Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(16, 20, 22, 79, 119, 134, 189, 200, 264, 287, 310, 362, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/03/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");

  exit(0);
}

# The kernel release reported by uname tells us which OS X generation
# we are dealing with (Darwin 8.x = Mac OS X 10.4, Darwin 9.x = 10.5).
uname = get_kb_item("Host/uname");
if ( ! uname ) exit(0);

if ( egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname) )
{
  # Mac OS X 10.4: look for Security Update 2007-009 or any later
  # security update in the installed package receipts.
  packages = get_kb_item("Host/MacOSX/packages");
  if ( ! packages ) exit(0);
  if (!egrep(pattern:"^SecUpd(Srvr)?(2007-009|200[89]-|20[1-9][0-9]-)", string:packages)) security_hole(0);
}
else if ( egrep(pattern:"Darwin.* (9\.[01]\.)", string:uname) )
{
  # Mac OS X 10.5: the update leaves a bill-of-materials receipt behind;
  # its absence means the host is still missing the fix.
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if ( ! packages ) exit(0);
  if ( !egrep(pattern:"^com\.apple\.pkg\.update\.security\.2007\.009\.bom", string:packages) ) security_hole(0);
}
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2007-1034.NASL
Description: Updated samba packages that fix a security issue are now available for Red Hat Enterprise Linux 4.5 Extended Update Support. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash, or execute arbitrary code. (CVE-2007-5398) Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue. Users of Samba should upgrade to these updated packages, which contain a backported patch to correct this issue.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 63844
Published: 2013-01-24
Reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/63844
Title: RHEL 4 : samba (RHSA-2007:1034)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-544-1.NASL
Description: Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. (CVE-2007-5398). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28251
Published: 2007-11-16
Reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/28251
Title: Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba vulnerabilities (USN-544-1)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2007-1013.NASL
Description: Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28244
Published: 2007-11-16
Reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/28244
Title: RHEL 2.1 / 3 : samba (RHSA-2007:1013)

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2007-1013.NASL
Description: From Red Hat Security Advisory 2007:1013 : Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 67596
Published: 2013-07-12
Reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/67596
Title: Oracle Linux 3 : samba (ELSA-2007-1013)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2007-1016.NASL
Description: Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28245
Published: 2007-11-16
Reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/28245
Title: RHEL 4 : samba (RHSA-2007:1016)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2007-3402.NASL
Description: Security Fixes : - CVE-2007-4572 - CVE-2007-5398 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28229
Published: 2007-11-16
Reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/28229
Title: Fedora 7 : samba-3.0.27-0.fc7 (2007-3402)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-544-2.NASL
Description: USN-544-1 fixed two vulnerabilities in Samba. Fixes for CVE-2007-5398 are unchanged, but the upstream changes for CVE-2007-4572 introduced a regression in all releases which caused Linux smbfs mounts to fail. Additionally, Dapper and Edgy included an incomplete patch which caused configurations using NetBIOS to fail. A proper fix for these regressions does not exist at this time, and so the patch addressing CVE-2007-4572 has been removed. This vulnerability is believed to be an unexploitable denial of service, but a future update will address this issue. We apologize for the inconvenience. Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. (CVE-2007-4572) Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. (CVE-2007-5398). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28288
Published: 2007-11-20
Reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/28288
Title: Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba regression (USN-544-2)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1409.NASL
Description: This update fixes all currently known regressions introduced with the previous two revisions of DSA-1409. The original text is reproduced below : Several local/remote vulnerabilities have been discovered in samba, a LanManager-like file and printer server for Unix. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-5398 Alin Rad Pop of Secunia Research discovered that nmbd did not properly check the length of netbios packets. When samba is configured as a WINS server, a remote attacker could send multiple crafted requests resulting in the execution of arbitrary code with root privileges. - CVE-2007-4572 Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28298
Published: 2007-11-26
Reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/28298
Title: Debian DSA-1409-3 : samba - several vulnerabilities

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2007-751.NASL
Description: - Thu Nov 15 2007 Simo Sorce <ssorce at redhat.com> 3.0.24-8.fc6 - Fix CVE-2007-4572 - Fix CVE-2007-5398 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28315
Published: 2007-11-26
Reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/28315
Title: Fedora Core 6 : samba-3.0.24-8.fc6 (2007-751)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2007-224.NASL
Description: The samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. If samba is configured as a Primary or Backup Domain Controller, this could be used by a remote attacker to send malicious logon requests and possibly cause a denial of service (CVE-2007-4572). As well, Alin Rad Pop of Secunia Research found that nmbd did not properly check the length of netbios packets. If samba is configured as a WINS server, this could be used by a remote attacker able to send multiple crafted requests to nmbd, resulting in the execution of arbitrary code with root privileges (CVE-2007-5398). Update : This update corrects all known regressions with previous Samba updates due to the security fixes to correct CVE-2007-4572.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28274
Published: 2007-11-20
Reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/28274
Title: Mandrake Linux Security Advisory : samba (MDKSA-2007:224-3)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200711-29.NASL
Description: The remote host is affected by the vulnerability described in GLSA-200711-29 (Samba: Execution of arbitrary code) Two vulnerabilities have been reported in nmbd. Alin Rad Pop (Secunia Research) discovered a boundary checking error in the reply_netbios_packet() function which could lead to a stack-based buffer overflow (CVE-2007-5398). The Samba developers discovered a boundary error when processing GETDC logon requests also leading to a buffer overflow (CVE-2007-4572). Impact : To exploit the first vulnerability, a remote unauthenticated attacker could send specially crafted WINS
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28318
Published: 2007-11-26
Reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/28318
Title: GLSA-200711-29 : Samba: Execution of arbitrary code

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_A63B15F997FF11DC9E480016179B2DD5.NASL
Description: The Samba Team reports : Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28317
Published: 2007-11-26
Reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/28317
Title: FreeBSD : samba -- multiple vulnerabilities (a63b15f9-97ff-11dc-9e48-0016179b2dd5)

NASL family: Solaris Local Security Checks
NASL id: SOLARIS9_114684.NASL
Description: SunOS 5.9: Samba Patch. Date this patch was last updated by Sun : Dec/22/10
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 13559
Published: 2004-07-12
Reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/13559
Title: Solaris 9 (sparc) : 114684-17

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20071115_SAMBA_ON_SL5_X.NASL
Description: A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 60309
Published: 2012-08-01
Reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/60309
Title: Scientific Linux Security Update : samba on SL5.x, SL4.x, SL3.x i386/x86_64

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2007-1013.NASL
Description: Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) Red Hat would like to thank Alin Rad Pop of Secunia Research, and the Samba developers for responsibly disclosing these issues. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 37627
Published: 2009-04-23
Reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/37627
Title: CentOS 3 : samba (CESA-2007:1013)

NASL family: SuSE Local Security Checks
NASL id: SUSE_CIFS-MOUNT-4719.NASL
Description: This update fixes two buffer overflows in nmbd (CVE-2007-4572 / CVE-2007-5398). Remote attackers could potentially exploit them to execute arbitrary code. The updated packages additionally contain fixes for numerous other defects. Please refer to the package changelog for details.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 29391
Published: 2007-12-13
Reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/29391
Title: SuSE 10 Security Update : Samba (ZYPP Patch Number 4719)

NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2008-0001.NASL
Description: I Service Console package security updates
a. OpenPegasus PAM Authentication Buffer Overflow. Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue.
b. Updated Samba package. An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues. Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration. This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
c. Updated util-linux package. The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue.
d. Updated Perl package. The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue.
e. Updated OpenSSL package. A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 40372
Published: 2009-07-27
Reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/40372
Title: VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2007-3403.NASL
Description: Security Fixes : - CVE-2007-4572 - CVE-2007-5398 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28256
Published: 2007-11-20
Reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/28256
Title: Fedora 8 : samba-3.0.27-0.fc8 (2007-3403)

NASL family: Misc.
NASL id: SAMBA_3_0_27.NASL
Description: According to its banner, the version of the Samba server on the remote host contains a boundary error in the
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28228
Published: 2007-11-16
Reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/28228
Title: Samba < 3.0.27 Multiple Vulnerabilities

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2007-1016.NASL
Description: From Red Hat Security Advisory 2007:1016 : Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 67597
Published: 2013-07-12
Reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/67597
Title: Oracle Linux 4 : samba (ELSA-2007-1016)

NASL family: SuSE Local Security Checks
NASL id: SUSE_CIFS-MOUNT-4740.NASL
Description: This update fixes two buffer overflows in nmbd (CVE-2007-4572, CVE-2007-5398). Remote attackers could potentially exploit them to execute arbitrary code. The updated packages additionally contain fixes for numerous other defects. Please refer to the package changelog for details.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28370
Published: 2007-11-30
Reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/28370
Title: openSUSE 10 Security Update : cifs-mount (cifs-mount-4740)

NASL family: Solaris Local Security Checks
NASL id: SOLARIS9_X86_114685.NASL
Description: SunOS 5.9_x86: Samba Patch. Date this patch was last updated by Sun : Dec/22/10
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 13609
Published: 2004-07-12
Reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/13609
Title: Solaris 9 (x86) : 114685-17

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2007-1016.NASL
Description: Updated samba packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap-based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 67059
Published: 2013-06-29
Reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/67059
Title: CentOS 4 : samba (CESA-2007:1016)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2007-1017.NASL
Description: Updated samba packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. Samba is a suite of programs used by machines to share files, printers, and other information. A buffer overflow flaw was found in the way Samba creates NetBIOS replies. If a Samba server is configured to run as a WINS server, a remote unauthenticated user could cause the Samba server to crash or execute arbitrary code. (CVE-2007-5398) A heap based buffer overflow flaw was found in the way Samba authenticates users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash. Careful analysis of this flaw has determined that arbitrary code execution is not possible, and under most circumstances will not result in a crash of the Samba server. (CVE-2007-4572) A flaw was found in the way Samba assigned group IDs under certain conditions. If the
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28246
Published: 2007-11-16
Reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/28246
Title: RHEL 5 : samba (RHSA-2007:1017)

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2007-320-01.NASL
Description: New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix security issues.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 28277
Published: 2007-11-20
Reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/28277
Title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : samba (SSA:2007-320-01)
Oval
- oval:org.mitre.oval:def:10230 (class vulnerability, family unix, version 27, status accepted; submitted 2010-07-09T03:56:16-04:00, accepted 2013-04-29T04:03:46.255-04:00). Contributors: Aharon Chernin (SCAP.com, LLC), Dragos Prisaca (G2, Inc.). Definition extensions: The operating system installed on the system is Red Hat Enterprise Linux 3 (oval:org.mitre.oval:def:11782), CentOS Linux 3.x (oval:org.mitre.oval:def:16651), The operating system installed on the system is Red Hat Enterprise Linux 4 (oval:org.mitre.oval:def:11831), CentOS Linux 4.x (oval:org.mitre.oval:def:16636), Oracle Linux 4.x (oval:org.mitre.oval:def:15990), The operating system installed on the system is Red Hat Enterprise Linux 5 (oval:org.mitre.oval:def:11414), The operating system installed on the system is CentOS Linux 5.x (oval:org.mitre.oval:def:15802), Oracle Linux 5.x (oval:org.mitre.oval:def:15459). Title and description: Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
- oval:org.mitre.oval:def:5811 (class vulnerability, family unix, version 45, status accepted; submitted 2008-06-30T13:13:25.000-04:00, accepted 2015-04-20T04:02:27.981-04:00). Contributors: Pai Peng (Hewlett-Packard), Sushant Kumar Singh (Hewlett-Packard), Prashant Kumar (Hewlett-Packard), Mike Cokus (The MITRE Corporation). Title: HP-UX running HP CIFS Server (Samba), Remote Execution of Arbitrary Code. Description: Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 26455. CVE(CAN) ID: CVE-2007-5398. Samba is a suite of programs that implements the SMB (Server Message Block) protocol to provide cross-platform file and print sharing. The reply_netbios_packet() function in Samba's nmbd/nmbd_packets.c contains a stack overflow in the code that sends NetBIOS replies; a remote attacker could exploit it to take control of the server. The overflow is triggered when a client sends several specially crafted WINS "Name Registration" requests followed by a WINS "Name Query" request, and leads to execution of arbitrary code. Exploitation requires Samba to be configured as a WINS server, i.e. with the wins support option enabled. Affected: Samba 3.0.0 - 3.0.26a. Temporary workaround: * Disable wins support in the server's smb.conf. Vendor patches: RedHat ------ RedHat has published security advisories (RHSA-2007:1017-01, RHSA-2007:1016-01, RHSA-2007:1013-01) with corresponding patches: RHSA-2007:1017-01: Critical: samba security update, link: https://www.redhat.com/support/errata/RHSA-2007-1017.html; RHSA-2007:1016-01: Critical: samba security update, link: https://www.redhat.com/support/errata/RHSA-2007-1016.html; RHSA-2007:1013-01: Critical: samba security update, link: https://www.redhat.com/support/errata/RHSA-2007-1013.html. Samba ----- The vendor has released an updated version that fixes this issue; download it from the vendor's site: http://us1.samba.org/samba/ftp/stable/samba-3.0.27.tar.gz |
id | SSV:2435 |
last seen | 2017-11-19 |
modified | 2007-11-17 |
published | 2007-11-17 |
reporter | Root |
title | Samba nmbd_packets.c NetBIOS reply stack overflow vulnerability |
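The Seebug entry states the exposure condition precisely: an affected build (3.0.0 through 3.0.26a) and nmbd acting as a WINS server (wins support enabled), with disabling wins support as the workaround. The script below is an added example, not Samba project code or anything shipped by the advisories, that encodes that condition as a host check. It assumes the caller can supply the smb.conf path and the version string printed by `smbd -V`; the two sample configurations are constructed for the demo and do not come from any real host.

```shell
#!/bin/sh
# Added example (not Samba project code): is this host exposed to CVE-2007-5398?
# Exposure needs BOTH an affected upstream build (3.0.0 .. 3.0.26a) AND nmbd
# acting as a WINS server ("wins support = yes" in [global]).
# Assumptions: caller passes the smb.conf path and the string from `smbd -V`
# (e.g. "Version 3.0.26a"). The sample configs below are constructed demo input.

# wins_support_enabled FILE -> exit 0 when the effective "wins support" in
# [global] is yes/true/1, 1 otherwise. Loosely mirrors Samba's parser:
# parameter names are case-insensitive, whitespace inside the name is
# ignored, the last setting wins, '#' and ';' start comment lines.
# The Samba default (parameter absent) is no.
wins_support_enabled() {
    awk '
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[][ \t]/, "", sect); next }
        /^[ \t]*[#;]/ { next }
        sect == "global" && tolower($0) ~ /^[ \t]*wins[ \t]*support[ \t]*=/ {
            n = index($0, "="); v = tolower(substr($0, n + 1)); gsub(/[ \t\r]/, "", v)
            enabled = (v == "yes" || v == "true" || v == "1")
        }
        END { exit enabled ? 0 : 1 }
    ' "$1"
}

# samba_version_vulnerable VERSTRING -> 0 if 3.0.0 .. 3.0.26a, 1 if outside
# that range, 2 if the string carries no x.y.z version.
# Only meaningful for upstream builds: distributions backport the fix without
# changing the version (RHSA-2007:1013/1016/1017 ship patched 3.0.x), so on
# those systems check the package advisory rather than this string.
samba_version_vulnerable() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v
    [ "$1" -eq 3 ] && [ "$2" -eq 0 ] && [ "$3" -le 26 ]
}

# cve_2007_5398_exposed SMBCONF VERSTRING -> 0 only when both conditions hold;
# non-zero otherwise (including an unparseable version).
cve_2007_5398_exposed() {
    samba_version_vulnerable "$2" && wins_support_enabled "$1"
}

# --- constructed sample configs (demo input, not taken from any real host) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
SAMPLE_WINS_ON="$DEMO_DIR/smb-wins-on.conf"
SAMPLE_WINS_OFF="$DEMO_DIR/smb-wins-off.conf"

cat > "$SAMPLE_WINS_ON" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; the earlier "no" is overridden by the later "Yes", as Samba does it
   wins support = no
   WINS Support = Yes
[homes]
   ; not in [global], so ignored by the check
   wins support = no
EOF

cat > "$SAMPLE_WINS_OFF" <<'EOF'
[global]
   workgroup = EXAMPLE
   # mitigation from the advisory: do not act as a WINS server
   wins support = no
   wins server = 192.0.2.10
EOF

# Stand-alone run: report both sample hosts against an affected build.
for cfg in "$SAMPLE_WINS_ON" "$SAMPLE_WINS_OFF"; do
    if cve_2007_5398_exposed "$cfg" "Version 3.0.26a"; then
        echo "EXPOSED: $cfg (3.0.26a with wins support = yes)"
    else
        echo "not exposed: $cfg"
    fi
done
```

On a real host call `cve_2007_5398_exposed /etc/samba/smb.conf "$(smbd -V)"`; if the config uses `include =` directives, feed it the output of `testparm -s` instead, which prints the effective settings. The version test is deliberately narrow: a vendor package that reports 3.0.10 or 3.0.25 may already contain the backported fix, so on Red Hat, Debian, Ubuntu, SUSE and similar systems the package advisory in the references below is authoritative, while the wins support check stays valid everywhere because it is the other half of the exposure condition.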
References
- http://secunia.com/secunia_research/2007-90/advisory/
- http://us1.samba.org/samba/security/CVE-2007-5398.html
- http://secunia.com/advisories/27450
- https://issues.rpath.com/browse/RPL-1894
- http://www.debian.org/security/2007/dsa-1409
- https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00472.html
- http://www.gentoo.org/security/en/glsa/glsa-200711-29.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:224
- http://www.redhat.com/support/errata/RHSA-2007-1013.html
- http://www.redhat.com/support/errata/RHSA-2007-1016.html
- http://www.redhat.com/support/errata/RHSA-2007-1017.html
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.447739
- http://www.novell.com/linux/security/advisories/2007_65_samba.html
- http://www.securityfocus.com/bid/26455
- http://securitytracker.com/id?1018953
- http://secunia.com/advisories/27679
- http://secunia.com/advisories/27682
- http://secunia.com/advisories/27691
- http://secunia.com/advisories/27701
- http://secunia.com/advisories/27720
- http://secunia.com/advisories/27731
- http://secunia.com/advisories/27742
- http://secunia.com/advisories/27787
- http://secunia.com/advisories/27927
- http://securityreason.com/securityalert/3372
- http://docs.info.apple.com/article.html?artnum=307179
- http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
- http://www.us-cert.gov/cas/techalerts/TA07-352A.html
- http://secunia.com/advisories/28136
- http://lists.vmware.com/pipermail/security-announce/2008/000002.html
- http://secunia.com/advisories/28368
- http://www.vmware.com/security/advisories/VMSA-2008-0001.html
- http://secunia.com/advisories/29341
- http://secunia.com/advisories/30484
- http://secunia.com/advisories/30835
- http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01475657
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-237764-1
- http://www.vupen.com/english/advisories/2007/4238
- http://www.vupen.com/english/advisories/2008/0859/references
- http://www.vupen.com/english/advisories/2008/0064
- http://marc.info/?l=bugtraq&m=120524782005154&w=2
- http://www.vupen.com/english/advisories/2008/1908
- http://www.vupen.com/english/advisories/2007/3869
- http://www.vupen.com/english/advisories/2008/1712/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38502
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5811
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10230
- https://usn.ubuntu.com/544-1/
- http://www.securityfocus.com/archive/1/486859/100/0/threaded
- http://www.securityfocus.com/archive/1/485936/100/0/threaded
- http://www.securityfocus.com/archive/1/483744/100/0/threaded