CVE-2009-1886 - Use of Externally-Controlled Format String vulnerability in Samba

CVSS 9.3 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: MEDIUM
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Tags: network, samba, CWE-134, critical, nessus, exploit available

Summary

Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
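
The bug class behind this CVE (a filename used as the format string itself), shown next to the constant-format fix and a small checker for format directives in untrusted names. This is an added example, not Samba's code: `fmt_into`, `build_name_vulnerable`, `build_name_fixed` and `count_directives` are hypothetical names, and `vsnprintf` stands in for the `asprintf` call the advisories mention.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style helper, standing in for an asprintf wrapper. */
static int fmt_into(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return rc;
}

/* BEFORE (CWE-134): the remote filename is passed as the format string,
 * so any '%' in it is interpreted as a directive instead of copied.
 * Only exercised below with the harmless "%%" directive. */
int build_name_vulnerable(char *out, size_t n, const char *remote_name)
{
    return fmt_into(out, n, remote_name);
}

/* AFTER: the format is a constant; the filename is only ever data. */
int build_name_fixed(char *out, size_t n, const char *remote_name)
{
    return fmt_into(out, n, "%s", remote_name);
}

/* Count printf conversion directives in an untrusted string.
 * "%%" is a literal percent sign and is not counted. Useful for
 * flagging suspicious names in logs or in a code-review test. */
int count_directives(const char *s)
{
    int count = 0;

    while (*s) {
        if (*s != '%') {
            s++;
            continue;
        }
        s++;                         /* step past '%' */
        if (*s == '%') {             /* "%%" -> literal percent */
            s++;
            continue;
        }
        /* Skip flags, width, precision, positional and length parts. */
        s += strspn(s, "-+ #0123456789.*$hlLqjzt'");
        if (*s && strchr("diouxXeEfFgGaAcspnm", *s)) {
            count++;
            s++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample name: a literal "%%" is enough to show that the
     * vulnerable path rewrites the text while the fixed path keeps it. */
    const char *name = "100%%.txt";
    char a[64], b[64];

    build_name_vulnerable(a, sizeof a, name);
    build_name_fixed(b, sizeof b, name);
    printf("vulnerable: %s\n", a);
    printf("fixed:      %s\n", b);
    printf("directives in \"report_%%s_%%n.doc\": %d\n",
           count_directives("report_%s_%n.doc"));
    return 0;
}
```

Compiling callers with `-Wformat -Wformat-security` flags the non-literal format argument when the helper carries a `format(printf, ...)` attribute.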

Exploit-Db

description: Samba 3.3.5 Format String And Security Bypass Vulnerabilities. CVE-2009-1886. Remote exploit for linux platform
id: EDB-ID:33053
last seen: 2016-02-03
modified: 2009-05-19
published: 2009-05-19
reporter: Jeremy Allison
source: https://www.exploit-db.com/download/33053/
title: Samba <= 3.3.5 Format String And Security Bypass Vulnerabilities

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_CIFS-MOUNT-6343.NASL
    description: Fixed a format string vulnerability in smbclient (CVE-2009-1886) and an ACL bypass vulnerability in samba (CVE-2009-1888). Also a printing issue in KRB5 setups was fixed.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41483
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41483
    title: SuSE 10 Security Update : Samba (ZYPP Patch Number 6343)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41483);
      script_version ("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:36");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888");
    
      script_name(english:"SuSE 10 Security Update : Samba (ZYPP Patch Number 6343)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fixed a format string vulnerability in smbclient (CVE-2009-1886) and a
    ACL bypass vulnerability in samba. (CVE-2009-1888)
    
    Also a printing issue in KRB5 setups was fixed."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1886.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1888.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 6343.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(134, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:2, reference:"cifs-mount-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"libsmbclient-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"libsmbclient-devel-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"samba-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"samba-client-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"samba-krb-printing-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"samba-vscan-0.3.6b-42.85.3")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"samba-winbind-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, cpu:"x86_64", reference:"libsmbclient-32bit-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, cpu:"x86_64", reference:"samba-32bit-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, cpu:"x86_64", reference:"samba-client-32bit-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLED10", sp:2, cpu:"x86_64", reference:"samba-winbind-32bit-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"cifs-mount-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"libmsrpc-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"libmsrpc-devel-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"libsmbclient-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"libsmbclient-devel-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"samba-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"samba-client-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"samba-krb-printing-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"samba-python-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"samba-vscan-0.3.6b-42.85.3")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"samba-winbind-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, cpu:"x86_64", reference:"libsmbclient-32bit-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, cpu:"x86_64", reference:"samba-32bit-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, cpu:"x86_64", reference:"samba-client-32bit-3.0.32-0.14")) flag++;
    if (rpm_check(release:"SLES10", sp:2, cpu:"x86_64", reference:"samba-winbind-32bit-3.0.32-0.14")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2009-196.NASL
    description: Multiple vulnerabilities have been found and corrected in samba: Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename (CVE-2009-1886). The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory (CVE-2009-1888). This update provides samba 3.2.13 to address these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40521
    published: 2009-08-10
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40521
    title: Mandriva Linux Security Advisory : samba (MDVSA-2009:196)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2009:196. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40521);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:52");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888");
      script_xref(name:"MDVSA", value:"2009:196");
    
      script_name(english:"Mandriva Linux Security Advisory : samba (MDVSA-2009:196)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities has been found and corrected in samba :
    
    Multiple format string vulnerabilities in client/client.c in smbclient
    in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers
    to execute arbitrary code via format string specifiers in a filename
    (CVE-2009-1886).
    
    The acl_group_override function in smbd/posix_acls.c in smbd in Samba
    3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before
    3.3.6, when dos filemode is enabled, allows remote attackers to modify
    access control lists for files via vectors related to read access to
    uninitialized memory (CVE-2009-1888).
    
    This update provides samba 3.2.13 to address these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(134, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64netapi-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64netapi0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64smbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64smbclient0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64smbclient0-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64smbsharemodes-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64smbsharemodes0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64talloc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64talloc1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64tdb-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64tdb1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64wbclient-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64wbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libnetapi-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libnetapi0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libsmbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libsmbclient0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libsmbclient0-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libsmbsharemodes-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libsmbsharemodes0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libtalloc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libtalloc1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libtdb-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libtdb1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwbclient-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mount-cifs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nss_wins");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-swat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:samba-winbind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64netapi-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64netapi0-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64smbclient0-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64smbclient0-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64smbclient0-static-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64smbsharemodes-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64smbsharemodes0-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64talloc-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64talloc1-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64tdb-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64tdb1-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64wbclient-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64wbclient0-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libnetapi-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libnetapi0-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libsmbclient0-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libsmbclient0-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libsmbclient0-static-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libsmbsharemodes-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libsmbsharemodes0-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libtalloc-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libtalloc1-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libtdb-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libtdb1-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libwbclient-devel-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libwbclient0-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"mount-cifs-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"nss_wins-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"samba-client-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"samba-common-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"samba-doc-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"samba-server-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"samba-swat-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"samba-winbind-3.2.13-0.2mdv2009.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2009-177-01.NASL
    description: New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39559
    published: 2009-06-28
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39559
    title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / current : samba (SSA:2009-177-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2009-177-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39559);
      script_version("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:21");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888");
      script_xref(name:"SSA", value:"2009-177-01");
    
      script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / current : samba (SSA:2009-177-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New samba packages are available for Slackware 10.0, 10.1, 10.2,
    11.0, 12.0, 12.1, 12.2, and -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.521591
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?43f23915"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected samba package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(134, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/06/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/06/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"10.0", pkgname:"samba", pkgver:"3.0.35", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;
    
    if (slackware_check(osver:"10.1", pkgname:"samba", pkgver:"3.0.35", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;
    
    if (slackware_check(osver:"10.2", pkgname:"samba", pkgver:"3.0.35", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
    
    if (slackware_check(osver:"11.0", pkgname:"samba", pkgver:"3.0.35", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++;
    
    if (slackware_check(osver:"12.0", pkgname:"samba", pkgver:"3.0.35", pkgarch:"i486", pkgnum:"1_slack12.0")) flag++;
    
    if (slackware_check(osver:"12.1", pkgname:"samba", pkgver:"3.0.35", pkgarch:"i486", pkgnum:"1_slack12.1")) flag++;
    
    if (slackware_check(osver:"12.2", pkgname:"samba", pkgver:"3.2.13", pkgarch:"i486", pkgnum:"1_slack12.2")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"samba", pkgver:"3.2.13", pkgarch:"i486", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"samba", pkgver:"3.2.13", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1823.NASL
    description: Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-1886 The smbclient utility contains a formatstring vulnerability where commands dealing with file names treat user input as format strings to asprintf. - CVE-2009-1888 In the smbd daemon, if a user is trying to modify an access control list (ACL) and is denied permission, this deny may be overridden if the parameter
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39568
    published: 2009-06-30
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/39568
    title: Debian DSA-1823-1 : samba - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1823. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39568);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888");
      script_xref(name:"DSA", value:"1823");
    
      script_name(english:"Debian DSA-1823-1 : samba - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in Samba, a SMB/CIFS
    file, print, and login server. The Common Vulnerabilities and
    Exposures project identifies the following problems :
    
      - CVE-2009-1886
        The smbclient utility contains a formatstring
        vulnerability where commands dealing with file names
        treat user input as format strings to asprintf.
    
      - CVE-2009-1888
        In the smbd daemon, if a user is trying to modify an
        access control list (ACL) and is denied permission, this
        deny may be overridden if the parameter 'dos filemode'
        is set to 'yes' in the smb.conf and the user already has
        write access to the file."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-1886"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-1888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-1888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1823"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the samba package.
    
    The old stable distribution (etch) is not affected by these problems.
    
    For the stable distribution (lenny), these problems have been fixed in
    version 3.2.5-4lenny6."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(134, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/06/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"libpam-smbpass", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"libsmbclient", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"libsmbclient-dev", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"libwbclient0", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"samba", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"samba-common", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"samba-dbg", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"samba-doc", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"samba-doc-pdf", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"samba-tools", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"smbclient", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"smbfs", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"swat", reference:"3.2.5-4lenny6")) flag++;
    if (deb_check(release:"5.0", prefix:"winbind", reference:"3.2.5-4lenny6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_CIFS-MOUNT-090629.NASL
    description: Fixed a format string vulnerability in smbclient (CVE-2009-1886) and an ACL bypass vulnerability in samba (CVE-2009-1888).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41372
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41372
    title: SuSE 11 Security Update : Samba (SAT Patch Number 1053)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41372);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:35");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888");
    
      script_name(english:"SuSE 11 Security Update : Samba (SAT Patch Number 1053)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fixed a format string vulnerability in smbclient (CVE-2009-1886) and a
    ACL bypass vulnerability in samba. (CVE-2009-1888)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=513360"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=515479"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1886.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2009-1888.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 1053.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(134, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:cifs-mount");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:ldapsmb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libsmbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libsmbclient0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtalloc1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtalloc1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtdb1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libtdb1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libwbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libwbclient0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-client-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-krb-printing");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-vscan");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-winbind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:samba-winbind-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/06/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (pl) audit(AUDIT_OS_NOT, "SuSE 11.0");
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"cifs-mount-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"libsmbclient0-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"libtalloc1-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"libtdb1-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"libwbclient0-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"samba-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"samba-client-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"samba-krb-printing-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"samba-vscan-0.3.6b-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"samba-winbind-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"cifs-mount-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libsmbclient0-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libsmbclient0-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libtalloc1-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libtalloc1-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libtdb1-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libtdb1-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libwbclient0-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"libwbclient0-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"samba-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"samba-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"samba-client-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"samba-client-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"samba-krb-printing-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"samba-vscan-0.3.6b-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"samba-winbind-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"samba-winbind-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"cifs-mount-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"ldapsmb-1.34b-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"libsmbclient0-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"libtalloc1-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"libtdb1-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"libwbclient0-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"samba-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"samba-client-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"samba-krb-printing-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"samba-winbind-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"libsmbclient0-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"libtalloc1-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"libtdb1-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"libwbclient0-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"samba-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"samba-client-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"samba-winbind-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"libsmbclient0-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"libtalloc1-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"libtdb1-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"libwbclient0-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"samba-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"samba-client-32bit-3.2.7-11.7.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"samba-winbind-32bit-3.2.7-11.7.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Misc.
    NASL id: SAMBA_ACL_SECURITY_BYPASS.NASL
    description: According to its version number, the version of Samba running on the remote host has a security bypass vulnerability. Access restrictions can be bypassed due to a read of uninitialized data in smbd. This could allow a user to modify an access control list (ACL), even when they should be denied permission. Note the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39502
    published: 2009-06-24
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39502
    title: Samba < 3.0.35 / 3.2.13 / 3.3.6 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(39502);
      script_version("1.15");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888", "CVE-2006-3403");
      script_bugtraq_id(35472);
      script_xref(name:"Secunia", value:"35539");
    
      script_name(english:"Samba < 3.0.35 / 3.2.13 / 3.3.6 Multiple Vulnerabilities");
      script_summary(english:"Checks the remote Samba version");
    
      script_set_attribute( attribute:"synopsis", value:
    "The remote Samba server may be affected by a security bypass
    vulnerability."  );
      script_set_attribute( attribute:"description", value:
    "According to its version number, the version of Samba running on the
    remote host has a security bypass vulnerability.  Access restrictions
    can be bypassed due to a read of uninitialized data in smbd.  This
    could allow a user to modify an access control list (ACL), even when
    they should be denied permission.
    
    Note the 'dos filemode' parameter must be set to 'yes' in smb.conf
    in order for an attack to be successful (the default setting is 'no').
    
    Also note versions 3.2.0 - 3.2.12 of smbclient are affected by a
    format string vulnerability, though Nessus has not checked for this."  );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/security/CVE-2009-1888.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.samba.org/samba/security/CVE-2009-1886.html"
      );
      script_set_attribute( attribute:"solution", value:
    "Upgrade to Samba version 3.3.6 / 3.2.13 / 3.0.35 or later, or apply
    the appropriate patch referenced in the vendor's advisory."  );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(134, 264);
      script_set_attribute(attribute:"plugin_publication_date", value: "2009/06/24");
      script_set_attribute(attribute:"plugin_type", value: "remote");
      script_cvs_date("Date: 2018/11/15 20:50:24");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_nativelanman.nasl");
      script_require_keys("SMB/samba", "SMB/NativeLanManager");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    if (report_paranoia < 2)
      exit(1, "Report paranoia is low, and this plugin's prone to false positives");
    
    lanman = get_kb_item("SMB/NativeLanManager");
    if (isnull(lanman))
      exit(1, "A SMB banner was not found.");
    
    match = eregmatch(string:lanman, pattern:'^Samba ([0-9.]+)$', icase:TRUE);
    if (isnull(match))
      exit(1, "The banner does not appear to be Samba.");
    
    version = match[1];
    ver_fields = split(version, sep:'.', keep:FALSE);
    major = int(ver_fields[0]);
    minor = int(ver_fields[1]);
    rev = int(ver_fields[2]);
    
    # Affected versions:
    # 3.3.0 - 3.3.5
    # 3.2.0 - 3.2.12
    # 3.0.0 - 3.0.34
    if (
      major == 3 &&
        ((minor == 3 && rev <= 5) ||
         (minor == 2 && rev <= 12) ||
         (minor == 0 && rev <= 34))
    )
    {
      port = get_kb_item("SMB/transport");
    
      if (minor == 3) fix = '3.3.6';
      else if (minor == 2) fix = '3.2.13';
      else if (minor == 0) fix = '3.0.35';
    
      if (report_verbosity)
      {
        report = string(
          "\n",
          "Installed version : ", version, "\n",
          "Fixed version     : ", fix, "\n"
        );
        security_note(port:port, extra:report);
      }
      else security_note(port);
    
      exit(0);
    }
    else exit(1, "Samba version " + version + " is not vulnerable.");
    
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_CIFS-MOUNT-090624.NASL
    description: Fixed a format string vulnerability in smbclient (CVE-2009-1886) and an ACL bypass vulnerability in samba (CVE-2009-1888).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39928
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39928
    title: openSUSE Security Update : cifs-mount (cifs-mount-1036)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update cifs-mount-1036.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39928);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888");
    
      script_name(english:"openSUSE Security Update : cifs-mount (cifs-mount-1036)");
      script_summary(english:"Check for the cifs-mount-1036 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fixed a format string vulnerability in smbclient (CVE-2009-1886) and a
    ACL bypass vulnerability in samba (CVE-2009-1888)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=513360"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=515479"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected cifs-mount packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(134, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cifs-mount");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ldapsmb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libnetapi-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libnetapi0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbsharemodes-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbsharemodes0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtalloc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtalloc1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtalloc1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtdb-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtdb1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtdb1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwbclient-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwbclient0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-client-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-krb-printing");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-winbind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-winbind-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/06/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.0", reference:"cifs-mount-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"ldapsmb-1.34b-195.10") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libnetapi-devel-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libnetapi0-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libsmbclient-devel-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libsmbclient0-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libsmbsharemodes-devel-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libsmbsharemodes0-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libtalloc-devel-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libtalloc1-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libtdb-devel-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libtdb1-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libwbclient-devel-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"libwbclient0-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"samba-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"samba-client-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"samba-devel-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"samba-krb-printing-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", reference:"samba-winbind-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", cpu:"x86_64", reference:"libsmbclient0-32bit-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", cpu:"x86_64", reference:"libtalloc1-32bit-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", cpu:"x86_64", reference:"libtdb1-32bit-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", cpu:"x86_64", reference:"libwbclient0-32bit-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", cpu:"x86_64", reference:"samba-32bit-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", cpu:"x86_64", reference:"samba-client-32bit-3.2.4-4.5") ) flag++;
    if ( rpm_check(release:"SUSE11.0", cpu:"x86_64", reference:"samba-winbind-32bit-3.2.4-4.5") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-839-1.NASL
    description: J. David Hester discovered that Samba incorrectly handled users that lack home directories when the automated [homes] share is enabled. An authenticated user could connect to that share name and gain access to the whole filesystem. (CVE-2009-2813) Tim Prouty discovered that the smbd daemon in Samba incorrectly handled certain unexpected network replies. A remote attacker could send malicious replies to the server and cause smbd to use all available CPU, leading to a denial of service. (CVE-2009-2906) Ronald Volgers discovered that the mount.cifs utility, when installed as a setuid program, would not verify user permissions before opening a credentials file. A local user could exploit this to use or read the contents of unauthorized credential files. (CVE-2009-2948) Reinhard Nissl discovered that the smbclient utility contained format string vulnerabilities in its file name handling. Because of security features in Ubuntu, exploitation of this vulnerability is limited. If a user or automated system were tricked into processing a specially crafted file name, smbclient could be made to crash, possibly leading to a denial of service. This only affected Ubuntu 8.10. (CVE-2009-1886) Jeremy Allison discovered that the smbd daemon in Samba incorrectly handled permissions to modify access control lists when dos filemode is enabled. A remote attacker could exploit this to modify access control lists. This only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-1886). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41968
    published: 2009-10-02
    reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/41968
    title: Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : samba vulnerabilities (USN-839-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-839-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41968);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888", "CVE-2009-2813", "CVE-2009-2906", "CVE-2009-2948");
      script_bugtraq_id(36363, 36572, 36573);
      script_xref(name:"USN", value:"839-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : samba vulnerabilities (USN-839-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "J. David Hester discovered that Samba incorrectly handled users that
    lack home directories when the automated [homes] share is enabled. An
    authenticated user could connect to that share name and gain access to
    the whole filesystem. (CVE-2009-2813)
    
    Tim Prouty discovered that the smbd daemon in Samba incorrectly
    handled certain unexpected network replies. A remote attacker could
    send malicious replies to the server and cause smbd to use all
    available CPU, leading to a denial of service. (CVE-2009-2906)
    
    Ronald Volgers discovered that the mount.cifs utility, when installed
    as a setuid program, would not verify user permissions before opening
    a credentials file. A local user could exploit this to use or read the
    contents of unauthorized credential files. (CVE-2009-2948)
    
    Reinhard Nissl discovered that the smbclient utility contained format
    string vulnerabilities in its file name handling. Because of security
    features in Ubuntu, exploitation of this vulnerability is limited. If
    a user or automated system were tricked into processing a specially
    crafted file name, smbclient could be made to crash, possibly leading
    to a denial of service. This only affected Ubuntu 8.10.
    (CVE-2009-1886)
    
    Jeremy Allison discovered that the smbd daemon in Samba incorrectly
    handled permissions to modify access control lists when dos filemode
    is enabled. A remote attacker could exploit this to modify access
    control lists. This only affected Ubuntu 8.10 and Ubuntu 9.04.
    (CVE-2009-1886).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/839-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(134, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpam-smbpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libsmbclient");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libsmbclient-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python2.4-samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-doc-pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:smbclient");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:smbfs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:swat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:winbind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|8\.04|8\.10|9\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 8.10 / 9.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"libpam-smbpass", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libsmbclient", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libsmbclient-dev", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"python2.4-samba", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba-common", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba-dbg", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba-doc", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"samba-doc-pdf", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"smbclient", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"smbfs", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"swat", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"winbind", pkgver:"3.0.22-1ubuntu3.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libpam-smbpass", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libsmbclient", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"libsmbclient-dev", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"samba", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"samba-common", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"samba-dbg", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"samba-doc", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"samba-doc-pdf", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"smbclient", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"smbfs", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"swat", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.04", pkgname:"winbind", pkgver:"3.0.28a-1ubuntu4.9")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libpam-smbpass", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libsmbclient", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libsmbclient-dev", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"libwbclient0", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"samba", pkgver:"2:3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"samba-common", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"samba-dbg", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"samba-doc", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"samba-doc-pdf", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"samba-tools", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"smbclient", pkgver:"2:3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"smbfs", pkgver:"2:3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"swat", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"8.10", pkgname:"winbind", pkgver:"3.2.3-1ubuntu3.6")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libpam-smbpass", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libsmbclient", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libsmbclient-dev", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"libwbclient0", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"samba", pkgver:"2:3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"samba-common", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"samba-dbg", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"samba-doc", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"samba-doc-pdf", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"samba-tools", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"smbclient", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"smbfs", pkgver:"2:3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"swat", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    if (ubuntu_check(osver:"9.04", pkgname:"winbind", pkgver:"3.3.2-1ubuntu3.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpam-smbpass / libsmbclient / libsmbclient-dev / libwbclient0 / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_CIFS-MOUNT-090624.NASL
    description: Fixed a format string vulnerability in smbclient (CVE-2009-1886) and an ACL bypass vulnerability in samba (CVE-2009-1888).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40198
    published: 2009-07-21
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40198
    title: openSUSE Security Update : cifs-mount (cifs-mount-1036)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update cifs-mount-1036.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40198);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:34");
    
      script_cve_id("CVE-2009-1886", "CVE-2009-1888");
    
      script_name(english:"openSUSE Security Update : cifs-mount (cifs-mount-1036)");
      script_summary(english:"Check for the cifs-mount-1036 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fixed a format string vulnerability in smbclient (CVE-2009-1886) and a
    ACL bypass vulnerability in samba (CVE-2009-1888)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=513360"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=515479"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected cifs-mount packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(134, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:cifs-mount");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ldapsmb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libnetapi-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libnetapi0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbclient0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbsharemodes-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsmbsharemodes0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtalloc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtalloc1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtalloc1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtdb-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtdb1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtdb1-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwbclient-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwbclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwbclient0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-client-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-krb-printing");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-vscan");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-winbind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:samba-winbind-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/06/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.1", reference:"cifs-mount-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"ldapsmb-1.34b-6.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libnetapi-devel-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libnetapi0-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libsmbclient-devel-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libsmbclient0-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libsmbsharemodes-devel-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libsmbsharemodes0-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libtalloc-devel-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libtalloc1-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libtdb-devel-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libtdb1-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libwbclient-devel-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"libwbclient0-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"samba-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"samba-client-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"samba-devel-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"samba-krb-printing-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"samba-vscan-0.3.6b-6.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"samba-winbind-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"libsmbclient0-32bit-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"libtalloc1-32bit-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"libtdb1-32bit-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"libwbclient0-32bit-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"samba-32bit-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"samba-client-32bit-3.2.7-11.3.2") ) flag++;
    if ( rpm_check(release:"SUSE11.1", cpu:"x86_64", reference:"samba-winbind-32bit-3.2.7-11.3.2") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "samba");
    }
    

Seebug

bulletinFamily: exploit
description:
Bugtraq ID: 35472
CVE ID: CVE-2009-1888 CVE-2009-1886
CNCVE ID: CNCVE-20091888 CNCVE-20091886

Samba is a cross-platform program that implements the SMB protocol to provide file and print sharing services. Samba has format string and security bypass issues; a remote attacker can exploit the vulnerabilities to execute arbitrary commands with the privileges of the application.

- The smbd daemon in Samba 3.0.31 - 3.3.5 contains an uninitialized data read that can affect access control. When a user attempts to modify the access control list of a file to which access is denied, and the "dos filemode" parameter is set to "yes" in smb.conf, the denial can be bypassed and the user gains write access to the file. The error occurs during the write-access check, where uninitialized memory is read in place of the values of the file's 'stat' structure.
- The smbclient utility included in Samba 3.2.0 - 3.2.12 has a format string error when handling file names:

    smb: \> put aa%3Fbb
    putting file aa%3Fbb as \aa0,000000bb (0,0 kb/s) (average 0,0 kb/s)

  Clearly "aa%3Fbb" is parsed as a format string. A specially crafted file name can trigger the format string error and lead to memory corruption.

Samba Samba 3.3.5
Samba Samba 3.2.12
Samba Samba 3.2.5
Samba Samba 3.2.4
Samba Samba 3.2.3
Samba Samba 3.2.2
Samba Samba 3.2.1
Samba Samba 3.2
Samba Samba 3.0.34
Samba Samba 3.0.33
Samba Samba 3.0.32
Samba Samba 3.0.30
  + MandrakeSoft Linux Mandrake 2007.1 x86_64
  + MandrakeSoft Linux Mandrake 2007.1
  + Ubuntu Ubuntu Linux 7.04 sparc
  + Ubuntu Ubuntu Linux 7.04 powerpc
  + Ubuntu Ubuntu Linux 7.04 i386
  + Ubuntu Ubuntu Linux 7.04 amd64
Samba Samba 3.0.29
Samba Samba 3.0.28
Samba Samba 3.0.26
Samba Samba 3.0.25
Samba Samba 3.0.24
  + MandrakeSoft Linux Mandrake 2007.1 x86_64
  + MandrakeSoft Linux Mandrake 2007.1
  + MandrakeSoft Linux Mandrake 2007.1
  + Ubuntu Ubuntu Linux 7.04 sparc
  + Ubuntu Ubuntu Linux 7.04 powerpc
  + Ubuntu Ubuntu Linux 7.04 i386
  + Ubuntu Ubuntu Linux 7.04 amd64
Samba Samba 3.0.22
  + Ubuntu Ubuntu Linux 6.06 LTS sparc
  + Ubuntu Ubuntu Linux 6.06 LTS powerpc
  + Ubuntu Ubuntu Linux 6.06 LTS i386
  + Ubuntu Ubuntu Linux 6.06 LTS amd64
Samba Samba 3.0.21
Samba Samba 3.0.20
  + Slackware Linux 10.2
Samba Samba 3.0.14
Samba Samba 3.0.13
Samba Samba 3.0.12
Samba Samba 3.0.11
Samba Samba 3.0.10
  + Slackware Linux 10.1
  + Trustix Secure Enterprise Linux 2.0
  + Trustix Secure Enterprise Linux 2.0
  + Trustix Secure Enterprise Linux 2.0
  + Trustix Secure Linux 2.2
  + Trustix Secure Linux 2.1
  + Trustix Secure Linux 2.1
  + Trustix Secure Linux 2.1
Samba Samba 3.0.27
Samba Samba 3.0.23a
  + MandrakeSoft Corporate Server 4.0 x86_64
  + MandrakeSoft Corporate Server 4.0

Vendor solution
Refer to the following patches:

Samba Samba 3.0.34
  Samba samba-3.0.34-CVE-2009-1888.patch
  http://us1.samba.org/samba/ftp/patches/security/samba-3.0.34-CVE-2009-1888.patch
Samba Samba 3.2.12
  Samba samba-3.2.12-CVE-2009-1886.patch
  http://us1.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1886.patch
  Samba samba-3.2.12-CVE-2009-1888.patch
  http://us1.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1888.patch
Samba Samba 3.3.5
  Samba samba-3.3.5-CVE-2009-1888.patch
  http://us1.samba.org/samba/ftp/patches/security/samba-3.3.5-CVE-2009-1888.patch

id: SSV:11701
last seen: 2017-11-19
modified: 2009-06-25
published: 2009-06-25
reporter: Root
title: Samba Format String and Security Bypass Vulnerabilities

Statements

contributor: Tomas Hoger
lastmodified: 2009-06-29
organization: Red Hat
statement: Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 3, 4, or 5.