VuXML ID | Description |
1583640d-be20-11dd-a578-0030843d3802 | samba -- potential leakage of arbitrary memory contents
Samba Team reports:
Samba 3.0.29 and beyond contain a change to deal with gcc 4
optimizations. Part of the change modified range checking for
client-generated offsets of secondary trans, trans2 and nttrans
requests. These requests are used to transfer arbitrary amounts
of memory from clients to servers and back using small SMB
requests and contain two offsets: One offset (A) pointing into
the PDU sent by the client and one (B) to direct the transferred
contents into the buffer built on the server side. While the range
checking for offset (B) is correct, a cut and paste error lets offset
(A) pass completely unchecked against overflow.
The buffers passed into trans, trans2 and nttrans undergo higher-level
processing like DCE/RPC requests or listing directories. The missing
bounds check means that a malicious client can make the server do this
higher-level processing on arbitrary memory contents of the smbd process
handling the request. It is unknown if that can be abused to pass arbitrary
memory contents back to the client, but an important barrier is missing from
the affected Samba versions.
Discovery: 2008-11-27  Entry: 2008-11-29
Affected: samba, samba3, ja-samba  >= 3.0.29,1 and < 3.0.32_2,1
Affected: samba32-devel  < 3.2.4_1
References:
CVE-2008-4314
http://www.samba.org/samba/security/CVE-2008-4314.html
http://secunia.com/advisories/32813/
|
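The two range checks the advisory above describes, as an added illustration; this is constructed example code, not Samba's source, and the struct and function names are assumptions. A secondary trans/trans2/nttrans request carries a source offset into the client's PDU (A) and a destination displacement into the server's reassembly buffer (B); both must be validated before the copy, and the wrap-around case shows why the check subtracts rather than adds.

```c
#include <stdint.h>
#include <string.h>

/*
 * Constructed model of secondary trans/trans2/nttrans handling. Not Samba's
 * structures or names; it only shows the two offset checks the advisory
 * describes.
 */
struct secondary_req {
    uint32_t pdu_off;  /* (A): offset of the data inside the client's PDU */
    uint32_t disp;     /* (B): displacement into the server-side buffer    */
    uint32_t count;    /* bytes carried by this secondary request          */
};

struct reassembly {
    uint8_t  *buf;     /* server-side buffer filled across requests        */
    uint32_t  total;   /* its size, announced in the primary request       */
};

/*
 * Copy one secondary chunk. Returns 0 on success, -1 if either offset fails
 * validation. Both checks subtract so that a huge offset or count cannot
 * wrap an addition back into range.
 */
int copy_secondary(struct reassembly *r, const uint8_t *pdu, uint32_t pdu_len,
                   const struct secondary_req *q)
{
    /* (B): destination must stay inside the reassembly buffer. */
    if (q->disp > r->total || q->count > r->total - q->disp)
        return -1;
    /* (A): source must stay inside the PDU the client actually sent. This is
     * the check the advisory says was lost; without it the memcpy reads
     * arbitrary smbd memory and hands it to the higher-level parsers. */
    if (q->pdu_off > pdu_len || q->count > pdu_len - q->pdu_off)
        return -1;
    memcpy(r->buf + q->disp, pdu + q->pdu_off, q->count);
    return 0;
}

/* Constructed harness: a 32-byte "PDU" and a 64-byte server buffer. */
static uint8_t g_server_buf[64];
static const uint8_t g_pdu[32] = "SECONDARY-TRANS2-PAYLOAD-BYTES!";

static int run(uint32_t pdu_off, uint32_t disp, uint32_t count)
{
    struct reassembly r = { g_server_buf, sizeof g_server_buf };
    struct secondary_req q = { pdu_off, disp, count };
    memset(g_server_buf, 0, sizeof g_server_buf);
    return copy_secondary(&r, g_pdu, sizeof g_pdu, &q);
}

/* Valid: 8 bytes from PDU offset 4 land at server offset 16. */
int case_valid(void)       { return run(4, 16, 8); }
/* Source runs past the end of the 32-byte PDU (check A). */
int case_src_overrun(void) { return run(28, 0, 8); }
/* 0xFFFFFFF0 + 0x20 would wrap to 0x10 under an additive check (check A). */
int case_src_wrap(void)    { return run(0xFFFFFFF0u, 0, 0x20); }
/* Destination past the end of the server buffer (check B). */
int case_dst_overrun(void) { return run(0, 60, 8); }
/* After a valid copy, confirms the expected bytes arrived at disp 16. */
int case_valid_content(void)
{
    if (run(4, 16, 8) != 0) return 0;
    return memcmp(g_server_buf + 16, g_pdu + 4, 8) == 0;
}
```

The shape to look for when auditing similar code is a check on the destination only: a correct (B) check does nothing to stop the source offset (A) from pointing outside the received PDU.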
2bc96f18-683f-11dc-82b6-02e0185f8d72 | samba -- nss_info plugin privilege escalation vulnerability
The Samba development team reports:
The idmap_ad.so library provides an nss_info extension to
Winbind for retrieving a user's home directory path, login
shell and primary group id from an Active Directory domain
controller. This functionality is enabled by defining the
"winbind nss info" smb.conf option to either "sfu" or
"rfc2307".
Both the Windows "Identity Management for Unix" and
"Services for Unix" MMC plug-ins allow a user to be assigned
a primary group for Unix clients that differs from the user's
Windows primary group. When the rfc2307 or sfu nss_info plugin
has been enabled, in the absence of either the RFC2307 or SFU
primary group attribute, Winbind will assign a primary group ID
of 0 to the domain user queried using the getpwnam() C library
call.
Discovery: 2007-09-11  Entry: 2007-09-21  Modified: 2008-09-26
Affected: samba  < 3.0.26a; > *,1 and < 3.0.26a,1
References:
CVE-2007-4138
http://www.samba.org/samba/security/CVE-2007-4138.html
|
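A check a member-server administrator can run for the condition above, as an added example that is not the Samba project's code; the passwd lines are constructed, not real winbind output. It scans getent passwd style output for accounts that are not uid 0 but carry primary gid 0, which is what an affected winbind returns for a domain user missing the RFC2307/SFU primary group attribute.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed sample of `getent passwd` output for domain users as winbind
 * would list them (assumed names and ids). The third line is the advisory's
 * case: a domain user with no Unix primary group attribute, handed gid 0.
 */
static const char *const sample_passwd[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "EXAMPLE\\alice:*:10001:10001:alice:/home/EXAMPLE/alice:/bin/bash",
    "EXAMPLE\\bob:*:10002:0:bob:/home/EXAMPLE/bob:/bin/bash",
    "EXAMPLE\\carol:*:10003:10001:carol:/home/EXAMPLE/carol:/bin/false",
    NULL
};

/* Parse name, uid and gid from one passwd(5) line. Returns 0, or -1 if the
 * line is malformed. Empty fields are handled (strtok would merge them). */
static int parse_passwd_line(const char *line, char *name, size_t namesz,
                             long *uid, long *gid)
{
    const char *p = line, *q;
    char *end;
    size_t n;

    q = strchr(p, ':');                     /* field 1: account name */
    if (!q) return -1;
    n = (size_t)(q - p);
    if (n == 0 || n >= namesz) return -1;
    memcpy(name, p, n);
    name[n] = '\0';
    p = q + 1;
    q = strchr(p, ':');                     /* field 2: password, ignored */
    if (!q) return -1;
    p = q + 1;
    *uid = strtol(p, &end, 10);             /* field 3: uid */
    if (end == p || *end != ':') return -1;
    p = end + 1;
    *gid = strtol(p, &end, 10);             /* field 4: primary gid */
    if (end == p || *end != ':') return -1;
    return 0;
}

/*
 * Count accounts whose primary gid is 0 but whose uid is not 0. The first
 * offender's name is copied into `first` when non-NULL. Malformed lines are
 * skipped rather than counted.
 */
int count_gid0_nonroot(const char *const *lines, char *first, size_t firstsz)
{
    int hits = 0;
    char name[256];
    long uid, gid;

    for (; *lines; lines++) {
        if (parse_passwd_line(*lines, name, sizeof name, &uid, &gid) != 0)
            continue;
        if (gid == 0 && uid != 0) {
            if (hits == 0 && first)
                snprintf(first, firstsz, "%s", name);
            hits++;
        }
    }
    return hits;
}

static char g_first[256];

/* Runs the audit over the constructed sample; returns the hit count. */
int audit_sample(void)
{
    g_first[0] = '\0';
    return count_gid0_nonroot(sample_passwd, g_first, sizeof g_first);
}

/* Name of the first flagged account from the last audit_sample() run. */
const char *audit_sample_first(void)
{
    return g_first;
}
```

On a live server the same scan runs over the output of getent passwd after enabling the sfu or rfc2307 nss_info plugin; any domain account that shows up is one whose SFU/RFC2307 primary group attribute is missing and, on an affected version, has been mapped to the root group.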
2de14f7a-dad9-11d8-b59a-00061bc2ad93 | Multiple Potential Buffer Overruns in Samba
Evgeny Demidov discovered that the Samba server has a
buffer overflow in the Samba Web Administration Tool (SWAT)
on decoding Base64 data during HTTP Basic Authentication.
Versions 3.0.2 through 3.0.4 are affected.
Another buffer overflow bug has been found in the code
used to support the "mangling method = hash" smb.conf
option. The default setting for this parameter is "mangling
method = hash2" and therefore not vulnerable. Versions
2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected.
Discovery: 2004-07-14  Entry: 2004-07-21  Modified: 2008-09-26
Affected: samba  > 3.* and < 3.0.5; > 3.*,1 and < 3.0.5,1; < 2.2.10
Affected: ja-samba  < 2.2.10.j1.0
References:
CVE-2004-0600
CVE-2004-0686
http://www.securityfocus.com/archive/1/369698
http://www.securityfocus.com/archive/1/369706
http://www.samba.org/samba/whatsnew/samba-3.0.5.html
http://www.samba.org/samba/whatsnew/samba-2.2.10.html
http://www.osvdb.org/8190
http://www.osvdb.org/8191
http://secunia.com/advisories/12130
|
3388eff9-5d6e-11d8-80e3-0020ed76ef5a | Samba 3.0.x password initialization bug
From the Samba 3.0.2 release notes:
Security Announcement: It has been confirmed that
previous versions of Samba 3.0 are susceptible to a password
initialization bug that could grant an attacker unauthorized
access to a user account created by the mksmbpasswd.sh shell
script.
Discovery: 2004-02-09  Entry: 2004-02-12
Affected: samba  >= 3.0,1 and < 3.0.1_2,1
References:
CVE-2004-0082
http://www.samba.org/samba/whatsnew/samba-3.0.2.html
|
3546a833-03ea-11dc-a51d-0019b95d4f14 | samba -- multiple vulnerabilities
The Samba Team reports:
A bug in the local SID/Name translation routines may
potentially result in a user being able to issue SMB/CIFS
protocol operations as root.
When translating SIDs to/from names using Samba local
list of user and group accounts, a logic error in the smbd
daemon's internal security stack may result in a
transition to the root user id rather than the non-root
user. The user is then able to temporarily issue SMB/CIFS
protocol operations as the root user. This window of
opportunity may allow the attacker to establish additional
means of gaining root access to the server.
Various bugs in Samba's NDR parsing can allow a user to
send specially crafted MS-RPC requests that will overwrite
the heap space with user defined data.
Unescaped user input parameters are passed as arguments
to /bin/sh allowing for remote command execution.
This bug was originally reported against the anonymous
calls to the SamrChangePassword() MS-RPC function in
combination with the "username map script" smb.conf option
(which is not enabled by default).
After further investigation by Samba developers, it was
determined that the problem was much broader and impacts
remote printer and file share management as well. The
root cause is passing unfiltered user input provided via
MS-RPC calls to /bin/sh when invoking external scripts
defined in smb.conf. However, unlike the "username map
script" vulnerability, the remote file and printer
management scripts require an authenticated user
session.
Discovery: 2007-05-14  Entry: 2007-05-16  Modified: 2008-09-26
Affected: samba, ja-samba  > 3.* and < 3.0.25; > 3.*,1 and < 3.0.25,1
References:
CVE-2007-2444
CVE-2007-2446
CVE-2007-2447
http://de5.samba.org/samba/security/CVE-2007-2444.html
http://de5.samba.org/samba/security/CVE-2007-2446.html
http://de5.samba.org/samba/security/CVE-2007-2447.html
|
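The /bin/sh problem in the advisory above, as an added example rather than Samba's code; the script path and the shape of the hook are assumptions. The unsafe form pastes peer-supplied text into a command line that a shell will parse; the fixed form validates the name against an allowlist and hands it to the script as a single argv element through execv, so no shell ever sees it.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Constructed example. A "username map script" style hook receives a name
 * that the remote peer chose (here, from an MS-RPC request). Two ways of
 * invoking the script are contrasted.
 */

/* The unsafe shape: the name is spliced into a command line for /bin/sh,
 * so ` ; | $ ( ) and friends are interpreted by the shell. Only the string
 * it would build is produced here; nothing is executed. */
int build_shell_command(char *out, size_t outsz, const char *script,
                        const char *username)
{
    int n = snprintf(out, outsz, "%s %s", script, username);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Command the unsafe form would hand to /bin/sh for `username`
 * (assumed script path; static buffer; never executed). */
const char *demo_command(const char *username)
{
    static char cmd[512];
    if (build_shell_command(cmd, sizeof cmd,
                            "/usr/local/sbin/usermap.sh", username) != 0)
        return NULL;
    return cmd;
}

/* Conservative allowlist for a name that reaches an external hook:
 * letters, digits, '.', '_', '-', plus one interior backslash for
 * DOMAIN\user. Whitespace and every shell metacharacter are refused. */
int username_is_safe(const char *u)
{
    size_t i, len = strlen(u);
    int backslashes = 0;

    if (len == 0 || len > 255) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)u[i];
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
            (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-')
            continue;
        if (c == '\\' && ++backslashes == 1 && i != 0 && i != len - 1)
            continue;
        return 0;
    }
    return 1;
}

/* The safe shape: no shell at all. The name becomes one argv element and
 * reaches the script byte for byte. Returns the child's exit status, -1 on
 * failure or when the name fails validation. */
int run_script_argv(const char *script, const char *username)
{
    pid_t pid;
    int status;

    if (!username_is_safe(username)) return -1;   /* belt and braces */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)username, NULL };
        execv(script, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Passing the name as argv only moves the boundary: the script itself must still treat "$1" as data (quote it, never eval it), which is why the allowlist stays in place even with execv.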
3b3676be-52e1-11d9-a9e7-0001020eed82 | samba -- integer overflow vulnerability
Greg MacManus, iDEFENSE Labs reports:
Remote exploitation of an integer overflow vulnerability
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
and Samba 3.0.x prior to and including 3.0.9 could allow
an attacker to cause controllable heap corruption, leading
to execution of arbitrary commands with root
privileges.
Successful remote exploitation allows an attacker to gain
root privileges on a vulnerable system. In order to
exploit this vulnerability an attacker must possess
credentials that allow access to a share on the Samba
server. Unsuccessful exploitation attempts will cause the
process serving the request to crash with signal 11, and
may leave evidence of an attack in logs.
Discovery: 2004-12-02  Entry: 2004-12-21  Modified: 2008-09-26
Affected: samba  < 3.0.10; > *,1 and < 3.0.10,1
Affected: ja-samba  < 2.2.12.j1.0beta1_2; > 3.* and < 3.0.10; > 3.*,1 and < 3.0.10,1
References:
CVE-2004-1154
http://www.idefense.com/application/poi/display?id=165&type=vulnerabilities
http://www.samba.org/samba/security/CAN-2004-1154.html
|
57ae52f7-b9cc-11db-bf0f-0013720b182d | samba -- format string bug in afsacl.so VFS plugin
The Samba Team reports:
NOTE: This security advisory only impacts Samba servers
that share AFS file systems to CIFS clients and which have
been explicitly instructed in smb.conf to load the afsacl.so
VFS module.
The source defect results in the name of a file stored on
disk being used as the format string in a call to snprintf().
This bug becomes exploitable only when a user is able
to write to a share which utilizes Samba's afsacl.so library
for setting Windows NT access control lists on files residing
on an AFS file system.
Discovery: 2007-02-05  Entry: 2007-03-16
Affected: samba, ja-samba  >= 3.0.6,1 and < 3.0.24,1
References:
CVE-2007-0454
http://www.samba.org/samba/security/CVE-2007-0454.html
|
92fd40eb-c458-11da-9c79-00123ffe8333 | samba -- Exposure of machine account credentials in winbind log files
Samba Security Advisory:
The machine trust account password is the secret
shared between a domain controller and a specific
member server. Access to the member server machine
credentials allows an attacker to impersonate the
server in the domain and gain access to additional
information regarding domain users and groups.
The winbindd daemon writes the clear text of the server's
machine credentials to its log file at level 5.
The winbindd log files are world readable by default
and often log files are requested on open mailing
lists as tools used to debug server misconfigurations.
This affects servers configured to use domain or
ads security and possibly Samba domain controllers
as well (if configured to use winbindd).
Discovery: 2006-03-30  Entry: 2006-04-05
Affected: samba, ja-samba  >= 3.0.21a,1 and < 3.0.22,1
References:
CVE-2006-1059
http://us1.samba.org/samba/security/CAN-2006-1059.html
http://secunia.com/advisories/19455/
|
a63b15f9-97ff-11dc-9e48-0016179b2dd5 | samba -- multiple vulnerabilities
The Samba Team reports:
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd. This defect may
only be exploited when the "wins support" parameter has
been enabled in smb.conf.
Samba developers have discovered what is believed to be
a non-exploitable buffer overrun in nmbd during the processing
of GETDC logon server requests. This code is only used
when the Samba server is configured as a Primary or Backup
Domain Controller.
Discovery: 2007-11-15  Entry: 2007-11-21  Modified: 2008-09-26
Affected: samba, samba3, ja-samba  < 3.0.26a; > *,1 and < 3.0.26a_2,1
References:
BID 26454
CVE-2007-4572
CVE-2007-5398
http://secunia.com/advisories/27450/
http://us1.samba.org/samba/security/CVE-2007-4572.html
http://us1.samba.org/samba/security/CVE-2007-5398.html
|
b168ddea-105a-11db-ac96-000c6ec775d9 | samba -- memory exhaustion DoS in smbd
The Samba Team reports:
The smbd daemon maintains internal data structures used to
track active connections to file and printer shares. In
certain circumstances an attacker may be able to
continually increase the memory usage of an smbd process
by issuing a large number of share connection requests.
This defect affects all Samba configurations.
Discovery: 2006-07-10  Entry: 2006-07-10
Affected: samba, ja-samba  >= 3.0.1,1 and < 3.0.23,1
References:
CVE-2006-3403
http://www.samba.org/samba/security/CAN-2006-3403.html
|
ba13dc13-340d-11d9-ac1b-000d614f7fad | samba -- potential remote DoS vulnerability
Karol Wiesek at iDEFENSE reports:
A remote attacker could cause an smbd process to consume
abnormal amounts of system resources due to an input
validation error when matching filenames containing
wildcard characters.
Although samba.org classifies this as a DoS vulnerability,
several members of the security community believe it may be
exploitable for arbitrary code execution.
Discovery: 2004-09-30  Entry: 2004-11-12  Modified: 2008-09-26
Affected: samba  > 3.* and < 3.0.8; > 3.*,1 and < 3.0.8,1
References:
FreeBSD PR ports/73701
CVE-2004-0930
http://us4.samba.org/samba/security/CAN-2004-0930.html
|
de16b056-132e-11d9-bc4a-000c41e2cdad | samba -- remote file disclosure
According to a Samba Team security notice:
A security vulnerability has been located in Samba
2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote
attacker may be able to gain access to files which exist
outside of the share's defined path. Such files must still
be readable by the account used for the connection.
The original notice for CAN-2004-0815 indicated that
Samba 3.0.x <= 3.0.5 was vulnerable to the security
issue. After further research, Samba developers have
confirmed that only Samba 3.0.2a and earlier releases
contain the exploitable code.
Discovery: 2004-09-30  Entry: 2004-09-30  Modified: 2008-09-26
Affected: samba  < 2.2.12; > 3.* and <= 3.0.2a; > 3.*,1 and <= 3.0.2a_1,1
Affected: ja-samba  < 2.2.11.j1.0_1
References:
CVE-2004-0815
http://www.samba.org/samba/news/#security_2.2.12
|
f235fe7a-b9ca-11db-bf0f-0013720b182d | samba -- potential Denial of Service bug in smbd
The Samba Team reports:
Internally Samba's file server daemon, smbd, implements
support for deferred file open calls in an attempt to serve
client requests that would otherwise fail due to a share mode
violation. When renaming a file under certain circumstances
it is possible that the request is never removed from the deferred
open queue. smbd will then become stuck in a loop trying to
service the open request.
This bug may allow an authenticated user to exhaust resources
such as memory and CPU on the server by opening multiple CIFS
sessions, each of which will normally spawn a new smbd process,
and sending each connection into an infinite loop.
Discovery: 2007-02-05  Entry: 2007-03-16
Affected: samba, ja-samba  >= 3.0.6,1 and < 3.0.24,1
References:
CVE-2007-0452
http://www.samba.org/samba/security/CVE-2007-0452.html
|
f3d3f621-38d8-11d9-8fff-000c6e8f12ef | smbd -- buffer-overrun vulnerability
Caused by improper bounds checking of certain trans2
requests, there is a possible buffer overrun in smbd.
The attacker needs to be able to create files with
very specific Unicode filenames on the share to take
advantage of this issue.
Discovery: 2004-11-15  Entry: 2004-11-17  Modified: 2008-09-26
Affected: samba  >= 3.* and < 3.0.8; >= 3.*,1 and < 3.0.8,1
References:
CVE-2004-0882
BID 11678
http://marc.theaimsgroup.com/?l=bugtraq&m=110055646329581
|
ffcbd42d-a8c5-11dc-bec2-02e0185f8d72 | samba -- buffer overflow vulnerability
Secunia Research reports:
Secunia Research has discovered a vulnerability in Samba, which
can be exploited by malicious people to compromise a vulnerable
system. The vulnerability is caused due to a boundary error within
the "send_mailslot()" function. This can be exploited to cause a
stack-based buffer overflow with zero bytes via a specially crafted
"SAMLOGON" domain logon packet containing a username string placed
at an odd offset followed by an overly long GETDC string.
Successful exploitation allows execution of arbitrary code, but
requires that the "domain logons" option is enabled.
Discovery: 2007-12-10  Entry: 2007-12-12  Modified: 2008-09-26
Affected: samba, samba3, ja-samba  < 3.0.28; > *,1 and < 3.0.28,1
References:
CVE-2007-6015
http://secunia.com/advisories/27760/
|
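Added example for the parsing failure the last advisory describes. It is a constructed model, not Samba's send_mailslot() or its SAMLOGON layout; the packet bytes, field order and function names are assumptions. An ASCII field that ends at an odd offset is followed by a UCS-2 field re-aligned to an even offset, so the byte budget for the UCS-2 field has to be recomputed from the aligned position and checked against both the packet length and the destination buffer before anything is copied onto the stack.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed model of pulling strings out of a mailslot payload (assumed
 * layout: opcode, ASCII host name, UCS-2 user name, ASCII DC-name field).
 */

/* Pull a NUL-terminated ASCII string at *off. Returns its length, or -1 if
 * no terminator lies inside the buffer or the result does not fit out[]. */
long pull_ascii(const uint8_t *buf, size_t len, size_t *off,
                char *out, size_t outsz)
{
    size_t i = *off, n;

    if (i > len) return -1;
    for (n = 0; i + n < len && buf[i + n] != 0; n++)
        ;
    if (i + n >= len) return -1;            /* no terminator in bounds */
    if (n + 1 > outsz) return -1;           /* would overflow out[]   */
    memcpy(out, buf + i, n);
    out[n] = '\0';
    *off = i + n + 1;
    return (long)n;
}

/* Pull a NUL-terminated little-endian UCS-2 string, first aligning *off up
 * to an even offset. The remaining budget is measured from the aligned
 * position, which is the step the advisory's odd-offset case exercises.
 * Characters are narrowed to their low byte for this demo. */
long pull_ucs2(const uint8_t *buf, size_t len, size_t *off,
               char *out, size_t outsz)
{
    size_t i = *off + (*off & 1), n, k;

    if (i > len) return -1;
    for (n = 0; i + 2 * n + 1 < len; n++)
        if (buf[i + 2 * n] == 0 && buf[i + 2 * n + 1] == 0)
            break;
    if (i + 2 * n + 1 >= len) return -1;    /* no terminator in bounds */
    if (n + 1 > outsz) return -1;           /* would overflow out[]   */
    for (k = 0; k < n; k++)
        out[k] = (char)buf[i + 2 * k];
    out[n] = '\0';
    *off = i + 2 * n + 2;
    return (long)n;
}

/* Constructed 24-byte packet: the ASCII name ends at odd offset 7, so the
 * UCS-2 field starts at 8 after one pad byte. */
static const uint8_t g_pkt[24] = {
    0x12, 0x00,                                 /* opcode (constructed)   */
    'P', 'C', '0', '7', 0,                      /* ASCII host, ends at 7  */
    0xAA,                                       /* pad skipped by alignment */
    'a', 0, 'l', 0, 'i', 0, 'c', 0, 'e', 0, 0, 0, /* UCS-2 "alice" at 8   */
    'D', 'C', '1', 0                            /* ASCII DC-name field    */
};

/* Full parse of the sample; 1 if every field and the final offset match. */
int parse_sample(void)
{
    char host[16], user[16], dc[16];
    size_t off = 2;                             /* skip the opcode */

    if (pull_ascii(g_pkt, sizeof g_pkt, &off, host, sizeof host) < 0) return 0;
    if (pull_ucs2(g_pkt, sizeof g_pkt, &off, user, sizeof user) < 0) return 0;
    if (pull_ascii(g_pkt, sizeof g_pkt, &off, dc, sizeof dc) < 0) return 0;
    return strcmp(host, "PC07") == 0 && strcmp(user, "alice") == 0 &&
           strcmp(dc, "DC1") == 0 && off == sizeof g_pkt;
}

/* Packet cut off inside the UCS-2 field: the terminator is outside len. */
long parse_truncated(void)
{
    char host[16], user[16];
    size_t off = 2;

    if (pull_ascii(g_pkt, 14, &off, host, sizeof host) < 0) return -2;
    return pull_ucs2(g_pkt, 14, &off, user, sizeof user);
}

/* UCS-2 field longer than the fixed stack buffer it is copied into. */
long parse_overlong(void)
{
    char host[16], user[4];
    size_t off = 2;

    if (pull_ascii(g_pkt, sizeof g_pkt, &off, host, sizeof host) < 0) return -2;
    return pull_ucs2(g_pkt, sizeof g_pkt, &off, user, sizeof user);
}
```

Both failure paths return before any byte is written: the truncated packet has no terminator within the remaining budget, and the overlong field does not fit the destination, which is the condition that becomes a stack overflow when the destination size is not consulted.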