|ba13dc13-340d-11d9-ac1b-000d614f7fad||samba -- potential remote DoS vulnerability|
Karol Wiesek at iDEFENSE reports:
A remote attacker could cause an smbd process to consume
abnormal amounts of system resources due to an input
validation error when matching filenames containing
Although samba.org classifies this as a DoS vulnerability,
several members of the security community believe it may be
exploitable for arbitrary code execution.
gt 3.* lt 3.0.8
gt 3.*,1 lt 3.0.8,1
|3546a833-03ea-11dc-a51d-0019b95d4f14||samba -- multiple vulnerabilities|
The Samba Team reports:
A bug in the local SID/Name translation routines may
potentially result in a user being able to issue SMB/CIFS
protocol operations as root.
When translating SIDs to/from names using Samba's local
list of user and group accounts, a logic error in the smbd
daemon's internal security stack may result in a
transition to the root user id rather than the non-root
user. The user is then able to temporarily issue SMB/CIFS
protocol operations as the root user. This window of
opportunity may allow the attacker to establish additional
means of gaining root access to the server.
Various bugs in Samba's NDR parsing can allow a user to
send specially crafted MS-RPC requests that will overwrite
the heap space with user defined data.
Unescaped user input parameters are passed as arguments
to /bin/sh allowing for remote command execution.
This bug was originally reported against the anonymous
calls to the SamrChangePassword() MS-RPC function in
combination with the "username map script" smb.conf option
(which is not enabled by default).
After further investigation by Samba developers, it was
determined that the problem was much broader and impacts
remote printer and file share management as well. The
root cause is passing unfiltered user input provided via
MS-RPC calls to /bin/sh when invoking external scripts
defined in smb.conf. However, unlike the "username map
script" vulnerability, the remote file and printer
management scripts require an authenticated user
gt 3.* lt 3.0.25
gt 3.*,1 lt 3.0.25,1
|b168ddea-105a-11db-ac96-000c6ec775d9||samba -- memory exhaustion DoS in smbd|
The Samba Team reports:
The smbd daemon maintains internal data structures used to
track active connections to file and printer shares. In
certain circumstances an attacker may be able to
continually increase the memory usage of an smbd process
by issuing a large number of share connection requests.
This defect affects all Samba configurations.
ge 3.0.1,1 lt 3.0.23,1
|3b3676be-52e1-11d9-a9e7-0001020eed82||samba -- integer overflow vulnerability|
Greg MacManus, iDEFENSE Labs reports:
Remote exploitation of an integer overflow vulnerability
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
and Samba 3.0.x prior to and including 3.0.9 could allow
an attacker to cause controllable heap corruption, leading
to execution of arbitrary commands with root
Successful remote exploitation allows an attacker to gain
root privileges on a vulnerable system. In order to
exploit this vulnerability an attacker must possess
credentials that allow access to a share on the Samba
server. Unsuccessful exploitation attempts will cause the
process serving the request to crash with signal 11, and
may leave evidence of an attack in logs.
gt *,1 lt 3.0.10,1
gt 3.* lt 3.0.10
gt 3.*,1 lt 3.0.10,1
|f3d3f621-38d8-11d9-8fff-000c6e8f12ef||smbd -- buffer-overrun vulnerability|
Caused by improper bounds checking of certain trans2
requests, there is a possible buffer overrun in smbd.
The attacker needs to be able to create files with
very specific Unicode filenames on the share to take
advantage of this issue.
ge 3.* lt 3.0.8
ge 3.*,1 lt 3.0.8,1
|a63b15f9-97ff-11dc-9e48-0016179b2dd5||samba -- multiple vulnerabilities|
The Samba Team reports:
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd. This defect may
only be exploited when the "wins support" parameter has
been enabled in smb.conf.
Samba developers have discovered what is believed to be
a non-exploitable buffer overrun in nmbd during the processing
of GETDC logon server requests. This code is only used
when the Samba server is configured as a Primary or Backup
gt *,1 lt 3.0.26a_2,1
|2bc96f18-683f-11dc-82b6-02e0185f8d72||samba -- nss_info plugin privilege escalation vulnerability|
The Samba development team reports:
The idmap_ad.so library provides an nss_info extension to
Winbind for retrieving a user's home directory path, login
shell and primary group id from an Active Directory domain
controller. This functionality is enabled by defining the
"winbind nss info" smb.conf option to either "sfu" or
Both the Windows "Identity Management for Unix" and
"Services for Unix" MMC plug-ins allow a user to be assigned
a primary group for Unix clients that differs from the user's
Windows primary group. When the rfc2307 or sfu nss_info plugin
has been enabled, in the absence of either the RFC2307 or SFU
primary group attribute, Winbind will assign a primary group ID
of 0 to the domain user queried using the getpwnam() C library
gt *,1 lt 3.0.26a,1
|ffcbd42d-a8c5-11dc-bec2-02e0185f8d72||samba -- buffer overflow vulnerability|
Secunia Research reports:
Secunia Research has discovered a vulnerability in Samba, which
can be exploited by malicious people to compromise a vulnerable
system. The vulnerability is caused due to a boundary error within
the "send_mailslot()" function. This can be exploited to cause a
stack-based buffer overflow with zero bytes via a specially crafted
"SAMLOGON" domain logon packet containing a username string placed
at an odd offset followed by an overly long GETDC string.
Successful exploitation allows execution of arbitrary code, but
requires that the "domain logons" option is enabled.
gt *,1 lt 3.0.28,1