Computer Security
[EN] securityvulns.ru



Samba file server multiple security vulnerabilities
Updated since: 15.05.2007
Published: 16.05.2007
Source: BUGTRAQ
SecurityVulns ID: 7713
Type: remote
Level: 7/10
Description: Multiple heap-based buffer overflows, invalid SID to uid translation privilege escalation, shell characters problem.
Affected: SAMBA : Samba 3.0
CVE: CVE-2007-2447 (The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.)
 CVE-2007-2446 (Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).)
 CVE-2007-2444 (Logic error in the SID/Name translation functionality in smbd in Samba 3.0.23d through 3.0.25pre2 allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the root user.)
Original document:
 ZDI, ZDI-07-032: Samba sec_io_acl Heap Overflow Vulnerability (16.05.2007)
 ZDI, ZDI-07-030: Samba netdfs_io_dfs_EnumInfo_d Heap Overflow Vulnerability (16.05.2007)
 ZDI, ZDI-07-029: Samba lsa_io_privilege_set Heap Overflow Vulnerability (16.05.2007)
 ZDI, ZDI-07-031: Samba smb_io_notify_option_type_data Heap Overflow Vulnerability (16.05.2007)
 ZDI, ZDI-07-033: Samba lsa_io_trans_names Heap Overflow Vulnerability (16.05.2007)
 IDEFENSE, iDefense Security Advisory 05.14.07: Samba SAMR Change Password Remote Command Injection Vulnerability (15.05.2007)
 SAMBA, [SAMBA-SECURITY] CVE-2007-2447: Remote Command Injection Vulnerability (15.05.2007)
 SAMBA, [SAMBA-SECURITY] CVE-2007-2444: Local SID/Name Translation Failure Can Result in User Privilege Elevation (15.05.2007)
 SAMBA, [SAMBA-SECURITY] CVE-2007-2446: Multiple Heap Overflows Allow Remote Code Execution (15.05.2007)
Discuss (1 comment):

  Eugene Yunak: Multiple vulnerabilities in Samba (multiple bugs)  16.05.2007 2:30:32
 Has anyone seen exploit implementations for this thing? If it's not too much trouble, point me in the right direction at val-amart НЕкошка mail.ru
Where can one get hold of exploits in general?

© SecurityVulns, 3APA3A, Vladimir Dubrovin
 


