CVE-2007-2446

Samba 3.0.0-3.0.25rc3 - Buffer Overflow

Title source: llm

Description

Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

Exploits (9)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/16859

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotesolaris

https://www.exploit-db.com/exploits/16329

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremoteosx

https://www.exploit-db.com/exploits/16875

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Adriano Lima · rubyremotelinux

https://www.exploit-db.com/exploits/9950

View Code ZIP pw:eip

metasploit WORKING POC

by hdm · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/samba/lsa_transnames_heap.rb

View Code ZIP pw:eip

metasploit WORKING POC

by hdm · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb

View Code ZIP pw:eip

metasploit WORKING POC NORMAL

by Ramon de C Valle · rubypocsolaris

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/samba/lsa_transnames_heap.rb

View Code ZIP pw:eip

metasploit WORKING POC GOOD

by Ramon de C Valle · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/lsa_transnames_heap.rb

View Code ZIP pw:eip

metasploit WORKING POC NORMAL

by Ramon de C Valle · rubypocosx

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/samba/lsa_transnames_heap.rb

View Code ZIP pw:eip

References (75)

[Vendor Advisory] http://docs.info.apple.com/article.html?artnum=306172

[Vendor Advisory] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01067768

[Vendor Advisory] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01078980

[Mailing List] http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html

[Mailing List] http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html

[Various Sources] http://lists.suse.com/archive/suse-security-announce/2007-May/0006.html

[Third Party Advisory, VDB Entry] http://osvdb.org/34699

[Third Party Advisory, VDB Entry] http://osvdb.org/34731

[Third Party Advisory, VDB Entry] http://osvdb.org/34733

[Vendor Advisory] http://secunia.com/advisories/25232

[Vendor Advisory] http://secunia.com/advisories/25241

[Vendor Advisory] http://secunia.com/advisories/25246

[Vendor Advisory] http://secunia.com/advisories/25251

[Vendor Advisory] http://secunia.com/advisories/25255

[Vendor Advisory] http://secunia.com/advisories/25256

[Vendor Advisory] http://secunia.com/advisories/25257

[Vendor Advisory] http://secunia.com/advisories/25259

[Vendor Advisory] http://secunia.com/advisories/25270

[Vendor Advisory] http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.475906

[Vendor Advisory] http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1

... and 55 more

Scores

EPSS 0.8905

EPSS Percentile 99.5%

Details

CWE

CWE-119

Status published

Products (30)

samba/samba 3.0.0

samba/samba 3.0.1

samba/samba 3.0.2

samba/samba 3.0.2a

samba/samba 3.0.10

samba/samba 3.0.11

samba/samba 3.0.12

samba/samba 3.0.13

samba/samba 3.0.14

samba/samba 3.0.14a

... and 20 more

Published May 14, 2007

Tracked Since Feb 18, 2026