CVE-2012-1182

Samba < 3.4.16, 3.5.x < 3.5.14, 3.6.x < 3.6.4 - Remote Code Execution via RPC Array Length Validation Bypass


Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-1182. PoCs published by Metasploit, Unknown, blasty, mephos, sinn3r, juan vazquez, including Metasploit module exploits/linux/samba/setinfopolicy_heap.

AI-analyzed exploit summary: This Metasploit module exploits a heap overflow in Samba's LSA RPC service (CVE-2012-1182) by brute-forcing the system() address to bypass NX and achieve remote code execution with root privileges.

Description

The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/21850

This Metasploit module exploits a heap overflow in Samba's LSA RPC service (CVE-2012-1182) by brute-forcing the system() address to bypass NX and achieve remote code execution with root privileges.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Samba versions 3.4.x < 3.4.16, 3.5.x < 3.5.14, 3.6.x < 3.6.4
Auth required
Prerequisites: Network access to Samba's SMB service · Valid SMB credentials
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Unknown, blasty, mephos, sinn3r, juan vazquez · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/setinfopolicy_heap.rb

This Metasploit module exploits a heap overflow in Samba's LSA RPC service (CVE-2012-1182) via a crafted SetInformationPolicy call, using brute-force to bypass NX and achieve remote code execution with root privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Samba 3.5.4 to 3.5.11
No auth needed
Prerequisites: Network access to Samba's LSA RPC service · Target system running vulnerable Samba version
devstral-2 · analyzed Feb 16, 2026

References (27)

Core References
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2012:055
Various Sources x_refsource_confirm
http://www.samba.org/samba/history/samba-3.6.4.html
Vendor Advisory x_refsource_confirm
https://www.samba.org/samba/security/CVE-2012-1182
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48751
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2012/dsa-2450
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=134323086902585&w=2
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48844
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1423-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078726.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078836.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48816
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078258.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=133951282306605&w=2
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48879
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48754
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080567.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026913
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48818
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48999
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT5281
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48873

Scores

EPSS 0.7403
EPSS Percentile 99.4%

Details

CWE: CWE-189
Status: published
Products (37)
samba/samba 3.0.0
samba/samba 3.0.1
samba/samba 3.0.2 (2 CPE variants)
samba/samba 3.0.2a
samba/samba 3.0.3
samba/samba 3.0.4 (2 CPE variants)
samba/samba 3.0.5
samba/samba 3.0.6
samba/samba 3.0.7
samba/samba 3.0.8
... and 27 more
Published Apr 10, 2012
Tracked Since Feb 18, 2026