CVE-2015-0240

Samba _netr_ServerPasswordSet Uninitialized Credential State

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-0240. PoCs published by sleepya, Richard van Eeden and sinn3r, including the Metasploit module auxiliary/scanner/smb/smb_uninit_cred.

AI-analyzed exploit summary

This exploit targets CVE-2015-0240, a heap-based buffer overflow in Samba versions prior to 3.6.24. It leverages the uninitialized 'creds' variable controlled by the ReferentID field in the PrimaryName structure to achieve remote code execution on vulnerable x86 systems.

Description

The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c.

Exploits (2)

exploitdb · WORKING POC
by sleepya · python · dos · linux_x86
https://www.exploit-db.com/exploits/36741

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Samba < 3.6.24
No auth needed
Prerequisites: Network access to the target's SMB service (port 445) · Vulnerable Samba version (< 3.6.24) running on x86 architecture
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC
by Richard van Eeden, sleepya, sinn3r · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_uninit_cred.rb

This Metasploit module exploits CVE-2015-0240, an uninitialized credential state vulnerability in Samba's _netr_ServerPasswordSet function. It includes both passive version checking and an active exploit that triggers a segmentation fault in vulnerable Samba versions.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Samba versions 3.5.0-3.5.9, 3.6.0-3.6.24, 4.0.0-4.0.24, 4.1.0-4.1.16
No auth needed
Prerequisites: Network access to SMB ports (139 or 445)
devstral-2 · analyzed Feb 16, 2026

References (36)

Mailing List, Vendor Advisory (HP): http://marc.info/?l=bugtraq&m=143039217203031&w=2
Third Party Advisory (Mageia): http://advisories.mageia.org/MGASA-2015-0084.html
Exploit, Third Party Advisory (Exploit-DB): https://www.exploit-db.com/exploits/36741/
Vendor Advisory (Ubuntu): http://www.ubuntu.com/usn/USN-2508-1
Vendor Advisory (Samba): https://www.samba.org/samba/security/CVE-2015-0240
Third Party Advisory, VDB Entry (BID): http://www.securityfocus.com/bid/72711
Third Party Advisory (Gentoo): http://security.gentoo.org/glsa/glsa-201502-15.xml
Third Party Advisory (Debian): http://www.debian.org/security/2015/dsa-3171
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1031783
Issue Tracking (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=1191325
Vendor Advisory (Mandriva): http://www.mandriva.com/security/advisories?name=MDVSA-2015:082
Mailing List, Vendor Advisory (HP): http://marc.info/?l=bugtraq&m=142722696102151&w=2
Vendor Advisory (Mandriva): http://www.mandriva.com/security/advisories?name=MDVSA-2015:081
Vendor Advisory (Red Hat): https://access.redhat.com/articles/1346913
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0254.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0250.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0253.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0249.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0251.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0252.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0255.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0256.html
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-0257.html

Scores

EPSS: 0.8860
EPSS Percentile: 99.8%

Details

CWE: CWE-17
Status: published
Products (50)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 14.10
novell/suse_linux_enterprise_desktop 12
novell/suse_linux_enterprise_server 12
novell/suse_linux_enterprise_software_development_kit 12
redhat/enterprise_linux 5
redhat/enterprise_linux 6.0
redhat/enterprise_linux 7.0
samba/samba 3.5.0
... and 40 more
Published: Feb 24, 2015
Tracked Since: Feb 18, 2026