CVE-2015-0240

Samba _netr_ServerPasswordSet Uninitialized Credential State

Title source: metasploit

Description

The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c.

Exploits (2)

exploitdb WORKING POC
by sleepya · python · dos · linux_x86
https://www.exploit-db.com/exploits/36741
metasploit WORKING POC
by Richard van Eeden, sleepya, sinn3r · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_uninit_cred.rb

References (36)

... and 16 more

Scores

EPSS 0.9108
EPSS Percentile 99.6%

Details

CWE
CWE-17
Status published
Products (50)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 14.10
novell/suse_linux_enterprise_desktop 12
novell/suse_linux_enterprise_server 12
novell/suse_linux_enterprise_software_development_kit 12
redhat/enterprise_linux 5
redhat/enterprise_linux 6.0
redhat/enterprise_linux 7.0
samba/samba 3.5.0
... and 40 more
Published Feb 24, 2015
Tracked Since Feb 18, 2026