CVE-2007-2446

Published: 14/05/2007 Updated: 16/10/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 up to and including 3.0.25rc3 allow remote malicious users to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

Affected Products

Vendor   Product   Versions
Samba    Samba     3.0.0, 3.0.1, 3.0.2, 3.0.2a, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.14a, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.20a, 3.0.20b, 3.0.21, 3.0.21a, 3.0.21b, 3.0.21c, 3.0.22, 3.0.23, 3.0.23a, 3.0.23b, 3.0.23c, 3.0.23d, 3.0.24, 3.0.25

Vendor Advisories

Paul Griffith and Andrew Hogue discovered that Samba did not fully drop root privileges while translating SIDs. A remote authenticated user could issue SMB operations during a small window of opportunity and gain root privileges (CVE-2007-2444) ...
Several issues have been identified in Samba, the SMB/CIFS file- and print-server implementation for GNU/Linux. CVE-2007-2444: When translating SIDs to/from names using Samba's local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the ...

Exploits

## # $Id: lsa_transnames_heap.rb 9021 2010-04-05 23:34:10Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # metasploit.com/framework/ ## require 'msf/core' cl ...
## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Ms ...
## # $Id: lsa_transnames_heap.rb 9828 2010-07-14 17:27:23Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # metasploit.com/framework/ ## require 'msf/core' cl ...

Metasploit Modules

Samba lsa_io_privilege_set Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon.

msf > use auxiliary/dos/samba/lsa_addprivs_heap
msf auxiliary(lsa_addprivs_heap) > show actions
    ...actions...
msf auxiliary(lsa_addprivs_heap) > set ACTION <action-name>
msf auxiliary(lsa_addprivs_heap) > show options
    ...show and set options...
msf auxiliary(lsa_addprivs_heap) > run

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. It uses szone_free() to overwrite the size() or free() pointer in the initial_malloc_zones structure.

msf > use exploit/osx/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show targets
    ...targets...
msf exploit(lsa_transnames_heap) > set TARGET <target-id>
msf exploit(lsa_transnames_heap) > show options
    ...show and set options...
msf exploit(lsa_transnames_heap) > exploit

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

msf > use exploit/linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show targets
    ...targets...
msf exploit(lsa_transnames_heap) > set TARGET <target-id>
msf exploit(lsa_transnames_heap) > show options
    ...show and set options...
msf exploit(lsa_transnames_heap) > exploit

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon.

msf > use auxiliary/dos/samba/lsa_transnames_heap
msf auxiliary(lsa_transnames_heap) > show actions
    ...actions...
msf auxiliary(lsa_transnames_heap) > set ACTION <action-name>
msf auxiliary(lsa_transnames_heap) > show options
    ...show and set options...
msf auxiliary(lsa_transnames_heap) > run

Samba lsa_io_trans_names Heap Overflow

This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

msf > use exploit/solaris/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > show targets
    ...targets...
msf exploit(lsa_transnames_heap) > set TARGET <target-id>
msf exploit(lsa_transnames_heap) > show options
    ...show and set options...
msf exploit(lsa_transnames_heap) > exploit

Github Repositories

There is always a repository in life for the odds and ends: TFTP_RDDOS: code related to TFTP reflection amplification attacks, originally published on Drops. editor_tools: small scripts that made editing on Drops easier. pktcap: a small packet-sniffing toy built on scapy. port_scan: a port-scanning tool built on scapy. puzzle2016: code for my Cloud Puzzle 2016 write-ups. cve_2007_2446_pcapng: CVE-2007-2446 msf attack packet capture. ble_hackmelock:

CyberCAPTOR Server [Cyber seCurity Attack graPh moniTORing - Server]. CyberCAPTOR is an implementation of the Cyber Security Generic Enabler, the future developments of the Security Monitoring GE. NOTE: This repository was adapted to fit the needs of the DOCTOR and 5G-ENSURE projects. Namely, the container now embeds a monolithic version of CyberCAPTOR, with the API server, web

CyberCAPTOR Server. FIWARE Cyber seCurity Attack graPh moniTORing - Server. This project is part of FIWARE. For more information, please consult the FIWARE website. CyberCAPTOR is an implementation of the Cyber Security Generic Enabler, the future developments of the Security Monitoring GE. Build Status: Table of Contents: CyberCAPTOR Server, Development Version, Installation, Prereq

LinuxFlaw. This repo records all the vulnerabilities of Linux software I have reproduced in my local workspace. If the vulnerability has both CVE-ID and EDB-ID, CVE-ID is preferred as its directory name. All the vulnerable source code packages are stored in source-packages. VMware Workstation Images: Image Name / username / password: Ubuntu 8.10 / exploit / exploit; Ubuntu 10.04 LTS

References

CWE-119