Vulnerability Report

Global CVE-2007-2446

 

Background

Severity: High
CVSS Score: 10.0

Discovered: 2007-05-14
Published: 2007-05-14
Last modified: 2007-08-01

Description: Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

Impact: Availability, Confidentiality, Integrity, Security Protections

Where: From network, remote network

Status: Patch available

References
MANDRIVA - MDKSA-2007:104
SECUNIA - 25232
SECUNIA - 25241
SECUNIA - 25246
SECUNIA - 25251
SECUNIA - 25255
SECUNIA - 25256
SECUNIA - 25257
SECUNIA - 25259
SECUNIA - 25270
GENTOO - GLSA-200705-15
SLACKWARE - SSA:2007-134-01
DEBIAN - DSA-1291
FRSIRT - ADV-2007-1805
CERT-VN - VU#773720
REDHAT - RHSA-2007:0354
BUGTRAQ - 20070513 [SAMBA-SECURITY] CVE-2007-2446: Multiple Heap Overflows Allow Remote Code Execution (Type: patch)
BUGTRAQ - 20070515 FLEA-2007-0017-1: samba
BUGTRAQ - 20070515 ZDI-07-032: Samba sec_io_acl Heap Overflow Vulnerability
BUGTRAQ - 20070515 ZDI-07-031: Samba smb_io_notify_option_type_data Heap Overflow Vulnerability
BUGTRAQ - 20070515 ZDI-07-029: Samba lsa_io_privilege_set Heap Overflow Vulnerability
BUGTRAQ - 20070515 ZDI-07-030: Samba netdfs_io_dfs_EnumInfo_d Heap Overflow Vulnerability
BUGTRAQ - 20070515 ZDI-07-033: Samba lsa_io_trans_names Heap Overflow Vulnerability
BID - 23973
SECTRACK - 1018050
TRUSTIX - 2007-0017
UBUNTU - USN-460-1
XF - samba-lsaioprivilegeset-bo(34309)
XF - samba-netdfsiodfsenuminfod-bo(34311)
XF - samba-smbionotifyoptiontypedata-bo(34312)
XF - samba-secioacl-bo(34314)
XF - samba-lsaiotransnames-bo(34316)

Vendors: Samba

Affected Products
Samba 3.0.23d
Samba 3.0.23c
Samba 3.0.23b
Samba 3.0.23a
Samba 3.0.23
Samba 3.0.22
Samba 3.0.21c
Samba 3.0.21b
Samba 3.0.21a
Samba 3.0.21
Samba 3.0.20b
Samba 3.0.20a
Samba 3.0.20
Samba 3.0.14a
Samba 3.0.13
Samba 3.0.12
Samba 3.0.11
Samba 3.0.10
Samba 3.0.9
Samba 3.0.8
Samba 3.0.7
Samba 3.0.6
Samba 3.0.14
Samba 3.0.1
Samba 3.0.2 a
Samba 3.0.2
Samba 3.0.3
Samba 3.0.4
Samba 3.0.5
Samba 3.0.4 -r1
Samba 3.0.15
Samba 3.0.16
Samba 3.0.17
Samba 3.0.18
Samba 3.0.19
Samba 3.0.25 pre2
Samba 3.0.0
Samba 3.0.24
Samba 3.0.25pre1
Samba 3.0.25rc1
Samba 3.0.25rc2
Samba 3.0.25rc3
Samba 3.0.2a
Samba 3.0.25 pre1
Samba 3.0.25 rc1
Samba 3.0.25 rc2
Samba 3.0.25 rc3
Samba 3.0.4 r1

TCP/IP Services
UDP/138
TCP/445
TCP/593
UDP/135
TCP/139
TCP/135

NVD Entry: CVE-2007-2446