Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2007-2446

Disclosure Date: May 14, 2007 •

Description

Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Metasploit Modules

Samba lsa_io_trans_names Heap Overflow (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/samba/lsa_transnames_heap.rb)

Samba lsa_io_privilege_set Heap Overflow (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb)

Samba lsa_io_trans_names Heap Overflow (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/samba/lsa_transnames_heap.rb)

Samba lsa_io_trans_names Heap Overflow (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/samba/lsa_transnames_heap.rb)

Samba lsa_io_trans_names Heap Overflow (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/samba/lsa_transnames_heap.rb)

References

Canonical

CVE-2007-2446 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446)

BID-24198 (http://www.securityfocus.com/bid/24198)

BID-23973 (http://www.securityfocus.com/bid/23973)

BID-24197 (http://www.securityfocus.com/bid/24197)

BID-25159 (http://www.securityfocus.com/bid/25159)

BID-24196 (http://www.securityfocus.com/bid/24196)

BID-24195 (http://www.securityfocus.com/bid/24195)

Advisory

GLSA-200705-15 (http://security.gentoo.org/glsa/glsa-200705-15.xml)

20070515 ZDI-07-032: Samba sec_io_acl Heap Overflow Vulnerability (http://www.securityfocus.com/archive/1/468672/100/0/threaded)

SECUNIA-25289 (http://secunia.com/advisories/25289)

20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player (http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html)

20070515 ZDI-07-031: Samba smb_io_notify_option_type_data Heap Overflow Vulnerability (http://www.securityfocus.com/archive/1/468673/100/0/threaded)

20070515 ZDI-07-029: Samba lsa_io_privilege_set Heap Overflow Vulnerability (http://www.securityfocus.com/archive/1/468674/100/0/threaded)

http://www.samba.org/samba/security/CVE-2007-2446.html

XF-samba-lsaiotransnames-bo(34316) (https://exchange.xforce.ibmcloud.com/vulnerabilities/34316)

http://www.xerox.com/downloads/usa/en/c/cert_XRX08_001.pdf

ADV-2007-2732 (http://www.vupen.com/english/advisories/2007/2732)

ADV-2007-1805 (http://www.vupen.com/english/advisories/2007/1805)

ADV-2007-3229 (http://www.vupen.com/english/advisories/2007/3229)

SECUNIA-25772 (http://secunia.com/advisories/25772)

HPSBUX02218 (http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01067768)

SECUNIA-25257 (http://secunia.com/advisories/25257)

SECUNIA-25391 (http://secunia.com/advisories/25391)

20070515 ZDI-07-030: Samba netdfs_io_dfs_EnumInfo_d Heap Overflow Vulnerability (http://www.securityfocus.com/archive/1/468675/100/0/threaded)

http://lists.suse.com/archive/suse-security-announce/2007-May/0006.html

SECUNIA-25270 (http://secunia.com/advisories/25270)

20070515 FLEA-2007-0017-1: samba (http://www.securityfocus.com/archive/1/468670/100/0/threaded)

APPLE-SA-2007-07-31 (http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html)

XF-samba-secioacl-bo(34314) (https://exchange.xforce.ibmcloud.com/vulnerabilities/34314)

ADV-2007-2281 (http://www.vupen.com/english/advisories/2007/2281)

ADV-2007-2210 (http://www.vupen.com/english/advisories/2007/2210)

HPSBTU02218 (http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01078980)

XF-samba-netdfsiodfsenuminfod-bo(34311) (https://exchange.xforce.ibmcloud.com/vulnerabilities/34311)

USN-460-1 (http://www.ubuntu.com/usn/usn-460-1)

XF-samba-smbionotifyoptiontypedata-bo(34312) (https://exchange.xforce.ibmcloud.com/vulnerabilities/34312)

SREASON-2702 (http://securityreason.com/securityalert/2702)

SECUNIA-25567 (http://secunia.com/advisories/25567)

OSVDB-34731 (http://osvdb.org/34731)

OSVDB-34699 (http://osvdb.org/34699)

SECUNIA-25241 (http://secunia.com/advisories/25241)

SECUNIA-28292 (http://secunia.com/advisories/28292)

http://www.mandriva.com/security/advisories?name=MDKSA-2007:104

SECUNIA-25256 (http://secunia.com/advisories/25256)

https://issues.rpath.com/browse/RPL-1366

SECUNIA-25259 (http://secunia.com/advisories/25259)

XF-samba-lsaioprivilegeset-bo(34309) (https://exchange.xforce.ibmcloud.com/vulnerabilities/34309)

OSVDB-34732 (http://www.osvdb.org/34732)

SUNALERT-102964 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1)

20070513 [SAMBA-SECURITY] CVE-2007-2446: Multiple Heap Overflows Allow Remote Code Execution (http://www.securityfocus.com/archive/1/468542/100/0/threaded)

SECTRACK-1018050 (http://www.securitytracker.com/id?1018050)

SECUNIA-26909 (http://secunia.com/advisories/26909)

ADV-2008-0050 (http://www.vupen.com/english/advisories/2008/0050)

SECUNIA-27706 (http://secunia.com/advisories/27706)

DSA-1291 (http://www.debian.org/security/2007/dsa-1291)

VU#773720 (http://www.kb.cert.org/vuls/id/773720)

http://docs.info.apple.com/article.html?artnum=306172

SECUNIA-25232 (http://secunia.com/advisories/25232)

SECUNIA-25251 (http://secunia.com/advisories/25251)

SUNALERT-200588 (http://sunsolve.sun.com/search/document.do?assetkey=1-66-200588-1)

SECUNIA-25246 (http://secunia.com/advisories/25246)

20070515 ZDI-07-033: Samba lsa_io_trans_names Heap Overflow Vulnerability (http://www.securityfocus.com/archive/1/468680/100/0/threaded)

OSVDB-34733 (http://osvdb.org/34733)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11415

SECUNIA-25255 (http://secunia.com/advisories/25255)

http://www.redhat.com/support/errata/RHSA-2007-0354.html

SECUNIA-26235 (http://secunia.com/advisories/26235)

SECUNIA-25675 (http://secunia.com/advisories/25675)

ADV-2007-2079 (http://www.vupen.com/english/advisories/2007/2079)

Miscellaneous

OpenPKG-SA-2007.012 (http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.012.html)

http://www.zerodayinitiative.com/advisories/ZDI-07-033.html

2007-0017 (http://www.trustix.org/errata/2007/0017)

http://www.zerodayinitiative.com/advisories/ZDI-07-031.html

http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.475906

http://www.zerodayinitiative.com/advisories/ZDI-07-030.html

http://www.zerodayinitiative.com/advisories/ZDI-07-032.html

http://www.zerodayinitiative.com/advisories/ZDI-07-029.html

Rapid7

Technical Analysis