CVE-2007-2447 – Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution
https://notcve.org/view.php?id=CVE-2007-2447
The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management. La funcionalidad MS-RPC en mbd en Samba 3.0.0 hasta la 3.0.25rc3 permite a atacantes remotos ejecutar comandos de su elección a través del intérprete de comandos (shell) de metacaracteres afectando a la (1) función SamrChangePassword, cuando la opción "secuencia de comandos del mapa del nombre de usuario" smb.conf está activada, y permite a usuarios remotos validados ejecutar comandos a través del intérprete de comandos (shell) de metacaracteres afectando a otras funciones MS-RPC en la (2)impresora remota y (3)gestión de ficheros compartidos. • https://www.exploit-db.com/exploits/16320 https://github.com/amriunix/CVE-2007-2447 https://github.com/Ziemni/CVE-2007-2447-in-Python https://github.com/ozuma/CVE-2007-2447 https://github.com/Alien0ne/CVE-2007-2447 https://github.com/N3rdyN3xus/CVE-2007-2447 https://github.com/un4gi/CVE-2007-2447 https://github.com/xbufu/CVE-2007-2447 https://github.com/mr-l0n3lly/CVE-2007-2447 https://github.com/0xKn/CVE-2007-2447 https://github.com/xlcc4096/exploit-C •
CVE-2007-2446 – Samba lsa_io_trans_names Heap Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2007-2446
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names). Múltiples desbordamientos de búfer en la región heap de la memoria en el análisis NDR en smbd en Samba versión 3.0.0 hasta 3.0.25rc3 permiten que los atacantes remotos ejecuten código arbitrario por medio de peticiones MS-RPC creadas que involucran (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), o (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_name). This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Samba. User interaction is not required to exploit this vulnerability. The specific flaw exists in the parsing of RPC requests to the LSA RPC interface. When parsing a request to LsarLookupSids/LsarLookupSids2, heap allocation is calculated based on user input. • https://www.exploit-db.com/exploits/9950 https://www.exploit-db.com/exploits/16859 https://www.exploit-db.com/exploits/16875 https://www.exploit-db.com/exploits/16329 http://docs.info.apple.com/article.html?artnum=306172 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01067768 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01078980 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2007-0454
https://notcve.org/view.php?id=CVE-2007-0454
Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3.0.23d allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping. Una vulnerabilidad de cadena de formato en el módulo VFS afsacl.so en Samba versión 3.0.6 hasta 3.0.23d permite a los atacantes dependiendo del contexto ejecutar código arbitrario por medio de especificadores de cadena de formato en un nombre de archivo sobre un sistema de archivos AFS, que no se maneja apropiadamente durante la asignación ACL de Windows. • http://osvdb.org/33101 http://secunia.com/advisories/24021 http://secunia.com/advisories/24046 http://secunia.com/advisories/24060 http://secunia.com/advisories/24067 http://secunia.com/advisories/24101 http://secunia.com/advisories/24145 http://secunia.com/advisories/24151 http://securitytracker.com/id?1017588 http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.476916 http://us1.samba.org/samba/security/CVE-2007-0454.html http://www. • CWE-134: Use of Externally-Controlled Format String •
CVE-2007-0453
https://notcve.org/view.php?id=CVE-2007-0453
Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions. Desbordamiento de búfer en la librería nss_winbind.so.1 de Samba 3.0.21 hasta 3.0.23d, como se usa en el demonio winbindd de Solaris, permite a los atacantes ejecutar código de su elección a través de las funciones (1) gethostbyame y (2) getipnodebyname. • http://osvdb.org/33098 http://secunia.com/advisories/24043 http://secunia.com/advisories/24101 http://secunia.com/advisories/24151 http://securitytracker.com/id?1017589 http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.476916 http://us1.samba.org/samba/security/CVE-2007-0453.html http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.012.html http://www.securityfocus.com/archive/1/459168/100/0/threaded http://www.securityfocus.com/ar •
CVE-2007-0452
https://notcve.org/view.php?id=CVE-2007-0452
smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop. smbd en Samba 3.0.6 hasta 3.0.23d permite a usuarios autenticados remotamente provocar una denegación de servicio (agotamiento de memoria y CPU) renombrando un archivo de una forma que previene que una petición sea eliminada de la cola abierta referenciada, lo cual dispara un bucle infinito. • ftp://patches.sgi.com/support/free/security/advisories/20070201-01-P.asc http://fedoranews.org/cms/node/2579 http://fedoranews.org/cms/node/2580 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00943462 http://lists.suse.com/archive/suse-security-announce/2007-Feb/0002.html http://osvdb.org/33100 http://secunia.com/advisories/24021 http://secunia.com/advisories/24030 http://secunia.com/advisories/24046 http://secunia.com/advisories/24060 http://sec •