CVE-2007-2446
Samba lsa_io_trans_names Heap Overflow Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
9Exploited in Wild
-Decision
Descriptions
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).
Múltiples desbordamientos de búfer en la región heap de la memoria en el análisis NDR en smbd en Samba versión 3.0.0 hasta 3.0.25rc3 permiten que los atacantes remotos ejecuten código arbitrario por medio de peticiones MS-RPC creadas que involucran (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), o (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_name).
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Samba. User interaction is not required to exploit this vulnerability.
The specific flaw exists in the parsing of RPC requests to the LSA RPC interface. When parsing a request to LsarLookupSids/LsarLookupSids2, heap allocation is calculated based on user input. By specifying invalid values, heap blocks can be overwritten leading to remote code execution.
Several issues have been identified in Samba, the SMB/CIFS file and print server implementation for GNU/Linux. When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish addition means of gaining root access to the server. Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution
CVSS Scores
SSVC
- Decision:-
Timeline
- 2007-05-02 CVE Reserved
- 2007-05-14 CVE Published
- 2007-07-26 First Exploit
- 2024-08-07 CVE Updated
- 2025-08-11 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (86)
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/180539 | 2024-08-31 | |
| https://packetstorm.news/files/id/58065 | 2007-07-26 | |
| https://packetstorm.news/files/id/58066 | 2007-07-26 | |
| https://packetstorm.news/files/id/58067 | 2007-07-26 | |
| https://packetstorm.news/files/id/82250 | 2009-10-27 | |
| https://www.exploit-db.com/exploits/16859 | 2016-12-01 | |
| https://www.exploit-db.com/exploits/16875 | 2016-12-01 | |
| https://www.exploit-db.com/exploits/16329 | 2016-12-01 | |
| https://www.exploit-db.com/exploits/9950 | 2016-09-23 |
| URL | Date | SRC |
|---|---|---|
| http://www.samba.org/samba/security/CVE-2007-2446.html | 2018-10-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.0 Search vendor "Samba" for product "Samba" and version "3.0.0" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.1 Search vendor "Samba" for product "Samba" and version "3.0.1" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.2 Search vendor "Samba" for product "Samba" and version "3.0.2" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.2a Search vendor "Samba" for product "Samba" and version "3.0.2a" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.10 Search vendor "Samba" for product "Samba" and version "3.0.10" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.11 Search vendor "Samba" for product "Samba" and version "3.0.11" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.12 Search vendor "Samba" for product "Samba" and version "3.0.12" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.13 Search vendor "Samba" for product "Samba" and version "3.0.13" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.14 Search vendor "Samba" for product "Samba" and version "3.0.14" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.14a Search vendor "Samba" for product "Samba" and version "3.0.14a" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.15 Search vendor "Samba" for product "Samba" and version "3.0.15" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.16 Search vendor "Samba" for product "Samba" and version "3.0.16" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.17 Search vendor "Samba" for product "Samba" and version "3.0.17" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.18 Search vendor "Samba" for product "Samba" and version "3.0.18" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.19 Search vendor "Samba" for product "Samba" and version "3.0.19" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.20 Search vendor "Samba" for product "Samba" and version "3.0.20" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.20a Search vendor "Samba" for product "Samba" and version "3.0.20a" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.20b Search vendor "Samba" for product "Samba" and version "3.0.20b" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.21 Search vendor "Samba" for product "Samba" and version "3.0.21" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.21a Search vendor "Samba" for product "Samba" and version "3.0.21a" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.21b Search vendor "Samba" for product "Samba" and version "3.0.21b" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.21c Search vendor "Samba" for product "Samba" and version "3.0.21c" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.22 Search vendor "Samba" for product "Samba" and version "3.0.22" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.23 Search vendor "Samba" for product "Samba" and version "3.0.23" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.23a Search vendor "Samba" for product "Samba" and version "3.0.23a" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.23b Search vendor "Samba" for product "Samba" and version "3.0.23b" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.23c Search vendor "Samba" for product "Samba" and version "3.0.23c" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.23d Search vendor "Samba" for product "Samba" and version "3.0.23d" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.24 Search vendor "Samba" for product "Samba" and version "3.0.24" | - |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.25 Search vendor "Samba" for product "Samba" and version "3.0.25" | pre1 |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.25 Search vendor "Samba" for product "Samba" and version "3.0.25" | pre2 |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.25 Search vendor "Samba" for product "Samba" and version "3.0.25" | rc1 |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.25 Search vendor "Samba" for product "Samba" and version "3.0.25" | rc2 |
Affected
| ||||||
| Samba Search vendor "Samba" | Samba Search vendor "Samba" for product "Samba" | 3.0.25 Search vendor "Samba" for product "Samba" and version "3.0.25" | rc3 |
Affected
| ||||||