CVE-2008-1105

Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)

Severity Score

9.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.

Desbordamiento de búfer basado en montículo en la función receive_smb_raw de util/sock.c en Samba 3.0.0 hasta 3.0.29, permite a atacantes remotos ejecutar código de su elección a través de una respuesta SMB manipulada.

USN-617-1 fixed vulnerabilities in Samba. The upstream patch introduced a regression where under certain circumstances accessing large files might cause the client to report an invalid packet length error. This update fixes the problem. Samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. When samba is configured as a Primary or Backup Domain Controller, a remote attacker could send malicious logon requests and possibly cause a denial of service. Alin Rad Pop of Secunia Research discovered that Samba did not properly perform bounds checking when parsing SMB replies. A remote attacker could send crafted SMB packets and execute arbitrary code.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2008-02-29 CVE Reserved
2008-05-29 CVE Published
2024-08-07 CVE Updated
2024-08-07 First Exploit
2025-04-29 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (49)

URL	Tag	Source
http://lists.vmware.com/pipermail/security-announce/2008/000023.html	Mailing List
http://secunia.com/advisories/30228	Third Party Advisory
http://secunia.com/advisories/30385	Third Party Advisory
http://secunia.com/advisories/30396	Third Party Advisory
http://secunia.com/advisories/30442	Third Party Advisory
http://secunia.com/advisories/30449	Third Party Advisory
http://secunia.com/advisories/30478	Third Party Advisory
http://secunia.com/advisories/30489	Third Party Advisory
http://secunia.com/advisories/30543	Third Party Advisory
http://secunia.com/advisories/30736	Third Party Advisory
http://secunia.com/advisories/30802	Third Party Advisory
http://secunia.com/advisories/30835	Third Party Advisory
http://secunia.com/advisories/31246	Third Party Advisory
http://secunia.com/advisories/31911	Third Party Advisory
http://secunia.com/advisories/33696	Third Party Advisory
http://securitytracker.com/id?1020123	Third Party Advisory
http://support.apple.com/kb/HT2163	Third Party Advisory
http://wiki.rpath.com/Advisories:rPSA-2008-0180	Broken Link
http://www.securityfocus.com/archive/1/492683/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/492737/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/492903/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/31255	Third Party Advisory
http://www.xerox.com/downloads/usa/en/c/cert_XRX08_009.pdf	Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/42664	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/45251	Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10020	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5733	Signature

URL	Date	SRC
https://www.exploit-db.com/exploits/5712	2024-08-07

URL	Date	SRC
http://www.securityfocus.com/bid/29404	2022-08-29

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html	2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00000.html	2022-08-29
http://secunia.com/secunia_research/2008-20/advisory	2022-08-29
http://security.gentoo.org/glsa/glsa-200805-23.xml	2022-08-29
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.473951	2022-08-29
http://sunsolve.sun.com/search/document.do?assetkey=1-26-249086-1	2022-08-29
http://www.debian.org/security/2008/dsa-1590	2022-08-29
http://www.mandriva.com/security/advisories?name=MDVSA-2008:108	2022-08-29
http://www.redhat.com/support/errata/RHSA-2008-0288.html	2022-08-29
http://www.redhat.com/support/errata/RHSA-2008-0289.html	2022-08-29
http://www.redhat.com/support/errata/RHSA-2008-0290.html	2022-08-29
http://www.samba.org/samba/security/CVE-2008-1105.html	2022-08-29
http://www.ubuntu.com/usn/usn-617-1	2022-08-29
http://www.ubuntu.com/usn/usn-617-2	2022-08-29
http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01475657	2022-08-29
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01006.html	2022-08-29
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01030.html	2022-08-29
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01082.html	2022-08-29
https://access.redhat.com/security/cve/CVE-2008-1105	2008-05-28
https://bugzilla.redhat.com/show_bug.cgi?id=446724	2008-05-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 3.0.0 <= 3.0.29 Search vendor "Samba" for product "Samba" and version " >= 3.0.0 <= 3.0.29"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				6.06 Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				7.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "7.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				7.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "7.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				8.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				4.0 Search vendor "Debian" for product "Debian Linux" and version "4.0"		-		Affected