CVE-2003-0085
Published: 2003-03-31

Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.

Priority: P2 · 60 · Severity: critical · CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available (see the Exploit-DB entries below)
EPSS: 87.92% (99.7th percentile)
Affected
34 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 2.2.8 (bookworm) | samba 2.2.8 (bookworm) |
| hp | cifs-9000_server | — | — |
| samba | samba | — | — |
Detection & IOCs (extracted from sources)
- command: SMB_COM_NT_TRANSACT followed by SMB_COM_NT_TRANSACT_SECONDARY with ParamCountTotal=12000 and crafted ParamDisplace
- The exploit targets smbd running with root privileges via the SMB/CIFS packet fragment re-assembly code path. Monitor smbd processes for unexpected child processes spawning /bin/sh.
- The vulnerability affects Samba before 2.2.8 and Samba-TNG before 0.3.1; systems running patched versions (2.2.8+) are not vulnerable.
- The C exploit uses a brute-force stack displacement loop (BRUTESTEP 5120, range 0xbfffd000–0xbfffffff), meaning multiple connection attempts will be made; a single failed attempt does not rule out exploitation.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA
GHSA-qxx9-28p4-39v8 · ghsa_unreviewed · 2022-05-03 · severity HIGH
Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.
OSV
CVE-2003-0085 · osv · 2003-03-31 · CVSS 10.0 · CRITICAL
Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.
Red Hat
"security flaw" · vendor_redhat · 2003-03-15 · CVSS 10.0 · CRITICAL
Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.
Debian
CVE-2003-0085: samba - Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon ...
vendor_debian·2003·CVSS 10.0
CVE-2003-0085 [CRITICAL] CVE-2003-0085: samba - Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon ...
Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.
Scope: local
bookworm: resolved (fixed in 2.2.8)
bullseye: resolved (fixed in 2.2.8)
forky: resolved (fixed in 2.2.8)
sid: resolved (fixed in 2.2.8)
trixie: resolved (fixed in 2.2.8)
No detection rules found.
Exploit-DB
Samba 2.2.2 < 2.2.6 - 'nttrans' Remote Buffer Overflow (Metasploit) (1) · exploitdb · 2010-04-28

Module metadata excerpt, as published (the source page cuts the listing off mid-file):

```ruby
Samba 2.2.2 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
  'Description' => %q{
    This module attempts to exploit a buffer overflow vulnerability present in
    versions 2.2.2 through 2.2.6 of Samba.
    The Samba developers report this as:
    "Bug in the length checking for encrypted password change requests from clients."
    The bug was discovered and reported by the Debian Samba Maintainers.
  },
  'Author' => [ 'hdm' ],
  'License' => MSF_LICENSE,
  'Version' => '$Revision: 9167 $',
  'References' =>
    [
      [ 'CVE', '2003-0085' ],
      [ 'OSVDB', '6323' ],
      [ 'BID', '7106' ],
      [ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
    ],
  'Privileged' => true,
  'Payload' =>
    {
      'Space' => 1024,
      'BadChars' => "\x00",
      'MinNops' => 512,
    },
  'Targets' =>
    [
      [ "Samba 2.2.x Linux x86",
        {
          'Arch' => ARCH_X86,
          'Platform' => 'lin
```
Exploit-DB
Samba 2.2.x - 'nttrans' Remote Overflow (Metasploit) · exploitdb · 2003-04-07

Module metadata excerpt, as published (the source page cuts the listing off mid-file):

```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Samba nttrans Overflow',
  'Description' => %q{
  },
  'Author' => [ 'hdm' ],
  'License' => MSF_LICENSE,
  'Version' => '$Revision$',
  'References' =>
    [
      [ 'CVE', '2003-0085' ],
      [ 'OSVDB', '6323' ],
      [ 'BID', '7106' ],
    ],
  'Privileged' => true,
  'Payload' =>
    {
      'Space' => 1024,
      'BadChars' => "\x00",
      'MinNops' => 512,
    },
  'Targets' =>
    [
      ["Samba 2.2.x Linux x86",
        {
          'Arch' => ARCH_X86,
          'Platform' => 'linux',
          'Rets' => [0x01020304, 0x41424344],
```
Exploit-DB
Samba 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow · exploitdb · 2003-03-15

Header excerpt, as published (the source page cuts the listing off after the type definitions, and the header names in the include lines did not survive):

```c
/*
source: https://www.securityfocus.com/bid/7106/info

Samba is prone to a buffer-overflow vulnerability when the 'smbd' service
tries to reassemble specially crafted SMB/CIFS packets.

An attacker can exploit this vulnerability by creating a specially formatted
SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow
condition will be triggered and will cause smbd to overwrite sensitive areas
of memory with attacker-supplied values.

Note that the smbd service runs with root privileges.
*/

/**
 ** sambash -- samba

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

typedef unsigned char uint8;
typedef unsigned short uint16;
typedef unsigned long uint32;

/* h
```
References
- ftp://patches.sgi.com/support/free/security/advisories/20030302-01-I
- http://marc.info/?l=bugtraq&m=104792646416629&w=2
- http://marc.info/?l=bugtraq&m=104792723017768&w=2
- http://marc.info/?l=bugtraq&m=104801012929374&w=2
- http://secunia.com/advisories/8299
- http://secunia.com/advisories/8303
- http://www.debian.org/security/2003/dsa-262
- http://www.gentoo.org/security/en/glsa/glsa-200303-11.xml
- http://www.kb.cert.org/vuls/id/298233
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:032
- http://www.novell.com/linux/security/advisories/2003_016_samba.html
- http://www.redhat.com/support/errata/RHSA-2003-095.html
- http://www.redhat.com/support/errata/RHSA-2003-096.html
- http://www.securityfocus.com/archive/1/316165/30/25370/threaded
- http://www.securityfocus.com/archive/1/317145/30/25220/threaded
- http://www.securityfocus.com/bid/7106
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A552

Published: 2003-03-31