Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-2446: Improper Restriction of Operations within the Bounds of a Memory Buffer in Samba

Severity
10.0 CRITICAL (NVD)
EPSS
89.0%
top 0.47%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: May 14
Latest update: May 1

Description

Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

CVSS vector

AV:N/AC:L/C:C/I:C/A:C
Exploitability: 10.0 | Impact: 10.0

Affected Packages (3 packages)

debian: debian/samba < samba 3.0.25-1 (bookworm)
Debian: samba/samba < 3.0.25-1 (+3)
NVD: samba/samba, 30 versions (+29)

Patches

🔴 Vulnerability Details

2
GHSA
GHSA-h3hj-j528-h53w: Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3 (2022-05-01)
OSV
CVE-2007-2446: Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3 (2007-05-14)

💥 Exploits & PoCs

8
Exploit-DB
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit) (2010-07-14)
Exploit-DB
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit) (2010-04-05)
Exploit-DB
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit) (2010-04-05)
Exploit-DB
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit) (2007-05-14)
Metasploit
Samba lsa_io_trans_names Heap Overflow

📋 Vendor Advisories

3
Ubuntu
Samba vulnerabilities (2007-05-16)
Red Hat
samba heap overflows (2007-05-14)
Debian
CVE-2007-2446: samba - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 t... (2007)

💬 Community

1
Bugzilla
CVE-2007-2446 samba heap overflows (2007-05-08)