CVE-2007-2446
Published 2007-05-14. CVSS 2.0 base score 10.0 (critical). EPSS 77.81% (99.5th percentile). Public exploit available.
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 3.0.25-1 (bookworm) | samba 3.0.25-1 (bookworm) |
| samba | samba | (no version range given in the source; see the CVE text above for the affected range 3.0.0 through 3.0.25rc3) | |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring DCE/RPC bind requests to the LSA interface UUID 12345778-1234-abcd-ef00-0123456789ab over the named pipe \LSARPC on SMB.
- The exploit sends an oversized LsarLookupSids request with 256–288 crafted 16-byte entries in the trans_names buffer; anomalously large entry counts in LsarLookupSids NDR payloads are a strong indicator.
- The exploit only succeeds when the Samba 'log level' parameter is 2 or lower; a log level above 2 prevents exploitation. Monitor for exploitation attempts against Samba 3.0.21–3.0.24 specifically.
- The exploit uses the TALLOC chunk overwrite technique; look for smbd crashes or unexpected process restarts on Samba 3.0.21–3.0.24 following LSA RPC calls.
- On OSX targets, the exploit overwrites the size() or free() pointer in the initial_malloc_zones structure via szone_free(); monitor for abnormal smbd memory corruption on macOS Samba 3.0.10.
- The exploit sets DCERPC::fake_bind_multi to false before binding; IDS rules can flag DCE/RPC bind requests to the LSA UUID that do not use multi-context bind.
- After successful exploitation the server disconnects the pipe with STATUS_PIPE_DISCONNECTED; this error following an LSA RPC call to smbd is a post-exploitation indicator.
- The TALLOC chunk overwrite exploitation method only works against Samba versions 3.0.21–3.0.24; other versions in the vulnerable range (3.0.0–3.0.25rc3) require different exploitation approaches.
- Setting Samba's 'log level' parameter higher than 2 prevents this specific exploit from working, providing a partial mitigation.
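As an added illustration of the first and sixth indicators above (this is not code from the page or from any cited project): a small parser that inspects a DCE/RPC bind PDU for the LSARPC interface UUID and reports whether the bind carries more than one presentation context. It assumes the standard little-endian bind PDU layout and builds its own constructed sample PDUs to exercise the parser.

```python
import struct
import uuid

# LSA interface UUID named in the IOC list above; NDR is the standard DCE/RPC transfer syntax.
LSARPC_UUID = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_BIND = 11  # DCE/RPC packet type of a bind request

def parse_bind_contexts(pdu: bytes) -> list:
    """Return the abstract-syntax (interface) UUID of each presentation
    context in a little-endian DCE/RPC bind PDU; [] if it is not a bind."""
    if len(pdu) < 28 or pdu[2] != PTYPE_BIND:
        return []
    num_ctx, off, ctxs = pdu[24], 28, []   # num_ctx_items sits after the 24-byte header
    for _ in range(num_ctx):
        if off + 24 > len(pdu):
            break  # truncated context list: stop rather than read past the buffer
        n_syntaxes = pdu[off + 2]  # ctx_id(2) n_transfer_syntaxes(1) pad(1)
        ctxs.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * n_syntaxes  # ctx header + iface uuid/version + syntaxes
    return ctxs

def classify_bind(pdu: bytes) -> dict:
    """Flags taken from the IOC list: bind to LSARPC, and whether the bind
    is multi-context (a single-context LSARPC bind is the flagged shape)."""
    ctxs = parse_bind_contexts(pdu)
    return {"targets_lsarpc": LSARPC_UUID in ctxs,
            "multi_context": len(ctxs) > 1,
            "num_contexts": len(ctxs)}

def build_bind(interfaces) -> bytes:
    """Constructed sample input: a minimal bind PDU with one NDR transfer
    syntax per context. Used here only to exercise the parser."""
    body = b""
    for ctx_id, iface in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le
        body += struct.pack("<I", 0) + NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    # ver, minor, ptype, flags(first+last frag), drep(LE), frag_len, auth_len,
    # call_id, max_xmit, max_recv, assoc_group, num_ctx_items + 3 pad bytes
    hdr = struct.pack("<BBBB4sHHIHHIB3x", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      28 + len(body), 0, 1, 4280, 4280, 0, len(interfaces))
    return hdr + body

if __name__ == "__main__":
    print(classify_bind(build_bind([LSARPC_UUID])))
    # {'targets_lsarpc': True, 'multi_context': False, 'num_contexts': 1}
```

Legitimate clients also bind to LSARPC, so treat the flag as a triage signal to correlate with the other indicators (oversized LsarLookupSids payloads, smbd crashes) rather than as proof of exploitation.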
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS 2.0) | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| OSV | 10.0 | CRITICAL | |
| vendor_debian | 10.0 | HIGH | |
| vendor_redhat | 10.0 | CRITICAL | |
| vendor_ubuntu | 7.2 | HIGH | |
GHSA
GHSA-h3hj-j528-h53w (ghsa_unreviewed, 2022-05-01, rated HIGH, CWE-119): description identical to the CVE text above.
OSV
CVE-2007-2446 (osv, 2007-05-14, CVSS 10.0, rated CRITICAL): description identical to the CVE text above.
Ubuntu
Samba vulnerabilities (vendor_ubuntu, 2007-05-16, CVSS 7.2, rated HIGH)
Paul Griffith and Andrew Hogue discovered that Samba did not fully drop
root privileges while translating SIDs. A remote authenticated user
could issue SMB operations during a small window of opportunity and gain
root privileges. (CVE-2007-2444)
Brian Schafer discovered that Samba did not handle NDR parsing
correctly. A remote attacker could send specially crafted MS-RPC
requests that could overwrite heap memory and execute arbitrary code.
(CVE-2007-2446)
It was discovered that Samba did not correctly escape input parameters
for external scripts defined in smb.conf. Remote authenticated users
could send specially crafted MS-RPC requests and execute arbitrary shell
commands. (CVE-2007-2447)
Instructions: In general, a standard
Red Hat
samba heap overflows (vendor_redhat, 2007-05-14, CVSS 10.0, rated CRITICAL): description identical to the CVE text above.
Debian
CVE-2007-2446: samba - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 t... (vendor_debian, 2007, CVSS 10.0, rated CRITICAL): description identical to the CVE text above.
Scope: local
bookworm: resolved (fixed in 3.0.25-1)
bullseye: resolved (fixed in 3.0.25-1)
forky: resolved (fixed in 3.0.25-1)
sid: resolved (fixed in 3.0.25-1)
trixie: resolved (fixed in 3.0.25-1)
No detection rules found.
Exploit-DB
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit) (exploitdb, 2010-07-14). The listing's source excerpt is truncated as shown:

```ruby
##
# $Id: lsa_transnames_heap.rb 9828 2010-07-14 17:27:23Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Samba lsa_io_trans_names Heap Overflow',
'Description' => %q{
This module triggers a heap overflow in the LSA RPC service
of the Samba daemon. This module uses the TALLOC chunk overwrite
method (credit Ramon and Adriano), which only works with Samba
versions 3.0.21-3.0.24. Additionally, this module will not work
when the Samba "log level" parameter is hig
```
Exploit-DB
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit) (exploitdb, 2010-04-05). The listing's source excerpt is truncated as shown:

```ruby
##
# $Id: lsa_transnames_heap.rb 9021 2010-04-05 23:34:10Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Samba lsa_io_trans_names Heap Overflow',
'Description' => %q{
This module triggers a heap overflow in the LSA RPC service
of the Samba daemon. This module uses the TALLOC chunk overwrite
method (credit Ramon and Adriano), which only works with Samba
versions 3.0.21-3.0.24. Additionally, this module will not work
when the Samba "log level" parameter is
```
Exploit-DB
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit) (exploitdb, 2010-04-05). The listing's source excerpt is truncated as shown:

```ruby
##
# $Id: lsa_transnames_heap.rb 9021 2010-04-05 23:34:10Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Samba lsa_io_trans_names Heap Overflow',
'Description' => %q{
This module triggers a heap overflow in the LSA RPC service
of the Samba daemon. This module uses the szone_free() to overwrite
the size() or free() pointer in initial_malloc_zones structure.
},
'Author' =>
[
'ramon',
'Adriano Lima ',
'hdm'
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9
```
Exploit-DB
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit) (exploitdb, 2007-05-14). The listing's source excerpt is truncated as shown:

```ruby
'Samba lsa_io_trans_names Heap Overflow',
'Description' => %q{
This module triggers a heap overflow in the LSA RPC service
of the Samba daemon. This module uses the TALLOC chunk overwrite
method (credit Ramon and Adriano), which only works with Samba
versions 3.0.21-3.0.24. Additionally, this module will not work
when the Samba "log level" parameter is higher than "2".
},
'Author' =>
[
'ramon',
'Adriano Lima ',
'hdm'
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2007-2446'],
['OSVDB', '34699'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024, # no limit really
},
'Platform' => 'linux',
'DefaultOptions' =>
{
'PrependSetresuid' => true,
'PrependSetreuid' => true,
'PrependSetuid' => true,
},
'Targets' =>
[
['Linux vsyscall',
{
'Platform
```
Metasploit
- Samba lsa_io_trans_names Heap Overflow: This module triggers a heap overflow in the LSA RPC service of the Samba daemon.
- Samba lsa_io_trans_names Heap Overflow (OSX): This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free() to overwrite the size() or free() pointer in initial_malloc_zones structure.
- Samba lsa_io_privilege_set Heap Overflow: This module triggers a heap overflow in the LSA RPC service of the Samba daemon.
- Samba lsa_io_trans_names Heap Overflow (TALLOC): This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".