cbcvebase.
CVE-2007-2446
published 2007-05-14


Priority: P2 (72) · Severity: critical · CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit known
EPSS: 77.81% (99.5th percentile)
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

Affected

35 ranges · showing 25 (only the first row carries version data; the other listed rows give vendor samba / product samba with no version range or fix version)

Vendor    Product   Version range                  Fixed in
debian    samba     < samba 3.0.25-1 (bookworm)    samba 3.0.25-1 (bookworm)
samba     samba     (no range given)               (not given)

Detection & IOCs (extracted from sources)

  • path: \LSARPC
  • command: LsarLookupSids / LsarLookupSids2 (lsa_io_trans_names) MS-RPC heap overflow via crafted NDR
  • command: DFSEnum (netdfs_io_dfs_EnumInfo_d) MS-RPC heap overflow via crafted NDR
  • command: RFNPCNEX (smb_io_notify_option_type_data) MS-RPC heap overflow via crafted NDR
  • command: LsarAddPrivilegesToAccount (lsa_io_privilege_set) MS-RPC heap overflow via crafted NDR
  • command: NetSetFileSecurity (sec_io_acl) MS-RPC heap overflow via crafted NDR
  • Detect exploit attempts by monitoring DCE/RPC bind requests to the LSA interface UUID 12345778-1234-abcd-ef00-0123456789ab over the named pipe \LSARPC on SMB.
  • The exploit sends an oversized LsarLookupSids request with 256–288 crafted 16-byte entries in the trans_names buffer; anomalously large entry counts in LsarLookupSids NDR payloads are a strong indicator.
  • The exploit only succeeds when the Samba 'log level' parameter is 2 or lower; a log level above 2 prevents exploitation. Monitor for exploitation attempts against Samba 3.0.21–3.0.24 specifically.
  • The exploit uses the TALLOC chunk overwrite technique; look for smbd crashes or unexpected process restarts on Samba 3.0.21–3.0.24 following LSA RPC calls.
  • On OSX targets, the exploit overwrites the size() or free() pointer in the initial_malloc_zones structure via szone_free(); monitor for abnormal smbd memory corruption on macOS Samba 3.0.10.
  • The exploit sets DCERPC::fake_bind_multi to false before binding; IDS rules can flag DCE/RPC bind requests to the LSA UUID that do not use multi-context bind.
  • After successful exploitation the server disconnects the pipe with STATUS_PIPE_DISCONNECTED; this error following an LSA RPC call to smbd is a post-exploitation indicator.
  • The TALLOC chunk overwrite exploitation method only works against Samba versions 3.0.21–3.0.24; other versions in the vulnerable range (3.0.0–3.0.25rc3) require different exploitation approaches.
  • Setting Samba's 'log level' parameter higher than 2 prevents this specific exploit from working, providing a partial mitigation.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv             -         10.0    CRITICAL   -
vendor_debian   -         10.0    HIGH       -
vendor_redhat   -         10.0    CRITICAL   -
vendor_ubuntu   -         7.2     HIGH       -