CVE-2007-2447
published 2007-05-14

Priority: P2 (66), medium
CVSS 2.0: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploit: available
EPSS: 49.76% (98.8th percentile)
The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

Affected

42 ranges (showing 25)

Vendor   Product   Version range                   Fixed in
debian   samba     < samba 3.0.25-1 (bookworm)     samba 3.0.25-1 (bookworm)
samba    samba     (24 further ranges; the version range and fix fields are empty on this page)

Detection & IOCs (extracted from sources)

command: python usermap_script.py 10.10.10.3 139 10.10.14.18 443
port: 445/tcp
command: use exploit/multi/samba/usermap_script
version: Samba 3.0.20-Debian
  • CVE-2007-2447 is exploited via shell metacharacters injected through the MS-RPC SamrChangePassword function when the 'username map script' option is enabled in smb.conf. Detect by monitoring SMB/RPC traffic on ports 139/445 for shell metacharacter sequences in username fields.
  • The Metasploit module 'exploit/multi/samba/usermap_script' (disclosure date 2007-05-14) is the canonical exploit for CVE-2007-2447. Detect its use by monitoring for the module's characteristic SMB authentication attempts with shell metacharacters in the username field.
  • Exploitation is not limited to the unauthenticated SamrChangePassword path: remote authenticated users can also inject shell metacharacters through the MS-RPC remote printer and file share management functions.
  • Successful exploitation of CVE-2007-2447 against Samba 3.0.20 yields a root shell. Correlate unexpected outbound connections from the Samba process (smbd) to attacker-controlled IPs immediately after SMB authentication events.
  • CVE-2007-2447 via SamrChangePassword is only exploitable (unauthenticated path) when the 'username map script' option is explicitly enabled in smb.conf. Without this option, the unauthenticated vector does not apply, though authenticated RPC vectors (printer/file share management) remain.
  • Affected Samba versions are 3.0.0 through 3.0.25rc3. Samba 3.0.20-Debian is confirmed vulnerable and exploitable to root.
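As an added illustration of the detection point in the bullets above (example code, not part of this record or of Samba), a small Python scanner that flags SMB authentication log lines whose username field carries shell metacharacters and filters to the SMB ports named here. The log line format and the sample lines are constructed for the example, not a real smbd log format.

```python
import re

# Shell metacharacters that vulnerable Samba builds passed unescaped from the
# username into the "username map script" command line. Their presence in a
# username field is the signal worth alerting on.
SHELL_METACHARS = re.compile(r"[`$|;&<>()]")

# Hypothetical log line format, assumed for this example (not a real smbd format):
#   <timestamp> smbd auth user=<name> from=<src-ip> port=<server-port>
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) smbd auth user=(?P<user>.*?) from=(?P<src>\S+) port=(?P<port>\d+)$"
)

# The injection travels over SMB, so only these server ports are of interest.
SMB_PORTS = {139, 445}


def suspicious_username(user: str) -> bool:
    """True if the username field contains shell metacharacters."""
    return SHELL_METACHARS.search(user) is not None


def scan_auth_log(lines):
    """Return (timestamp, source_ip, username) for each SMB auth line that looks like injection."""
    hits = []
    for line in lines:
        m = AUTH_LINE.match(line.rstrip("\n"))
        if m is None or int(m.group("port")) not in SMB_PORTS:
            continue  # unparseable line, or not SMB traffic
        if suspicious_username(m.group("user")):
            hits.append((m.group("ts"), m.group("src"), m.group("user")))
    return hits


def sources_by_hit_count(hits):
    """Aggregate hits per source IP so a noisy origin stands out."""
    counts = {}
    for _, src, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample lines (not real traffic): benign logons, two injection
# attempts on SMB ports, and one on a non-SMB port that the scanner ignores.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z smbd auth user=alice from=10.0.0.5 port=445",
    "2024-05-01T10:00:01Z smbd auth user=bob;id from=10.0.0.9 port=139",
    "2024-05-01T10:00:02Z smbd auth user=carol from=10.0.0.7 port=445",
    "2024-05-01T10:00:03Z smbd auth user=dave`id` from=10.0.0.9 port=445",
    "2024-05-01T10:00:04Z smbd auth user=eve;id from=10.0.0.9 port=8080",
]

if __name__ == "__main__":
    for ts, src, user in scan_auth_log(SAMPLE_LOG):
        print(f"{ts} possible CVE-2007-2447 probe from {src}: username={user!r}")
```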

CVSS provenance

nvd (v2.0): 6.0 MEDIUM, AV:N/AC:M/Au:S/C:P/I:P/A:P
osv: 6.0 MEDIUM
vendor_ubuntu: 7.2 HIGH
vendor_debian: 6.0 HIGH
vendor_redhat: 6.0 MEDIUM