CVE-2007-6015
published 2007-12-13


Priority: P269 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS 27.48% (97.8th percentile)
Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.

Affected (61 ranges, showing 25)

Vendor    Product   Version range                  Fixed in
debian    samba     < samba 3.0.28-1 (bookworm)    samba 3.0.28-1 (bookworm)
samba     samba     (24 further rows; no version range or fix version was extracted for them)

Detection & IOCs (extracted from sources)

path: \MAILSLOT\NET\NTLOGON
command: SAMLOGON domain logon packet with an empty Unicode username at an odd offset, followed by an overly long GETDC string
port: 138/udp (NetBIOS Datagram Service)
bytes: \x41\x00\x41\x00\x00\x00 followed by \x42\x00\x42\x00\x00\x00 followed by 260 bytes of \x43
  • Detect UDP datagrams to NetBIOS Datagram port 138 that carry a mailslot write to \MAILSLOT\NET\NTLOGON whose data begins with the SAMLOGON opcode (0x12, decimal 18), and flag those whose payload exceeds what nmbd's datagram buffer can hold: MAX_DGRAM_SIZE (576 bytes) minus 35 bytes of header overhead, i.e. 541 bytes.
  • Flag SAMLOGON datagrams in which a two-byte zero (empty Unicode) username sits at an odd byte offset within the packet. This is the trigger condition: it lets pull_ucs2_pstring() convert the entire GETDC string that follows as if it were the username, which is what causes the overflow.
  • Monitor nmbd for crashes or unexpected code execution. The vulnerability is exploitable only when 'domain logons = yes' is set in smb.conf, so alert on that setting wherever nmbd is reachable from untrusted networks.
  • Affected Samba versions are 3.0.0 through 3.0.27a; the fix was introduced in 3.0.28. Any deployment running a version in this range with domain logons enabled is at risk.
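The detection notes above, as one runnable check over a constructed datagram. This is an added example, not code from this page or from the Samba project: it parses the RFC 1002 NetBIOS datagram, the SMBtrans mailslot write inside it and the SAMLOGON body in the order nmbd's process_logon_packet() walks it (opcode, request count, UCS-2 computer name, UCS-2 user name, ASCII GETDC name), then applies the three indicators listed. Assumptions: the two sample packets are constructed, not captured; the SMB layout follows the way Samba's own send_mailslot() builds mailslot writes (data at offset 70 + mailslot name length); PAYLOAD_LIMIT is the note's own 576-35 figure; GETDC_NAME_LIMIT (64 bytes) is this example's threshold, not one the page states; byte-offset parity is measured from the start of the SMB header because nmbd copies that part into an aligned buffer; and the "misaligned pull" count models the one-byte realignment that makes the GETDC string readable as the username.

```python
import struct

MAX_DGRAM_SIZE = 576                  # nmbd's on-stack datagram buffer (Samba nmb.h)
PAYLOAD_LIMIT = MAX_DGRAM_SIZE - 35   # the page's "576-35" bound: 541 bytes
SAMLOGON = 0x12                       # SAMLOGON opcode, decimal 18 (Samba nmbd_processlogon.c)
SMB_COM_TRANSACTION = 0x25            # SMBtrans, the command carrying mailslot writes
NTLOGON_MAILSLOT = b"\\MAILSLOT\\NET\\NTLOGON"
GETDC_NAME_LIMIT = 64                 # assumption: longer than any legitimate \MAILSLOT\NET\GETDC* name

def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: 15-char space-padded name + suffix -> 32 nibble chars."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return b"\x20" + bytes(n for c in raw for n in (0x41 + (c >> 4), 0x41 + (c & 0xF))) + b"\x00"

def read_ucs2z(buf, off):
    """NUL-terminated UCS-2LE string at off, consumed pairwise like nmbd's skip_unibuf()."""
    raw = bytearray()
    while off + 1 < len(buf) and buf[off:off + 2] != b"\x00\x00":
        raw += buf[off:off + 2]
        off += 2
    return raw.decode("utf-16-le", errors="replace"), off + 2   # offset just past the terminator

def build_mailslot_write(mailslot, data):
    """SMBtrans mailslot write as Samba's send_mailslot() lays it out: data at 70 + len(mailslot)."""
    vwv = [0] * 17
    vwv[1] = vwv[11] = len(data)                     # total data count, data count
    vwv[12] = 70 + len(mailslot)                     # data offset from SMB header start
    vwv[13], vwv[14], vwv[15], vwv[16] = 3, 1, 1, 2  # setup count; write-mailslot op, priority, class
    name = mailslot + b"\x00"                        # 32-byte header, wct, 17 words, bcc, name, data
    return (b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 27
            + struct.pack("<B17HH", 17, *vwv, len(name) + len(data)) + name + data)

def build_datagram(src, dst, dst_suffix, user_data):
    """RFC 1002 DIRECT_GROUP datagram as seen on UDP/138: header, source name, dest name, SMB."""
    names = encode_netbios_name(src, 0x00) + encode_netbios_name(dst, dst_suffix)
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x1234, b"\x0a\x00\x00\x05", 138,
                      len(names) + len(user_data), 0)
    return hdr + names + user_data

def parse_mailslot_write(smb):
    """(mailslot name, data offset, data) from an SMBtrans request, or None."""
    if len(smb) < 69 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION or smb[32] < 13:
        return None
    data_count, data_offset = struct.unpack_from("<HH", smb, 33 + 2 * 11)  # vwv11, vwv12
    name_start = 33 + 2 * smb[32] + 2                                      # after words and bcc
    name_end = smb.find(b"\x00", name_start)
    if name_end < 0 or data_offset + data_count > len(smb):
        return None
    return smb[name_start:name_end], data_offset, smb[data_offset:data_offset + data_count]

def parse_samlogon(data):
    """opcode, request count, UCS-2 computer, UCS-2 user, ASCII GETDC name, as process_logon_packet() walks it."""
    if len(data) < 4 or struct.unpack_from("<H", data)[0] != SAMLOGON:
        return None
    computer, user_off = read_ucs2z(data, 4)
    user, q = read_ucs2z(data, user_off)
    end = data.find(b"\x00", q)
    return computer, user_off, user, data[q:end if end >= 0 else len(data)]

def detect_samlogon_getdc(pkt, dst_port=138):
    """Page's indicators applied to one UDP payload: None unless it is a SAMLOGON write to
    \\MAILSLOT\\NET\\NTLOGON, else measurements plus a 'findings' list (empty = benign)."""
    if dst_port != 138 or len(pkt) < 14 or pkt[0] not in (0x10, 0x11, 0x12):   # unique/group/broadcast
        return None
    try:
        off = 14
        for _ in range(2):                            # step over the two encoded NetBIOS names
            while pkt[off] != 0:
                off += 1 + pkt[off]
            off += 1
        mailslot, data_offset, data = parse_mailslot_write(pkt[off:])
        computer, user_off, user, getdc = parse_samlogon(data)
    except (TypeError, IndexError, struct.error):    # a parser returned None, or the packet is truncated
        return None
    if mailslot.upper() != NTLOGON_MAILSLOT:
        return None
    # nmbd copies the SMB part into an aligned buffer, so the page's "odd offset" is this offset's parity
    # (assumption about Samba internals, consistent with the page's note).
    user_abs = data_offset + user_off
    misaligned, _ = read_ucs2z(data, user_off + 1)   # what a one-byte-realigned UCS-2 pull converts
    r = {"computer": computer, "user": user, "user_abs_offset": user_abs, "getdc_len": len(getdc),
         "payload_len": len(data), "misaligned_user_len": len(misaligned), "findings": []}
    if len(data) > PAYLOAD_LIMIT:
        r["findings"].append("SAMLOGON payload of %d bytes exceeds %d" % (len(data), PAYLOAD_LIMIT))
    if user == "" and user_abs % 2 == 1:
        r["findings"].append("empty Unicode username at odd offset %d; misaligned pull would convert "
                             "%d chars that follow it" % (user_abs, len(misaligned)))
    if len(getdc) > GETDC_NAME_LIMIT:
        r["findings"].append("GETDC mailslot name is %d bytes" % len(getdc))
    return r

# Constructed samples, not captured traffic; trailing SID/version fields omitted. The attack sample
# follows the page: an empty UCS-2 username landing at an odd offset, then a 260-byte GETDC string.
ATTACK_PKT = build_datagram("EVIL", "CORP", 0x1C, build_mailslot_write(NTLOGON_MAILSLOT,
    struct.pack("<HH", SAMLOGON, 0) + "AA".encode("utf-16-le") + b"\x00\x00"    # opcode, count, computer
    + b"\x00\x00" + b"C" * 260 + b"\x00"))                                      # empty user, long GETDC
BENIGN_PKT = build_datagram("WKSTN1", "CORP", 0x1C, build_mailslot_write(NTLOGON_MAILSLOT,
    struct.pack("<HH", SAMLOGON, 0) + "WKSTN1".encode("utf-16-le") + b"\x00\x00"
    + "alice".encode("utf-16-le") + b"\x00\x00" + b"\\MAILSLOT\\NET\\GETDC1A2B" + b"\x00"))
```

Calling detect_samlogon_getdc(ATTACK_PKT)["findings"] yields the odd-offset empty-username indicator (the username lands at offset 101, and a realigned read would swallow 131 UCS-2 characters of the GETDC string) and the long-GETDC indicator; the benign GETDC request yields an empty list. To run this against real traffic, hand each UDP/138 payload (after the IP and UDP headers) to detect_samlogon_getdc(). A Suricata or Zeek rule built on the same fields should key on the mailslot name, the 0x12 opcode, the username offset and the GETDC string length rather than on the fixed PoC bytes, which an attacker can vary freely.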

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                       9.3     CRITICAL
vendor_debian             9.3     HIGH
vendor_redhat             9.3     CRITICAL