CVE-2007-6015
Published: 2007-12-13
Priority: P269 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit likelihood (EPSS): 27.48% (97.8th percentile)
Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.
Affected
61 ranges, showing 25 (the 24 further samba/samba entries list no version range or fixed version)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 3.0.28-1 (bookworm) | samba 3.0.28-1 (bookworm) |
| samba | samba | — | — |
Detection & IOCs (extracted from sources)

- Trigger (command): SAMLOGON domain logon packet with an empty Unicode username at an odd offset followed by an overly long GETDC string.
- Trigger (bytes): `\x41\x00\x41\x00\x00\x00` followed by `\x42\x00\x42\x00\x00\x00` followed by 260 bytes of `\x43`.
- Detect oversized UDP datagrams (up to MAX_DGRAM_SIZE, 576 bytes) targeting NetBIOS Datagram port 138 containing a SAMLOGON opcode (0x12 / decimal 18) with a GETDC mailslot request to \MAILSLOT\NET\NTLOGON where the total payload length exceeds the 576-35 byte buffer.
- Flag SAMLOGON NetBIOS datagram packets where a two-byte zero (empty Unicode) username appears at an odd byte offset within the packet; this is the trigger condition that allows pull_ucs2_pstring() to convert the entire GETDC string and cause the overflow.
- Monitor the nmbd process for crashes or unexpected code execution; the vulnerability is only exploitable when 'domain logons = yes' is set in smb.conf, so alert on this configuration combined with exposure to untrusted networks.
- Affected Samba versions are 3.0.0 through 3.0.27a; the fix was introduced in 3.0.28. Deployments running any version in this range with domain logons enabled are at risk.
CVSS provenance

- nvd: CVSS v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- osv: 9.3 CRITICAL
- vendor_debian: 9.3 HIGH
- vendor_redhat: 9.3 CRITICAL
GHSA
GHSA-hhrv-j6cc-jr4p: Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3
ghsa_unreviewed · 2022-05-01 · HIGH · CWE-119
OSV
CVE-2007-6015: Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3
osv · 2007-12-13 · CVSS 9.3 · CRITICAL
Ubuntu
Samba vulnerability
vendor_ubuntu · 2007-12-18
Alin Rad Pop discovered that Samba did not correctly check the size of reply packets to mailslot requests. If a server was configured with domain logon enabled, an unauthenticated remote attacker could send a specially crafted domain logon packet and execute arbitrary code or crash the Samba service. By default, domain logon is disabled in Ubuntu.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat
samba: send_mailslot() buffer overflow
vendor_redhat · 2007-12-10 · CVSS 9.3 · CRITICAL
Debian
CVE-2007-6015: samba - Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0...
vendor_debian · 2007 · CVSS 9.3 · CRITICAL
Scope: local
Status by release: bookworm, bullseye, forky, sid and trixie are all resolved (fixed in 3.0.28-1).
No detection rules found.
Bugzilla
CVE-2007-6015 samba: send_mailslot() buffer overflow
bugzilla · 2007-12-10 · CVSS 9.3 · CRITICAL
samba-3.0.28-0.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-6015 samba: send_mailslot() buffer overflow
bugzilla · 2007-12-10 · CVSS 9.3 · CRITICAL
samba-3.0.28-0.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-6015 samba: send_mailslot() buffer overflow
bugzilla · 2007-11-23 · CVSS 9.3 · CRITICAL
Alin Rad Pop of Secunia Research discovered and reported the following security vulnerability in Samba:

Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string.

Successful exploitation allows execution of arbitrary code, but requires that the "domain logon" option is enabled.

The vulnerability is confirmed in version 3.0.27a. Other versions may al