CVE-2008-1105
published 2008-05-29


Priority: P2 (71, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 69.08% (99.3rd percentile)
Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.

Affected

11 ranges

Vendor | Product | Version range | Fixed in
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
canonical | ubuntu_linux | |
debian | debian_linux | |
debian | samba | < samba 1:3.0.30-1 (bookworm) | samba 1:3.0.30-1 (bookworm)
samba | samba | >= 0 < 1:3.0.30-1 | 1:3.0.30-1
samba | samba | >= 0 < 1:3.0.30-1 | 1:3.0.30-1
samba | samba | >= 0 < 1:3.0.30-1 | 1:3.0.30-1
samba | samba | >= 0 < 1:3.0.30-1 | 1:3.0.30-1
samba | samba | 3.0.0 – 3.0.29 |

Detection & IOCs (extracted from sources)

port: 445
bytes: \x00\x01\xff\xff followed by \x41 (x131071)
  • A malicious SMB server (rogue listener on TCP/445) sends an oversized crafted SMB response packet beginning with \x00\x01\xff\xff followed by ~131071 bytes of padding ('A') to trigger the heap overflow in receive_smb_raw() on the connecting Samba client.
  • The vulnerability is in the Samba client library (smbclient); exploitation requires the victim client to connect to an attacker-controlled SMB server. Monitor outbound SMB connections (TCP/445) from Samba clients to untrusted hosts.
  • Samba versions 3.0.0 through 3.0.29 are affected; presence of these versions on a host indicates exposure. Detection should flag Samba client binaries older than 3.0.30.
  • The crafted SMB reply carries an abnormally large declared packet length (0x01ffff = 131071 bytes). Network-level detection should alert on inbound SMB NetBIOS Session Service packets where the length field exceeds normal bounds.
  • CVE-2007-4572 (nmbd GETDC overrun) is only exploitable when Samba is configured as a Primary or Backup Domain Controller; CVE-2008-1105 is a separate client-side flaw and is not limited to DC configurations.
  • The upstream patch for CVE-2008-1105 introduced a regression causing smbclient to report 'invalid packet length' errors when accessing large files; ensure the regression-fix update (USN-617-2) is also applied.
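An added detection check for the network-level bullet above; this is example code, not part of the advisory or of Samba's own sources. It parses the 4-byte NetBIOS Session Service header that precedes every SMB message and flags session messages whose declared length exceeds an assumed ceiling (0xFFFF, the largest buffer a well-behaved SMB1 server should declare; the bound and the sample packets are constructed for the example).

```python
import struct

# Assumed ceiling for a sane declared SMB1 length. Constructed for this
# example; tune it to what your environment actually observes.
MAX_SANE_SMB_LEN = 0xFFFF


def parse_nbss_header(pkt: bytes) -> tuple[int, int]:
    """Return (message_type, declared_length) from an NBSS header.

    The header is 4 bytes: one type byte, then a 17-bit length made of the
    low bit of byte 1 plus bytes 2-3 (big-endian). Type 0x00 is a session
    message, the type that carries SMB. The IOC bytes \\x00\\x01\\xff\\xff
    therefore declare 0x01ffff = 131071, the maximum the field can hold.
    """
    if len(pkt) < 4:
        raise ValueError("truncated NBSS header")
    msg_type = pkt[0]
    length = ((pkt[1] & 0x01) << 16) | struct.unpack(">H", pkt[2:4])[0]
    return msg_type, length


def oversized_nbss(pkt: bytes, limit: int = MAX_SANE_SMB_LEN) -> bool:
    """True when a session message declares a length above `limit`.

    Only the header is inspected: the declared length, not the number of
    bytes actually captured, is what an unpatched receive_smb_raw() trusted,
    so a truncated capture of the crafted reply still triggers the alert.
    """
    msg_type, length = parse_nbss_header(pkt)
    return msg_type == 0x00 and length > limit


# Constructed samples: an ordinary 35-byte response and the crafted header
# from the IOC section (padding shortened; the header alone is what matters).
NORMAL_RESPONSE = b"\x00\x00\x00\x23" + b"\xffSMB" + b"\x00" * 0x1F
CRAFTED_RESPONSE = b"\x00\x01\xff\xff" + b"A" * 16

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_RESPONSE), ("crafted", CRAFTED_RESPONSE)):
        t, n = parse_nbss_header(pkt)
        print(f"{name}: type=0x{t:02x} declared_len={n} flagged={oversized_nbss(pkt)}")
```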

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 7.5 | HIGH |
vendor_ubuntu | | 9.3 | CRITICAL |
vendor_debian | | 7.5 | MEDIUM |
vendor_redhat | | 7.5 | HIGH |