CVE-2008-1105
Published 2008-05-29
Priority: P2 (71) · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public PoC available (Exploit-DB 5712, listed in the references)
EPSS: 69.08% (99.3rd percentile)
Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.
Affected (11 ranges on the source page; identical rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | samba | < 1:3.0.30-1 (bookworm) | 1:3.0.30-1 |
| samba | samba | >= 0 < 1:3.0.30-1 | 1:3.0.30-1 |
| samba | samba | 3.0.0 – 3.0.29 | 3.0.30 |
Detection & IOCs (extracted from sources)
bytes: \x00\x01\xff\xff followed by \x41 ('A') × 131071
- A malicious SMB server (rogue listener on TCP/445) sends an oversized crafted SMB response beginning with \x00\x01\xff\xff, followed by roughly 131071 bytes of padding ('A'), to trigger the heap overflow in receive_smb_raw() on the connecting Samba client.
- The flaw is in the client-side receive path, receive_smb_raw() in util/sock.c; exploitation requires the victim to connect to an attacker-controlled SMB server. Because that function is shared library code, any Samba process that consumes SMB replies as a client is in scope, not only the smbclient binary. Monitor outbound SMB connections (TCP/445) from Samba clients to untrusted hosts.
- Samba versions 3.0.0 through 3.0.29 are affected; presence of these versions on a host indicates exposure, and detection should flag Samba client binaries older than 3.0.30. Distributions that backport fixes keep the old upstream version string, so check for the vendor errata (USN-617-1, DSA-1590, RHSA-2008-0288/0289/0290) rather than the bare version number.
- The crafted SMB reply carries an abnormally large declared packet length: 0x01ffff = 131071 bytes, the maximum the 17-bit NetBIOS Session Service length field (extension bit plus 16-bit length) can encode. Network-level detection should alert on SMB NetBIOS Session Service packets, inbound to the client, whose length field exceeds normal bounds.
- CVE-2007-4572 (nmbd GETDC overrun), fixed alongside this issue in USN-617-1, is only exploitable when Samba is configured as a Primary or Backup Domain Controller; CVE-2008-1105 is a separate client-side flaw and is not limited to DC configurations.
- The upstream patch for CVE-2008-1105 introduced a regression causing smbclient to report 'invalid packet length' errors when accessing large files; ensure the regression-fix update (USN-617-2) is also applied.
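The IOC and the network-side length check above, as an added example that is not Samba's own code: the block decodes the 4-byte NetBIOS Session Service header the way Samba's smb_len() does, models the unchecked read that CVE-2008-1105 describes (with the copy clipped so the example itself cannot overflow), contrasts it with a receive that bounds the declared length by the capacity of the buffer actually passed in, and runs both over a constructed reply shaped like the published IOC. RECV_BUF_CAP, the in-memory wire_t socket stand-in and the sample packets are assumptions made here, not values taken from Samba.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define RECV_BUF_CAP 0x10000u   /* assumed fixed client receive buffer: 64 KiB */
#define NBT_HDR_LEN  4u

/* Constructed in-memory stand-in for the TCP socket to the SMB server. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } wire_t;

static size_t wire_read(wire_t *w, uint8_t *dst, size_t n) {
    size_t left = w->len - w->pos;
    if (n > left) n = left;
    memcpy(dst, w->data + w->pos, n);
    w->pos += n;
    return n;
}

/* NBT session header: byte 0 = message type, bit 0 of byte 1 = length
 * extension, bytes 2-3 = low 16 bits. Same 17-bit decode as Samba's
 * smb_len(); 00 01 ff ff decodes to 0x1ffff = 131071. */
static uint32_t nbt_len(const uint8_t *hdr) {
    return ((uint32_t)(hdr[1] & 1u) << 16) | ((uint32_t)hdr[2] << 8) | hdr[3];
}

/* Models the unchecked receive of CVE-2008-1105: the peer-declared length is
 * used as the read size without comparing it to the buffer. To keep this
 * example safe to run the copy is clipped at cap, and the bytes the original
 * would have written past the buffer end are reported in *overflow_by. */
static uint32_t receive_smb_unchecked(wire_t *w, uint8_t *buf, size_t cap,
                                      uint32_t *overflow_by) {
    uint8_t hdr[NBT_HDR_LEN];
    *overflow_by = 0;
    if (wire_read(w, hdr, NBT_HDR_LEN) != NBT_HDR_LEN) return 0;
    uint32_t len = nbt_len(hdr);
    size_t payload_cap = cap - NBT_HDR_LEN;
    if (len > payload_cap) *overflow_by = (uint32_t)(len - payload_cap);
    memcpy(buf, hdr, NBT_HDR_LEN);
    wire_read(w, buf + NBT_HDR_LEN, len > payload_cap ? payload_cap : len);
    return NBT_HDR_LEN + len;           /* what the original would have stored */
}

/* Hardened receive: bound the declared length by the real capacity of the
 * buffer handed in (checking against a generic constant instead is what
 * produced the "invalid packet length" regression noted above). -1 = reject. */
static int receive_smb_checked(wire_t *w, uint8_t *buf, size_t cap) {
    uint8_t hdr[NBT_HDR_LEN];
    if (cap < NBT_HDR_LEN) return -1;
    if (wire_read(w, hdr, NBT_HDR_LEN) != NBT_HDR_LEN) return -1;
    uint32_t len = nbt_len(hdr);
    if (len > cap - NBT_HDR_LEN) return -1;   /* oversized reply: drop it */
    memcpy(buf, hdr, NBT_HDR_LEN);
    if (wire_read(w, buf + NBT_HDR_LEN, len) != len) return -1;
    return (int)(NBT_HDR_LEN + len);
}

/* Network-side test matching the IOC: does the declared length exceed what a
 * client buffer of the given capacity can hold? */
static int smb_reply_is_oversized(const uint8_t *pkt, size_t n, size_t cap) {
    return n >= NBT_HDR_LEN && cap >= NBT_HDR_LEN && nbt_len(pkt) > cap - NBT_HDR_LEN;
}

/* Constructed reply shaped like the published IOC: 00 01 ff ff + 131071 x 'A'. */
static uint8_t *build_malicious_reply(size_t *out_len) {
    const uint32_t declared = 0x1ffffu;
    uint8_t *p = malloc(NBT_HDR_LEN + declared);
    if (!p) return NULL;
    p[0] = 0x00; p[1] = 0x01; p[2] = 0xff; p[3] = 0xff;
    memset(p + NBT_HDR_LEN, 'A', declared);
    *out_len = NBT_HDR_LEN + declared;
    return p;
}

typedef struct {
    uint32_t declared, overflow_by;   /* IOC length; bytes written past buffer end */
    int checked_rc, flagged, benign_rc; /* hardened rc, IDS flag, rc on a valid reply */
} demo_result_t;

static demo_result_t run_demo(void) {
    demo_result_t r = {0, 0, -2, -2, -2};
    static const uint8_t benign[8] = {0x00, 0x00, 0x00, 0x04, 0xff, 'S', 'M', 'B'};
    size_t n;
    uint8_t *pkt = build_malicious_reply(&n);
    uint8_t *buf = malloc(RECV_BUF_CAP);
    if (!pkt || !buf) { free(pkt); free(buf); return r; }
    wire_t w1 = { pkt, n, 0 }, w2 = { pkt, n, 0 }, w3 = { benign, sizeof benign, 0 };
    r.declared = nbt_len(pkt);
    receive_smb_unchecked(&w1, buf, RECV_BUF_CAP, &r.overflow_by);
    r.checked_rc = receive_smb_checked(&w2, buf, RECV_BUF_CAP);
    r.flagged = smb_reply_is_oversized(pkt, n, RECV_BUF_CAP);
    r.benign_rc = receive_smb_checked(&w3, buf, RECV_BUF_CAP);
    free(pkt); free(buf);
    return r;
}

int main(void) {
    demo_result_t r = run_demo();
    printf("declared length: %u\n", r.declared);
    printf("unchecked receive would overrun the buffer by %u bytes\n", r.overflow_by);
    printf("checked receive: IOC reply %d, benign reply %d\n", r.checked_rc, r.benign_rc);
    printf("network check flags IOC reply: %d\n", r.flagged);
    return 0;
}
```

With a 64 KiB buffer the IOC reply overruns by 65539 bytes in the unchecked path, is rejected (-1) by the checked path, and is flagged by the network-side test, while an 8-byte valid reply passes; the capacity parameter is what keeps large legitimate replies from being refused the way the regressed upstream patch did.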
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 7.5 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Ubuntu: Samba regression (USN-617-2) · vendor_ubuntu · 2008-06-30 · CVSS 9.3 CRITICAL
USN-617-1 fixed vulnerabilities in Samba. The upstream patch
introduced a regression where under certain circumstances accessing
large files might cause the client to report an invalid packet
length error. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Samba developers discovered that nmbd could be made to overrun
a buffer during the processing of GETDC logon server requests.
When samba is configured as a Primary or Backup Domain Controller,
a remote attacker could send malicious logon requests and possibly
cause a denial of service. (CVE-2007-4572)
Alin Rad Pop of Secunia Research discovered that Samba did not
properly perform bounds checking when parsing SMB replies. A remote
attacker could send crafted SMB packets and execute arbitrary code.
(CVE-2008-1105)
Ubuntu: Samba vulnerabilities (USN-617-1) · vendor_ubuntu · 2008-06-17 · CVSS 9.3 CRITICAL
Samba developers discovered that nmbd could be made to overrun
a buffer during the processing of GETDC logon server requests.
When samba is configured as a Primary or Backup Domain Controller,
a remote attacker could send malicious logon requests and possibly
cause a denial of service. (CVE-2007-4572)
Alin Rad Pop of Secunia Research discovered that Samba did not
properly perform bounds checking when parsing SMB replies. A remote
attacker could send crafted SMB packets and execute arbitrary code.
(CVE-2008-1105)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat: Samba client buffer overflow · vendor_redhat · 2008-05-28 · CVSS 7.5 HIGH
Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.
Debian: samba · vendor_debian · 2008 · CVSS 7.5 HIGH
Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.
Scope: local
bookworm: resolved (fixed in 1:3.0.30-1)
bullseye: resolved (fixed in 1:3.0.30-1)
forky: resolved (fixed in 1:3.0.30-1)
sid: resolved (fixed in 1:3.0.30-1)
trixie: resolved (fixed in 1:3.0.30-1)
GHSA: GHSA-38xm-32fr-cm7j · ghsa_unreviewed · 2022-05-01 · HIGH · CWE-119
Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.
OSV: CVE-2008-1105 · osv · 2008-05-29 · CVSS 7.5 HIGH
Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response.
No detection rules found.
References
- http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00000.html
- http://lists.vmware.com/pipermail/security-announce/2008/000023.html
- http://secunia.com/advisories/30228
- http://secunia.com/advisories/30385
- http://secunia.com/advisories/30396
- http://secunia.com/advisories/30442
- http://secunia.com/advisories/30449
- http://secunia.com/advisories/30478
- http://secunia.com/advisories/30489
- http://secunia.com/advisories/30543
- http://secunia.com/advisories/30736
- http://secunia.com/advisories/30802
- http://secunia.com/advisories/30835
- http://secunia.com/advisories/31246
- http://secunia.com/advisories/31911
- http://secunia.com/advisories/33696
- http://secunia.com/secunia_research/2008-20/advisory/
- http://security.gentoo.org/glsa/glsa-200805-23.xml
- http://securitytracker.com/id?1020123
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.473951
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-249086-1
- http://support.apple.com/kb/HT2163
- http://wiki.rpath.com/Advisories:rPSA-2008-0180
- http://www.debian.org/security/2008/dsa-1590
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:108
- http://www.redhat.com/support/errata/RHSA-2008-0288.html
- http://www.redhat.com/support/errata/RHSA-2008-0289.html
- http://www.redhat.com/support/errata/RHSA-2008-0290.html
- http://www.samba.org/samba/security/CVE-2008-1105.html
- http://www.securityfocus.com/archive/1/492683/100/0/threaded
- http://www.securityfocus.com/archive/1/492737/100/0/threaded
- http://www.securityfocus.com/archive/1/492903/100/0/threaded
- http://www.securityfocus.com/bid/29404
- http://www.securityfocus.com/bid/31255
- http://www.ubuntu.com/usn/usn-617-1
- http://www.ubuntu.com/usn/usn-617-2
- http://www.vupen.com/english/advisories/2008/1681
- http://www.vupen.com/english/advisories/2008/1908
- http://www.vupen.com/english/advisories/2008/1981/references
- http://www.vupen.com/english/advisories/2008/2222/references
- http://www.vupen.com/english/advisories/2008/2639
- http://www.xerox.com/downloads/usa/en/c/cert_XRX08_009.pdf
- http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01475657
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42664
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45251
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10020
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5733
- https://www.exploit-db.com/exploits/5712
- https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01006.html
- https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01030.html
- https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01082.html
+ 4 more references