CVE-2009-1886
published 2009-06-25


Priority: P260, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 12.22% (95.7th percentile)
Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.

Affected

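18 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 2:3.3.6-1 (bookworm) | samba 2:3.3.6-1 (bookworm) |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | | |
| samba | samba | >= 0 < 2:3.3.6-1 | 2:3.3.6-1 |
| samba | samba | >= 0 < 2:3.3.6-1 | 2:3.3.6-1 |
| samba | samba | >= 0 < 2:3.3.6-1 | 2:3.3.6-1 |
| samba | samba | >= 0 < 2:3.3.6-1 | 2:3.3.6-1 |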

Detection & IOCs (extracted from sources)

command: put aa%3Fbb
  • Detect smbclient sessions where filenames contain format string specifiers (e.g., %s, %n, %x) — the vulnerability is triggered via malicious filename handling in client/client.c
  • Monitor smbclient 'put' commands where the filename contains URL-encoded or literal format string characters (e.g., %3F, %s, %n), as demonstrated in the PoC
  • Vulnerable component is specifically client/client.c in smbclient; focus detection on the smbclient process rather than smbd
  • Exploitation may cause smbclient to crash; monitor for unexpected smbclient process termination when handling file names from untrusted sources
  • Affected versions are Samba 3.2.0 through 3.2.12 (smbclient only); Samba 3.0.x as shipped with RHEL 3/4/5 is NOT vulnerable
  • The vulnerability is in the smbclient utility (client-side), not in the smbd server daemon — server-side detections are not applicable
  • On Ubuntu, exploitation is limited due to OS-level security features; impact may be limited to DoS (crash) rather than code execution in hardened environments
  • Fixed in Debian at version 2:3.3.6-1; ensure smbclient is patched to at least this version on Debian-based systems

CVSS provenance

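| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 9.3 | CRITICAL | |
| vendor_debian | | 9.3 | CRITICAL | |
| vendor_redhat | | 9.3 | CRITICAL | |
| vendor_ubuntu | | 9.3 | CRITICAL | |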