CVE-2009-1886
Published: 2009-06-25
Priority P2 · 60 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 12.22% (95.7th percentile)
Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 2:3.3.6-1 (bookworm) | samba 2:3.3.6-1 (bookworm) |
| samba | samba | — | — |
| samba | samba | >= 0 < 2:3.3.6-1 | 2:3.3.6-1 |
Detection & IOCs
- Detect smbclient sessions where filenames contain format string specifiers (e.g., %s, %n, %x); the vulnerability is triggered via malicious filename handling in client/client.c.
- Monitor smbclient 'put' commands where the filename contains URL-encoded or literal format string characters (e.g., %3F, %s, %n), as demonstrated in the PoC.
- The vulnerable component is specifically client/client.c in smbclient; focus detection on the smbclient process rather than smbd.
- Exploitation may cause smbclient to crash; monitor for unexpected smbclient process termination when handling file names from untrusted sources.
- Affected versions are Samba 3.2.0 through 3.2.12 (smbclient only); Samba 3.0.x as shipped with RHEL 3/4/5 is NOT vulnerable.
- The vulnerability is in the smbclient utility (client-side), not in the smbd server daemon; server-side detections are not applicable.
- On Ubuntu, exploitation is limited due to OS-level security features; impact may be limited to DoS (crash) rather than code execution in hardened environments.
- Fixed in Debian at version 2:3.3.6-1; ensure smbclient is patched to at least this version on Debian-based systems.
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
osv · 9.3 · CRITICAL
vendor_debian · 9.3 · CRITICAL
vendor_redhat · 9.3 · CRITICAL
vendor_ubuntu · 9.3 · CRITICAL
GHSA
GHSA-gxc7-qp7g-rcxj: Multiple format string vulnerabilities in client/client
ghsa_unreviewed·2022-05-02
CVE-2009-1886 [HIGH] CWE-134 GHSA-gxc7-qp7g-rcxj: Multiple format string vulnerabilities in client/client
Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.
OSV
CVE-2009-1886: Multiple format string vulnerabilities in client/client
osv·2009-06-25·CVSS 9.3
CVE-2009-1886 [CRITICAL] CVE-2009-1886: Multiple format string vulnerabilities in client/client
Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.
Ubuntu
Samba vulnerabilities
vendor_ubuntu·2009-10-01·CVSS 9.3
CVE-2009-1886 [CRITICAL] Samba vulnerabilities
J. David Hester discovered that Samba incorrectly handled users that lack
home directories when the automated [homes] share is enabled. An
authenticated user could connect to that share name and gain access to the
whole filesystem. (CVE-2009-2813)
Tim Prouty discovered that the smbd daemon in Samba incorrectly handled
certain unexpected network replies. A remote attacker could send malicious
replies to the server and cause smbd to use all available CPU, leading to a
denial of service. (CVE-2009-2906)
Ronald Volgers discovered that the mount.cifs utility, when installed as a
setuid program, would not verify user permissions before opening a
credentials file. A local user could exploit this to use or read the
contents of unautho
Red Hat
samba format string vulnerabilities
vendor_redhat·2009-06-23·CVSS 9.3
CVE-2009-1886 [CRITICAL] samba format string vulnerabilities
Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.
Statement: Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 3, 4, or 5.
Debian
CVE-2009-1886: samba - Multiple format string vulnerabilities in client/client.c in smbclient in Samba ...
vendor_debian·2009·CVSS 9.3
CVE-2009-1886 [CRITICAL] CVE-2009-1886: samba - Multiple format string vulnerabilities in client/client.c in smbclient in Samba ...
Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.
Scope: local
bookworm: resolved (fixed in 2:3.3.6-1)
bullseye: resolved (fixed in 2:3.3.6-1)
forky: resolved (fixed in 2:3.3.6-1)
sid: resolved (fixed in 2:3.3.6-1)
trixie: resolved (fixed in 2:3.3.6-1)
No detection rules found.
References
- http://secunia.com/advisories/35539
- http://secunia.com/advisories/35573
- http://secunia.com/advisories/35606
- http://secunia.com/advisories/36918
- http://www.debian.org/security/2009/dsa-1823
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:196
- http://www.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1886.patch
- http://www.samba.org/samba/security/CVE-2009-1886.html
- http://www.securityfocus.com/bid/35472
- http://www.securitytracker.com/id?1022441
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.521591
- http://www.ubuntu.com/usn/USN-839-1
- http://www.vupen.com/english/advisories/2009/1664
- https://bugzilla.samba.org/show_bug.cgi?id=6478
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51328