CVE-2010-2063
Published: 2010-06-17
Priority: P266 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available · EPSS: 78.70% (99.5th percentile)
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | samba | < samba 2:3.4.0~pre1-1 (bookworm) | samba 2:3.4.0~pre1-1 (bookworm) |
| samba | samba | >= 0 < 2:3.4.0~pre1-1 | 2:3.4.0~pre1-1 |
| samba | samba | >= 0 < 2:3.4.0~pre1-1 | 2:3.4.0~pre1-1 |
| samba | samba | >= 0 < 2:3.4.0~pre1-1 | 2:3.4.0~pre1-1 |
| samba | samba | >= 0 < 2:3.4.0~pre1-1 | 2:3.4.0~pre1-1 |
| samba | samba | 3.0.0 – 3.3.12 | — |
Detection & IOCs (extracted from sources)
Bytes: \xff\x53\x4d\x42\x74 (SMB header + SMBlogoffX command 0x74 in chained packet)
- Target TCP port 139 (NetBIOS/SMB); exploit sends crafted SMB1 chained packets (SMBlogoffX, command 0x74) with an oversized AndX offset to corrupt the talloc chunk destructor pointer in smbd.
- Exploit loops up to 50 attempts against the same target (Samba forks per session), so repeated rapid SMB connections from one IP to port 139 targeting smbd should be treated as a brute-force exploitation indicator.
- The exploit overwrites a talloc chunk destructor function pointer; on x86 Linux without NX, look for smbd crashes (SIGSEGV/SIGBUS) or unexpected child-process spawning from smbd as post-exploitation indicators.
- Successful exploitation yields remote code execution as root; monitor for unexpected root-owned processes spawned as children of smbd.
- Samba 3.0.x versions are NOT exploitable for code execution via this module despite being listed as vulnerable in the CVE; the InputBuffer size (0x20441) prevents exploitable heap corruption.
- Code execution via this exploit requires the target x86 Linux system to lack NX (no-execute) memory protection; NX-enabled systems are not exploitable for RCE but may still be vulnerable to DoS.
- The exploit payload space is limited to 0x600 bytes with no bad characters defined; payloads exceeding this space will fail.
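The indicators above describe chained SMB1 requests carrying SMBlogoffX (0x74) with an AndX offset that vulnerable chain_reply builds never validated. The following Python script is an added example, not code from any of the advisories or the Metasploit module quoted on this page: it walks the AndX chain of one SMB1 message and returns the conditions a sensor would want to alert on (an offset past the end of the message, an offset pointing back below the 0x24 word-count position, a chain that loops, and a logoff inside a chain). The sample packets are constructed inline by a helper rather than captured; the helper assumes AndX offsets count from the start of the 32-byte SMB header (packet offset 4) and emits only wct=2 blocks with empty data sections, which is enough to exercise every check.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
ANDX_NONE = 0xFF             # AndXCommand value meaning "no further chained command"
SMB_WCT_OFFSET = 0x24        # word-count byte of the first command, counted from the NetBIOS header
SMB_COM_LOGOFF_ANDX = 0x74   # SMBlogoffX, the command named in the indicator above
# SMB1 commands whose parameter words start with AndXCommand/AndXReserved/AndXOffset
ANDX_COMMANDS = {0x24, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}


def build_andx_packet(chain):
    """Build a minimal SMB1 message for the constructed samples below (not a capture).

    `chain` is a list of (command, andx_offset) pairs. An andx_offset of None means a
    correct offset to the following block is computed; any other value is written as-is.
    Every block has wct=2 (AndXCommand, AndXReserved, AndXOffset) and an empty data part.
    Assumption: AndX offsets count from the start of the 32-byte SMB header (packet offset 4).
    """
    header = SMB1_MAGIC + bytes([chain[0][0]]) + b"\x00" * 27  # 32-byte header, other fields zeroed
    blocks = b""
    cursor = 4 + len(header)  # absolute offset of the first word-count byte (0x24)
    for i, (_, forced_offset) in enumerate(chain):
        next_cmd = chain[i + 1][0] if i + 1 < len(chain) else ANDX_NONE
        next_off = (cursor + 7) - 4 if next_cmd != ANDX_NONE else 0  # next block starts 7 bytes on
        if forced_offset is not None:
            next_off = forced_offset
        blocks += bytes([2, next_cmd, 0]) + struct.pack("<HH", next_off, 0)  # wct, AndX words, bcc=0
        cursor += 7
    smb = header + blocks
    return struct.pack(">I", len(smb)) + smb  # NetBIOS session header: type 0x00 + 24-bit length


def inspect_smb1_chain(packet, max_links=16):
    """Walk the AndX chain of one SMB1 message and return a list of findings (empty = clean)."""
    findings = []
    if len(packet) < SMB_WCT_OFFSET + 1 or packet[4:8] != SMB1_MAGIC:
        return ["not a complete SMB1 message"]
    cmd = packet[8]               # command byte follows the 4-byte magic
    pos = SMB_WCT_OFFSET          # absolute offset of the current block's word-count byte
    links = [cmd]
    visited = {pos}
    for _ in range(max_links):
        if cmd not in ANDX_COMMANDS:
            break                 # not an AndX command, so nothing can be chained after it
        if pos + 5 > len(packet):
            findings.append(f"AndX words of 0x{cmd:02x} at 0x{pos:x} run past the message")
            break
        wct, next_cmd = packet[pos], packet[pos + 1]
        next_off = struct.unpack_from("<H", packet, pos + 3)[0]
        if wct < 2 or next_cmd == ANDX_NONE:
            break                 # end of chain
        links.append(next_cmd)
        next_pos = 4 + next_off   # header-relative offset -> absolute packet offset
        if next_pos >= len(packet):
            findings.append(f"AndX offset 0x{next_off:04x} after 0x{cmd:02x} exceeds "
                            f"message length {len(packet)} (oversized offset)")
            break
        if next_pos < SMB_WCT_OFFSET:
            findings.append(f"AndX offset 0x{next_off:04x} after 0x{cmd:02x} points below "
                            f"smb_wct (0x24) into the header")
            break
        if next_pos in visited:
            findings.append("AndX chain loops back on itself")
            break
        visited.add(next_pos)
        cmd, pos = next_cmd, next_pos
    else:
        findings.append(f"AndX chain longer than {max_links} links")
    if SMB_COM_LOGOFF_ANDX in links and len(links) > 1:
        findings.append("SMBlogoffX (0x74) inside an AndX chain")
    return findings


if __name__ == "__main__":
    samples = {   # constructed samples, not real traffic
        "benign session setup + tree connect": [(0x73, None), (0x75, None)],
        "oversized offset before chained logoff": [(0x73, 0xFFFF), (0x74, None)],
        "offset below smb_wct": [(0x73, 0x0010), (0x74, None)],
    }
    for name, chain in samples.items():
        print(name, "->", inspect_smb1_chain(build_andx_packet(chain)) or "clean")
```

Feed inspect_smb1_chain one NetBIOS session message at a time from a port 139 or 445 stream; an empty list means the chain is well-formed. The 0x24 threshold mirrors the smb_wct position named in the Metasploit description, so the same pass covers the header-corruption variant as well as the oversized-offset one.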
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-ghx2-3q8p-8mw6 (ghsa_unreviewed · 2022-05-14 · CVE-2010-2063 · HIGH · CWE-119)
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
OSV
CVE-2010-2063 (osv · 2010-06-17 · HIGH · CVSS 7.5)
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
Ubuntu
Samba vulnerability (vendor_ubuntu · 2010-06-16 · CVE-2010-2063)
Summary: Remote code execution as root via Samba.
Jun Mao discovered that Samba did not correctly validate SMB1 packet contents. An unauthenticated remote attacker could send specially crafted network traffic that could execute arbitrary code as the root user.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
samba: memory corruption vulnerability (vendor_redhat · 2010-06-16 · CVE-2010-2063 · HIGH · CWE-228 · CVSS 7.5)
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
Debian
CVE-2010-2063: samba (vendor_debian · 2010 · HIGH · CVSS 7.5)
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.
Scope: local
- bookworm: resolved (fixed in 2:3.4.0~pre1-1)
- bullseye: resolved (fixed in 2:3.4.0~pre1-1)
- forky: resolved (fixed in 2:3.4.0~pre1-1)
- sid: resolved (fixed in 2:3.4.0~pre1-1)
- trixie: resolved (fixed in 2:3.4.0~pre1-1)
No detection rules found.
Exploit-DB
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit) (exploitdb · 2010-09-04 · CVE-2010-2063)
---
```ruby
##
# $Id: chain_reply.rb 10238 2010-09-04 02:10:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Samba chain_reply Memory Corruption (Linux x86)',
      'Description' => %q{
        This exploits a memory corruption vulnerability present in Samba versions
        prior to 3.3.13. When handling chained response packets, Samba fails to validate
        the offset value used when building the next part. By setting this value to a
        number larger than the destination buffer size, an attacke
```
Metasploit
Samba chain_reply Memory Corruption (Linux x86) (metasploit)
This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it didn't seem possible to
Rapid7
Metasploit Wrap-Up 02/27/2026 (blogs_rapid7 · 2026-02-27 · CVE-2024-37032 · HIGH · CVSS 8.8)
## No Prob-ollama
This release brings some serious firepower with multiple new exploit modules and critical vulnerability support! The standout additions are the Ollama path traversal RCE (CVE-2024-37032), a sophisticated exploit chaining arbitrary file writes into unauthenticated root RCE, and the Grandstream GXP1600 stack overflow (CVE-2026-2329), which targets VoIP devices with accompanying credential harvesting and SIP interception post-modules.
The BeyondTrust PRA/RS module got upgraded with support for the new CVE-2026-1731 command injection vulnerability along with legacy CVE support. On the evasion front, there's fresh ARM64 RC4 encryption support with sleep-based detection bypass. Classic vulnerability modules like Unreal IRCd and vsftpd backdoors got quality-of-life improvement
Bugzilla
CVE-2010-2192 pmount: symlink attacks via lockfile files (bugzilla · 2010-06-18 · LOW · CVSS 1.9)
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2192 to the following vulnerability:
Name: CVE-2010-2192
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2192
Assigned: 20100607
Reference: CONFIRM: http://security.debian.org/pool/updates/main/p/pmount/pmount_0.9.18-2+lenny1.diff.gz
Reference: DEBIAN:DSA-2063
Reference: URL: http://www.debian.org/security/2010/dsa-2063
The make_lockdir_name function in policy.c in pmount 0.9.18 allows local users to overwrite arbitrary files via a symlink attack on a file in /var/lock/.
This bug was reported to Ubuntu [1]. The entire premise of this vulnerability requires /var/lock be world-writable (in Debian and Ubuntu /var/lock is world-writable with a sticky bit
Bugzilla
CVE-2010-2063 samba: memory corruption vulnerability (bugzilla · 2010-06-07 · HIGH · CVSS 7.5)
A memory corruption vulnerability exists in the chain_reply() function in Samba 3.3.12 and earlier. 3.4.x and later are not affected. This flaw could allow a remote, unauthenticated attacker to crash the samba server or, possibly, execute arbitrary code with the privileges of the samba server.
Acknowledgements:
Red Hat would like to thank the Samba team for responsibly reporting this issue. Upstream acknowledges Jun Mao as the original reporter.
Discussion:
This is now public:
http://www.samba.org/samba/security/CVE-2010-2063.html
---
This issue has been addressed in the following products:
- Red Hat Enterprise Linux 3
- Red Hat Enterprise Linux 4
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 5.3.Z - Server Only
- Red Hat Enterprise
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware (arxiv_fulltext · 2022-12-29)
## Abstract
Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement , which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on , we present the first l
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=873
- http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
- http://marc.info/?l=bugtraq&m=129138831608422&w=2
- http://marc.info/?l=bugtraq&m=130835366526620&w=2
- http://marc.info/?l=samba-announce&m=127668712312761&w=2
- http://osvdb.org/65518
- http://secunia.com/advisories/40145
- http://secunia.com/advisories/40210
- http://secunia.com/advisories/40221
- http://secunia.com/advisories/40293
- http://secunia.com/advisories/42319
- http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.471914
- http://support.apple.com/kb/HT4312
- http://ubuntu.com/usn/usn-951-1
- http://www.debian.org/security/2010/dsa-2061
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:119
- http://www.redhat.com/support/errata/RHSA-2010-0488.html
- http://www.samba.org/samba/ftp/history/samba-3.3.13.html
- http://www.samba.org/samba/ftp/patches/security/samba-3.0.37-CVE-2010-2063.patch
- http://www.samba.org/samba/ftp/patches/security/samba-3.3.12-CVE-2010-2063.patch
- http://www.samba.org/samba/security/CVE-2010-2063.html
- http://www.securityfocus.com/bid/40884
- http://www.securitytracker.com/id?1024107
- http://www.vupen.com/english/advisories/2010/1486
- http://www.vupen.com/english/advisories/2010/1504
- http://www.vupen.com/english/advisories/2010/1505
- http://www.vupen.com/english/advisories/2010/1507
- http://www.vupen.com/english/advisories/2010/1517
- http://www.vupen.com/english/advisories/2010/3063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59481
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12427
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7115
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9859