CVE-2010-2063
published 2010-06-17


Priority: P2 · 66 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 78.70% (99.5th percentile)
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.

Affected

10 ranges

Vendor      Product        Version range                          Fixed in
canonical   ubuntu_linux   (not specified)                        (not specified)
canonical   ubuntu_linux   (not specified)                        (not specified)
canonical   ubuntu_linux   (not specified)                        (not specified)
debian      debian_linux   (not specified)                        (not specified)
debian      samba          < samba 2:3.4.0~pre1-1 (bookworm)      samba 2:3.4.0~pre1-1 (bookworm)
samba       samba          >= 0, < 2:3.4.0~pre1-1                 2:3.4.0~pre1-1
samba       samba          >= 0, < 2:3.4.0~pre1-1                 2:3.4.0~pre1-1
samba       samba          >= 0, < 2:3.4.0~pre1-1                 2:3.4.0~pre1-1
samba       samba          >= 0, < 2:3.4.0~pre1-1                 2:3.4.0~pre1-1
samba       samba          3.0.0 – 3.3.12                         (not specified)

Detection & IOCs (extracted from sources)

Port:     139
Process:  smbd
Command:  SMB_COM_SESSION_SETUP_ANDX (0x74 / SMBlogoffX chained packet with oversized offset)
Bytes:    \xff\x53\x4d\x42\x74 (SMB header + SMBlogoffX command 0x74 in chained packet)

  • The attack targets TCP port 139 (NetBIOS/SMB). The exploit sends crafted SMB1 chained packets (SMBlogoffX, command 0x74) with an oversized AndX offset to corrupt the talloc chunk destructor pointer in smbd.
  • The exploit loops up to 50 attempts against the same target (Samba forks per session), so repeated rapid SMB connections from one IP to port 139 targeting smbd should be treated as a brute-force exploitation indicator.
  • The exploit overwrites a talloc chunk destructor function pointer. On x86 Linux without NX, look for smbd crashes (SIGSEGV/SIGBUS) or unexpected child-process spawning from smbd as post-exploitation indicators.
  • Successful exploitation yields remote code execution as root; monitor for unexpected root-owned processes spawned as children of smbd.
  • Samba 3.0.x versions are NOT exploitable for code execution via this module despite being listed as vulnerable in the CVE; the InputBuffer size (0x20441) prevents exploitable heap corruption.
  • Code execution via this exploit requires the target x86 Linux system to lack NX (no-execute) memory protection; NX-enabled systems are not exploitable for RCE but may still be vulnerable to DoS.
  • The exploit payload space is limited to 0x600 bytes with no bad characters defined; payloads exceeding this space will fail.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            2.0       7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            -         7.5     HIGH       -
vendor_debian  -         7.5     HIGH       -
vendor_redhat  -         7.5     HIGH       -