CVE-2012-1182
Published: 2012-04-10
Priority: P2 · Severity: critical · CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available · EPSS: 74.03% (99.4th percentile)
The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.
Affected
126 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 2:3.6.4-1 (bookworm) | samba 2:3.6.4-1 (bookworm) |
| samba | samba | <= 3.4.15 | — |
| samba | samba | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated DCE/RPC LSA SetInformationPolicy calls with the PolicyAuditEventsInformation class targeting smbd; these are the exploit's trigger mechanism.
- Monitor for rapid repeated DCE/RPC connections to the LSA pipe (brute-force pattern) — the exploit iterates return addresses in 0x1000 steps across a large range to bypass NX, generating many short-lived connections.
- Alert on STATUS_PIPE_DISCONNECTED responses from smbd during LSA RPC sessions — the exploit code explicitly handles this as an expected crash/disconnect indicator during brute force.
- The exploit targets the LSA RPC service (lsarpc named pipe) over SMB; monitor for unauthenticated SMB sessions binding to the lsarpc pipe followed by SetInformationPolicy opnum calls.
- Version fingerprinting: scan for Samba versions matching 3.x < 3.4.16, 3.5.x < 3.5.14, or 3.6.x < 3.6.4 via the SMB peer LM string — the exploit itself performs this check before launching.
- The exploit uses brute-force return address guessing across a very wide range (e.g., 0x00230b20–0x22a00b20 in 0x1000 steps); detection based on connection count thresholds must account for this large iteration space to avoid false negatives.
- The vulnerability is exploitable by a remote, unauthenticated attacker — no SMB credentials are required, so authentication-based controls alone are insufficient.
- Payload delivery requires cmd-type payloads (generic bash, telnet, python, perl) with a space of 811 bytes; payloads outside these types will not work with the published exploit module.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
Ubuntu
Samba vulnerability
vendor_ubuntu · 2012-04-13 · CVSS 10.0 · CRITICAL
Summary: Samba could be made to run programs as the administrator if it received specially crafted network traffic.
Brian Gorenc discovered that Samba incorrectly calculated array bounds when handling remote procedure calls (RPC) over the network. A remote, unauthenticated attacker could exploit this to execute arbitrary code as the root user. (CVE-2012-1182)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
samba: Multiple heap-based buffer overflows in memory management based on NDR marshalling code output
vendor_redhat · 2012-04-10 · CVSS 10.0 · CRITICAL · CWE-228
The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.
Debian
CVE-2012-1182: samba
vendor_debian · 2012 · CVSS 10.0 · CRITICAL
The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.
Scope: local
bookworm: resolved (fixed in 2:3.6.4-1)
bullseye: resolved (fixed in 2:3.6.4-1)
forky: resolved (fixed in 2:3.6.4-1)
sid: resolved (fixed in 2:3.6.4-1)
trixie: resolved (fixed in 2:3.6.4-1)
GHSA
GHSA-9w2v-pc9r-gpj4
ghsa_unreviewed · 2022-05-14 · HIGH
The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.
OSV
CVE-2012-1182
osv · 2012-04-10 · CVSS 10.0 · CRITICAL
The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.
No detection rules found.
Exploit-DB
Samba 3.4.16/3.5.14/3.6.4 - SetInformationPolicy AuditEventsInfo Heap Overflow (Metasploit)
exploitdb · 2012-10-10
Module header as archived (truncated):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Samba SetInformationPolicy AuditEventsInfo Heap Overflow',
'Description' => %q{
This module triggers a vulnerability in the LSA RPC service of the Samba daemon
because of an error on the PIDL auto-generated code. Making a specially crafted
call to SetInformationPolicy to set a PolicyAuditEventsInformation allows to
trigger a heap overflow and finally execute arbitrary code with root privileges.
The module uses brute for
```
Metasploit
Samba SetInformationPolicy AuditEventsInfo Heap Overflow
metasploit
This module triggers a vulnerability in the LSA RPC service of the Samba daemon because of an error on the PIDL auto-generated code. Making a specially crafted call to SetInformationPolicy to set a PolicyAuditEventsInformation allows to trigger a heap overflow and finally execute arbitrary code with root privileges. The module uses brute force to guess the stackpivot/rop chain or the system() address and redirect flow there in order to bypass NX. The start and stop addresses for brute forcing have been calculated empirically. On the other hand the module provides the StartBrute and StopBrute which allow the user to configure his own addresses.
Bugzilla
CVE-2012-1182 samba: Multiple heap-based buffer overflows in memory management based on NDR marshalling code output [fedora-all]
bugzilla · 2012-04-13 · CVSS 10.0 · CRITICAL
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link: https:
Bugzilla
CVE-2012-1182 samba: Multiple heap-based buffer overflows in memory management based on NDR marshalling code output [fedora-all]
bugzilla · 2012-04-10 · CVSS 10.0 · CRITICAL
Bugzilla
CVE-2012-1182 samba: Multiple heap-based buffer overflows in memory management based on NDR marshalling code output
bugzilla · 2012-03-16 · CVSS 10.0 · CRITICAL
Multiple heap-based buffer overflow flaws were found in the way the code generated by Perl-based DCE/RPC IDL (PIDL) compiler of the Samba suite performed array memory allocation. Memory for an array having an is_size() attribute has been allocated based on the array length, which was provided by the Network Data Representation (NDR) marshalling code (converting parameters provided to the RPC call by the client to the NDR). On the other hand the loop retrieving array elements for a particular array used variable indicated by the size_is() attribute. A remote attacker could provide specially-crafted remote procedure call (RPC) parameters, which once processed by the marshall
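A constructed model of the flaw class described in the Bugzilla text above, added here as an illustration and not Samba's or PIDL's generated code: an NDR-style pull in which one wire count sizes the allocation and a second wire count drives the element loop, together with the consistency check that closes the gap. All names, error codes and sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a PIDL-style NDR pull where one wire count sizes the
 * allocation and a second drives the element loop.  Names are hypothetical. */
enum { NDR_OK = 0, NDR_ERR_BUFSIZE = 1, NDR_ERR_ARRAY_SIZE = 2, NDR_ERR_ALLOC = 3 };
struct ndr_pull { const uint8_t *data; size_t len; size_t off; };

/* Read one little-endian uint32 from the wire buffer. */
static int pull_u32(struct ndr_pull *n, uint32_t *v) {
    if (n->len - n->off < 4) return NDR_ERR_BUFSIZE;
    *v = (uint32_t)n->data[n->off] | (uint32_t)n->data[n->off + 1] << 8 |
         (uint32_t)n->data[n->off + 2] << 16 | (uint32_t)n->data[n->off + 3] << 24;
    n->off += 4;
    return NDR_OK;
}
/* Allocate alloc_count elements, then read loop_count of them.  The line marked
 * FIX is the consistency check the flawed generated code lacked: without it a
 * loop count larger than the allocation count writes past the new array. */
static int pull_u32_array(struct ndr_pull *n, uint32_t **out, uint32_t *count) {
    uint32_t alloc_count, loop_count, i, *arr;
    int rc;
    if ((rc = pull_u32(n, &alloc_count)) != NDR_OK) return rc;
    if ((rc = pull_u32(n, &loop_count)) != NDR_OK) return rc;
    if (loop_count > alloc_count) return NDR_ERR_ARRAY_SIZE;  /* FIX */
    if (alloc_count > n->len / 4) return NDR_ERR_ARRAY_SIZE;  /* more than the wire holds */
    if ((arr = calloc(alloc_count ? alloc_count : 1, sizeof *arr)) == NULL) return NDR_ERR_ALLOC;
    for (i = 0; i < loop_count; i++)
        if ((rc = pull_u32(n, &arr[i])) != NDR_OK) { free(arr); return rc; }
    *out = arr; *count = loop_count;
    return NDR_OK;
}
/* Constructed samples: consistent (2 allocated, 2 read: 7 and 9) and
 * inconsistent (1 allocated, 0x40000000 to read), both little-endian. */
static const uint8_t sample_ok[]  = {2,0,0,0, 2,0,0,0, 7,0,0,0, 9,0,0,0};
static const uint8_t sample_bad[] = {1,0,0,0, 0,0,0,0x40, 7,0,0,0};
/* Parse a sample; returns the element sum, or UINT32_MAX with *rc_out set on error. */
uint32_t parse_sum(const uint8_t *buf, size_t len, int *rc_out) {
    struct ndr_pull n = { buf, len, 0 };
    uint32_t *arr = NULL, count = 0, sum = 0, i;
    int rc = pull_u32_array(&n, &arr, &count);
    if (rc_out) *rc_out = rc;
    if (rc != NDR_OK) return UINT32_MAX;
    for (i = 0; i < count; i++) sum += arr[i];
    free(arr);
    return sum;
}
int sample_ok_sum(void) { return (int)parse_sum(sample_ok, sizeof sample_ok, NULL); }
int sample_bad_rc(void) { int rc; parse_sum(sample_bad, sizeof sample_bad, &rc); return rc; }
```

The inconsistent sample is rejected before any allocation happens, which is the point of validating the loop count against the allocation count rather than trusting two independently supplied wire fields.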