CVE-2012-1182
published 2012-04-10

Priority: P2 · 76 · CVSS 2.0: 10.0 (critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 74.03% (99.4th percentile)
The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.
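The description names the bug class but not the code shape. The C program below is an added example, not code from Samba, from the PIDL generator or from this page: it models the pattern in a hand-written stand-in for an NDR pull of lsa_AuditEventsInfo, where the conformant array size read from the wire sizes the allocation, the struct's own count field drives the element loop, and the two lengths are reconciled only after the copy. The flat struct layout, the function names, the constructed wire bytes and the guard-byte allocator are all assumptions made for the example. The hardened variant shows the check a practitioner expects: both lengths reconciled with each other and with the remaining buffer before anything is allocated.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in NDR pull context (wire buffer plus cursor) and a simplified
 * lsa_AuditEventsInfo: settings is size_is(count). Names and the flat
 * layout are assumptions for this example, not Samba's generated code. */
struct ndr_pull { const uint8_t *data; uint32_t data_size; uint32_t offset; };
struct audit_events_info { uint32_t auditing_mode; uint32_t count; uint32_t *settings; };

enum ndr_err { NDR_OK = 0, NDR_ERR_BUFSIZE, NDR_ERR_ARRAY_SIZE, NDR_ERR_ALLOC };
#define NDR_CHECK(call) do { enum ndr_err e_ = (call); if (e_ != NDR_OK) return e_; } while (0)

/* Guard bytes after every array: an overflow of up to CANARY_LEN bytes stays
 * inside the real malloc block (no undefined behaviour) but is observable. */
#define CANARY_LEN 64

static uint32_t *alloc_u32(uint32_t n)
{
    uint8_t *p = malloc((size_t)n * 4 + CANARY_LEN);
    if (p) memset(p + (size_t)n * 4, 0xAA, CANARY_LEN);
    return (uint32_t *)p;
}

int canary_intact(const uint32_t *arr, uint32_t n)
{
    const uint8_t *g = (const uint8_t *)arr + (size_t)n * 4;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (g[i] != 0xAA) return 0;
    return 1;
}

static enum ndr_err pull_u32(struct ndr_pull *ndr, uint32_t *v)
{
    if (ndr->data_size - ndr->offset < 4) return NDR_ERR_BUFSIZE;
    const uint8_t *p = ndr->data + ndr->offset;           /* little-endian on the wire */
    *v = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    ndr->offset += 4;
    return NDR_OK;
}

/* VULNERABLE pattern: the conformant array header (array_size) sizes the
 * allocation, the struct's count field drives the copy loop, and the two are
 * compared only after the loop. Both fields are chosen by the client. */
enum ndr_err pull_audit_info_vulnerable(struct ndr_pull *ndr, struct audit_events_info *r)
{
    uint32_t array_size;
    NDR_CHECK(pull_u32(ndr, &r->auditing_mode));
    NDR_CHECK(pull_u32(ndr, &r->count));
    NDR_CHECK(pull_u32(ndr, &array_size));
    r->settings = alloc_u32(array_size);
    if (!r->settings) return NDR_ERR_ALLOC;
    for (uint32_t i = 0; i < r->count; i++)                /* count > array_size: heap overflow */
        NDR_CHECK(pull_u32(ndr, &r->settings[i]));
    if (array_size != r->count) return NDR_ERR_ARRAY_SIZE; /* the check arrives too late */
    return NDR_OK;
}

/* HARDENED: reconcile both lengths with each other and with the remaining wire
 * data before allocating, then loop over the single validated length. */
enum ndr_err pull_audit_info_fixed(struct ndr_pull *ndr, struct audit_events_info *r)
{
    uint32_t array_size;
    NDR_CHECK(pull_u32(ndr, &r->auditing_mode));
    NDR_CHECK(pull_u32(ndr, &r->count));
    NDR_CHECK(pull_u32(ndr, &array_size));
    if (array_size != r->count) return NDR_ERR_ARRAY_SIZE;
    if ((uint64_t)array_size * 4 > ndr->data_size - ndr->offset) return NDR_ERR_BUFSIZE;
    r->settings = alloc_u32(array_size);
    if (!r->settings) return NDR_ERR_ALLOC;
    for (uint32_t i = 0; i < array_size; i++)
        NDR_CHECK(pull_u32(ndr, &r->settings[i]));
    return NDR_OK;
}

/* Constructed request body: auditing_mode=1, count=4, array_size=1, then four
 * uint32 elements. The allocation holds one element; the loop writes four. */
static const uint8_t crafted_wire[] = {
    1,0,0,0,  4,0,0,0,  1,0,0,0,
    0x41,0x41,0x41,0x41, 0x42,0x42,0x42,0x42, 0x43,0x43,0x43,0x43, 0x44,0x44,0x44,0x44,
};

static enum ndr_err run(int use_fixed, int *guard_ok)
{
    struct ndr_pull ndr = { crafted_wire, sizeof crafted_wire, 0 };
    struct audit_events_info r = { 0, 0, NULL };
    enum ndr_err st = use_fixed ? pull_audit_info_fixed(&ndr, &r)
                                : pull_audit_info_vulnerable(&ndr, &r);
    *guard_ok = r.settings ? canary_intact(r.settings, 1) : 1;   /* 1 = array_size in crafted_wire */
    free(r.settings);
    return st;
}

/* Decoder status and guard-byte state for the vulnerable (0) or fixed (1) path. */
int demo_status(int use_fixed)       { int g; return (int)run(use_fixed, &g); }
int demo_guard_intact(int use_fixed) { int g; run(use_fixed, &g); return g; }
```

Both decoders return NDR_ERR_ARRAY_SIZE for the crafted body, which is the point: the vulnerable one has already written three elements past its one-element allocation (demo_guard_intact(0) is 0) by the time it reports the mismatch, while the fixed one rejects the request before allocating (demo_guard_intact(1) is 1). Returning an error is not the same as having validated the input before using it.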

Affected

126 ranges · showing 25

Vendor   Product  Version range                   Fixed in
debian   samba    < samba 2:3.6.4-1 (bookworm)    samba 2:3.6.4-1 (bookworm)
samba    samba    <= 3.4.15
samba    samba    (remaining 23 rows carry no version range or fix in this extract)

Detection & IOCs (extracted from sources)

command: SetInformationPolicy (PolicyAuditEventsInformation) LSA RPC heap overflow call
port: 445
process: smbd
path: /usr/sbin/smbd
  • Detect unauthenticated DCE/RPC LSA SetInformationPolicy calls with the PolicyAuditEventsInformation class targeting smbd; this call is the exploit's trigger.
  • Monitor for rapid, repeated DCE/RPC connections to the LSA pipe (a brute-force pattern): the exploit guesses the return address by stepping through a large range in 0x1000 increments (its means of getting past NX), which produces many short-lived connections.
  • Alert on STATUS_PIPE_DISCONNECTED responses from smbd during LSA RPC sessions; the exploit code handles this status as the expected crash/disconnect indicator while brute-forcing.
  • The exploit targets the LSA RPC service (the lsarpc named pipe) over SMB: monitor for unauthenticated SMB sessions that bind to the lsarpc pipe and then issue SetInformationPolicy opnum calls.
  • Version fingerprinting: scan for Samba versions matching 3.x < 3.4.16, 3.5.x < 3.5.14 or 3.6.x < 3.6.4 via the SMB peer LM string; the exploit performs this check itself before launching.
  • The exploit brute-forces return addresses across a very wide range (e.g. 0x00230b20 to 0x22a00b20 in 0x1000 steps); detection based on connection-count thresholds must account for this large iteration space to avoid false negatives.
  • The vulnerability is exploitable by a remote, unauthenticated attacker: no SMB credentials are required, so authentication-based controls alone are insufficient.
  • Payload delivery requires cmd-type payloads (generic bash, telnet, python, perl) within a space of 811 bytes; payloads outside these types will not work with the published exploit module.
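One way to turn the first four indicators into running detection logic, as an added example that is neither the page's own nor taken from any exploit module or IDS: a small C classifier over raw connection-oriented DCE/RPC PDUs that flags lsa_SetInfoPolicy requests carrying the PolicyAuditEventsInformation class and tallies repeats per client to catch the brute-force pattern. The opnum value (8), the info-class value (2), the uint16 encoding of the class immediately after the 20-byte policy handle, the per-client threshold and the constructed PDUs are assumptions made for the example; the request header layout (version, ptype, drep, frag_length, opnum at offset 22, optional object UUID before the stub) follows the standard connection-oriented DCE/RPC format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed protocol constants (not stated on this page): lsa_SetInfoPolicy is
 * opnum 8 on the lsarpc interface, PolicyAuditEventsInformation is info
 * class 2, encoded as a uint16 enum right after the 20-byte policy handle. */
#define LSA_OPNUM_SETINFOPOLICY      8
#define LSA_POLICY_INFO_AUDIT_EVENTS 2
#define POLICY_HANDLE_LEN            20
#define DCERPC_REQUEST_HDR_LEN       24
#define DCERPC_PTYPE_REQUEST         0
#define DCERPC_PFC_OBJECT_UUID       0x80
#define BRUTE_FORCE_THRESHOLD        5    /* assumed alert threshold per client */

enum verdict {
    V_MALFORMED = 0,        /* too short, wrong version, or frag_length beyond the data */
    V_NOT_REQUEST,          /* bind, response, fault, ... */
    V_OTHER_CALL,           /* request for some other opnum */
    V_SETINFO_OTHER_CLASS,  /* SetInfoPolicy with another info class */
    V_SETINFO_AUDIT_EVENTS  /* SetInfoPolicy(PolicyAuditEventsInformation): the trigger */
};

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

/* Classify one connection-oriented DCE/RPC PDU carried on the lsarpc pipe. */
enum verdict classify_pdu(const uint8_t *pdu, size_t len)
{
    if (len < DCERPC_REQUEST_HDR_LEN || pdu[0] != 5) return V_MALFORMED;
    int le = (pdu[4] & 0x10) != 0;                        /* drep: integer byte order */
    uint16_t frag_len = rd16(pdu + 8, le);
    if (frag_len > len) return V_MALFORMED;               /* truncated fragment */
    if (pdu[2] != DCERPC_PTYPE_REQUEST) return V_NOT_REQUEST;
    size_t stub = DCERPC_REQUEST_HDR_LEN;
    if (pdu[3] & DCERPC_PFC_OBJECT_UUID) stub += 16;      /* optional object UUID before the stub */
    if (rd16(pdu + 22, le) != LSA_OPNUM_SETINFOPOLICY) return V_OTHER_CALL;
    if (frag_len < stub + POLICY_HANDLE_LEN + 2) return V_MALFORMED;
    uint16_t level = rd16(pdu + stub + POLICY_HANDLE_LEN, le);
    return level == LSA_POLICY_INFO_AUDIT_EVENTS ? V_SETINFO_AUDIT_EVENTS : V_SETINFO_OTHER_CLASS;
}

/* Per-client tally: the return-address brute force shows up as the same
 * trigger call repeated across many short connections from one source. */
struct client_stats { unsigned trigger_calls, other_calls; };

void observe(struct client_stats *s, const uint8_t *pdu, size_t len)
{
    switch (classify_pdu(pdu, len)) {
    case V_SETINFO_AUDIT_EVENTS: s->trigger_calls++; break;
    case V_OTHER_CALL: case V_SETINFO_OTHER_CLASS: s->other_calls++; break;
    default: break;
    }
}

int looks_like_brute_force(const struct client_stats *s)
{
    return s->trigger_calls >= BRUTE_FORCE_THRESHOLD;
}

/* Build a constructed lsarpc request: header, 20-byte handle, info class.
 * A real call continues with the policy-information union; it is omitted
 * because the classifier never reads it. Returns the PDU length (46). */
size_t build_lsa_request(uint8_t *out, uint16_t opnum, uint16_t level)
{
    static const uint8_t hdr[DCERPC_REQUEST_HDR_LEN] = {
        0x05,0x00,0x00,0x03, 0x10,0x00,0x00,0x00, 0x2e,0x00,0x00,0x00,  /* v5 request, first|last, LE, frag 46 */
        0x01,0x00,0x00,0x00, 0x16,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 }; /* call_id, alloc_hint, ctx, opnum */
    memcpy(out, hdr, sizeof hdr);
    out[22] = (uint8_t)opnum; out[23] = (uint8_t)(opnum >> 8);
    memset(out + 24, 0x11, POLICY_HANDLE_LEN);            /* constructed handle bytes */
    out[44] = (uint8_t)level; out[45] = (uint8_t)(level >> 8);
    return 46;
}

/* Constructed bind PDU header (ptype 0x0b, frag_length 24): header only. */
static const uint8_t pdu_bind[DCERPC_REQUEST_HDR_LEN] = {
    0x05,0x00,0x0b,0x03, 0x10,0x00,0x00,0x00, 0x18,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0xb8,0x10,0xb8,0x10, 0x00,0x00,0x00,0x00 };

int verdict_for(uint16_t opnum, uint16_t level)
{
    uint8_t b[64]; size_t n = build_lsa_request(b, opnum, level);
    return classify_pdu(b, n);
}
int verdict_truncated(void) { uint8_t b[64]; build_lsa_request(b, 8, 2); return classify_pdu(b, 30); }
int verdict_bind(void)      { return classify_pdu(pdu_bind, sizeof pdu_bind); }

/* One client: six trigger calls interleaved with benign QueryInfoPolicy (opnum 7). */
int demo_session(void)
{
    struct client_stats s = { 0, 0 };
    uint8_t b[64]; size_t n;
    for (int i = 0; i < 6; i++) {
        n = build_lsa_request(b, 7, 2); observe(&s, b, n);
        n = build_lsa_request(b, LSA_OPNUM_SETINFOPOLICY, LSA_POLICY_INFO_AUDIT_EVENTS); observe(&s, b, n);
    }
    return looks_like_brute_force(&s);
}
```

The classifier expects PDUs already demultiplexed from the SMB layer (the write/ioctl payloads to the lsarpc pipe), and it deliberately stops at the info class: the count/array-size mismatch that makes the call dangerous sits in the union body, and a sensor that parses that deeply inherits the same parsing risk. The STATUS_PIPE_DISCONNECTED and version-fingerprint indicators live in SMB responses rather than in DCE/RPC PDUs and need the SMB layer to be observed.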

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                     10.0   CRITICAL
vendor_debian           10.0   CRITICAL
vendor_redhat           10.0   CRITICAL
vendor_ubuntu           10.0   CRITICAL