Detections
Analytics

FreeBSD : samba -- multiple vulnerabilities (3546a833-03ea-11dc-a51d-0019b95d4f14)

critical Nessus Plugin ID 25260

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The Samba Team reports :

A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB/CIFS protocol operations as root.

When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server.

Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data.

Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution.

This bug was originally reported against the anonymous calls to the SamrChangePassword() MS-RPC function in combination with the 'username map script' smb.conf option (which is not enabled by default).

After further investigation by Samba developers, it was determined that the problem was much broader and impacts remote printer and file share management as well. The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking externals scripts defined in smb.conf. However, unlike the 'username map script' vulnerability, the remote file and printer management scripts require an authenticated user session.

Solution

Update the affected packages.

See Also

https://www.samba.org/samba/security/CVE-2007-2444.html

https://www.samba.org/samba/security/CVE-2007-2446.html

https://www.samba.org/samba/security/CVE-2007-2447.html

http://www.nessus.org/u?5bcbde7b

Plugin Details

Severity: Critical

ID: 25260

File Name: freebsd_pkg_3546a83303ea11dca51d0019b95d4f14.nasl

Version: 1.20

Type: local

Published: 5/20/2007

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ja-samba, p-cpe:/a:freebsd:freebsd:samba, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/16/2007

Vulnerability Publication Date: 5/14/2007

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Samba "username map script" Command Execution)

Reference Information

CVE: CVE-2007-2444, CVE-2007-2446, CVE-2007-2447