full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [OpenPKG-SA-2007.012] Open

[Full-disclosure] [OpenPKG-SA-2007.012] OpenPKG Security Advisory (samba)

From: OpenPKG GmbH <openpkg-noreply_at_nospam>
Date: Thu May 17 2007 - 17:46:47 GMT
To: full-disclosure@lists.grok.org.uk

Hash: SHA1

Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2007.012 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.012 Advisory Published: 2007-05-17 19:46 UTC Issue Id (internal): OpenPKG-SI-20070517.01 Issue First Created: 2007-05-17 Issue Last Modified: 2007-05-17 Issue Revision: 04 ____________________________________________________________________________ Subject Name: Samba Subject Summary: CIFS/SMB Server Subject Home: http://www.samba.org/ Subject Versions: 3..* <= 3.0.24 Vulnerability Id: CVE-2007-2444, CVE-2007-2446, CVE-2007-2447, CVE-2007-2453, CVE-2007-2454 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service, privilege escalation, arbitrary code execution


    Multiple vulnerabilities were found in the CIFS/SMB server     implementation Samba [0]:     

  1. A logic error in the SID/Name translation functionality in smbd(8) allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the "root" user (CVE-2007-2444) [1].
  2. Multiple heap-based buffer overflows in the NDR parsing in smbd(8) allow remote attackers to execute arbitrary code via crafted MS-RPC requests (CVE-2007-2446) [2].
  3. The MS-RPC functionality in smbd(8) allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) "SamrChangePassword" function, when the "username map script" "smb.conf" option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management (CVE-2007-2447) [3].
  4. A buffer overflow in the "nss_winbind" library, as used in the winbindd(8) daemon, allows attackers to execute arbitrary code via the gethostbyname(3) and getipnodebyname(3) functions (CVE-2007-0453) [4].
  5. A format string vulnerability in the "afsacl" VFS module in allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping (CVE-2007-0454)


[0] http://www.samba.org/
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2444
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2447
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2453
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2454

Primary Package Name: samba
Primary Package Home: http://openpkg.org/go/package/samba

Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID samba-3.0.23c-E1.0.1

For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document.

Comment: OpenPKG GmbH <http://openpkg.com/>

iD8DBQFGTJT1ZwQuyWG3rjQRAsjvAKCjc+e+hANJ3QBHWMm9aZq8oMzDYwCgy9Ht fbbMBTfSWcXumeopl5JdD10=

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/