openvas | Copyright (C) 2021 Greenbone Networks GmbH | OPENVAS:1361412562310150717
History | Sep 24, 2021 - 12:00 a.m.

Samba 3.0.2 <= 3.0.4 Buffer Overflow Vulnerability (CVE-2004-0600)

2021-09-24 00:00:00
Copyright (C) 2021 Greenbone Networks GmbH
plugins.openvas.org
3

AI Score: 6.5 Medium (Confidence: Low)

CVSS2: 10 High, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
- Access Vector: Network (AV:N)
- Access Complexity: Low (AC:L)
- Authentication: NONE
- Confidentiality Impact: COMPLETE
- Integrity Impact: COMPLETE
- Availability Impact: COMPLETE

EPSS: 0.964 High (Percentile: 99.6%)

Potential Buffer Overrun in SWAT, Samba 3.0.2 - 3.0.4.

# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

# CPE of the product this VT covers; the check below uses it to look up the
# detected Samba port, version and install location.
CPE = "cpe:/a:samba:samba";

# Description block: when the `description` variable is set, the script only
# registers its metadata (OID, scores, references, dependencies) and exits.
# Nothing in this block contacts the target.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.150717");
  script_version("2021-09-30T11:17:22+0000");
  script_tag(name:"last_modification", value:"2021-09-30 11:17:22 +0000 (Thu, 30 Sep 2021)");
  script_tag(name:"creation_date", value:"2021-09-24 10:59:30 +0000 (Fri, 24 Sep 2021)");
  # CVSSv2 base score and vector registered for this finding.
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_cve_id("CVE-2004-0600");

  # Quality of detection: the result rests on a remotely observed version
  # string, which is flagged as unreliable.
  # NOTE(review): distributions that backport the fix without changing the
  # version string can produce false positives; confirm the package level on
  # the host before acting on a hit.
  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Samba 3.0.2 <= 3.0.4 Buffer Overflow Vulnerability (CVE-2004-0600)");

  # Registered as an information-gathering check; the code after this block
  # only compares an already-detected version and sends no exploit traffic.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
  script_family("Buffer overflow");
  # Detection scripts that must run first, and the KB key that must exist for
  # this VT to run (presumably set by those detection scripts; verify there).
  script_dependencies("smb_nativelanman.nasl", "gb_samba_detect.nasl");
  script_mandatory_keys("samba/smb_or_ssh/detected");

  script_tag(name:"summary", value:"Potential Buffer Overrun in SWAT, Samba 3.0.2 - 3.0.4.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  # The insight text names two code paths: SWAT's HTTP basic-auth base64
  # decoder (the overrun) and the ldapsam sambaMungedDial decoder (stated as
  # not believed exploitable). The version check in this script does not test
  # whether SWAT is enabled or reachable, so a hit means "affected version
  # present", not "SWAT exposed".
  script_tag(name:"insight", value:"The internal routine used by the Samba Web Administration
  Tool (SWAT v3.0.2 and later) to decode the base64 data
  during HTTP basic authentication is subject to a buffer
  overrun caused by an invalid base64 character.  It is
  recommended that all Samba v3.0.2 or later installations
  running SWAT either (a) upgrade to v3.0.5, or (b) disable
  the swat administration service as a temporary workaround.

  This same code is used internally to decode the
  sambaMungedDial attribute value when using the ldapsam
  passdb backend. While we do not believe that the base64
  decoding routines used by the ldapsam passdb backend can
  be exploited, sites using an LDAP directory service with
  Samba are strongly encouraged to verify that the DIT only
  allows write access to sambaSamAccount attributes by a
  sufficiently authorized user.");

  script_tag(name:"affected", value:"Samba versions 3.0.2 through 3.0.4.");

  script_tag(name:"solution", value:"Update to version 3.0.5 or later.");

  # Vendor advisory for this CVE.
  script_xref(name:"URL", value:"https://www.samba.org/samba/security/CVE-2004-0600.html");

  # Metadata registered; stop here in description mode.
  exit(0);
}

include("host_details.inc");
include("version_func.inc");

# Resolve the port recorded for the Samba CPE; without one there is nothing
# to evaluate, so leave without a result.
port = get_app_port(cpe: CPE);
if (isnull(port))
  exit(0);

# Fetch the detected version and install location for that port. An empty
# result ends the run without a result.
infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE);
if (!infos)
  exit(0);

vers = infos["version"];
path = infos["location"];

# Version-only decision: anything outside 3.0.2 - 3.0.4 is reported as not
# affected (exit code 99). The check does not look at whether SWAT is
# enabled, and the VT is registered with qod_type "remote_banner_unreliable",
# so a hit should be confirmed against the installed package level.
if (!version_in_range(version: vers, test_version: "3.0.2", test_version2: "3.0.4"))
  exit(99);

# Affected version found: report the installed version, the first fixed
# version (3.0.5) and the install location.
security_message(port: port, data: report_fixed_ver(installed_version: vers, fixed_version: "3.0.5", install_path: path));
exit(0);
