Samba 4.0.0 Bypass Restriction Vulnerability (CVE-2013-0172)

# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

CPE = "cpe:/a:samba:samba";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.150731");
  script_version("2021-09-29T04:35:02+0000");
  script_tag(name:"last_modification", value:"2021-09-29 04:35:02 +0000 (Wed, 29 Sep 2021)");
  script_tag(name:"creation_date", value:"2021-09-24 10:59:30 +0000 (Fri, 24 Sep 2021)");
  script_tag(name:"cvss_base", value:"3.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:S/C:N/I:P/A:N");

  script_cve_id("CVE-2013-0172");

  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Samba 4.0.0 Bypass Restriction Vulnerability (CVE-2013-0172)");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2021 Greenbone Networks GmbH");
  script_family("General");
  script_dependencies("smb_nativelanman.nasl", "gb_samba_detect.nasl");
  script_mandatory_keys("samba/smb_or_ssh/detected");

  script_tag(name:"summary", value:"Samba 4.0.0 as an AD DC may provide authenticated users with
  write access to LDAP directory objects.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"In AD, Access Control Entries can be assigned based on the objectClass
of the object.  If a user or a group the user is a member of has any
access based on the objectClass, then that user has write access to that
object.

Additionally, if a user has write access to any attribute on the object,
they may have access to write to all attributes.

An important mitigation is that anonymous access is totally disabled by
default.  The second important mitigation is that normal users are
typically only given the problematic per-objectClass right via the
'pre-windows 2000 compatible access' group, and Samba 4.0.0 incorrectly
does not make 'authenticated users' part of this group.");

  script_tag(name:"affected", value:"Samba version 4.0.0.");

  script_tag(name:"solution", value:"Update to version 4.0.1 or later.");

  script_xref(name:"URL", value:"https://www.samba.org/samba/security/CVE-2013-0172.html");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_is_equal(version: version, test_version: "4.0.0")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "4.0.1", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);