Potential access to "/" in setups with
Description When connecting to a share called "" (the empty string) using an older version of smbclient before 3.0.28, for example with: 'smbclient //server/ -U user%pass', access to the root filesystem is granted with the privileges of the authenticated user. This only happens in setups with registry...
Potential leak of arbitrary memory contents
Description Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers a...
Wrong permissions of group_mapping.ldb
Description The file group_mapping.ldb is created with the permissions 0666. That means everyone is able to edit this file and gain additional access rights while connecting remotely to the Samba server. By manipulating the SID mappings contained in this file, it is also possible to establish a...
Boundary failure when parsing SMB responses
Description Secunia Research reported a vulnerability that allows for the execution of arbitrary code in smbd. This defect is a result of an incorrect buffer size when parsing SMB replies in the routine receive_smb_raw. Patch Availability A patch addressing this defect has been posted to...
Boundary failure in GETDC mailslot
Description Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect can only be exploited when the "domain logons" parameter has been enabled in smb.conf. Patch Availability A patch addressing this defect has been posted to...
Remote code execution in Samba's WINS
Description Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf. Patch Availability A patch addressing this defect has been posted to...
Stack buffer overflow in nmbd's logon
Description Samba developers have discovered what is believed to be a non-exploitable buffer overrun in nmbd during the processing of GETDC logon server requests. This code is only used when the Samba server is configured as a Primary or Backup Domain Controller. Patch Availability A patch addressin...
Incorrect primary group assignment for
Description The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user's home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by setting the "winbind nss info" smb.conf option to either "sfu" or...
Local SID/Name translation bug can result
Description When translating SIDs to/from names using Samba's local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol...
Multiple Heap Overflows Allow Remote
Description Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data. Patch Availability A patch against Samba 3.0.24 has been posted at http://www.samba.org/samba/security/ Workaround There is no...
Remote Command Injection Vulnerability
Description This bug was originally reported against the anonymous calls to the SamrChangePassword MS-RPC function in combination with the "username map script" smb.conf option which is not enabled by default. After further investigation by Samba developers, it was determined that the problem was...
Format string bug in afsacl.so VFS plugin.
Description NOTE: This security advisory only impacts Samba servers that share AFS file systems to CIFS clients and which have been explicitly instructed in smb.conf to load the afsacl.so VFS module. The source defect results in the name of a file stored on disk being used as the format string in...
Potential Denial of Service bug in smbd
Description Internally Samba's file server daemon, smbd, implements support for deferred file open calls in an attempt to serve client requests that would otherwise fail due to a share mode violation. When renaming a file under certain circumstances it is possible that the request is never remove...
Buffer overrun in NSS host lookup Winbind
Description NOTE: This security advisory only affects Sun Solaris systems running Samba's winbindd daemon and configured to make use of the nss_winbind.so.1 library for gethostbyname and getipnodebyname name resolution queries. For example, /etc/nsswitch.conf ... ipnodes: files winbind hosts: file...
Memory exhaustion DoS against smbd
Description The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect...
Exposed clear text of domain machine
Description The machine trust account password is the secret shared between a domain controller and a specific member server. Access to the member server machine credentials allows an attacker to impersonate the server in the domain and gain access to additional information regarding domain users...
Possible remote code execution
Description Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges...
Possible Buffer Overrun in smbd
Summary: A possible buffer overrun in smbd could lead to code execution by a remote user Patch Availability A patch for Samba 3.0.7 samba-3.0.7-CAN-2004-0882.patch is available from http://www.samba.org/samba/ftp/patches/security/. The patch has been signed with the "Samba Distribution Verificati...
Potential Remote Denial of Service
Summary: A remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters. Patch Availability A patch for Samba 3.0.7 samba-3.0.7-CAN-2004-0930.patch is available from...
Potential Arbitrary File Access
Summary: A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection. Patch Availability The patch for Samba 3.0.2a and earlier releases 3.0.x samba-3.0.2a-reducename.patch can be...
Samba 3.0.x Denial of Service Flaw
(ii) A DoS bug in nmbd may allow an attacker to remotely crash the nmbd daemon. Patch Availability The patch file for Samba 3.0.5 addressing both bugs samba-3.0.5-DoS.patch can be downloaded from http://www.samba.org/samba/ftp/patches/security/ The patch has been signed with the "Samba Distribution...
Potential Buffer Overrun in smbd
Description A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. Affected Samba 3 installations can avoid this possible...
Potential Buffer Overrun in SWAT
Description The internal routine used by the Samba Web Administration Tool (SWAT) v3.0.2 and later to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. It is recommended that all Samba v3.0.2 or later installations running...
mksmbpasswd shell script may create accounts
Description It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script. Samba administrators not wishing to upgrade to the current version...