Samba < 3.0.20 Heap Overflow

vendor:

Samba

by:

zuc@hack.it

7.5

CVSS

HIGH

Heap Overflow

119

CWE

Product Name: Samba

Affected Version From: Samba < 3.0.20

Affected Version To: Samba < 3.0.20

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Debian, Slackware, Mandrake

2005

Samba < 3.0.20 Heap Overflow

This exploit is for Samba versions < 3.0.20. It is possible to overflow the heap by sending a specially crafted packet to the vulnerable server. The exploit uses the free() function from the GOT (Global Offset Table) to overwrite the return address of the function. This exploit does not work on Mandriva, RHEL, and Fedora.

Mitigation:

Upgrade to the latest version of Samba.

Source

Exploit-DB raw data:

/***********************************************************************************/
/* Samba < 3.0.20 heap overflow				   			   */
/* per Debian 3.0.14a Debian e altre versioni					   */
/* per versionare il sorgente:							   */
/* usare l'opzione DEBUG						  	   */
/* usare free() dalla GOT (non funziona su Mandriva,RHEL e Fedora)	 	   */  
/* da qualche parte nel 3Â°/4Â° pacchetto di risposta dice la versione di Samba	   */
/* coded by zuc@hack.it						  	   */
/***********************************************************************************/
#define VERSN 25
struct versions vers[VERSN] =
{
{"Debian 3.1 r0 X restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r0 X",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r0 noX restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r0 noX",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r0a X 1st",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r0a noX restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r0a noX",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r1 noX restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r1 noX",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r2 noX restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r2 noX",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r3 noX restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r3 noX",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r4 noX restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r4 noX",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r5 noX restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r5 noX",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r6a noX restart",0x0827c000,0x0837f000,30*1024},
{"Debian 3.1 r6a noX",0x0827c000,0x0837f000,30*1024},
{"Slackware 10.0 restart",0x0827c000,0x0837f000,30*1024},
{"Slackware 10.0",0x0827c000,0x0837f000,30*1024},
{"Mandrake 10.1 noX",0x80380000,0x8045b000,30*1024},
{"Mandrake 10.1 X Kde",0x80380000,0x8045b000,30*1024},
{"Samba 3.0.x DEBUG",0x80380000,0x8045b000,30*1024}
};

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/7701.zip (2009-lsa.zip)

# milw0rm.com [2009-01-08]