Vulnerability Details: CVE-2007-2446
Public exploit exists!
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).
Vulnerability category: Execute code
Products affected by CVE-2007-2446
- cpe:2.3:a:samba:samba:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.2a:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.21a:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.21b:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.21c:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.20a:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.14a:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.20b:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.23a:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.23b:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.23c:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.23d:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.25:pre2:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.25:rc2:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.25:rc3:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.25:rc1:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:3.0.25:pre1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2007-2446
- Probability of exploitation activity in the next 30 days: 80.97%
- Percentile (the proportion of vulnerabilities that are scored at or below this score): ~99%
Metasploit modules for CVE-2007-2446
- Samba lsa_io_trans_names Heap Overflow
  Disclosure Date: 2007-05-14. First seen: 2020-04-26.
  exploit/solaris/samba/lsa_transnames_heap
  This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba
- Samba lsa_io_trans_names Heap Overflow
  First seen: 2020-04-26.
  auxiliary/dos/samba/lsa_transnames_heap
  This module triggers a heap overflow in the LSA RPC service of the Samba daemon. Authors: hdm <x@hdm.io>
- Samba lsa_io_privilege_set Heap Overflow
  First seen: 2020-04-26.
  auxiliary/dos/samba/lsa_addprivs_heap
  This module triggers a heap overflow in the LSA RPC service of the Samba daemon. Authors: hdm <x@hdm.io>
- Samba lsa_io_trans_names Heap Overflow
  Disclosure Date: 2007-05-14. First seen: 2020-04-26.
  exploit/osx/samba/lsa_transnames_heap
  This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the szone_free() to overwrite the size() or free() pointer in initial_malloc_zones structure. Authors: Ramon de C Valle <rcvalle@metasploit.com>, Adriano Lima <adriano
- Samba lsa_io_trans_names Heap Overflow
  Disclosure Date: 2007-05-14. First seen: 2020-04-26.
  exploit/linux/samba/lsa_transnames_heap
  This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba
CVSS scores for CVE-2007-2446
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
CWE ids for CVE-2007-2446
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2007-2446
- http://secunia.com/advisories/25772
- http://osvdb.org/34731
- http://www.zerodayinitiative.com/advisories/ZDI-07-030.html
  ZDI-07-030 | Zero Day Initiative
- http://secunia.com/advisories/25259
  [Vendor Advisory]
- http://www.vupen.com/english/advisories/2008/0050
- http://www.vupen.com/english/advisories/2007/3229
- http://www.vupen.com/english/advisories/2007/2210
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11415
- http://www.securityfocus.com/archive/1/468673/100/0/threaded
- http://www.vupen.com/english/advisories/2007/2281
- http://security.gentoo.org/glsa/glsa-200705-15.xml
  Samba: Multiple vulnerabilities (GLSA 200705-15) — Gentoo security
- http://www.redhat.com/support/errata/RHSA-2007-0354.html
  [Vendor Advisory]
- http://secunia.com/advisories/25232
  [Vendor Advisory]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34312
  Samba smb_io_notify_option_type_data buffer overflow CVE-2007-2446 Vulnerability Report
- http://www.securityfocus.com/bid/23973
- http://secunia.com/advisories/25675
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200588-1
- http://www.securityfocus.com/archive/1/468542/100/0/threaded
- http://secunia.com/advisories/28292
- http://www.securityfocus.com/bid/24195
- http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.012.html
- http://www.debian.org/security/2007/dsa-1291
  Debian -- The Universal Operating System
- http://secunia.com/advisories/27706
- http://www.zerodayinitiative.com/advisories/ZDI-07-029.html
  ZDI-07-029 | Zero Day Initiative
- http://www.samba.org/samba/security/CVE-2007-2446.html
  Samba - Security Announcement Archive [Patch; Vendor Advisory]
- http://www.zerodayinitiative.com/advisories/ZDI-07-033.html
  ZDI-07-033 | Zero Day Initiative
- http://docs.info.apple.com/article.html?artnum=306172
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01067768
- http://www.securityfocus.com/bid/25159
- http://www.xerox.com/downloads/usa/en/c/cert_XRX08_001.pdf
- http://www.vupen.com/english/advisories/2007/1805
- http://lists.suse.com/archive/suse-security-announce/2007-May/0006.html
- http://www.securityfocus.com/archive/1/468672/100/0/threaded
- http://www.securityfocus.com/bid/24197
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html
  [Full-Disclosure] Mailing List Charter
- http://secunia.com/advisories/25255
  [Vendor Advisory]
- http://secunia.com/advisories/25251
  [Vendor Advisory]
- http://www.securityfocus.com/archive/1/468680/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34316
  Samba lsa_io_trans_names buffer overflow CVE-2007-2446 Vulnerability Report
- http://www.ubuntu.com/usn/usn-460-1
  USN-460-1: Samba vulnerabilities | Ubuntu security notices | Ubuntu
- http://secunia.com/advisories/25391/
- http://www.securityfocus.com/archive/1/468674/100/0/threaded
- http://www.securitytracker.com/id?1018050
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34314
  Samba sec_io_acl buffer overflow CVE-2007-2446 Vulnerability Report
- http://www.trustix.org/errata/2007/0017/
  Trustix | Empowering Trust and Security in the Digital Age
- http://www.zerodayinitiative.com/advisories/ZDI-07-031.html
  ZDI-07-031 | Zero Day Initiative
- http://www.securityfocus.com/archive/1/468670/100/0/threaded
- http://www.zerodayinitiative.com/advisories/ZDI-07-032.html
  ZDI-07-032 | Zero Day Initiative
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34309
  Samba lsa_io_privilege_set buffer overflow CVE-2007-2446 Vulnerability Report
- http://www.securityfocus.com/bid/24198
- http://www.vupen.com/english/advisories/2007/2732
- http://www.securityfocus.com/archive/1/468675/100/0/threaded
- http://secunia.com/advisories/25270
  [Vendor Advisory]
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01078980
- http://www.vupen.com/english/advisories/2007/2079
- http://secunia.com/advisories/25289
- http://osvdb.org/34733
- http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.475906
  The Slackware Linux Project: Slackware Security Advisories
- http://secunia.com/advisories/26909
- http://secunia.com/advisories/25256
  [Vendor Advisory]
- http://secunia.com/advisories/26235
- http://www.osvdb.org/34732
- http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
- http://secunia.com/advisories/25241
  [Vendor Advisory]
- http://osvdb.org/34699
- http://secunia.com/advisories/25246
  [Vendor Advisory]
- https://issues.rpath.com/browse/RPL-1366
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34311
  Samba netdfs_io_dfs_EnumInfo_d buffer overflow CVE-2007-2446 Vulnerability Report
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:104
  Mandriva
- http://www.securityfocus.com/bid/24196
- http://securityreason.com/securityalert/2702
  Samba 3.0.0 - 3.0.25rc3: Multiple Heap Overflows Allow Remote Code Execution - CXSecurity.com
- http://secunia.com/advisories/25257
  [Vendor Advisory]
- http://secunia.com/advisories/25567
- http://www.kb.cert.org/vuls/id/773720
  VU#773720 - Samba NDR MS-RPC heap buffer overflow [US Government Resource]