Samba lsa_io_trans_names buffer overflow

Added: 12/24/2007
CVE: CVE-2007-2446
BID: 24195
OSVDB: 34699

Background

Samba is a software package which implements the SMB protocol on a variety of platforms, providing compatibility with Windows systems.

Problem

A vulnerability in the LSA RPC interface allows a remote attacker to execute arbitrary commands by sending a specially crafted LsarLookupSids/LsarLookupSids2 request, which causes a buffer overflow in the lsa_io_trans_names function.

Resolution

Upgrade to Samba 3.0.25 or higher, apply the patch for Samba 3.0.24, or apply the patch for Solaris.

References

http://www.zerodayinitiative.com/advisories/ZDI-07-033.html
http://us1.samba.org/samba/security/CVE-2007-2446.html

Limitations

Exploit works on Samba 3.0.24 on Sun SPARC Solaris 9 and Samba 3.0.22 on SuSE Linux Enterprise Server 10.

Since the exploit uses a brute force method, extra time may be required before the exploit succeeds.

The Crypt::DES, Digest::MD4, and Digest::MD5 packages are required for this exploit. These packages are available from http://cpan.org/modules/by-module/.

Platforms

SunOS / Solaris
Linux

Back to exploit index