Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.

The remote Oracle Linux 5 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2007-1114 advisory.

    [3.0.9-1.3E.14.3]

     - Security fix for CVE-2007-6015
     - Fix for regression introduced with CVE-2007-4572
     - resolves: #407321
     - resolves: #389021

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated samba packages that fix a security issue are now available for Red Hat Enterprise Linux 4.5 Extended Update Support.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Samba is a suite of programs used by machines to share files, printers, and other information.

A stack buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server. (CVE-2007-6015)

Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.

Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server.
(CVE-2007-6015)

This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares.

This update of Samba fixes a buffer overflow in function send_mailslot() that allows to overwrite the stack with zero-bytes.
(CVE-2007-6015)

I  Updated ESX driver

    a. Updated aacraid driver

       This patch fixes a flaw in how the aacraid SCSI driver checked        IOCTL command permissions.  This flaw might allow a local user        on the Service Console to cause a denial of service or gain        privileges. Thanks to Adaptec for reporting this issue.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)        has assigned the name CVE-2007-4308 to this issue.

II  Service Console package security updates

    a. Samba

       Alin Rad Pop of Secunia Research found a stack-based buffer overflow        flaw in the way Samba authenticates remote users.  A remote        unauthenticated user could trigger this flaw to cause the Samba        server to crash or to execute arbitrary code with the        permissions of the Samba server.

       Note: This vulnerability can be exploited only if the attacker              has access to the Service Console network.  The Samba              client is installed by default in the Service Console, but              the Samba server is not.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)        has assigned the name CVE-2007-6015 to this issue.

    b. Python

       Chris Evans of the Google security research team discovered an        integer overflow issue with the way Python's Perl-Compatible        Regular Expression (PCRE) module handled certain regular        expressions.  If a Python application used the PCRE module to        compile and execute untrusted regular expressions, it might be        possible to cause the application to crash, or to execute        arbitrary code with the privileges of the Python interpreter.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)        has assigned the name CVE-2006-7228 to this issue.

       Piotr Engelking discovered a flaw in Python's locale module        where strings generated by the strxfrm() function were not        properly NUL-terminated.  This might result in disclosure of        data stored in the memory of a Python application using the        strxfrm() function.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)        has assigned the name CVE-2007-2052 to this issue.

       Slythers Bro reported multiple integer overflow flaws in        Python's imageop module.  These could allow an attacker to cause        a Python application to crash, enter an infinite loop, or        possibly execute arbitrary code with the privileges of the        Python interpreter.

       The Common Vulnerabilities and Exposures project (cve.mitre.org)        has assigned the name CVE-2007-4965 to this issue.

 The remote host is running a version of Mac OS X that is older than version 10.5.2. Mac OS X 10.5.2 contains several security fixes for a number of programs.

The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.2.

Mac OS X 10.5.2 contains several security fixes for a number of programs.

The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-001 applied. 

This update contains several security fixes for a number of programs.

Alin Rad Pop discovered that Samba did not correctly check the size of reply packets to mailslot requests. If a server was configured with domain logon enabled, an unauthenticated remote attacker could send a specially crafted domain logon packet and execute arbitrary code or crash the Samba service. By default, domain logon is disabled in Ubuntu.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Secuna Research reports :

Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the 'send_mailslot()' function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted 'SAMLOGON' domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string. Successful exploitation allows execution of arbitrary code, but requires that the 'domain logons' option is enabled.

This update of samba fixes a buffer overflow in function send_mailslot() that allows to overwrite the stack with zero-bytes.
(CVE-2007-6015)

Alin Rad Pop of Secunia Research discovered a stack-based buffer overflow in how Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or possibly execute arbitrary code with the permissions of the Samba server.

The updated packages have been patched to correct these issues.

Updated samba packages that fix a security issue and a bug are now available for Red Hat Enterprise Linux.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Samba is a suite of programs used by machines to share files, printers, and other information.

A stack-based buffer overflow flaw was found in the way Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or execute arbitrary code with the permissions of the Samba server.
(CVE-2007-6015)

Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.

This update also fixes a regression caused by the fix for CVE-2007-4572, which prevented some clients from being able to properly access shares.

Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues.

The remote host is affected by the vulnerability described in GLSA-200712-10 (Samba: Execution of arbitrary code)

    Alin Rad Pop (Secunia Research) discovered a boundary checking error in     the send_mailslot() function which could lead to a stack-based buffer     overflow.
  Impact :

    A remote attacker could send a specially crafted 'SAMLOGON' domain     logon packet, possibly leading to the execution of arbitrary code with     elevated privileges. Note that this vulnerability is exploitable only     when domain logon support is enabled in Samba, which is not the case in     Gentoo's default configuration.
  Workaround :

    Disable domain logon in Samba by setting 'domain logons = no' in     the 'global' section of your smb.conf and restart Samba.

Security release, fixes vulnerability reported as CVE-2007-6015

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Alin Rad Pop discovered that Samba, a LanManager-like file and printer server for Unix, is vulnerable to a buffer overflow in the nmbd code which handles GETDC mailslot requests, which might lead to the execution of arbitrary code.

New samba packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix a security issue. A boundary failure in GETDC mailslot processing can result in a buffer overrun leading to possible code execution.

 According to its banner, the version of the Samba server on the remote host is reportedly affected by a boundary error in 'nmbd' within the 'send_mailslot' function.  Provided the 'domain logons' option is enabled in 'smb.conf', an attacker can leverage this issue to produce a stack-based buffer overflow using a 'SAMLOGON' domain logon packet in which the username string is placed at an odd offset and is followed by a long 'GETDC' string.  Note that NNM has not verified whether 'domain logons' are enabled on the remote host.

According to its banner, the version of the Samba server on the remote host is reportedly affected by a boundary error in 'nmbd' within the 'send_mailslot' function. Provided the 'domain logons' option is enabled in 'smb.conf', an attacker can leverage this issue to produce a stack-based buffer overflow using a 'SAMLOGON' domain logon packet in which the username string is placed at an odd offset and is followed by a long 'GETDC' string.

Note that Nessus has not actually tried to exploit this issue nor verify whether the 'domain logons' option has been enabled on the remote host.

SunOS 5.9_x86: Samba Patch.
Date this patch was last updated by Sun : Dec/22/10

SunOS 5.9: Samba Patch.
Date this patch was last updated by Sun : Dec/22/10

ID	Name	Product	Family	Severity
67620	Oracle Linux 5 : Critical: / samba (ELSA-2007-1114)	Nessus	Oracle Linux Local Security Checks	critical
63847	RHEL 4 : samba (RHSA-2007:1117)	Nessus	Red Hat Local Security Checks	high
60328	Scientific Linux Security Update : samba on SL5.x, SL4.x, SL3.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
41171	SuSE9 Security Update : Samba (YOU Patch Number 12002)	Nessus	SuSE Local Security Checks	high
40374	VMSA-2008-0003 : Moderate: Updated aacraid driver and samba and python Service Console updates	Nessus	VMware ESX Local Security Checks	high
4373	Mac OS X < 10.5.2 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
30255	Mac OS X 10.5.x < 10.5.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
30254	Mac OS X Multiple Vulnerabilities (Security Update 2008-001)	Nessus	MacOS X Local Security Checks	critical
29738	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : samba vulnerability (USN-556-1)	Nessus	Ubuntu Local Security Checks	high
29691	FreeBSD : samba -- buffer overflow vulnerability (ffcbd42d-a8c5-11dc-bec2-02e0185f8d72)	Nessus	FreeBSD Local Security Checks	high
29392	SuSE 10 Security Update : Samba (ZYPP Patch Number 4780)	Nessus	SuSE Local Security Checks	high
29343	openSUSE 10 Security Update : cifs-mount (cifs-mount-4777)	Nessus	SuSE Local Security Checks	high
29342	Mandrake Linux Security Advisory : samba (MDKSA-2007:244)	Nessus	Mandriva Local Security Checks	high
29303	RHEL 2.1 / 3 / 4 / 5 : samba (RHSA-2007:1114)	Nessus	Red Hat Local Security Checks	high
29297	GLSA-200712-10 : Samba: Execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
29280	Fedora 8 : samba-3.0.28-0.fc8 (2007-4275)	Nessus	Fedora Local Security Checks	high
29279	Fedora 7 : samba-3.0.28-0.fc7 (2007-4269)	Nessus	Fedora Local Security Checks	high
29262	Debian DSA-1427-1 : samba - buffer overflow	Nessus	Debian Local Security Checks	high
29256	CentOS 3 / 4 / 5 : samba (CESA-2007:1114)	Nessus	CentOS Local Security Checks	high
29254	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : samba (SSA:2007-344-01)	Nessus	Slackware Local Security Checks	high
4311	Samba < 3.0.28 'send_mailslot' Function Buffer Overflow	Nessus Network Monitor	Samba	critical
29253	Samba < 3.0.28 send_mailslot Function Remote Buffer Overflow	Nessus	Misc.	high
13609	Solaris 9 (x86) : 114685-17	Nessus	Solaris Local Security Checks	high
13559	Solaris 9 (sparc) : 114684-17	Nessus	Solaris Local Security Checks	high

Detections

Analytics

CVE-2007-6015

critical

Tenable Plugins

critical

high

high

high

high

critical

critical

critical

high

high

high

high

high

high

high

high

high

high

high

high

critical

high

high

high