Signature Detail

SCAN: Core Impact SAMBA nttrans Exploit

This signature detects the CORE Impact penetration testing tool using the SAMBA nttrans exploit against your network (this exploit is also detected by the signature attack object CRIT:APP:SAMBA:NTRANS-RPLY). Because CORE Impact can chain one infected computer to another, other machines in the network might already be compromised. CORE Impact can be used legitimately to perform a network security audit of your network. However, if a network security audit is not in progress, this signature can indicate that a malicious attacker is using the CORE Impact tool to compromise your network.

Extended Description

Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets. An attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered and will cause smbd to overwrite sensitive areas of memory with attacker-supplied values. Note that the smbd service runs with root privileges.

Affected Products

• HP CIFS/9000 Server A.01.05
• HP CIFS/9000 Server A.01.06
• HP CIFS/9000 Server A.01.07
• HP CIFS/9000 Server A.01.08
• HP CIFS/9000 Server A.01.08.01
• HP CIFS/9000 Server A.01.09
• HP CIFS/9000 Server A.01.09.01
• Samba 2.0.0 .0
• Samba 2.0.1
• Samba 2.0.10
• Samba 2.0.2
• Samba 2.0.3
• Samba 2.0.4
• Samba 2.0.5
• Samba 2.0.6
• Samba 2.0.7
• Samba 2.0.8
• Samba 2.0.9
• Samba 2.2.0 .0
• Samba 2.2.0 .0A
• Samba 2.2.1 A
• Samba 2.2.2
• Samba 2.2.3
• Samba 2.2.3 A
• Samba 2.2.4
• Samba 2.2.5
• Samba 2.2.6
• Samba 2.2.7
• Samba 2.2.7 A
• Samba-TNG 0.3.0
• Sun Solaris 9 Sparc
• Sun Solaris 9 X86

References

• BugTraq: 7106
• CVE: CVE-2003-0085
• URL: http://marc.theaimsgroup.com/?l=bugtraq&m=104801012929374&w=2