Signature Detail

SCAN: Core Impact SAMBA trans2 Exploit

This signature detects the CORE Impact penetration testing tool using the SAMBA trans2 exploit against your network (this exploit is also detected by the signature attack object CRIT:APP:SAMBA:SMB-TRANS2ROOT-OF). Because CORE Impact can chain one infected computer to another, other machines in the network might already be compromised. CORE Impact can be used legitimately to perform a network security audit of your network. However, if a network security audit is not in progress, this signature can indicate that a malicious attacker is using the CORE Impact tool to compromise your network.

Extended Description

A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory. Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process. It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected.

Affected Products

• Apple Mac OS X 10.2.0
• Apple Mac OS X 10.2.1
• Apple Mac OS X 10.2.2
• Apple Mac OS X 10.2.3
• Apple Mac OS X 10.2.4
• Compaq Tru64 4.0.0 B
• Compaq Tru64 4.0.0 D
• Compaq Tru64 4.0.0 d PK9 (BL17)
• Compaq Tru64 4.0.0 f
• Compaq Tru64 4.0.0 f PK6 (BL17)
• Compaq Tru64 4.0.0 f PK7 (BL18)
• Compaq Tru64 4.0.0 g
• Compaq Tru64 4.0.0 g PK3 (BL17)
• Compaq Tru64 5.0.0
• Compaq Tru64 5.0.0 a
• Compaq Tru64 5.0.0 a PK3 (BL17)
• Compaq Tru64 5.0.0 f
• Compaq Tru64 5.0.0 PK4 (BL17)
• Compaq Tru64 5.0.0 PK4 (BL18)
• Compaq Tru64 5.1.0
• Compaq Tru64 5.1.0 a
• Compaq Tru64 5.1.0 a PK1 (BL1)
• Compaq Tru64 5.1.0 a PK2 (BL2)
• Compaq Tru64 5.1.0 a PK3 (BL3)
• Compaq Tru64 5.1.0 B
• Compaq Tru64 5.1.0 b PK1 (BL1)
• Compaq Tru64 5.1.0 PK3 (BL17)
• Compaq Tru64 5.1.0 PK4 (BL18)
• Compaq Tru64 5.1.0 PK5 (BL19)
• Compaq Tru64 5.1.0 PK6 (BL20)
• HP CIFS/9000 Server A.01.05
• HP CIFS/9000 Server A.01.06
• HP CIFS/9000 Server A.01.07
• HP CIFS/9000 Server A.01.08
• HP CIFS/9000 Server A.01.08.01
• HP CIFS/9000 Server A.01.09
• HP CIFS/9000 Server A.01.09.01
• HP CIFS/9000 Server A.01.09.02
• HP HP-UX 10.0.0 1
• HP HP-UX 10.20.0
• HP HP-UX 10.24.0
• HP HP-UX 11.0.0
• HP HP-UX 11.0.0 4
• HP HP-UX 11.11.0
• HP HP-UX 11.20.0
• HP HP-UX 11.22.0
• HP HP-UX B.11.04
• Samba 2.0.0 .0
• Samba 2.0.1
• Samba 2.0.10
• Samba 2.0.2
• Samba 2.0.3
• Samba 2.0.4
• Samba 2.0.5
• Samba 2.0.6
• Samba 2.0.7
• Samba 2.0.8
• Samba 2.0.9
• Samba 2.2.0 .0
• Samba 2.2.0 .0A
• Samba 2.2.1 A
• Samba 2.2.2
• Samba 2.2.3 A
• Samba 2.2.4
• Samba 2.2.5
• Samba 2.2.6
• Samba 2.2.7
• Samba 2.2.7 A
• Samba 2.2.8
• Samba-TNG 0.3.0
• Samba-TNG 0.3.1
• Sun Cobalt Qube3 4000WG
• Sun Cobalt RaQ4 3001R
• Sun Cobalt RaQ 550 4100R
• Sun Cobalt RaQ XTR 3500R
• Sun Linux 5.0.0
• Sun Solaris 2.5.1
• Sun Solaris 2.5.1_ppc
• Sun Solaris 2.5.1_x86
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8 Sparc
• Sun Solaris 8 X86
• Sun Solaris 9 Sparc
• Sun Solaris 9 X86
• Sun Solaris 9 X86 Update 2

References

• BugTraq: 7294
• CVE: CVE-2003-0201
• URL: http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0008.html