Signature Detail

SMB: Samba NT Trans Reply Buffer Overflow

This signature detects attempts to exploit a known vulnerability against Samba 2.2.7a and earlier. Because Samba does not properly verify the NT Trans reply message, attackers can send a maliciously crafted Samba message to a Samba server and overflow the buffer.

Extended Description

Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets. An attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered and will cause smbd to overwrite sensitive areas of memory with attacker-supplied values. Note that the smbd service runs with root privileges.

Affected Products

• HP CIFS/9000 Server A.01.05
• HP CIFS/9000 Server A.01.06
• HP CIFS/9000 Server A.01.07
• HP CIFS/9000 Server A.01.08
• HP CIFS/9000 Server A.01.08.01
• HP CIFS/9000 Server A.01.09
• HP CIFS/9000 Server A.01.09.01
• Samba 2.0.0 .0
• Samba 2.0.1
• Samba 2.0.10
• Samba 2.0.2
• Samba 2.0.3
• Samba 2.0.4
• Samba 2.0.5
• Samba 2.0.6
• Samba 2.0.7
• Samba 2.0.8
• Samba 2.0.9
• Samba 2.2.0 .0
• Samba 2.2.0 .0A
• Samba 2.2.1 A
• Samba 2.2.2
• Samba 2.2.3
• Samba 2.2.3 A
• Samba 2.2.4
• Samba 2.2.5
• Samba 2.2.6
• Samba 2.2.7
• Samba 2.2.7 A
• Samba-TNG 0.3.0
• Sun Solaris 9 Sparc
• Sun Solaris 9 X86

References

• BugTraq: 7106
• CVE: CVE-2002-1318
• CVE: CVE-2003-0085
• URL: http://www.securiteam.com/exploits/5TP0M2AAKS.html
• URL: http://www.kb.cert.org/vuls/id/298233