Overview
Samba fails to properly filter input to /bin/sh. This vulnerability may allow a remote, authenticated attacker to execute arbitrary code on a Samba server.
Description
Samba provides file and print services for Microsoft Windows, Unix, Linux, and OS X clients. Samba can also act as a Primary Domain Controller (PDC) or as a Domain Member. Samba runs on most Unix-like systems. Samba versions prior to 3.0.24 pass unchecked user input from RPC messages to /bin/sh when calling external scripts that are listed in the Samba configuration file. An attacker may be able to exploit this vulnerability by sending specially crafted RPC messages to a vulnerable server.
Impact
A remote, unauthenticated attacker may be able to execute arbitrary commands.
Solution
Apply a patch or upgrade
Do not load external shell scripts
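As an added example (not part of the original advisory and not Samba project code), the following audit lists the smb.conf options that name an external program so they can be reviewed or removed, and checks a version string against the 3.0.24 threshold given above. The suffix heuristic, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Heuristic (assumption): options whose names end in these words run an
# external program. This is not an official list of affected parameters.
EXEC_SUFFIXES = ("script", "command", "program", "exec")
FIXED_VERSION = (3, 0, 24)  # the advisory: versions prior to 3.0.24 are affected


def is_affected(version):
    """True if a Samba version string such as '3.0.23d' is older than 3.0.24."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return nums < FIXED_VERSION


def external_programs(conf_text):
    """Return (section, option, value) for each non-empty external-program option."""
    findings, section, pending = [], "global", ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # smb.conf continues a line with a backslash
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        # Samba ignores case and spacing in option names; normalise before matching.
        name = " ".join(name.lower().split())
        if sep and value.strip() and name.endswith(EXEC_SUFFIXES):
            findings.append((section, name, value.strip()))
    return findings


# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   Username Map Script = /etc/samba/scripts/mapusers.sh
   ; add user script = /usr/sbin/useradd %u
   add machine script = /usr/sbin/useradd -d /dev/null \\
       -s /bin/false %u
[public]
   path = /srv/public
   root preexec = /usr/local/bin/prep.sh %S
"""

if __name__ == "__main__":
    for section, name, value in external_programs(SAMPLE_CONF):
        print(f"[{section}] {name} = {value}")
```

To audit a real host, pass the contents of its smb.conf to `external_programs()`; an empty result means the heuristic found no external programs configured.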
References
- http://samba.org/samba/history/security.html
- http://us4.samba.org/samba/ftp/patches/security/samba-3.0.24-CVE-2007-2447.patch
- http://www.samba.org
- http://secunia.com/advisories/25232/
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
- http://docs.info.apple.com/article.html?artnum=306172
Acknowledgements
Thanks to Joshua J. Drake, iDefense Labs, and the Samba team for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
| CVE IDs: | CVE-2007-2447 |
| Severity Metric: | 7.44 |
| Date Public: | 2007-05-14 |
| Date First Published: | 2007-05-14 |
| Date Last Updated: | 2008-07-21 17:51 UTC |
| Document Revision: | 42 |