Credit:
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
Vulnerable Systems:
* Samba version 3.0.24.
* Previous versions of Samba release 3 may be vulnerable.
* Release version 2 and below did not have this feature.
The vulnerability exists within the code responsible for updating a user's password in the SAM database: unfiltered user input is passed to "/bin/sh".
Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands with the privileges of the nobody user.
An important mitigating factor is that this vulnerability occurs within a non-default configuration of Samba. Specifically, the 'username map script' option must be defined in the smb.conf file.
Valid credentials are not needed to exploit this vulnerability. Successfully changing a password requires the original password, but the vulnerability can be triggered whether or not the password change attempt succeeds.
Workaround:
Removing the 'username map script' option from the smb.conf file will prevent this vulnerability from being triggered.
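To check whether a host is in the affected non-default configuration, the following added example (not part of the iDefense advisory or of Samba) reports every active 'username map script' setting in smb.conf text. It assumes the smb.conf(5) syntax rules (parameter names ignore case and whitespace, lines starting with # or ; are comments, a trailing backslash continues a line), does not follow included files, and uses a constructed sample configuration.

```python
import re

TARGET = "usernamemapscript"  # parameter name with case and whitespace removed

# Constructed sample smb.conf, not taken from the advisory.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; username map script = /bin/echo
   UserName Map  Script = /usr/local/bin/mapusers.sh \\
        --verbose
[share]
   path = /srv/share
"""

def logical_lines(text):
    """Yield (first_line_no, text), joining lines that end in a backslash.
    Comment lines are never joined, so a setting cannot hide behind one."""
    buf, start = None, 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if buf is None:
            buf, start = "", num
            comment = line.lstrip()[:1] in ("#", ";")
        if line.endswith("\\") and not comment:
            buf += line[:-1]
            continue
        yield start, buf + line
        buf = None
    if buf is not None:
        yield start, buf

def find_username_map_script(text):
    """Return [(line_no, section, value)]; an empty value counts as unset."""
    hits, section = [], None
    for num, line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep and re.sub(r"\s+", "", name).lower() == TARGET and value.strip():
            hits.append((num, section, value.strip()))
    return hits

if __name__ == "__main__":
    for num, section, value in find_username_map_script(SAMPLE):
        print(f"line {num} [{section}]: username map script = {value}")
```

An empty result means the workaround is already in effect for that file; any hit is a line to remove.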
CVE Information:
CVE-2007-2447
Disclosure Timeline:
* 05/07/2007 Initial vendor notification
* 05/07/2007 Initial vendor response
* 05/14/2007 Coordinated public disclosure