Home page logo
  • Nmap Security Scanner
  • Security Lists
  • Security Tools
  • Site News
  • Advertising
  • About/Contact
  • Sponsors:



/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


File samba-vuln-cve-2012-1182

Script types: hostrule
Categories: vuln, intrusive
Download: http://nmap.org/svn/scripts/samba-vuln-cve-2012-1182.nse

User Summary

Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.

Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection.

CVE-2012-1182 marks multiple heap overflow vulnerabilities located in PIDL based autogenerated code. This check script is based on PoC by ZDI marked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray function where an attacker is under control of num_sids and can cause insuficient memory to be allocated, leading to heap buffer overflow and posibility of remote code execution.

Script builds a malitious packet and makes a SAMR GetAliasMembership call which triggers the vulnerability. On the vulnerable system, connection is droped and result is "Failed to receive bytes after 5 attempts". On patched system, samba throws an error and result is "MSRPC call returned a fault (packet type)".

References:

Script Arguments

vulns.showall

See the documentation for the vulns library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage 

nmap --script=samba-vuln-cve-2012-1182  -p 139 <target>

Script Output 

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| samba-vuln-cve-2012-1182: 
|   VULNERABLE:
|   SAMBA remote heap overflow
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-1182
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|     Description:
|       Samba versions 3.6.3 and all versions previous to this are affected by
|       a vulnerability that allows remote code execution as the "root" user
|       from an anonymous connection.
|       
|     Disclosure date: 2012-03-15
|     References:
|       http://www.samba.org/samba/security/CVE-2012-1182
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182

Requires

Author: Aleksandar Nikolic

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]