Categories: vuln, intrusive
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection.
CVE-2012-1182 marks multiple heap overflow vulnerabilities located in PIDL based autogenerated code. This check script is based on PoC by ZDI marked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray function where an attacker is under control of num_sids and can cause insufficient memory to be allocated, leading to heap buffer overflow and possibility of remote code execution.
Script builds a malicious packet and makes a SAMR GetAliasMembership call which triggers the vulnerability. On the vulnerable system, connection is dropped and result is "Failed to receive bytes after 5 attempts". On patched system, samba throws an error and result is "MSRPC call returned a fault (packet type)".
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
nmap --script=samba-vuln-cve-2012-1182 -p 139 <target>
PORT STATE SERVICE 139/tcp open netbios-ssn Host script results: | samba-vuln-cve-2012-1182: | VULNERABLE: | SAMBA remote heap overflow | State: VULNERABLE | IDs: CVE:CVE-2012-1182 | Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Description: | Samba versions 3.6.3 and all versions previous to this are affected by | a vulnerability that allows remote code execution as the "root" user | from an anonymous connection. | | Disclosure date: 2012-03-15 | References: | http://www.samba.org/samba/security/CVE-2012-1182 |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
License: Same as Nmap--See https://nmap.org/book/man-legal.html