Categories: vuln, intrusive
Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.
Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection.
CVE-2012-1182 marks multiple heap overflow vulnerabilities located in PIDL based autogenerated code. This check script is based on PoC by ZDI marked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray function where an attacker is under control of num_sids and can cause insufficient memory to be allocated, leading to heap buffer overflow and possibility of remote code execution.
Script builds a malicious packet and makes a SAMR GetAliasMembership call which triggers the vulnerability. On the vulnerable system, connection is dropped and result is "Failed to receive bytes after 5 attempts". On patched system, samba throws an error and result is "MSRPC call returned a fault (packet type)".
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
randomseed, smbbasic, smbport, smbsignSee the documentation for the smb library.
vulns.short, vulns.showallSee the documentation for the vulns library.
nmap --script=samba-vuln-cve-2012-1182 -p 139 <target>
PORT STATE SERVICE 139/tcp open netbios-ssn Host script results: | samba-vuln-cve-2012-1182: | VULNERABLE: | SAMBA remote heap overflow | State: VULNERABLE | IDs: CVE:CVE-2012-1182 | Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Description: | Samba versions 3.6.3 and all versions previous to this are affected by | a vulnerability that allows remote code execution as the "root" user | from an anonymous connection. | | Disclosure date: 2012-03-15 | References: | http://www.samba.org/samba/security/CVE-2012-1182 |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
License: Same as Nmap--See https://nmap.org/book/man-legal.html