{"vuid":"VU#773720","idnumber":"773720","name":"Samba NDR MS-RPC heap buffer overflow","keywords":["Samba","memory corruption","arbitrary code execution","NDR","MS-RPC","samba-3.0.25","apple_2007-007"],"overview":"Samba fails to properly handle malformed MS-RPC packets. Exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.","clean_desc":"Samba is a widely used open-source implementation of Server Message Block (SMB)/Common Internet File System (CIFS). Network Data Representation (NDR) is the scheme to encode MS-RPC data for transport. Samba fails to properly validate MS-RPC packets. Specifically, Samba's NDR functions do not properly validate arguments supplied to memory allocation routines. This results in a buffer of insufficient size being allocated. When data is copied to this buffer, a heap-based buffer overflow may occur. More information is available in Samba's Security Announcement.","impact":"A remote attacker may be able to execute arbitrary code.","resolution":"Apply a patch or upgrade\nThese vulnerabilities are addressed in Samba version 3.0.25. In addition, patches are available to address this vulnerability in Samba version 3.0.24. Refer to the Samba Security Releases website for more information. Administrators who get Samba from their operating system vendor should see the systems affected portion of this document for a list of affected vendors.","workarounds":"","sysaffected":"","thanks":"This vulnerability was reported by the Samba Team. Samba, in turn credits Brian Schafer of TippingPoint.","author":"This document was written by Jeff Gennari.","public":["http://samba.org/samba/security/CVE-2007-2446.html","http://samba.org/samba/history/security.html","http://www.samba.org/samba/history/samba-3.0.25.html","http://secunia.com/advisories/25232/","http://www.zerodayinitiative.com/advisories/ZDI-07-029.html","http://www.zerodayinitiative.com/advisories/ZDI-07-030.html","http://www.zerodayinitiative.com/advisories/ZDI-07-031.html","http://www.zerodayinitiative.com/advisories/ZDI-07-032.html","http://www.zerodayinitiative.com/advisories/ZDI-07-033.html","http://www.iss.net/threats/266.html","http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1","http://docs.info.apple.com/article.html?artnum=306172"],"cveids":["CVE-2007-2446"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2007-05-14T17:10:46Z","publicdate":"2007-05-14T00:00:00Z","datefirstpublished":"2007-05-14T19:39:07Z","dateupdated":"2007-08-08T17:39:34Z","revision":34,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"4","cam_widelyknown":"8","cam_exploitation":"0","cam_internetinfrastructure":"7","cam_population":"16","cam_impact":"17","cam_easeofexploitation":"10","cam_attackeraccessrequired":"10","cam_scorecurrent":"7.65","cam_scorecurrentwidelyknown":"13.77","cam_scorecurrentwidelyknownexploited":"23.97","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":7.65,"vulnote":null}