Nmap Development mailing list archives

Re: New Samba remote root vuln (CVE-2012-1182) script idea


From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Wed, 11 Apr 2012 12:22:12 +0200

Hi All,

detecting this vulnerability should be fairly easy. Samba forks for every
user, so crashing one session doesn't crash the whole server.
What could be done here is:
1. Add a function to msrpc.lua to call GetAliasMembership (opnum 0x10)
2. Construct a malformed packet as in the PoC
3. Make a call
4. If the connection hangs, the server is vulnerable

I'm referring to the first PoC exploit. Since apparently that Samba code is
auto-generated, there are a bunch of heap overflows fixed with this patch,
but that first one (ZDI-CAN-1503 from the first set of reproducers) seems
the most straightforward one.

I'm currently away for holiday (Orthodox Easter) but could work on this on
Monday.

Regards,
Aleksandar


On Wed, Apr 11, 2012 at 9:02 AM, Fyodor <fyodor () insecure org> wrote:

Hi folks.  If anyone is in a script-writing mood, I'm sure a detection
(or even exploitation) NSE script for the new Samba bug would be
welcomed by many network administrators and pen testers right about
now :).  Here are some details:

Announcement:
  https://www.samba.org/samba/security/CVE-2012-1182
Bugzilla entry, with proof of concept code:
  https://bugzilla.samba.org/show_bug.cgi?id=8815

I'll add this to the NSE script ideas page[1] too.

Cheers,
Fyodor

[1] https://secwiki.org/w/Nmap_Script_Ideas
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/