>> Samba VFS Plugin Format String and Winbind Library Buffer Overflow Vulnerabilities
Title : Samba VFS Plugin Format String and Winbind Library Buffer Overflow Vulnerabilities VUPEN ID : VUPEN/ADV-2007-0483 CVE ID : CVE-2007-0452 - CVE-2007-0453 - CVE-2007-0454
Rated as : Moderate Risk
Remotely Exploitable : Yes Locally Exploitable : Yes Release Date : 2007-02-06
Technical Description
Multiple vulnerabilities have been identified in Samba, which could be exploited by attackers to execute arbitrary commands or cause a denial of service.
The first issue is due to a format string error in the "afs_set_nt_acl()" [modules/vfs_afsacl.c] function when handling malformed filenames, which could be exploited by an attacker who is able to write to a share linked against an affected library to execute arbitrary commands.
The second vulnerability is due to a buffer overflow error in the "_nss_winbind_ipnodes_getbyname()" and "_nss_winbind_hosts_getbyname()" [nsswitch/winbind_nss_solaris.c] functions when sending certain requests to the winbindd daemon, which could be exploited by attackers to execute arbitrary commands.
The third issue is due to an error in the Samba file server daemon (smbd) that fails to properly remove certain requests from the queue, which could be exploited by authenticated attackers to cause a denial of service by opening multiple CIFS sessions.
