
File samba-vuln-cve-2012-1182

Script rule type: hostrule
Script categories: vuln, intrusive
Script download: http://nmap.org/svn/scripts/samba-vuln-cve-2012-1182.nse

User Summary

Checks if target machines are vulnerable to the Samba heap overflow vulnerability CVE-2012-1182.

Samba versions 3.6.3 and all versions previous to this are affected by a vulnerability that allows remote code execution as the "root" user from an anonymous connection.

CVE-2012-1182 covers multiple heap overflow vulnerabilities in the PIDL-generated (autogenerated from IDL) RPC marshalling code. This check is based on the ZDI proof of concept tracked as ZDI-CAN-1503. The specific bug exercised lies in the ndr_pull_lsa_SidArray function: the attacker controls num_sids, so the generated code can be made to allocate insufficient memory for the array it then fills, leading to a heap buffer overflow and possible remote code execution.

The script builds a malicious packet and makes a SAMR GetAliasMembership call that triggers the vulnerability. On a vulnerable system the connection is dropped and the result is "Failed to receive bytes after 5 attempts". On a patched system Samba rejects the request with a fault and the result is "MSRPC call returned a fault (packet type)". Note that the check actually triggers the overflow (which is why the connection drops on a vulnerable host) rather than inferring the state from a version banner, hence the intrusive category.
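To make the mechanism described above concrete, the following is a constructed C model of the bug class, added here as an example; it is not Samba's, PIDL's, or the NSE script's code. The wire layout is a deliberately simplified stand-in for lsa_SidArray (num_sids, a referent id, a conformant array size, then one 32-bit element per SID; real SIDs are variable-length and sit behind further pointers). The element store is routed through a helper that counts out-of-bounds writes instead of performing them, so the "vulnerable" path can run under a test harness; in generated code the store is a plain `r->sids[i] = ...` and corrupts the heap. The placement of the late consistency check in the vulnerable path is the model's assumption about the bug pattern, not a quote of the original generated code.

```c
/*
 * Model of the inconsistent-length pattern behind CVE-2012-1182.
 * Constructed example; not Samba, PIDL or NSE code.
 *
 * Simplified wire format (little-endian u32 fields, an assumption of this model):
 *   num_sids | referent id | conformant array size | size-many u32 "SIDs"
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ndr_err { NDR_OK = 0, NDR_ERR_BUFSIZE, NDR_ERR_ARRAY_SIZE, NDR_ERR_ALLOC };

struct ndr_pull { const uint8_t *data; size_t len; size_t off; };

/* cap and oob_writes are instrumentation for the model, not protocol fields. */
struct sid_array {
    uint32_t num_sids;   /* count taken from the struct header (attacker controlled) */
    uint32_t *sids;
    uint32_t cap;        /* elements actually allocated (from the array header) */
    uint32_t oob_writes; /* stores that fell outside the allocation */
};

static enum ndr_err pull_u32(struct ndr_pull *n, uint32_t *v)
{
    if (n->len - n->off < 4) return NDR_ERR_BUFSIZE; /* never read past the packet */
    *v = (uint32_t)n->data[n->off] | (uint32_t)n->data[n->off + 1] << 8 |
         (uint32_t)n->data[n->off + 2] << 16 | (uint32_t)n->data[n->off + 3] << 24;
    n->off += 4;
    return NDR_OK;
}

/* In generated code this is r->sids[i] = v with no bound; here we count instead of corrupt. */
static void store_sid(struct sid_array *r, uint32_t i, uint32_t v)
{
    if (i < r->cap) r->sids[i] = v;
    else r->oob_writes++;
}

enum ndr_err pull_sid_array(const uint8_t *buf, size_t len, bool hardened, struct sid_array *r)
{
    struct ndr_pull n = { buf, len, 0 };
    uint32_t referent, array_size;
    enum ndr_err e;

    memset(r, 0, sizeof(*r));
    if ((e = pull_u32(&n, &r->num_sids)) != NDR_OK) return e;
    if ((e = pull_u32(&n, &referent)) != NDR_OK) return e;
    if (referent == 0) return NDR_OK;                        /* NULL pointer: no array follows */
    if ((e = pull_u32(&n, &array_size)) != NDR_OK) return e; /* also attacker controlled */

    /* Patched behaviour: the two lengths must agree BEFORE anything is allocated or filled. */
    if (hardened && array_size != r->num_sids) return NDR_ERR_ARRAY_SIZE;

    /* Allocation is sized by the conformant array header... */
    r->sids = calloc(array_size ? array_size : 1, sizeof(uint32_t));
    if (r->sids == NULL) return NDR_ERR_ALLOC;
    r->cap = array_size;

    /* ...but the fill loop is bounded by num_sids. With num_sids > array_size the loop
       keeps pulling elements from the wire and writing past the end of the buffer. */
    for (uint32_t i = 0; i < r->num_sids; i++) {
        uint32_t v;
        if ((e = pull_u32(&n, &v)) != NDR_OK) return e;
        store_sid(r, i, v);
    }

    /* Vulnerable path: a consistency check that runs only after the data has been
       written (model's assumption of the bug pattern) catches the mismatch too late. */
    if (array_size != r->num_sids) return NDR_ERR_ARRAY_SIZE;
    return NDR_OK;
}

void free_sid_array(struct sid_array *r)
{
    free(r->sids);
    r->sids = NULL;
    r->cap = 0;
}

static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Builds a constructed packet with the given header counts and n_elems elements; returns its length. */
size_t build_packet(uint8_t *out, uint32_t num_sids, uint32_t array_size, uint32_t n_elems)
{
    put_u32(out, num_sids);
    put_u32(out + 4, 0x20000);       /* non-NULL referent id */
    put_u32(out + 8, array_size);
    for (uint32_t i = 0; i < n_elems; i++) put_u32(out + 12 + 4 * i, 0x500 + i);
    return 12 + 4 * (size_t)n_elems;
}

int main(void)
{
    uint8_t buf[64];
    struct sid_array r;
    /* Malicious: num_sids says 8, the array header says 2, and 8 elements are on the wire. */
    size_t n = build_packet(buf, 8, 2, 8);

    enum ndr_err e = pull_sid_array(buf, n, false, &r);
    printf("vulnerable: err=%d cap=%u oob_writes=%u\n", e, r.cap, r.oob_writes);
    free_sid_array(&r);

    e = pull_sid_array(buf, n, true, &r);
    printf("hardened:   err=%d cap=%u oob_writes=%u\n", e, r.cap, r.oob_writes);
    free_sid_array(&r);
    return 0;
}
```

The point the model makes is about ordering: both paths eventually notice that num_sids and the array size disagree, but only the hardened path does so before the allocation is sized and the fill loop runs, which is the difference between a rejected request (the "MSRPC call returned a fault" result on a patched host) and a heap overflow (the dropped connection on a vulnerable one).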

References:

http://www.samba.org/samba/security/CVE-2012-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182

Script Arguments

vulns.showall

See the documentation for the vulns library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

Command format

nmap --script=samba-vuln-cve-2012-1182  -p 139 <target>

Script Output

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| samba-vuln-cve-2012-1182: 
|   VULNERABLE:
|   SAMBA remote heap overflow
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-1182
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|     Description:
|       Samba versions 3.6.3 and all versions previous to this are affected by
|       a vulnerability that allows remote code execution as the "root" user
|       from an anonymous connection.
|       
|     Disclosure date: 2012-03-15
|     References:
|       http://www.samba.org/samba/security/CVE-2012-1182
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182

Requires


Author: Aleksandar Nikolic

License: Same as Nmap--See http://nmap.org/book/man-legal.html

Page compiled by VER007, http://www.ver007.com