Vulnerability details: VCID-d1dc-wf94-aaah
Vulnerability ID VCID-d1dc-wf94-aaah
Aliases CVE-2007-2446
Summary Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
System Score Found at
generic_textual MODERATE http://docs.info.apple.com/article.html?artnum=306172
generic_textual MODERATE http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
rhas Critical https://access.redhat.com/errata/RHSA-2007:0354
epss 0.79314 https://api.first.org/data/v1/epss?cve=CVE-2007-2446
epss 0.79794 https://api.first.org/data/v1/epss?cve=CVE-2007-2446
epss 0.80967 https://api.first.org/data/v1/epss?cve=CVE-2007-2446
epss 0.81225 https://api.first.org/data/v1/epss?cve=CVE-2007-2446
epss 0.81538 https://api.first.org/data/v1/epss?cve=CVE-2007-2446
epss 0.82516 https://api.first.org/data/v1/epss?cve=CVE-2007-2446
epss 0.87169 https://api.first.org/data/v1/epss?cve=CVE-2007-2446
epss 0.96477 https://api.first.org/data/v1/epss?cve=CVE-2007-2446
rhbs high https://bugzilla.redhat.com/show_bug.cgi?id=239429
cvssv2 10.0 https://nvd.nist.gov/vuln/detail/CVE-2007-2446
generic_textual MODERATE http://www.securityfocus.com/bid/25159
Reference id Reference type URL
http://docs.info.apple.com/article.html?artnum=306172
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01067768
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01078980
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html
http://lists.suse.com/archive/suse-security-announce/2007-May/0006.html
http://osvdb.org/34699
http://osvdb.org/34731
http://osvdb.org/34733
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-2446.json
https://api.first.org/data/v1/epss?cve=CVE-2007-2446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2446
http://secunia.com/advisories/25232
http://secunia.com/advisories/25241
http://secunia.com/advisories/25246
http://secunia.com/advisories/25251
http://secunia.com/advisories/25255
http://secunia.com/advisories/25256
http://secunia.com/advisories/25257
http://secunia.com/advisories/25259
http://secunia.com/advisories/25270
http://secunia.com/advisories/25289
http://secunia.com/advisories/25391/
http://secunia.com/advisories/25567
http://secunia.com/advisories/25675
http://secunia.com/advisories/25772
http://secunia.com/advisories/26235
http://secunia.com/advisories/26909
http://secunia.com/advisories/27706
http://secunia.com/advisories/28292
http://security.gentoo.org/glsa/glsa-200705-15.xml
http://securityreason.com/securityalert/2702
https://exchange.xforce.ibmcloud.com/vulnerabilities/34309
https://exchange.xforce.ibmcloud.com/vulnerabilities/34311
https://exchange.xforce.ibmcloud.com/vulnerabilities/34312
https://exchange.xforce.ibmcloud.com/vulnerabilities/34314
https://exchange.xforce.ibmcloud.com/vulnerabilities/34316
https://issues.rpath.com/browse/RPL-1366
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.475906
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11415
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200588-1
http://www.debian.org/security/2007/dsa-1291
http://www.kb.cert.org/vuls/id/773720
http://www.mandriva.com/security/advisories?name=MDKSA-2007:104
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.012.html
http://www.osvdb.org/34732
http://www.redhat.com/support/errata/RHSA-2007-0354.html
http://www.samba.org/samba/security/CVE-2007-2446.html
http://www.securityfocus.com/archive/1/468542/100/0/threaded
http://www.securityfocus.com/archive/1/468670/100/0/threaded
http://www.securityfocus.com/archive/1/468672/100/0/threaded
http://www.securityfocus.com/archive/1/468673/100/0/threaded
http://www.securityfocus.com/archive/1/468674/100/0/threaded
http://www.securityfocus.com/archive/1/468675/100/0/threaded
http://www.securityfocus.com/archive/1/468680/100/0/threaded
http://www.securityfocus.com/bid/23973
http://www.securityfocus.com/bid/24195
http://www.securityfocus.com/bid/24196
http://www.securityfocus.com/bid/24197
http://www.securityfocus.com/bid/24198
http://www.securityfocus.com/bid/25159
http://www.securitytracker.com/id?1018050
http://www.trustix.org/errata/2007/0017/
http://www.ubuntu.com/usn/usn-460-1
http://www.vupen.com/english/advisories/2007/1805
http://www.vupen.com/english/advisories/2007/2079
http://www.vupen.com/english/advisories/2007/2210
http://www.vupen.com/english/advisories/2007/2281
http://www.vupen.com/english/advisories/2007/2732
http://www.vupen.com/english/advisories/2007/3229
http://www.vupen.com/english/advisories/2008/0050
http://www.xerox.com/downloads/usa/en/c/cert_XRX08_001.pdf
http://www.zerodayinitiative.com/advisories/ZDI-07-029.html
http://www.zerodayinitiative.com/advisories/ZDI-07-030.html
http://www.zerodayinitiative.com/advisories/ZDI-07-031.html
http://www.zerodayinitiative.com/advisories/ZDI-07-032.html
http://www.zerodayinitiative.com/advisories/ZDI-07-033.html
239429 https://bugzilla.redhat.com/show_bug.cgi?id=239429
cpe:2.3:a:samba:samba:3.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.10:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.11:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.11:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.12:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.12:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.13:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.13:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.14:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.14:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.14a:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.14a:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.15:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.15:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.16:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.16:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.17:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.17:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.18:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.18:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.19:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.19:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.20:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.20:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.20a:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.20a:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.20b:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.20b:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.21:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.21:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.21a:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.21a:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.21b:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.21b:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.21c:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.21c:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.22:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.22:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.23:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.23:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.23a:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.23a:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.23b:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.23b:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.23c:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.23c:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.23d:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.23d:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.24:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.24:*:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.25:pre1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.25:pre1:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.25:pre2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.25:pre2:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.25:rc1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.25:rc1:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.25:rc2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.25:rc2:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.25:rc3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.25:rc3:*:*:*:*:*:*
cpe:2.3:a:samba:samba:3.0.2a:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:samba:3.0.2a:*:*:*:*:*:*:*
CVE-2007-2446 https://nvd.nist.gov/vuln/detail/CVE-2007-2446
CVE-2007-2446;OSVDB-34699 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/16859.rb
CVE-2007-2446;OSVDB-34699 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/remote/9950.rb
CVE-2007-2446;OSVDB-34699 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/osx/remote/16875.rb
CVE-2007-2446;OSVDB-34699 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/solaris/remote/16329.rb
GLSA-200705-15 https://security.gentoo.org/glsa/200705-15
RHSA-2007:0354 https://access.redhat.com/errata/RHSA-2007:0354
USN-460-1 https://usn.ubuntu.com/460-1/
Data source Exploit-DB
Date added April 5, 2010
Description Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)
Ransomware campaign use Known
Source publication date April 5, 2010
Exploit type remote
Platform solaris
Source update date Dec. 1, 2016
Data source Metasploit
Description This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".
Note
Stability:
  - crash-service-restarts
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date May 14, 2007
Platform Solaris
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/solaris/samba/lsa_transnames_heap.rb
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2007-2446
Exploit Prediction Scoring System (EPSS)
Percentile 0.99014
EPSS Score 0.79314
Published At March 28, 2025, 12:55 p.m.