2

I have a CentOS server that is running Samba and I want to verify the vulnerability addressed by CVE-2008-1105.

What scenarios can I build in order to run the exploit that is mentioned in http://secunia.com/advisories/cve_reference/CVE-2008-1105/?

http://secunia.com/secunia_research/2008-20/advisory/ says that "Successful exploitation allows execution of arbitrary code by tricking a user into connecting to a malicious server (e.g. by clicking an "smb://" link) or by sending specially crafted packets to an "nmbd" server configured as a local or domain master browser."

More info:

http://www.samba.org/samba/security/CVE-2008-1105.html

http://secunia.com/secunia_research/2008-20/advisory/

Joao Heleno

1 Answer

2

The fastest way to check if a package contains a fix for a CVE vulnerability is to look at the changelog of the RPM:

[root@test001 ~]# rpm -q --changelog samba| grep CVE-2008-1105
- Security fix for CVE-2008-1105
- resolves: CVE-2008-1105

Browsing through the changelog with less shows the fix in context:

* Sat May 17 2008 Simo Sorce <ssorce@redhat.com> 3.0.28-1.el5_2.1
- Security fix for CVE-2008-1105
- Fix join verification
- Fix smb signing
- resolves: CVE-2008-1105
- resolves: #447380
- resolves: #444637

So the fix happened on May 17 2008.

As for building scenarios to test or exploit it, you probably need to get on some security research forums.

This was from samba 3.0.33-3.14 on a RedHat 5U4 system.

# rpm -q samba
samba-3.0.33-3.14.el5

Without turning yourself into a security researcher and writing your own exploit, there are free tools like metasploit http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html that have put a browser interface round a lot of exploits, making them easy to use. You can turn these against your own systems in a lab environment. I think metasploit even lets you write exploit 'plugins'.

gm3dmo
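Automating the changelog check from this answer, as an added example that is not part of the original post: it assumes the `rpm -q --changelog` entry format shown above (headers starting with `* <date> <packager> <version-release>`), runs against a constructed sample changelog, and the `check_installed` helper is hypothetical and only works on a host with rpm.

```shell
#!/bin/sh
# Added example: locate the RPM changelog entry that mentions a given CVE,
# so a defender can record which package build and date addressed it.

# cve_fix_entry CVE-ID   (changelog text on stdin)
# Prints the header of the newest entry mentioning the CVE and exits 0;
# prints nothing and exits 1 when no entry mentions it.
cve_fix_entry() {
    awk -v cve="$1" '
        /^\* / { hdr = $0; next }                        # remember current entry header
        index($0, cve) && hdr != "" { print hdr; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# header_version   (entry header on stdin) -> version-release, the last field
header_version() {
    awk '{ print $NF }'
}

# Hypothetical live check against the installed package; needs rpm.
# Usage: check_installed samba CVE-2008-1105
check_installed() {
    hdr=$(rpm -q --changelog "$1" | cve_fix_entry "$2") || {
        echo "$1: no changelog entry mentions $2"; return 1; }
    echo "$1: $2 addressed in $(printf '%s\n' "$hdr" | header_version) ($hdr)"
}

# Constructed sample changelog, modelled on the entry quoted in the answer;
# the surrounding entries are invented to show that the right one is picked.
SAMPLE_CHANGELOG='* Tue Jun 10 2008 Example Packager <pkg@example.invalid> 3.0.28-1.el5_2.2
- Rebuild, no security content
* Sat May 17 2008 Simo Sorce <ssorce@redhat.com> 3.0.28-1.el5_2.1
- Security fix for CVE-2008-1105
- Fix join verification
- resolves: CVE-2008-1105
* Wed Mar 12 2008 Example Packager <pkg@example.invalid> 3.0.28-0.el5
- Initial build'

# Demo on the constructed sample: prints the May 17 2008 header.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_entry CVE-2008-1105
```

On a real host, `check_installed samba CVE-2008-1105` gives the same answer as the manual `rpm -q --changelog samba | grep` above, plus the version-release that carried the fix.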