# N/A
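## Vulnerability Overview
The smbd component in Samba 3.0.0 through 3.0.25rc3 contains a vulnerability that allows remote attackers to execute arbitrary commands via shell metacharacters passed through specific functions, in particular when the "username map script" smb.conf option is enabled. Remote authenticated users can also execute commands through other MS-RPC functions.
## Affected Versions
- Samba 3.0.0 through 3.0.25rc3
## Vulnerability Details
- **Vulnerability 1**: Shell metacharacters supplied through the `SamrChangePassword` function, with the "username map script" smb.conf option enabled, allow remote attackers to execute arbitrary commands.
- **Vulnerability 2**: Shell metacharacters supplied through other MS-RPC functions in remote printer management allow remote authenticated users to execute commands.
- **Vulnerability 3**: Shell metacharacters supplied through other MS-RPC functions in file share management allow remote authenticated users to execute commands.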
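A defender-side check for the preconditions listed above, as an added example that is not part of the original page: it parses smb.conf using Samba's parameter-name rules (case and embedded whitespace are ignored, a trailing backslash continues a line) and tests a version string against the range the page states. The sample configuration, the script path and the version-string format are assumptions constructed for illustration.

```python
import re

# Constructed sample smb.conf (hypothetical script path, not from a real host).
SAMPLE_SMB_CONF = """\
[global]
   ; username map script = /bin/false
   UserName Map  Script = /etc/samba/scripts/mapusers.sh \\
        --domain WORKGROUP
"""

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} using smb.conf syntax rules."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            # Parameter names ignore case and embedded whitespace.
            current["".join(name.split()).lower()] = value.strip()
    return sections

def version_in_affected_range(version):
    """True for 3.0.0 through 3.0.25rc3, the range this page states."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:(pre|rc)(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognized Samba version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if (major, minor) != (3, 0):
        return False
    if patch != 25:
        return patch < 25
    # Assumption: 3.0.25 "pre" builds precede the rc builds; 3.0.25 final is out of range.
    return m.group(4) == "pre" or (m.group(4) == "rc" and int(m.group(5)) <= 3)

def audit(conf_text, version):
    """Check the two preconditions named above: affected version and a map script."""
    script = parse_smb_conf(conf_text).get("global", {}).get("usernamemapscript")
    affected = version_in_affected_range(version)
    # The authenticated MS-RPC vectors do not depend on the map script option.
    return {"version_affected": affected, "username_map_script": script or None,
            "usermap_vector_exposed": affected and bool(script)}
```

A host that reports `version_affected` as true still needs upgrading even when no map script is configured, because the authenticated MS-RPC paths described above remain.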
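## Impact
This vulnerability allows attackers to execute arbitrary commands on vulnerable Samba versions via shell metacharacters. This may lead to full system compromise, depending on the specific exploitation method and configuration.
Web-class vulnerability: Yes
Rationale: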
| # | POC description | Source link | Shenlong link |
|---|---|---|---|
| 1 | CVE-2007-2447 - Samba usermap script | https://github.com/amriunix/CVE-2007-2447 | POC details |
| 2 | A simple exploit for CVE-2007-2447 | https://github.com/b1fair/smb_usermap | POC details |
| 3 | Remote Command Injection Vulnerability (CVE-2007-2447), allows remote attackers to execute arbitrary commands by specifying a Samba username containing shell meta characters. | https://github.com/JoseBarrios/CVE-2007-2447 | POC details |
| 4 | None | https://github.com/3x1t1um/CVE-2007-2447 | POC details |
| 5 | Exploit for the vulnerability CVE-2007-2447 | https://github.com/xlcc4096/exploit-CVE-2007-2447 | POC details |
| 6 | None | https://github.com/WildfootW/CVE-2007-2447_Samba_3.0.25rc3 | POC details |
| 7 | Python implementation of 'Username' map script' RCE Exploit for Samba 3.0.20 < 3.0.25rc3 (CVE-2007-2447). | https://github.com/Ziemni/CVE-2007-2447-in-Python | POC details |
| 8 | None | https://github.com/0xKn/CVE-2007-2447 | POC details |
| 9 | Exploit Samba | https://github.com/ozuma/CVE-2007-2447 | POC details |
| 10 | Samba 3.0.20 username map script exploit | https://github.com/un4gi/CVE-2007-2447 | POC details |
| 11 | cve-2007-2447 this script was rewrite the part of Metasploit modules to python3 | https://github.com/G01d3nW01f/CVE-2007-2447 | POC details |
| 12 | Samba usermap script. | https://github.com/cherrera0001/CVE-2007-2447 | POC details |
| 13 | CVE-2007-2447 - Samba usermap script | https://github.com/Alien0ne/CVE-2007-2447 | POC details |
| 14 | None | https://github.com/3t4n/samba-3.0.24-CVE-2007-2447-vunerable- | POC details |
| 15 | Exploit code for CVE-2007-2447 written in Python3. | https://github.com/xbufu/CVE-2007-2447 | POC details |
| 16 | None | https://github.com/s4msec/CVE-2007-2447 | POC details |
| 17 | None | https://github.com/0xConstant/CVE-2007-2447 | POC details |
| 18 | CVE-2007-2447 | https://github.com/Nosferatuvjr/Samba-Usermap-exploit | POC details |
| 19 | None | https://github.com/testaross4/CVE-2007-2447 | POC details |
| 20 | CVE-2007-2447 samba remote code execution | https://github.com/mr-l0n3lly/CVE-2007-2447 | POC details |
| 21 | CVE-2007-2447 exploit written in python to get reverse shell | https://github.com/HerculesRD/PyUsernameMapScriptRCE | POC details |
| 22 | automated script for exploiting CVE-2007-2447 | https://github.com/Aviksaikat/CVE-2007-2447 | POC details |
| 23 | None | https://github.com/crypticdante/CVE-2007-2447 | POC details |
| 24 | Exploit I used in HTB | https://github.com/bdunlap9/CVE-2007-2447_python | POC details |
| 25 | Samba 3.0.20 | https://github.com/MikeRega7/CVE-2007-2447-RCE | POC details |
| 26 | Samba Reverse Shell | https://github.com/0xTabun/CVE-2007-2447 | POC details |
| 27 | None | https://github.com/ShivamDey/Samba-CVE-2007-2447-Exploit | POC details |
| 28 | None | https://github.com/H3xL00m/CVE-2007-2447 | POC details |
| 29 | None | https://github.com/n3ov4n1sh/CVE-2007-2447 | POC details |
| 30 | Samba 3.0.0 - 3.0.25rc3 | https://github.com/Juantos/cve-2007-2447 | POC details |
| 31 | None | https://github.com/c0d3cr4f73r/CVE-2007-2447 | POC details |
| 32 | Exploit Samba smbd 3.0.20-Debian | https://github.com/Sp3c73rSh4d0w/CVE-2007-2447 | POC details |
| 33 | This is an exploit for CVE-2007-2447; Vulnerable SMB | https://github.com/IamLucif3r/CVE-2007-2447-Exploit | POC details |
| 34 | Exploit Samba smbd 3.0.20-Debian | https://github.com/0xwh1pl4sh/CVE-2007-2447 | POC details |
| 35 | Exploit Samba smbd 3.0.20-Debian | https://github.com/N3rdyN3xus/CVE-2007-2447 | POC details |
| 36 | Exploit Samba smbd 3.0.20-Debian | https://github.com/NyxByt3/CVE-2007-2447 | POC details |
| 37 | Exploit Samba smbd 3.0.20-Debian | https://github.com/h3xcr4ck3r/CVE-2007-2447 | POC details |
| 38 | Exploit Samba smbd 3.0.20-Debian | https://github.com/n3rdh4x0r/CVE-2007-2447 | POC details |
| 39 | None | https://github.com/banomaly/CVE-2007-2447 | POC details |
| 40 | None | https://github.com/foudadev/CVE-2007-2447 | POC details |
| 41 | CVE-2007-2447 samba remote code execution | https://github.com/b3m0x00/CVE-2007-2447 | POC details |
| 42 | CVE-2007-2447 samba remote code execution | https://github.com/b33m0x00/CVE-2007-2447 | POC details |
| 43 | None | https://github.com/elphon/CVE-2007-2447-Exploit | POC details |
| 44 | Exploit Samba smbd 3.0.20-Debian | https://github.com/h3x0v3rl0rd/CVE-2007-2447 | POC details |
| 45 | None | https://github.com/DevinLiggins14/SMB-PenTest-Exploiting-CVE-2007-2447-on-Metasploitable-2 | POC details |
| 46 | just remember how small mistake in sanitize username could give you root access to the full machine | https://github.com/MrRoma577/exploit_cve-2007-2447_again | POC details |
| 47 | A Rust implementation of the CVE-2007-2447 exploit targeting Samba smbd 3.0.20-Debian. | https://github.com/nika0x38/CVE-2007-2447 | POC details |
| 48 | Hands-on pentest project using Kali Linux vs Metasploitable2. Includes full workflow: Nmap scanning, enumeration, Metasploit exploitation (Samba CVE-2007-2447), post-exploitation validation, and mitigation steps. Repo contains commands, outputs, and report showing both offensive techniques and defensive recommendations. | https://github.com/SeifEldienAhmad/Penetration-Testing-on-Metasploitable2 | POC details |
| 49 | None | https://github.com/nulltrace1336/Samba-Exploit-CVE-2007-2447 | POC details |
| 50 | None | https://github.com/abdulsaabir/CVE-2007-2447 | POC details |
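Title: 404 Not Found -- 🔗 Source link
Tags: vendor-advisory, x_refsource_APPLE
Shenlong quick read:
The key information about the vulnerability obtained from this webpage screenshot is as follows:
- **HTTP Status Code**: 404 Not Found
The page shows a "Not Found" error message, indicating that the server could not find the requested resource.
- **Message**:
- The requested URL was not found on this server.
The server explicitly states that the requested URL does not exist on the server.
- **Potential Vulnerability**:
- **Information Disclosure**: Although this is a standard 404 error message, it gives exact information that the requested resource was not found. An attacker might use this to infer which resources exist and which do not.
- **Directory Structure Inference**: If an attacker tries many different URL paths, they might infer the website's directory structure.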
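Title: 404 Not Found -- 🔗 Source link
Tags: vdb-entry, signature, x_refsource_OVAL
Shenlong quick read:
The following key information about the vulnerability can be obtained from this webpage screenshot: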
- **Error Code**: NoSuchKey
- **Message**: The specified key does not exist.
- **Key**: repository/search/definition/oval:org.mitre.oval:def:10062
- **RequestId**: 634HT2TRPPJXGBV1
- **HostId**: Hwp1gmGJOjluQ2Yd4tOBPk1uqgO4lVlBmyzqhh+/FhRhnNQci1VwT1xbdFwH8QEn6LQ/tqfPpuxEeYAFQnW9E3dAAHuLW+Ax
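From this information, the following can be inferred:
- **Vulnerability type**: An attempt to access a nonexistent resource or key, which may be related to resource management or permission settings.
- **Specific key**: Points to `oval:org.mitre.oval:def:10062`, which may be an OVAL definition ID defining a specific vulnerability or configuration check, but this ID does not exist on the target system.
- **RequestId and HostId**: These unique identifiers help trace the specific request and host, which aids log analysis and troubleshooting.
This key information can help security analysts further investigate the source and scope of the vulnerability.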