Rule: -- Sid: 2598 -- Summary: This event is generated when an attempt is made to exploit a buffer overrun condition in the Samba Web Administration Tool (SWAT). -- Impact: Remote execution of arbitrary code. -- Detailed Information: A vulnerability exists in SWAT that may present an attacker with the opportunity to execute code of their choosing on an affected host. The problem lies in an the functions that handle base64 decoding during HTTP basic authentication. Exploitation of this vulnerability may present the attacker with the opportunity to gain control of the affected system. -- Affected Systems: Versions of Samba greater than or equal to 3.0.2 and less than 3.0.5 -- Attack Scenarios: An attcker needs to make a specially crafted request to the SWAT service that could contain harmful code to gain further access to the system. -- Ease of Attack: Simple -- False Positives: None known. -- False Negatives: None known. -- Corrective Action: Apply the appropriate vendor supplied patches -- Contributors: Sourcefire Research Team Matt Watchinski <mwatchinski@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0600 Bugtraq: http://www.securityfocus.com/bid/10780 --