Microsoft SMB Client Pool Overflow (MS10-006)

2010.02.16
Credit: Laurent Gaffi, Renaud Feil
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-0016 | CVE-2010-0017
CWE: CWE-20
CWE-362

=============================================================================== Stratsec Security Advisory: SS-2010-003 =============================================================================== Title: Microsoft SMB Client Pool Overflow (MS10-006) Version: 1.0 Issue type: Pool overflow Affected vendor: Microsoft Release date: 09/02/2010 Discovered by: Laurent Gaffi Advisory by: Laurent Gaffi, Renaud Feil Issue status: Patch available =============================================================================== Summary ------- A vulnerability exists in the Microsoft SMB client which allows an attacker to trigger a kernel pool memory corruption by sending a specific 'Negotiate Protocol' response. Successful exploitation of this issue may result in remote code execution with kernel privileges. Failed attempts may result in a remote denial of service. Description ----------- Server Message Block (SMB), also known as Common Internet File System (CIFS) acts as an application-layer protocol to provide shared access to files, printers and Inter-Process-Communication (IPC). It is also a transport for Distributed Computing Environment / Remote Procedure Call (DCE/RPC) operations. When initializing an SMB communication the client sends a 'Negotiate Protocol' packet to negotiate the dialect that will be used for further communication. The server response will contain the following structure: uchar WordCount; /* must be 0x11 (17) */ ushort DialectIndex; /* selected dialect */ uchar SecurityMode; /* security flags */ ushort MaxMpxCount; /* maximum pending multiplexed requests supported*/ ushort MaxNumberVCs; /* maximum virtual connections */ ulong MaxBufferSize; /* maximum SMB message size */ ulong MaxRawSize; /* maximum raw buffer size */ ulong SessionKey; /* unique session identifier */ ulong Capabilities; /* server capabilities */ ulong SystemTimeLow; /* server time - low bytes */ ulong SystemTimeHigh; /* server time - high bytes */ short ServerTimeZone; /* time zone */ uchar EncryptionKeyLength; /* set to 0 or 8 */ The 'MaxBufferSize' field is defined in the 'MSDN Open Specifications Developer Center' as: "MaxBufferSize (4 bytes): Maximum size, in bytes, of the server buffer for sending and receiving SMB messages. This is the size of the largest message that the client may send to the server. This is the size of the buffer used for the SMB message from the start of the SMB header to the end of the packet." By sending a crafted response packet containing a small 'MaxBufferSize' value, it is possible trigger a kernel pool corruption on several Microsoft Windows operating systems. Impact ------ A remote attacker may be able to remotely execute code with kernel privileges on affected Windows systems. It should be noted that user interaction is not necessary for exploitation. NetBIOS Name Service (NBNS) packets can easily be spoofed, or the browser election protocol can be abused to poison the neighbourhood cache. Affected products ----------------- - Microsoft Windows XP, Server 2003 and earlier versions are affected - Microsoft Windows Vista and 7 are affected by a variant of this vulnerability. A race condition in the second negotiation transaction can cause a remote denial of service. See Microsoft advisory for more details: - http://go.microsoft.com/fwlink/?LinkId=178850 Technical details ----------------- The following analysis has been performed on an up-to-date Windows XP SP3 with version 5.1.2600.5700 of the driver mrxsmb.sys. The underlying issue is similar on other affected platforms, but the code path leading to the pool corruption is different. The issue is triggered by sending to the client a 'Negotiate Protocol' response with a small 'MaxBufferSize' value. In the function mrxsmb!SmbCeInitializeExtendedSessionSetupExchange, the SMB client adds 80h to the 'MaxBufferSize' value sent by the server and requests a kernel pool chunk of the corresponding size: kd> u mrxsmb!SmbCeInitializeExtendedSessionSetupExchange+0x65 mrxsmb!SmbCeInitializeExtendedSessionSetupExchange+0x65: f6e30937 51 push ecx ; PoolTag = 0x734b6d53 ('SmKs') f6e30938 0580000000 add eax, 80h ; add 80h to 'MaxBufferSize' value f6e3093d 50 push eax ; Requested size f6e3093e 6a01 push 1 f6e30940 e8ce1dfdff call mrxsmb!_RxAllocatePoolWithTag (f6e02713) The stack trace when the incorrect call to RxAllocatePoolWithTag is performed is shown below : kd> kc rdbss!_RxAllocatePoolWithTag mrxsmb!SmbCeInitializeExtendedSessionSetupExchange+0x73 mrxsmb!SmbCeReferenceSession+0x144 mrxsmb!SmbCeInitiateExchange+0xf5 mrxsmb!SmbCeEstablishConnection+0xaf mrxsmb!MRxSmbCreateVNetRoot+0x15a [...] The SMB client then builds the SESSION_SETUP_ANDX_REQUEST packet that is to be sent back the server. In the function mrxsmb!SmbExtSecuritySessionSetupExchangeStart, the SMB headers are copied starting at offset 80h from the beginning of the previously allocated chunk. The amount of space available is controlled by the 'MaxBufferSize' value sent, and there is no check that the allocated buffer is large enough. Any data copied after 'MaxBufferSize' bytes overwrites the adjacent pool header and data. kd> uf mrxsmb!SmbExtSecuritySessionSetupExchangeStart [...] f6e30813 8bb730010000 mov esi,dword ptr [edi+130h] ; esi = offset 80h ; in allocated buffer f6e30819 c706ff534d42 mov dword ptr [esi],424D53FFh ; create SMB headers f6e3081f c6460918 mov byte ptr [esi+9],18h ; possible out-of- f6e30823 66c7460a03c8 mov word ptr [esi+0Ah],0C803h ; bound write f6e30829 66c7461afffe mov word ptr [esi+1Ah],0FEFFh ; ;(according to 'MaxBufferSize') [...] A carefully crafted SMB response with an appropriate 'MaxBufferSize' field may allow arbitrary code execution. Solution -------- Apply appropriate security patches published by Microsoft related to this issue.Alternatively, block access to network ports 139 and 445 using a host based firewall. Response timeline ----------------- 11/11/2009: Issue discovered. 23/11/2009: Microsoft Security Response Center (MSRC) notified. 23/11/2009: MSRC acknowledges receipt of advisory. 27/11/2009: MSRC confirms the issue on XP and Server 2003. 11/12/2009: MSRC confirms issue across all platforms (2000 SP4 - Windows 7) 11/12/2009: Patch release date agreed as 12/01/2010. 05/01/2010: MSRC delays the patch to 09/02/2010. 30/01/2010: Advisory publication date agreed as 09/02/2010 09/02/2010: Coordinated disclosure. References ---------- * Vendor advisory: http://go.microsoft.com/fwlink/?LinkId=178850 * CVE item: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0016 * CVE item: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0017 =============================================================================== About stratsec -------------- Stratsec, specialises in providing information security consulting and testing services for government and commercial clients. Established in 2004, we are now one of the leading independent information security companies in the Australasian and SE-Asian region, with offices throughout Australia and in Singapore and Malaysia. For more information, please visit our website at http://www.stratsec.net/ =============================================================================== -- Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering. http://www.mailguard.com.au/mg

References:

http://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx
http://blogs.technet.com/srd/archive/2010/02/09/ms10-006-and-ms10-012-smb-security-bulletins.aspx
http://g-laurent.blogspot.com/2010/02/more-details-on-ms10-006.html
http://www.skullsecurity.org/blog/?p=452


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top