-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Microsoft Windows SMB 2.0 "srv2.sys" remote code execution vulnerability
http://www.cert-in.org.in/vulnerability/civn-2009-114.htm
Original Issue Date: September 10, 2009
Severity Rating: High
System Affected
*Windows Vista SP2 and prior
*Windows Vista x64 Edition SP2 and prior
*Windows Server 2008 for 32-bit Systems SP2 and prior
*Windows Server 2008 for 64-bit Systems SP2 and prior
*Windows Server 2008 for Itanium-based Systems SP2 and prior
Overview
A zero-day vulnerability has been reported in the Microsoft Server Message
Block (SMB) implementation. Successful exploitation allows an unauthenticated
remote attacker to execute arbitrary code on affected systems with full
administrative rights, or causes the operating system to stop responding
(a Blue Screen of Death, BSOD) and restart.
Description
Microsoft Server Message Block (SMB) is the network file sharing protocol
used in Microsoft Windows. SMB 2.0 was introduced with Windows Vista.
The vulnerability is due to an array index error in the kernel driver
srv2.sys. A remote attacker can cause a denial of service (system crash) via
an "&" (ampersand) character in the Process ID High header field of a
NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of
an out-of-bounds memory location. (The NEGOTIATE PROTOCOL REQUEST is the first
SMB message a client sends to an SMB server; it is used to identify the SMB
dialect that will be used for further communication.) Successful exploitation
leads to code execution with SYSTEM-level privileges, and failed exploit
attempts lead to denial-of-service conditions.
NOTE:
File sharing must be enabled to exploit this vulnerability.
Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not
affected, nor are Windows Vista systems whose network profile is set to
"Public".
Proof-of-concept exploit code is publicly available.
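As an added example (not part of the CERT-In advisory), the following detector inspects NetBIOS-framed SMB headers and flags the anomaly the Description section names: a NEGOTIATE PROTOCOL REQUEST whose Process ID High field is non-zero. It generalizes slightly beyond the advisory's "&" case by treating any non-zero Process ID High in a NEGOTIATE as suspicious, on the assumption that a legitimate client leaves that field at zero in its first request. The header layout follows the published SMB (CIFS) header format; the sample packets are constructed header-only fixtures, not real captures, and the function names are the example's own.

```python
# Added example (not part of the CERT-In advisory): flag SMB NEGOTIATE
# requests whose ProcessIDHigh header field is non-zero, the field the
# advisory names as the trigger. Samples below are constructed fixtures.
import struct
from typing import List, Optional, Tuple

SMB_MAGIC = b"\xffSMB"          # protocol identifier opening every SMB1 header
SMB_COM_NEGOTIATE = 0x72         # SMB_COM_NEGOTIATE command code
SMB_HEADER_LEN = 32              # fixed SMB1 header length in bytes
NETBIOS_SESSION_MESSAGE = 0x00   # NetBIOS session service "session message" type
HEADER_FMT = "<BIBHH8sHHHHH"     # fields after the 4-byte magic (28 bytes)


def build_smb_header(command: int, pid_high: int = 0, pid_low: int = 0xFEFF) -> bytes:
    """Construct a NetBIOS-framed SMB1 header (fixture builder only)."""
    body = struct.pack(
        HEADER_FMT,
        command,      # Command
        0,            # Status (zero in a request)
        0x18,         # Flags (typical client value)
        0xC853,       # Flags2 (typical Windows client value)
        pid_high,     # ProcessIDHigh, the field under inspection
        b"\x00" * 8,  # SecurityFeatures
        0,            # Reserved
        0xFFFF,       # TID
        pid_low,      # ProcessIDLow
        0,            # UID
        0,            # MID
    )
    header = SMB_MAGIC + body
    # NetBIOS session header: one type byte, then a 24-bit big-endian length
    return bytes([NETBIOS_SESSION_MESSAGE]) + len(header).to_bytes(3, "big") + header


def parse_smb_header(payload: bytes) -> Optional[dict]:
    """Return the header fields of a NetBIOS-framed SMB1 message, or None."""
    if len(payload) < 4 + SMB_HEADER_LEN or payload[0] != NETBIOS_SESSION_MESSAGE:
        return None
    header = payload[4:4 + SMB_HEADER_LEN]
    if header[:4] != SMB_MAGIC:
        return None
    names = ("command", "status", "flags", "flags2", "pid_high",
             "security_features", "reserved", "tid", "pid_low", "uid", "mid")
    return dict(zip(names, struct.unpack(HEADER_FMT, header[4:])))


def check_negotiate(payload: bytes) -> Optional[str]:
    """Return an alert string for a NEGOTIATE with non-zero ProcessIDHigh, else None."""
    hdr = parse_smb_header(payload)
    if hdr is None or hdr["command"] != SMB_COM_NEGOTIATE:
        return None
    # Assumption: a legitimate client sends ProcessIDHigh = 0 in its first
    # NEGOTIATE; the advisory's trigger places '&' (0x26) in this field.
    if hdr["pid_high"] != 0:
        return f"NEGOTIATE with non-zero ProcessIDHigh=0x{hdr['pid_high']:04x}"
    return None


def scan(payloads: List[bytes]) -> List[Tuple[int, str]]:
    """Run check_negotiate over captured payloads; return (index, alert) pairs."""
    alerts = []
    for i, payload in enumerate(payloads):
        reason = check_negotiate(payload)
        if reason:
            alerts.append((i, reason))
    return alerts


# Constructed fixtures: a normal NEGOTIATE, a NEGOTIATE carrying '&' in
# ProcessIDHigh, an unrelated command with the same field set, and junk.
SAMPLES = [
    build_smb_header(SMB_COM_NEGOTIATE),
    build_smb_header(SMB_COM_NEGOTIATE, pid_high=ord("&")),
    build_smb_header(0x75, pid_high=ord("&")),   # SMB_COM_TREE_CONNECT_ANDX
    b"not smb at all",
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLES):
        print(f"sample {idx}: {reason}")
```

Only the 32-byte header is examined, so the check is cheap enough to run inline on traffic to TCP 139/445; the second fixture is the only one that should raise an alert, since the third sets the same field on a command the advisory does not describe.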
Workaround
*Disable SMB v2
*Block TCP ports 139, 445 at the firewall
*For detailed steps and the impact of applying these workarounds, refer to
Microsoft Security Advisory 975497
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/advisory/975497.mspx
References
Microsoft
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
http://msdn.microsoft.com/en-us/library/aa365233
http://www.microsoft.com/security/pypc.aspx
SecurityFocus
http://www.securityfocus.com/bid/36299
Secunia
http://secunia.com/advisories/36623
Security Tracker
http://securitytracker.com/alerts/2009/Sep/1022848.html
ISC SANS
http://isc.sans.org/diary.html?storyid=7093
CVE Name
CVE-2009-3103
Disclaimer
The information provided herein is on an "as is" basis, without warranty of
any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wsBVAwUBSqoiDXWXeYNsoT30AQpM2ggAx6sx8yY/cF71ajsj3eAOgptgpoPRnkIe
LKAXcWHeY8sg0dN+yp6xwseskLiBnJvZUvEnJWT4qE8lZdDurOdnrLUK49d4Freb
wh/CCAWRG5VQcfFzhpgRj8n6FoDeX/m6O9m5w7d4BY1bzHWPR6LWjYjbEWcNz00H
YUfuOW8wolT3dEpG8Ygo/IDZkwv8emFqHdSDbl+U+PPGAReOe3k7UClOjOkWtpdA
k4Jas1iXoyYY+XkUjOCGggGM47ejijwMsS3e/NBnC5eeQdYpueCcUWpL/hXycrB0
ZsahS+nsvkNPijtie6njGdRNSi+UmpPlIo5wBVPMvQdYE+gtpW+flw==
=ybOT
-----END PGP SIGNATURE-----