MS SMB Memory Corruption Vulnerability (April 22, 2010)

Microsoft Windows is one of the most widely deployed operating systems, used on both servers and clients. Windows is compatible with a wide range of hardware and software, and it ships with many built-in applications and modules for file editing, drawing, resource management and so on.

Windows's native networking framework is one of these built-in modules. It uses the Server Message Block (SMB) protocol. SMB provides file sharing, network printing, remote procedure calls and other functionality.

An SMB message is composed of a header and message-specific data. The following describes an SMB message structure:

Offset  Size      Field
------------------------------------------------------------------------
0x0000  BYTE[4]   Contains 0xFF,'SMB'
0x0004  BYTE      Command Type (SMB_COM_TRANS = 0x25)
0x0005  DWORD     Error Class
0x0009  BYTE      Flags
                  x... .... (Request if x=0, Response if x=1)
0x000A  WORD      Flags2
0x000C  WORD      PID High
0x000E  DWORD[2]  Signature
0x0016  WORD      Unused
0x0018  WORD      Tree ID
0x001A  WORD      Process ID
0x001C  WORD      User ID
0x001E  WORD      Multiplex ID
0x0020  var       SMB Message Data (format depends on the Command Type)

The SMB common header is immediately followed by command-type-specific data. Several request/response types are used in the SMB protocol. One of them is SMB_COM_TRANSACTION (Command Type = 0x25), also known as TRANS. This command is the transport for the Transaction Subprotocol Commands, which operate on mailslots and named pipes.
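A minimal parser for the common header laid out above, added here as an example (it is not code from the page or from SonicWall): it extracts the fields at the stated offsets and classifies SMB_COM_TRANSACTION responses, the message class that the client-side handling bug concerns. The field names, helper names and sample bytes are constructed for this example.

```python
import struct
from dataclasses import dataclass

SMB_MAGIC = b"\xffSMB"          # 0xFF,'SMB' at offset 0x0000
SMB_COM_TRANSACTION = 0x25      # TRANS command type
FLAGS_REPLY = 0x80              # top bit of Flags: 0 = request, 1 = response
HEADER_LEN = 0x20               # message data starts at offset 0x0020
# Layout after the 4-byte magic, little-endian, matching the table above:
# cmd, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid
HEADER_FMT = "<BIBHH8sHHHHH"


@dataclass
class SmbHeader:
    command: int
    status: int       # the DWORD the table calls "Error Class"
    flags: int
    flags2: int
    pid_high: int
    signature: bytes
    tid: int
    pid: int
    uid: int
    mid: int

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAGS_REPLY)


def parse_smb_header(buf: bytes) -> SmbHeader:
    """Parse the 32-byte SMB common header; raise ValueError on malformed input."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated SMB header: %d bytes" % len(buf))
    if buf[:4] != SMB_MAGIC:
        raise ValueError("bad SMB magic %r" % buf[:4])
    cmd, status, flags, flags2, pid_high, sig, _unused, tid, pid, uid, mid = \
        struct.unpack(HEADER_FMT, buf[4:HEADER_LEN])
    return SmbHeader(cmd, status, flags, flags2, pid_high, sig, tid, pid, uid, mid)


def is_trans_response(buf: bytes) -> bool:
    """True for an SMB_COM_TRANSACTION response (a classifier, not the full IPS rule)."""
    hdr = parse_smb_header(buf)
    return hdr.command == SMB_COM_TRANSACTION and hdr.is_response


def build_sample(command: int, flags: int) -> bytes:
    """Constructed sample header (hypothetical TID/PID/UID/MID values) plus a zero word count."""
    fields = (command, 0, flags, 0xC801, 0, b"\0" * 8, 0, 1, 0xFEFF, 0x0800, 1)
    return SMB_MAGIC + struct.pack(HEADER_FMT, *fields) + b"\x00"
```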

A memory corruption vulnerability exists in the SMB client implementation on Microsoft Windows. The vulnerability is due to a design error in the handling of specially crafted SMB_COM_TRANSACTION responses. Successful exploitation of this vulnerability would allow the attacker to inject and execute arbitrary code on the target system.

The SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect attack attempts:

  • 5141 MS SMB SMB_COM_TRANSACTON BO PoC (MS10-020)

The vulnerability is referred to by the vendor as MS10-020, and by CVE as CVE-2010-0476.
