Microsoft Windows SMB Pool Overflow (Aug 20, 2010)


The Microsoft Windows operating system ships with an implementation of the Server Message Block (SMB) protocol. SMB is a widely used protocol that allows for sharing network devices and remote procedure calls, among other things. The service listens on TCP ports 139 and 445. SMB is a stateful protocol that requires successful authentication before a session is established. An SMB message is composed of a header and message-specific data.
The following describes an SMB message structure:

 Offset	Size      Field ------	--------- --------------------------------------- 0x0000	char[4]   'SMB' 0x0004	char      Command (TRANS2 = 0x32) 0x0005	int32     Error Class 0x0009	char      Flags  0x000A	int16     Flags2 0x000C	int16     Pid High 0x000E	int32[2]  Signature 0x0016	int16     Unused 0x0018	int16     Tree ID 0x001A	int16     Process ID 0x001C	int16     User ID 0x001E	int16     Multiplex ID 0x0020  var       SMB Message Data

One of the Commands supported by the SMB protocol is the SMB_COM_TRANSACTION2, also known as TRANS2 (0x32).
The SMB Message Data portion of an SMB TRANS2 Request message has the following structure:

 Offset	Size	Field ------	------- ------------------------------------------ 0x0000 char     Word Count 0x0001 int16    Total Parameter Count 0x0003 int16    Total Data Count 0x0005 int16    Max Parameter Count 0x0007 int16    Max Data Count 0x0009 char     Max Setup Count 0x000A char     Reserved 0x000B int16    Flags 0x000D int32    Timeout 0x0011 int16    Reserved 0x0013 int16    Parameter Count 0x0015 int16    Parameter Offset 0x0017 int16    Data Count 0x0019 int16    Data Offset 0x001B char     Setup Count 0x001C char     Reserved 0x001D int16    Subcommand [...]

Based on the Subcommand, the format of the Subcommand Data will change. One of the supported subcommands is QUERY_FS_INFO.

A buffer overflow vulnerability exists in the Server Message Block (SMB) protocol client implementation on Microsoft Windows. The vulnerability is due to a boundary error when handling specially crafted SMB messages. The flaw exists in the processing of the QUERY_FS_INFO subcommand in SMB_COM_TRANSACTION2 requests. The vulnerable code does not properly verify the value of ‘Max Data Count’ field of the request. This value is used to allocate a memory pool in the kernel address space. A malicious SMB message processed by the vulnerable service could result in an undersized memory pool to be allocated which could consequently trigger a write access violation when utilized by the kernel.

Successful exploitation may result in code injection and execution with the privileges of the operating system kernel. In cases of unsuccessful exploitation, the attack will lead to kernel panic causing a system wide denial of service condition.

SonicWALL has released an IPS signature to address this vulnerability. The following signature has been released:

  • 5235 – MS SMB Pool Overflow Attack Attempt

The vendor has released an advisory regarding this issue. The vulnerability has been assigned CVE-2010-2550 by mitre.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.