Posts

SMB Client Remote Code Execution (Feb 11, 2010)

/in /by

Server Message Block (SMB, also known as Common Internet File System, CIFS) operates as an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. All versions of Microsoft Windows ship with an implementation of SMB.

The messages sent from a SMB client to a SMB server are normally named Commands, as the messages sent from the server to the client are named Responses. A Microsoft Windows SMB server listens on TCP ports 139 and 445.

When a client wishes to engage in SMB communication with a server, the client will send an SMB NEGOTIATE Request message to the server and the server will respond with an SMB NEGOTIATE Response. An SMB NEGOTIATE Response message has the following structure:

Offset Size Field
——————————————————————————–
0x0000 BYTE Word Count
0x0001 WORD Dialect Index
0x0003 BYTE Security Mode
0x0004 WORD Max Mpx Count
0x0006 WORD Max Number VCs
0x0008 DWORD Max Buffer Size
0x000C DWORD Max Raw Size
0x0010 DWORD Session Key
….(truncated)

After an SMB session has been established, the client can start sending other commands.

There exists a vulnerability within the Microsoft Windows SMB client implementation. Specifically, the Max Buffer Size value is assumed to be at least 32 (0x20) bytes, and the value is used to allocate a heap buffer. When the vulnerable code processes SMB NEGOTIATE Response messages, it copies data into this heap buffer without first verifying its size. A remote unauthenticated attacker can leverage this vulnerability by enticing the target user to connect to an SMB server, which will reply to SMB NEGOTIATE Request messages with crafted SMB NEGOTIATE Response messages.

Successful exploitation would allow the attacker to inject and execute arbitrary code with the privileges of “SYSTEM”. Unsuccessful exploitation would result in system crash due to memory corruption.

Microsoft has released Security Bulletin MS10-006 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0016.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4791 MS Windows SMB Client Pool Corruption (MS10-006)