
Microsoft Windows SMB Pool Overflow (Aug 20, 2010)

The Microsoft Windows operating system ships with an implementation of the Server Message Block (SMB) protocol. SMB is a widely used protocol that allows for sharing network devices and remote procedure calls, among other things. The service listens on TCP ports 139 and 445. SMB is a stateful protocol that requires successful authentication before a session is established. An SMB message is composed of a header and message-specific data.
The following describes an SMB message structure:

 Offset  Size      Field
 ------  --------- ---------------------------------------
 0x0000  char[4]   'SMB'
 0x0004  char      Command (TRANS2 = 0x32)
 0x0005  int32     Error Class
 0x0009  char      Flags
 0x000A  int16     Flags2
 0x000C  int16     Pid High
 0x000E  int32[2]  Signature
 0x0016  int16     Unused
 0x0018  int16     Tree ID
 0x001A  int16     Process ID
 0x001C  int16     User ID
 0x001E  int16     Multiplex ID
 0x0020  var       SMB Message Data

One of the Commands supported by the SMB protocol is the SMB_COM_TRANSACTION2, also known as TRANS2 (0x32).
The SMB Message Data portion of an SMB TRANS2 Request message has the following structure:

 Offset  Size     Field
 ------  -------  ------------------------------------------
 0x0000  char     Word Count
 0x0001  int16    Total Parameter Count
 0x0003  int16    Total Data Count
 0x0005  int16    Max Parameter Count
 0x0007  int16    Max Data Count
 0x0009  char     Max Setup Count
 0x000A  char     Reserved
 0x000B  int16    Flags
 0x000D  int32    Timeout
 0x0011  int16    Reserved
 0x0013  int16    Parameter Count
 0x0015  int16    Parameter Offset
 0x0017  int16    Data Count
 0x0019  int16    Data Offset
 0x001B  char     Setup Count
 0x001C  char     Reserved
 0x001D  int16    Subcommand
 [...]

Based on the Subcommand, the format of the Subcommand Data will change. One of the supported subcommands is QUERY_FS_INFO.

A buffer overflow vulnerability exists in the Server Message Block (SMB) protocol client implementation on Microsoft Windows. The vulnerability is due to a boundary error when handling specially crafted SMB messages. The flaw exists in the processing of the QUERY_FS_INFO subcommand in SMB_COM_TRANSACTION2 requests. The vulnerable code does not properly verify the value of the 'Max Data Count' field of the request. This value is used to allocate a memory pool in the kernel address space. A malicious SMB message processed by the vulnerable service could result in an undersized memory pool being allocated, which could then trigger a write access violation when the pool is used by the kernel.

Successful exploitation may result in code injection and execution with the privileges of the operating system kernel. In cases of unsuccessful exploitation, the attack will lead to a kernel crash, causing a system-wide denial of service condition.
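The two tables above give enough of the message layout to decode a TRANS2 request and look at the field the post singles out. The following parser is an added example written for this page; it is not SonicWALL's signature logic and not Microsoft code. Field layouts are taken from the two tables; two values are assumptions not stated in the post: the TRANS2_QUERY_FS_INFORMATION subcommand code (0x0003, from the CIFS specification) and MIN_MAX_DATA_COUNT, a floor chosen purely for illustration. The sample requests are constructed inline, not captured traffic.

```python
"""Parser and inspection check for SMB TRANS2 QUERY_FS_INFO requests.

Added example; not SonicWALL's signature logic and not Microsoft code.
Field layouts follow the two tables in the post. Assumptions not taken from
the post: TRANS2_QUERY_FS_INFORMATION = 0x0003 (CIFS specification) and
MIN_MAX_DATA_COUNT, an illustrative floor. Sample messages are constructed
here, not captured traffic.
"""
import struct
from collections import namedtuple
from typing import Optional

# SMB header, 32 bytes, little-endian, as laid out in the first table.
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"
SMB_HEADER_LEN = struct.calcsize(SMB_HEADER_FMT)  # 0x20
SmbHeader = namedtuple("SmbHeader", "magic command status flags flags2 pid_high "
                       "signature unused tree_id process_id user_id multiplex_id")

# TRANS2 request parameter block, 31 bytes, as laid out in the second table.
TRANS2_REQ_FMT = "<BHHHHBBHIHHHHHBBH"
TRANS2_REQ_LEN = struct.calcsize(TRANS2_REQ_FMT)  # 0x1F
Trans2Request = namedtuple("Trans2Request", "word_count total_parameter_count "
                           "total_data_count max_parameter_count max_data_count "
                           "max_setup_count reserved1 flags timeout reserved2 "
                           "parameter_count parameter_offset data_count data_offset "
                           "setup_count reserved3 subcommand")

SMB_COM_TRANSACTION2 = 0x32
TRANS2_QUERY_FS_INFORMATION = 0x0003  # CIFS spec value; assumption, not from the post
MIN_MAX_DATA_COUNT = 16               # assumed illustrative floor for the check below


def parse_smb_header(msg: bytes) -> SmbHeader:
    """Decode the fixed 32-byte header; reject short or non-SMB input."""
    if len(msg) < SMB_HEADER_LEN:
        raise ValueError("truncated SMB header")
    hdr = SmbHeader._make(struct.unpack_from(SMB_HEADER_FMT, msg, 0))
    if hdr.magic != b"\xffSMB":  # on the wire the 'SMB' identifier is preceded by 0xFF
        raise ValueError("not an SMB message")
    return hdr


def parse_trans2_request(msg: bytes) -> Trans2Request:
    """Decode the TRANS2 parameter block after the header and bounds-check the
    parameter/data regions it declares (offsets are relative to the header start)."""
    if len(msg) < SMB_HEADER_LEN + TRANS2_REQ_LEN:
        raise ValueError("truncated TRANS2 request")
    req = Trans2Request._make(struct.unpack_from(TRANS2_REQ_FMT, msg, SMB_HEADER_LEN))
    for name, off, cnt in (("parameter", req.parameter_offset, req.parameter_count),
                           ("data", req.data_offset, req.data_count)):
        if off + cnt > len(msg):
            raise ValueError(f"{name} region exceeds message length")
    return req


def inspect_smb_message(msg: bytes) -> Optional[str]:
    """Return a finding for a TRANS2 QUERY_FS_INFO request whose Max Data Count
    (the field the post identifies as unchecked) is below the assumed floor, else None."""
    hdr = parse_smb_header(msg)
    if hdr.command != SMB_COM_TRANSACTION2:
        return None
    req = parse_trans2_request(msg)
    if req.subcommand != TRANS2_QUERY_FS_INFORMATION:
        return None
    if req.max_data_count < MIN_MAX_DATA_COUNT:
        return (f"TRANS2 QUERY_FS_INFO with Max Data Count {req.max_data_count} "
                f"(floor {MIN_MAX_DATA_COUNT})")
    return None


def build_query_fs_info_request(max_data_count: int, information_level: int = 0x0103) -> bytes:
    """Constructed sample request for testing (not captured traffic). The default
    information level 0x0103 is SMB_QUERY_FS_SIZE_INFO from the CIFS spec."""
    params = struct.pack("<H", information_level)
    param_offset = SMB_HEADER_LEN + TRANS2_REQ_LEN + 2  # after the 2-byte ByteCount
    header = struct.pack(SMB_HEADER_FMT, b"\xffSMB", SMB_COM_TRANSACTION2, 0, 0x18,
                         0xC807, 0, b"\x00" * 8, 0, 1, 0xFEFF, 0x0800, 1)
    trans2 = struct.pack(TRANS2_REQ_FMT, 15, len(params), 0, 0, max_data_count, 0, 0,
                         0, 0, 0, len(params), param_offset, 0, 0, 1, 0,
                         TRANS2_QUERY_FS_INFORMATION)
    return header + trans2 + struct.pack("<H", len(params)) + params


if __name__ == "__main__":
    for mdc in (0x1000, 0):
        print(hex(mdc), inspect_smb_message(build_query_fs_info_request(mdc)))
```

The bounds check in parse_trans2_request is the part worth keeping regardless of the heuristic: a decoder that trusts Parameter Offset and Data Offset without comparing them to the message length repeats the same class of mistake the post describes on the server side. The Max Data Count floor is only a demonstration of where such a check hooks in; a production signature would need the real expected response sizes per information level.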

SonicWALL has released an IPS signature to address this vulnerability. The following signature has been released:

  • 5235 – MS SMB Pool Overflow Attack Attempt

The vendor has released an advisory regarding this issue. The vulnerability has been assigned CVE-2010-2550 by MITRE.

Microsoft Security Bulletins Coverage (Aug 10, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of August, 2010. A list of issues reported, along with SonicWALL coverage information follows:

MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

  • CVE-2010-1888 Windows Kernel Data Initialization Vulnerability
    Local elevation of privilege
  • CVE-2010-1889 Windows Kernel Double Free Vulnerability
    Local elevation of privilege
  • CVE-2010-1890 Windows Kernel Improper Validation Vulnerability
    Local denial of service

MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

  • CVE-2010-1887 Win32k Bounds Checking Vulnerability
    Local denial of service
  • CVE-2010-1894 Win32k Exception Handling Vulnerability
    Local elevation of privilege
  • CVE-2010-1895 Win32k Pool Overflow Vulnerability
    Local elevation of privilege
  • CVE-2010-1896 Win32k User Input Validation Vulnerability
    Local elevation of privilege
  • CVE-2010-1897 Win32k Window Creation Vulnerability
    Local elevation of privilege

MS10-049 Vulnerabilities in SChannel Could Allow Remote Code Execution

  • CVE-2009-3555 TLS/SSL Renegotiation Vulnerability
    This vulnerability allows an attacker to spoof an authenticated SSL client.
    There is no feasible method to discern malicious traffic from normal.
  • CVE-2010-2566 SChannel Malformed Certificate Request Remote Code Execution Vulnerability
    Attacks occur over an encrypted channel.

MS10-050 Vulnerability in Windows Movie Maker Could Allow Remote Code Execution

  • CVE-2010-2564 Movie Maker Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

  • CVE-2010-2561 MSxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability
    Unexpected HTTP responses may trigger a bug in Microsoft XML Core Services which may result in process flow diversion.

MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution

  • CVE-2010-1882 MPEG Layer-3 Audio Decoder Buffer Overflow Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-053 Cumulative Security Update for Internet Explorer

  • CVE-2010-1258 Event Handler Cross-Domain Vulnerability
    IPS 5184 – document.execCommand Method Invocation
  • CVE-2010-2556 Uninitialized Memory Corruption Vulnerability
    IPS 5157 – location.protocol Attribute Setting
  • CVE-2010-2557 Uninitialized Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2558 Race Condition Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2559 Uninitialized Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.
  • CVE-2010-2560 HTML Layout Memory Corruption Vulnerability
    This is a logical flaw. Attacks targeting this vulnerability cannot be detected by IPS.

MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution

  • CVE-2010-2550 SMB Pool Overflow Vulnerability
    IPS 5235 – MS SMB Pool Overflow Attack Attempt
  • CVE-2010-2551 SMB Variable Validation Vulnerability
    A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets.
  • CVE-2010-2552 SMB Stack Exhaustion Vulnerability
    A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB compounded requests.

MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution

  • CVE-2010-2553 Cinepak Codec Decompression Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-056 Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution

  • CVE-2010-1900 Word Record Parsing Vulnerability
    There are no known public exploits targeting this vulnerability.
  • CVE-2010-1901 Word RTF Parsing Engine Memory Corruption Vulnerability
    GAV Agent.EXP_5
    GAV Agent.EXP_6
    GAV Agent.EXP_7
  • CVE-2010-1902 MS Word RTF Parsing Buffer Overflow Attempt
    IPS 5127 – MS Word RTF Parsing Buffer Overflow Attempt
  • CVE-2010-1903 Word HTML Linked Objects Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-057 Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution

  • CVE-2010-2562 Excel Memory Corruption Vulnerability
    There are no known public exploits targeting this vulnerability.

MS10-058 Vulnerabilities in TCP/IP Could Allow Elevation of Privilege

  • CVE-2010-1892 IPv6 Memory Corruption Vulnerability
    A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted IPv6 packets with a malformed extension header.
  • CVE-2010-1893 Integer Overflow in Windows Networking Vulnerability
    Local elevation of privilege

MS10-059 Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege

  • CVE-2010-2554 Tracing Registry Key ACL Vulnerability
    Local elevation of privilege
  • CVE-2010-2555 Tracing Memory Corruption Vulnerability
    Local elevation of privilege

MS10-060 Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution

  • CVE-2010-0019 Microsoft Silverlight Memory Corruption Vulnerability
    IPS 5115 – MS Silverlight Memory Corruption S1
  • CVE-2010-1898 Microsoft Silverlight and Microsoft .NET Framework CLR Virtual Method Delegate Vulnerability
    A remote code execution vulnerability exists in the Microsoft .NET Framework that can allow a specially crafted Microsoft .NET application or a specially crafted Silverlight application to access memory, leading to arbitrary unmanaged code execution.