SMB Client Remote Code Execution
03/26/2020
Resolution
SMB Client Remote Code Execution (Feb 11, 2010)
Description
Server Message Block (SMB, also known as Common Internet File System, CIFS) operates as an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. All versions of Microsoft Windows ship with an implementation of SMB.
The messages sent from an SMB client to an SMB server are conventionally called Commands, while the messages sent from the server back to the client are called Responses. A Microsoft Windows SMB server listens on TCP ports 139 and 445.
When a client wishes to engage in SMB communication with a server, the client will send an SMB NEGOTIATE Request message to the server and the server will respond with an SMB NEGOTIATE Response. An SMB NEGOTIATE Response message has the following structure:
| Offset | Size  | Field           |
|--------|-------|-----------------|
| 0x0000 | BYTE  | Word Count      |
| 0x0001 | WORD  | Dialect Index   |
| 0x0003 | BYTE  | Security Mode   |
| 0x0004 | WORD  | Max Mpx Count   |
| 0x0006 | WORD  | Max Number VCs  |
| 0x0008 | DWORD | Max Buffer Size |
| 0x000C | DWORD | Max Raw Size    |
| 0x0010 | DWORD | Session Key     |

.... (truncated)
After an SMB session has been established, the client can start sending other commands.
There exists a vulnerability within the Microsoft Windows SMB client implementation. Specifically, the Max Buffer Size value carried in the response is assumed to be at least 32 (0x20) bytes, and that value is used to allocate a heap buffer. When the vulnerable code processes SMB NEGOTIATE Response messages, it copies data into this heap buffer without first verifying that the buffer is large enough. A remote, unauthenticated attacker can leverage this vulnerability by enticing the target user to connect to an SMB server under the attacker's control, which replies to SMB NEGOTIATE Request messages with crafted SMB NEGOTIATE Response messages.
Successful exploitation would allow the attacker to inject and execute arbitrary code with the privileges of "SYSTEM". Unsuccessful exploitation would result in a system crash due to memory corruption.
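The check a defender would apply to this field, as an added example that is not part of the original article or of any vendor product: it parses the fixed NEGOTIATE Response parameters laid out in the table above and flags any response whose Max Buffer Size is below the 32-byte minimum the vulnerable client assumed. It assumes the input starts at the Word Count byte, i.e. the caller has already stripped the SMB header; the two sample blocks are constructed, not captured traffic.

```python
import struct
from typing import List, NamedTuple

# Smallest Max Buffer Size the vulnerable Windows SMB client assumed (MS10-006 / CVE-2010-0016).
MIN_MAX_BUFFER_SIZE = 0x20

# Fixed fields of the NEGOTIATE Response parameter block, little-endian, per the table above:
# WordCount(BYTE) DialectIndex(WORD) SecurityMode(BYTE) MaxMpxCount(WORD)
# MaxNumberVcs(WORD) MaxBufferSize(DWORD) MaxRawSize(DWORD) SessionKey(DWORD)
NEG_RESP_FMT = "<BHBHHIII"
NEG_RESP_LEN = struct.calcsize(NEG_RESP_FMT)  # 20 bytes (0x14)


class NegotiateResponse(NamedTuple):
    word_count: int
    dialect_index: int
    security_mode: int
    max_mpx_count: int
    max_number_vcs: int
    max_buffer_size: int
    max_raw_size: int
    session_key: int


def parse_negotiate_response(data: bytes) -> NegotiateResponse:
    """Parse the fixed fields; `data` must begin at Word Count (SMB header already skipped)."""
    if len(data) < NEG_RESP_LEN:
        raise ValueError("truncated NEGOTIATE Response parameter block")
    return NegotiateResponse(*struct.unpack_from(NEG_RESP_FMT, data, 0))


def check_negotiate_response(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the response passes the size sanity check."""
    try:
        resp = parse_negotiate_response(data)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if resp.max_buffer_size < MIN_MAX_BUFFER_SIZE:
        findings.append(f"Max Buffer Size 0x{resp.max_buffer_size:X} is below the assumed minimum "
                        f"0x{MIN_MAX_BUFFER_SIZE:X} (MS10-006 pattern)")
    return findings


# Constructed test vectors: word count 17 (NT LM 0.12 dialect), typical vs. undersized buffer size.
BENIGN_SAMPLE = struct.pack(NEG_RESP_FMT, 17, 0, 0x03, 50, 1, 0x4104, 0x10000, 0)
SUSPECT_SAMPLE = struct.pack(NEG_RESP_FMT, 17, 0, 0x03, 50, 1, 0x10, 0x10000, 0)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, check_negotiate_response(sample) or ["ok"])
```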
Microsoft has released Security Bulletin MS10-006 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0016.
SonicWall has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:
- 4791 MS Windows SMB Client Pool Corruption (MS10-006)