- Products
- Network Security
- Threat Protection
- Secure Access Service Edge (SASE)
- Cloud Security
- Endpoint Security
- Email Security
- Secure Access
-
Wi-Fi 6 Access Points
SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.
Read More
- Solutions
- Industries
- Use Cases
- Solutions Widgets
- Solutions Content Widgets
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
- Solutions Image Widgets
-
- Partners
- SonicWall Partners
- Partner Resources
- Partner Widgets
- Custom HTML : Partners Content WIdgets
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
- Partners Image Widgets
-
- Support
- Support
- Resources
- Capture Labs
- Support Widget
- Custom HTML : Support Content WIdgets
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
- Support Image Widgets
-
- COMPANY
- PROMOTIONS
- MANAGED SERVICES
- Contact Sales
-
- Menu
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
SMB Client Remote Code Execution
03/26/2020 
10 People found this article helpful
195,521 Views
Description
SMB Client Remote Code Execution
Resolution
SMB Client Remote Code Execution (Feb 11, 2010)
Description
Server Message Block (SMB, also known as Common Internet File System, CIFS) operates as an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. All versions of Microsoft Windows ship with an implementation of SMB.
The messages sent from a SMB client to a SMB server are normally named Commands, as the messages sent from the server to the client are named Responses. A Microsoft Windows SMB server listens on TCP ports 139 and 445.
When a client wishes to engage in SMB communication with a server, the client will send an SMB NEGOTIATE Request message to the server and the server will respond with an SMB NEGOTIATE Response. An SMB NEGOTIATE Response message has the following structure:
| Offset | Size | Field |
| -------------------------------------------------------------------------------- | ||
| 0x0000 | BYTE | Word Count |
| 0x0001 | WORD | Dialect Index |
| 0x0003 | BYTE | Security Mode |
| 0x0004 | WORD | Max Mpx Count |
| 0x0006 | WORD | Max Number VCs |
| 0x0008 | DWORD | Max Buffer Size |
| 0x000C | DWORD | Max Raw Size |
| 0x0010 | DWORD | Session Key |
| ....(truncated) | ||
After an SMB session has been established, the client can start sending other commands.
There exists a vulnerability within the Microsoft Windows SMB client implementation. Specifically, the Max Buffer Size value is assumed to be at least 32 (0x20) bytes, and the value is used to allocate a heap buffer. When the vulnerable code processes SMB NEGOTIATE Response messages, it copies data into this heap buffer without first verifying its size. A remote unauthenticated attacker can leverage this vulnerability by enticing the target user to connect to an SMB server, which will reply to SMB NEGOTIATE Request messages with crafted SMB NEGOTIATE Response messages.
Successful exploitation would allow the attacker to inject and execute arbitrary code with the privileges of "SYSTEM". Unsuccessful exploitation would result in system crash due to memory corruption.
Microsoft has released Security Bulletin MS10-006 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0016.
SonicWall has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:
- 4791 MS Windows SMB Client Pool Corruption (MS10-006)
Related Articles
- Identical Access Rules for different users/user groups
- Advanced Network Security eLearning Training Course
- Network Security Essentials eLearning Training Course
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO