- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
SMB Client Remote Code Execution
03/26/2020 
10 People found this article helpful
44,786 Views
Description
SMB Client Remote Code Execution
Resolution
SMB Client Remote Code Execution (Feb 11, 2010)
Description
Server Message Block (SMB, also known as Common Internet File System, CIFS) operates as an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. All versions of Microsoft Windows ship with an implementation of SMB.
The messages sent from a SMB client to a SMB server are normally named Commands, as the messages sent from the server to the client are named Responses. A Microsoft Windows SMB server listens on TCP ports 139 and 445.
When a client wishes to engage in SMB communication with a server, the client will send an SMB NEGOTIATE Request message to the server and the server will respond with an SMB NEGOTIATE Response. An SMB NEGOTIATE Response message has the following structure:
Offset | Size | Field |
-------------------------------------------------------------------------------- | ||
0x0000 | BYTE | Word Count |
0x0001 | WORD | Dialect Index |
0x0003 | BYTE | Security Mode |
0x0004 | WORD | Max Mpx Count |
0x0006 | WORD | Max Number VCs |
0x0008 | DWORD | Max Buffer Size |
0x000C | DWORD | Max Raw Size |
0x0010 | DWORD | Session Key |
....(truncated) | ||
After an SMB session has been established, the client can start sending other commands.
There exists a vulnerability within the Microsoft Windows SMB client implementation. Specifically, the Max Buffer Size value is assumed to be at least 32 (0x20) bytes, and the value is used to allocate a heap buffer. When the vulnerable code processes SMB NEGOTIATE Response messages, it copies data into this heap buffer without first verifying its size. A remote unauthenticated attacker can leverage this vulnerability by enticing the target user to connect to an SMB server, which will reply to SMB NEGOTIATE Request messages with crafted SMB NEGOTIATE Response messages.
Successful exploitation would allow the attacker to inject and execute arbitrary code with the privileges of "SYSTEM". Unsuccessful exploitation would result in system crash due to memory corruption.
Microsoft has released Security Bulletin MS10-006 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0016.
SonicWall has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:
- 4791 MS Windows SMB Client Pool Corruption (MS10-006)
Related Articles
- Supported Public Cloud Servers/Instance Sizes on SonicWall NSv Series Models
- Why do I need a Support Services Reinstatement?
- How can I configure a VPN between a SonicWall firewall and Microsoft Azure?
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO