September 9th, 2009

Microsoft confirms SMB2 vulnerability, warns of code execution risk

Posted by Ryan Naraine @ 9:10 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Hackers, Locally Running Web Servers, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Vulnerability, Microsoft Corp., Server Message Block, Microsoft Windows 7, Microsoft Windows, Security, Operating Systems, Software, Ryan Naraine

Microsoft has issued a formal security advisory to confirm the remote reboot flaw in its implementation of the SMB2 protocol, going a step further to warn that a successful attack could lead to remote code execution and full system takeover.

The vulnerability, which was originally reported as a denial-of-service issue, does not affect the RTM version of Windows 7, Microsoft said. It appears Microsoft fixed the flaw in Windows 7 build ~7130, just after RC1. Windows Vista and Windows Server 2008 users remain at risk.

The Microsoft advisory is somewhat confusing.  It mentions the plural “vulnerabilities” in the title but later warns of “a possible vulnerability in Microsoft Server Message Block (SMB) implementation.”

It is, however, very clear about the risk severity:

An attacker who successfully exploited this vulnerability could take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart.

Microsoft points to this CVE entry to explain the actual bug:

Array index error in the SMB2 protocol implementation in srv2.sys in Microsoft Windows 7, Server 2008, and Vista Gold, SP1, and SP2 allows remote attackers to cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location.
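For defenders, the header field named in that CVE text is straightforward to check on the wire. The following Python is an added example, not code from the advisory or this article: it parses the SMB1 header of a NEGOTIATE PROTOCOL REQUEST and flags a non-zero Process ID High field (well-behaved clients leave it zero; the CVE names the 0x26 byte as the trigger). The sample messages are constructed header-only fixtures, not captured traffic, and the parser assumes the 4-byte NetBIOS session header has already been stripped.

```python
import struct

# 32-byte SMB (v1) header: protocol, command, status, flags, flags2,
# Process ID High, security signature, reserved, TID, PID low, UID, MID.
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72   # NEGOTIATE PROTOCOL REQUEST command code


def inspect_negotiate(msg: bytes) -> dict:
    """Classify one SMB message (TCP payload after the NetBIOS session header).

    Verdict rule: a NEGOTIATE request whose Process ID High field is non-zero
    is 'suspicious'. Legitimate clients send zero there, and the CVE text
    describes the crash as an out-of-range value (0x26) in exactly this field.
    """
    if len(msg) < SMB_HEADER.size or msg[:4] != SMB_MAGIC:
        return {"is_smb": False, "is_negotiate": False,
                "pid_high": None, "suspicious": False}
    (_, command, _status, _flags, _flags2, pid_high,
     _sig, _rsvd, _tid, _pid_low, _uid, _mid) = SMB_HEADER.unpack_from(msg)
    is_negotiate = command == SMB_COM_NEGOTIATE
    return {"is_smb": True, "is_negotiate": is_negotiate,
            "pid_high": pid_high,
            "suspicious": is_negotiate and pid_high != 0}


def scan(msgs) -> list:
    """Return the indexes of messages that trip the rule, for alerting."""
    return [i for i, m in enumerate(msgs) if inspect_negotiate(m)["suspicious"]]


# Constructed sample headers (no NEGOTIATE body), assumptions for this example.
_HDR = bytes.fromhex("ff534d42" "72" "00000000" "18" "53c8")   # magic..flags2
_TAIL = bytes(8) + bytes(2) + bytes(2) + b"\xff\xfe" + bytes(4)  # sig..MID
BENIGN_NEGOTIATE = _HDR + b"\x00\x00" + _TAIL    # Process ID High = 0
FLAGGED_NEGOTIATE = _HDR + b"\x26\x00" + _TAIL   # Process ID High = 0x26

if __name__ == "__main__":
    for name, m in (("benign", BENIGN_NEGOTIATE), ("flagged", FLAGGED_NEGOTIATE)):
        print(name, inspect_negotiate(m))
```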

Proof of concept code, which allows an attacker to remotely crash any vulnerable machine with SMB enabled, is publicly available.

In the absence of a patch, Microsoft recommends that users disable SMB v2 and block TCP ports 139 and 445 at the firewall.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
