Advisories
Windows SMB Client Transaction Response Handling Vulnerability
Release Date:
February 8, 2005
Date Reported:
August 2, 2004
Patch Development Time (In Days):
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows 2000
Windows XP
Windows Server 2003
Windows NT 4 (Please see note below under "Vendor Status")
Overview:
eEye Digital Security has discovered a vulnerability in Windows SMB client's handling of SMB responses. An attacker who can cause an affected system to connect to the SMB service on a malicious host may exploit this vulnerability in order to execute code on the victim's machine.
Technical Details:
The driver MRXSMB.SYS is responsible for performing SMB client operations and processing the responses returned by an SMB server service. A number of important Windows File Sharing operations, and all RPC-over-named-pipes, use the SMB commands Trans (25h) and Trans2 (32h). A malicious SMB server can respond with specially crafted Transaction response data that will cause an overflow wherever the data is handled, either in MRXSMB.SYS or in client code to which it provides data. One example would be if the file name and short file name length fields in a Trans2 FIND_FIRST2 response packet can be supplied with inappropriately large values in order to cause an excessive memcpy to occur when the data is handled. In the case of these examples an attacker could leverage file:// links, that when clicked by a remote user, would lead to code execution.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - protects from this vulnerability.
Vendor Status:
For Windows 2000, XP and Server 2003 customers, Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx
Microsoft will not be releasing a public Windows NT 4.0 patch due to the platform's non-supported status. eEye customers with Blink installed on NT 4.0 systems are protected from these attacks regardless of patch level, with zero impact to system or application functionality.
Credit:
Discovery: Yuji Ukai, Derek Soeder
Related Links:
Retina Network Security Scanner - Free Trial
Blink End-Point Vulnerability Prevention - Free Trial
Greetings:
KiP(he is back), altoids, cretz, hsj, commit (it works well...), Ink, Rhone, Rose, Mr. White, Chris, Joy, Spot, Alena, Brey, and Cristo.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
February 8, 2005
Date Reported:
August 2, 2004
Patch Development Time (In Days):
 |
|
|
|
| 190 |
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows 2000
Windows XP
Windows Server 2003
Windows NT 4 (Please see note below under "Vendor Status")
Overview:
eEye Digital Security has discovered a vulnerability in Windows SMB client's handling of SMB responses. An attacker who can cause an affected system to connect to the SMB service on a malicious host may exploit this vulnerability in order to execute code on the victim's machine.
Technical Details:
The driver MRXSMB.SYS is responsible for performing SMB client operations and processing the responses returned by an SMB server service. A number of important Windows File Sharing operations, and all RPC-over-named-pipes, use the SMB commands Trans (25h) and Trans2 (32h). A malicious SMB server can respond with specially crafted Transaction response data that will cause an overflow wherever the data is handled, either in MRXSMB.SYS or in client code to which it provides data. One example would be if the file name and short file name length fields in a Trans2 FIND_FIRST2 response packet can be supplied with inappropriately large values in order to cause an excessive memcpy to occur when the data is handled. In the case of these examples an attacker could leverage file:// links, that when clicked by a remote user, would lead to code execution.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - protects from this vulnerability.
Vendor Status:
For Windows 2000, XP and Server 2003 customers, Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx
Microsoft will not be releasing a public Windows NT 4.0 patch due to the platform's non-supported status. eEye customers with Blink installed on NT 4.0 systems are protected from these attacks regardless of patch level, with zero impact to system or application functionality.
Credit:
Discovery: Yuji Ukai, Derek Soeder
Related Links:
Retina Network Security Scanner - Free Trial
Blink End-Point Vulnerability Prevention - Free Trial
Greetings:
KiP(he is back), altoids, cretz, hsj, commit (it works well...), Ink, Rhone, Rose, Mr. White, Chris, Joy, Spot, Alena, Brey, and Cristo.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
