iPolicy Networks Security Advisory
Microsoft SMB Client Message Size Vulnerability

Date Discovered: 04/13/2010
Severity: High
Operating Systems Affected:
  Microsoft Windows 7 32-bit
  Microsoft Windows 7 x64
  Microsoft Windows Server 2008 R2 x64
  Microsoft Windows Server 2008 R2 Itanium
Type: Remote
Identifiers: CVE-2010-0477
Synopsis
The Microsoft SMB client is prone to a message size vulnerability. The vulnerability exists in the way the Microsoft Server Message Block (SMB) client implementation handles specially crafted SMB responses.
Recommended Actions
Apply the vendor patches as described in the Microsoft bulletin at:
http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx
Threat Analysis
The vulnerability exists because the Microsoft Server Message Block (SMB) client implementation improperly handles specially crafted SMB responses that cause the SMB client to consume the entire response and indicate an invalid value to the Winsock kernel.

Exploitation does not require authentication: an attacker only needs to answer a client-initiated SMB request with a specially crafted SMB response.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
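The defect class described above is a client trusting the size information carried in a response it did not originate. The following Python example, added to this advisory and not taken from Microsoft's implementation or from the patch, illustrates the defensive check a receiver should perform before acting on an SMB response: the length declared in the NetBIOS session header is compared against the bytes actually received and against the protocol maximum, and the message is rejected on any mismatch. The sample messages are constructed inline; the header layout, the 17-bit length limit of direct-hosted SMB on TCP/445 and the function names are this example's own assumptions, not details from the advisory.

```python
import struct

SMB_MAGIC = b"\xffSMB"          # SMB1 protocol identifier at the start of every header
SMB_HEADER_LEN = 32             # fixed SMB1 header size
NBSS_HEADER_LEN = 4             # NetBIOS session service header: 1-byte type + 3-byte length
MAX_SMB_MESSAGE = 0x1FFFF       # assumption: 17-bit length field of direct-hosted SMB (TCP/445)


def parse_smb_response(data: bytes) -> dict:
    """Validate a received SMB response before any field is trusted.

    Raises ValueError instead of honouring a declared size that does not
    match the bytes actually received. Returns the command byte, NT status
    and declared payload length once the message is consistent.
    """
    if len(data) < NBSS_HEADER_LEN + SMB_HEADER_LEN:
        raise ValueError("short read: incomplete NetBIOS or SMB header")

    msg_type = data[0]
    declared_len = int.from_bytes(data[1:4], "big")
    if msg_type != 0x00:
        raise ValueError(f"unexpected NetBIOS message type 0x{msg_type:02x}")
    if declared_len > MAX_SMB_MESSAGE:
        raise ValueError(f"declared length {declared_len} exceeds protocol maximum")
    if declared_len != len(data) - NBSS_HEADER_LEN:
        raise ValueError(
            f"declared length {declared_len} does not match received {len(data) - NBSS_HEADER_LEN}"
        )

    smb = data[NBSS_HEADER_LEN:]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("missing SMB protocol identifier")
    command = smb[4]
    status = struct.unpack("<I", smb[5:9])[0]
    return {"command": command, "status": status, "length": declared_len}


def classify(data: bytes) -> str:
    """Wrap the parser for logging or detection pipelines: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_smb_response(data)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def build_message(declared_len: int, command: int = 0x72) -> bytes:
    """Constructed sample: NetBIOS session header + minimal 32-byte SMB1 header, no body.

    declared_len is written into the NetBIOS header as-is so that inconsistent
    messages can be built for testing; command 0x72 is SMB_COM_NEGOTIATE.
    """
    header = SMB_MAGIC + bytes([command]) + struct.pack("<I", 0)   # magic, command, NT status
    header += bytes(SMB_HEADER_LEN - len(header))                  # flags, signature, tid/pid/uid/mid zeroed
    return b"\x00" + declared_len.to_bytes(3, "big") + header


# Constructed samples: one consistent message and two with untrustworthy sizes.
GOOD_RESPONSE = build_message(SMB_HEADER_LEN)        # declares exactly the 32 bytes that follow
OVERSIZED_RESPONSE = build_message(0xFFFFFF)         # declares more than the protocol allows
MISMATCHED_RESPONSE = build_message(0x100)           # declares 256 bytes but only 32 are present

if __name__ == "__main__":
    for name, msg in [("good", GOOD_RESPONSE), ("oversized", OVERSIZED_RESPONSE),
                      ("mismatched", MISMATCHED_RESPONSE)]:
        print(f"{name}: {classify(msg)}")
```

A client that performs this comparison before allocating or copying on the basis of the declared length never has to rely on the transport layer to catch an inconsistent size; the same check, applied to captured traffic, flags responses whose declared size disagrees with the bytes on the wire.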
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0477

Write-up by: Aditya Chaturvedi