iPolicy Networks Security Advisory
Microsoft SMB Race Condition Remote Code Execution Vulnerability

Date Discovered: 02/09/2009
Severity: High
Operating System: Microsoft Windows Vista SP1, SP2, SP3
Microsoft Windows Server 2008
Microsoft Windows 7
Applications Affected: SMB Client
Type: Remote
Identifiers: CVE-2010-0017
Synopsis
Microsoft SMB Client is prone to a remote code execution vulnerability in the way the SMB client handles two consecutive negotiate responses to a single request. After successful exploitation, a remote attacker can execute arbitrary code in the security context of the logged-in user.
Recommended Actions
Apply the patches as guided by the vendor at:
http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx
Threat Analysis
The Server Message Block (SMB) protocol is a network file sharing protocol. SMB is an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

The SMB client is prone to a remote code execution vulnerability. The vulnerability exists because the client accesses a pointer to data that was previously set to NULL. This happens when the client receives two consecutive negotiate responses to a single request: while processing the second response, the client resets a data structure that is still in use by the first response. Successful exploitation allows a remote attacker to execute arbitrary code in the security context of the logged-in user.
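The condition described above (more than one Negotiate reply arriving for a single request) is observable on the wire, so a network sensor can flag it. The following Python is an added detection example written for this advisory, not code from iPolicy Networks or Microsoft; it assumes the standard SMB1 header layout (NetBIOS session header, then the 32-byte SMB header with command 0x72 = SMB_COM_NEGOTIATE and flags bit 0x80 = reply) and uses constructed sample packets rather than a capture.

```python
import struct
from collections import defaultdict

SMB_COM_NEGOTIATE = 0x72   # SMB1 Negotiate command code
SMB_FLAGS_REPLY = 0x80     # header Flags bit set on server responses


def parse_smb1_header(pkt):
    """Return (command, is_reply, mid) from a NetBIOS-framed SMB1 packet, else None."""
    if len(pkt) < 36 or pkt[4:8] != b"\xffSMB":
        return None
    command = pkt[8]                                  # byte after the protocol id
    flags = pkt[13]                                   # Flags follows the 4-byte Status
    mid = struct.unpack_from("<H", pkt, 34)[0]        # MID is the last header field
    return command, bool(flags & SMB_FLAGS_REPLY), mid


def detect_duplicate_negotiate_replies(stream):
    """Return MIDs of Negotiate requests that received more than one server reply.

    stream: iterable of (direction, packet_bytes), direction "c2s" or "s2c".
    """
    replies_seen = defaultdict(int)
    alerts = []
    for direction, pkt in stream:
        hdr = parse_smb1_header(pkt)
        if hdr is None or hdr[0] != SMB_COM_NEGOTIATE:
            continue
        _, is_reply, mid = hdr
        if direction == "c2s" and not is_reply:
            replies_seen[mid] = 0                     # new request resets the count
        elif direction == "s2c" and is_reply:
            replies_seen[mid] += 1
            if replies_seen[mid] > 1:                 # second reply to one request
                alerts.append(mid)
    return alerts


def build_smb1(command, is_reply, mid, body=b""):
    """Construct a minimal SMB1 packet (test data only; not a real negotiate body)."""
    flags = SMB_FLAGS_REPLY if is_reply else 0
    hdr = b"\xffSMB" + struct.pack("<BIBHH8sHHHHH", command, 0, flags,
                                    0, 0, b"\0" * 8, 0, 0, 0, 0, mid)
    msg = hdr + body
    return struct.pack(">I", len(msg)) + msg           # NetBIOS type 0x00 + length


# Constructed sample stream: MID 1 gets two replies (alert), MID 2 is normal.
SAMPLE_STREAM = [
    ("c2s", build_smb1(SMB_COM_NEGOTIATE, False, 1)),
    ("s2c", build_smb1(SMB_COM_NEGOTIATE, True, 1)),
    ("s2c", build_smb1(SMB_COM_NEGOTIATE, True, 1)),
    ("c2s", build_smb1(SMB_COM_NEGOTIATE, False, 2)),
    ("s2c", build_smb1(SMB_COM_NEGOTIATE, True, 2)),
]
```

Running `detect_duplicate_negotiate_replies(SAMPLE_STREAM)` returns `[1]`; a sensor would key the table by TCP connection as well as MID in practice.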
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0017

Write-up by: Gaurav Bajpai