The information has been provided by Laurent Gaffi .
The original article can be found at: http://go.microsoft.com/fwlink/?LinkId=178850
* Microsoft Windows XP and earlier
* Microsoft Windows Server 2003 and earlier
* Microsoft Windows Vista and 7 are affected by a variant of this vulnerability.
Successful exploitation of this issue may result in remote code execution with kernel privileges. Failed attempts may result in a remote denial of service.
Server Message Block (SMB), also known as Common Internet File System (CIFS) acts as an application-layer protocol to provide shared access to files, printers and Inter-Process-Communication (IPC). It is also a transport for Distributed Computing Environment / Remote Procedure Call (DCE/RPC) operations.
When initializing an SMB communication the client sends a 'Negotiate Protocol' packet to negotiate the dialect that will be used for further communication. The server response will contain the following structure:
uchar WordCount; /* must be 0x11 (17) */
ushort DialectIndex; /* selected dialect */
uchar SecurityMode; /* security flags */
ushort MaxMpxCount; /* maximum pending multiplexed requests supported*/
ushort MaxNumberVCs; /* maximum virtual connections */
ulong MaxBufferSize; /* maximum SMB message size */
ulong MaxRawSize; /* maximum raw buffer size */
ulong SessionKey; /* unique session identifier */
ulong Capabilities; /* server capabilities */
ulong SystemTimeLow; /* server time - low bytes */
ulong SystemTimeHigh; /* server time - high bytes */
short ServerTimeZone; /* time zone */
uchar EncryptionKeyLength; /* set to 0 or 8 */
The 'MaxBufferSize' field is defined in the 'MSDN Open Specifications Developer Center' as:
"MaxBufferSize (4 bytes): Maximum size, in bytes, of the server buffer for sending and receiving SMB messages. This is the size of the largest message that the client may send to the server. This is the size of the buffer used for the SMB message from the start of the SMB header to the end of the packet."
By sending a crafted response packet containing a small 'MaxBufferSize' value, it is possible trigger a kernel pool corruption on several Microsoft Windows operating systems.
Apply appropriate security patches published by Microsoft related to this issue.
Alternatively, block access to network ports 139 and 445 using a host based firewall.
11/11/2009: Issue discovered.
23/11/2009: MSRC acknowledges receipt of advisory.
09/02/2010: Coordinated disclosure.