Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2010-0017 to a friend New vulnerability? New tool? Tell us	CVE-2010-0017 Microsoft SMB Client Pool Overflow Vulnerability     Credit: The information has been provided by Laurent Gaffi . The original article can be found at: http://go.microsoft.com/fwlink/?LinkId=178850 Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2010-0017 Details Check for CVE-2010-0017 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Microsoft Windows XP and earlier  * Microsoft Windows Server 2003 and earlier  * Microsoft Windows Vista and 7 are affected by a variant of this vulnerability. Successful exploitation of this issue may result in remote code execution with kernel privileges. Failed attempts may result in a remote denial of service. Server Message Block (SMB), also known as Common Internet File System (CIFS) acts as an application-layer protocol to provide shared access to files, printers and Inter-Process-Communication (IPC). It is also a transport for Distributed Computing Environment / Remote Procedure Call (DCE/RPC) operations. When initializing an SMB communication the client sends a 'Negotiate Protocol' packet to negotiate the dialect that will be used for further communication. The server response will contain the following structure: uchar WordCount; /* must be 0x11 (17) */ ushort DialectIndex; /* selected dialect */ uchar SecurityMode; /* security flags */ ushort MaxMpxCount; /* maximum pending multiplexed requests supported*/ ushort MaxNumberVCs; /* maximum virtual connections */ ulong MaxBufferSize; /* maximum SMB message size */ ulong MaxRawSize; /* maximum raw buffer size */ ulong SessionKey; /* unique session identifier */ ulong Capabilities; /* server capabilities */ ulong SystemTimeLow; /* server time - low bytes */ ulong SystemTimeHigh; /* server time - high bytes */ short ServerTimeZone; /* time zone */ uchar EncryptionKeyLength; /* set to 0 or 8 */ The 'MaxBufferSize' field is defined in the 'MSDN Open Specifications Developer Center' as: "MaxBufferSize (4 bytes): Maximum size, in bytes, of the server buffer for sending and receiving SMB messages. This is the size of the largest message that the client may send to the server. This is the size of the buffer used for the SMB message from the start of the SMB header to the end of the packet." By sending a crafted response packet containing a small 'MaxBufferSize' value, it is possible trigger a kernel pool corruption on several Microsoft Windows operating systems. Patch Availability: Apply appropriate security patches published by Microsoft related to this issue. Workaround: Alternatively, block access to network ports 139 and 445 using a host based firewall. CVE Information: CVE-2010-0016 CVE-2010-0017 Disclosure Timeline: 11/11/2009: Issue discovered. 23/11/2009: MSRC acknowledges receipt of advisory. 09/02/2010: Coordinated disclosure.  Comments on CVE-2010-0017:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®