Date: Mon, 14 Aug 2006 19:54:40 -0300
From: Core Security Technologies advisories <advisories@...esecurity.com>
To: bugtraq@...urityfocus.com
Subject: CORE-2006-0714: Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service

                        Core Security Technologies Advisory
                            http://www.coresecurity.com

           Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service


Date Published: 2006-08-14

Last Update: 2006-08-14

Advisory ID: CORE-2006-0714

Bugtraq ID: 19215

CVE Name: CVE-2006-3942

Title: Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service

Class: Failure to Handle Exceptional Conditions

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10

Vendors contacted:
- Microsoft
. 2006-07-12: Microsoft Security Bulletin MS06-035[1]
. 2006-07-12: Core releases exploit for MS06-035 to customers
. 2006-07-14: Customers report that exploit works against fully patched
              systems
. 2006-07-14: Core's initial notification to vendor of new bug discovery
. 2006-07-14: Vendor acknowledges notification, requests details/PoC
. 2006-07-14: Core provides sample PoC code to vendor
. 2006-07-14: Vendor acknowledgment, case opened
. 2006-07-19: Proof-of-concept becomes publicly available
. 2006-07-27: Vendor confirms as new issue and repro
. 2006-07-28: IDS/IPS security vendor (ISS) advisory discloses
              vulnerability in the MS06-035 detection module[2]
. 2006-07-28: Vendor discloses vulnerability on MSRC blog[3]
. 2006-07-28: ISS security advisory about publicly available "misconstrued
              Mailslot vulnerability" proof-of-concept exploit[4]
. 2006-08-11: Vendor communicates tentative plan for a fix in
              November, 2006
. 2006-08-14: Advisory CORE-2006-07-14 published

Release Mode: FORCED RELEASE

*Vulnerability Description:*

While investigating the Microsoft Server Service Mailslot heap overflow
vulnerability reported in Microsoft Security Bulletin MS06-035 [1], Core
Security Technologies researcher Gerardo Richarte discovered a second bug
in the server service.

This new vulnerability affects Windows systems with and without the
MS06-035 patch and any subsequent patches up to the date of publication of
this advisory.

Proof-of-concept code to exploit the vulnerability was made publicly
available in or around July 19th, 2006 and at least one third party
security vendor published a security advisory describing the bug.

Further analysis of the vulnerability seems to indicate that exploitation
is limited to a remote denial of service attack without the need for user
authentication.

The vendor was notified of the finding on July 14th, 2006 and has
indicated that issuance of a fix is tentatively scheduled for the November
patch release. [see "Vendors contacted" section above]

*Vulnerable Packages:*
- Windows 2000 SP0-SP4
- Windows NT4 SP6a
- Windows XP SP0-SP2
- Windows 2003 SP0-SP1

*Not Vulnerable Packages:*
- Windows Vista beta 2 build 5381

*Solution/Vendor Information/Workaround:*
. Block inbound connections to ports 139/tcp and 445/tcp
. IDS/IPS signatures should detect the presence of strings not
  terminated with NUL in SMB_COM_TRANSACTION messages

*Credits:*

This vulnerability was accidentally found by Gerardo Richarte from Core
Security Technologies while looking for technical details about Microsoft
Security Bulletin MS06-035.

*Technical Description - Exploit/Concept Code:*

The vulnerability can be triggered by sending a malformed
SMB_COM_TRANSACTION SMB message (0x25) that includes a string that is not
properly null terminated.

The crash was originally triggered by sending an SMB_COM_TRANSACTION
message using the string "\\MAILSLOT\LANMAN" (without NUL termination) in
an attempt to reproduce the MS06-035 bug(s).

The observed crash was actually inside __imp___wcsnicmp, when the string
"\\MAILSLOT" is compared to a NULL pointer. The following code, from
ExecuteTransaction(), is where wcsnicmp() is called.

SRV.SYS:0002f487:    push 9
SRV.SYS:0002f489:    push "\\MAILSLOT"
SRV.SYS:0002f48f:    push dword ptr [eax+24h]     <-- [eax+24] is NULL
SRV.SYS:0002f492:    call ds:__imp___wcsnicmp     <-- Crash Inside (tm)
SRV.SYS:0002f498:    add esp, 0ch
SRV.SYS:0002f49b:    test eax, eax
SRV.SYS:0002f49d:    jnz loc_2f4aa
SRV.SYS:0002f49f:    push esi
SRV.SYS:0002f4a0:    call _MailslotTransaction@4  <- execution flow does
                                                     not reach this point
SRV.SYS:0002f4a5:    jmp loc_20bf6
SRV.SYS:0002f4aa:

Since the call to MailslotTransaction() is never reached and the crash is
triggered before that call, we conclude that the bug is not specifically
related to MAILSLOT functionality. Upon further investigation it became
apparent that any SMB_COM_TRANSACTION message with a string that is not
NUL terminated will trigger a crash.
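The workaround section above suggests IDS/IPS signatures for SMB_COM_TRANSACTION messages whose name string lacks a NUL terminator. The following check is an added example written for this advisory (not Core's or Microsoft's code) that parses the SMB1 SMB_COM_TRANSACTION request layout (as documented in MS-CIFS) and reports whether the Name string is terminated inside the message; build_transaction() constructs sample requests for testing and is likewise an assumption, not a real wire capture.

```python
import struct

# Added detection example; not code from the Core advisory. Field layout
# follows the SMB1 SMB_COM_TRANSACTION request format (MS-CIFS 2.2.4.33.1).
SMB_COM_TRANSACTION = 0x25
SMB_FLAGS2_UNICODE = 0x8000
HEADER_LEN = 32          # fixed SMB header: \xffSMB ... MID
WORDS_LEN = 28           # the 14 fixed parameter words of a TRANSACTION request


def transaction_name_terminated(msg: bytes):
    """True if the transaction Name string ends with a NUL inside the message,
    False if it runs into the next field or off the end (the CVE-2006-3942
    condition), None if msg is not a parseable SMB_COM_TRANSACTION request."""
    if len(msg) < HEADER_LEN + 1 or msg[:4] != b"\xffSMB" or msg[4] != SMB_COM_TRANSACTION:
        return None
    unicode = struct.unpack_from("<H", msg, 10)[0] & SMB_FLAGS2_UNICODE  # Flags2
    word_count = msg[HEADER_LEN]
    words_off = HEADER_LEN + 1
    if len(msg) < words_off + WORDS_LEN:
        return None
    # ParameterCount, ParameterOffset, DataCount, DataOffset, SetupCount
    param_count, param_off, data_count, data_off, setup_count = struct.unpack_from(
        "<HHHHB", msg, words_off + 18)
    if word_count != 14 + setup_count:
        return None
    bytecount_off = words_off + WORDS_LEN + 2 * setup_count
    if len(msg) < bytecount_off + 2:
        return None
    byte_count = struct.unpack_from("<H", msg, bytecount_off)[0]
    name_start = bytecount_off + 2
    end = min(len(msg), name_start + byte_count)
    if unicode and name_start & 1:
        name_start += 1      # Unicode names are padded to a 2-byte boundary
    # the name must end before the parameter or data block, if either is present
    for count, off in ((param_count, param_off), (data_count, data_off)):
        if count and name_start <= off < end:
            end = off
    if not unicode:
        return msg.find(b"\x00", name_start, end) != -1
    return any(msg[i:i + 2] == b"\x00\x00" for i in range(name_start, end - 1, 2))


def build_transaction(name: str, unicode: bool = True, terminated: bool = True) -> bytes:
    """Constructed sample request with no parameter/data blocks, for exercising the check."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    header = b"\xffSMB" + struct.pack("<BIBH", SMB_COM_TRANSACTION, 0, 0x18, flags2) + b"\x00" * 20
    if unicode:
        body = b"\x00" + name.encode("utf-16le") + (b"\x00\x00" if terminated else b"")
    else:
        body = name.encode("ascii") + (b"\x00" if terminated else b"")
    words = struct.pack("<HHHHBBHIHHHHHBB", *([0] * 15))  # all counts/offsets zero
    return header + bytes([14]) + words + struct.pack("<H", len(body)) + body
```

A sensor feeding reassembled SMB requests into transaction_name_terminated() would alert on a False result; None means the message is not a transaction request and needs no further inspection here.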

*References/Additional information*:

[1] http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

[2] http://xforce.iss.net/xforce/alerts/id/230

[3] http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx

[4] http://xforce.iss.net/xforce/alerts/id/231


*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.

We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:

http://www.coresecurity.com/corelabs/

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide. The company’s flagship
product, CORE IMPACT, is the first automated penetration testing product
for assessing specific information security threats to an organization.
Penetration testing evaluates overall network security and identifies what
resources are exposed. It enables organizations to determine if current
security investments are detecting and preventing attacks.

Core augments its leading technology solution with world-class security
consulting services, including penetration testing, software security
auditing and related training.

Based in Boston, MA, and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.

*DISCLAIMER:*

The contents of this advisory are copyright (c) 2006 CORE Security
Technologies and (c) 2006 Corelabs, and may be distributed freely provided
that no fee is charged for this distribution and proper credit is given.

$Id: Windows-mailslot-DOS.txt,v 1.3 2006/08/14 22:17:24 iarce Exp $
