Date: Thu, 15 Jun 2006 20:43:06 +0200
From: Reversemode <advisories@...ersemode.com>
To: bugtraq@...urityfocus.com
Subject: Regarding "SMB Invalid Handle Value" - MS06-030. Vulnerability not
 fixed.



Hi,

Just to confirm that Microsoft has not fixed the NtClose/ZwClose
DeadLock vulnerability. The bulletin MS06-030 addressed this flaw as
"SMB Invalid Handle Value", which is just a euphemism from my point of
view.

The code added to mrxsmb.sys is just a wrapper in order to avoid the
"Invalid Handle".

I am sure that Microsoft has its own reasons to do this, which I do not
care about. I'm not interested in discussing. However, I think that the
Driver Developer community should be informed that by using
NtClose/ZwClose, the driver will be exposed to a security issue by
default. If this issue is considered a feature, please document it.
A developer is not strictly required to know this behaviour.

------
case IOCTL_CLOSEHANDLE_DEADLOCK:

    inBuf = Irp->AssociatedIrp.SystemBuffer;
    ZwClose((HANDLE)inBuf[0]);
------

References: -Reversing mrxsmb.sys, Chapter II "NtClose DeadLock"-
http://www.reversemode.com/index.php?option=com_content&task=view&id=14&Itemid=1


Rubén Santamarta,
www.reversemode.com
