Message-ID: <4AA68503.3010503@reversemode.com>
Date: Tue, 08 Sep 2009 18:23:31 +0200
From: Reversemode <advisories@...ersemode.com>
To: bugtraq@...urityfocus.com
Subject: Regarding Microsoft srv2.sys SMB2.0 NEGOTIATE BSOD 


-----------------------
References:
[Original Advisory] Laurent Gaffié
http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html
-----------------------

Hi all,

Just for the record, since the vulnerability is not only a DoS as stated
initially. Below are the technical details I found while verifying the flaw.

* This vulnerability is not only a BSOD flaw. It allows remote code
execution. The execution of code is far from being reliable though (at
the moment).

The flaw is an out-of-bounds indexing. We can fully control the 16-bit
value used as index within the function table.

----------------------
srv2.sys (Vista)

.text:000156B3 loc_156B3:                            ; CODE XREF: Smb2ValidateProviderCallback(x)+4D5.j
.text:000156B3                                       ; Smb2ValidateProviderCallback(x)+4DE.j
.text:000156B3  movzx   eax, word ptr [esi+0Ch]      ; packet->SMB_Header->Process_ID_High
.text:000156B7  mov     eax, _ValidateRoutines[eax*4] ; BUG - out-of-bounds dereference.
.text:000156BE  test    eax, eax
.text:000156C0  jnz     short loc_156C9
.text:000156C2  mov     eax, 0C0000002h
.text:000156C7  jmp     short loc_156CC
.text:000156C9 ; ---------------------------------------------------------------------------
.text:000156C9
.text:000156C9 loc_156C9:                            ; CODE XREF: Smb2ValidateProviderCallback(x)+4F3.j
.text:000156C9  push    ebx
.text:000156CA  call    eax                          ; Smb2ValidateNegotiate(x) - KABOOOM!!

-----------------------

* The exploit provided by Laurent Gaffié (the researcher who discovered
the flaw) may or may not work since it is based on dereferencing a
non-paged memory page. If the original exploit didn't work, it would
probably have dereferenced zeroed memory. You can try ProcessIDHigh values >
0x13 since any of these should trigger the flaw.

Affected versions: Windows Vista - Windows 7 - Windows Server 2008.

-*---*-

More technical details (English)
http://www.reversemode.com/index.php?option=com_content&task=view&id=64&Itemid=1

Technical details (Spanish)
http://blog.48bits.com/?p=510

Regards,
Rubén.
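As an added illustration of the bug class described in the post (not srv2.sys code and not the author's): a dispatcher that reads the 16-bit ProcessIdHigh field from the SMB2 header and range-checks it before indexing the validate-routine table. The header offset 0x0C comes from the listing; the table size of 0x14 entries is assumed from the "> 0x13" remark, and the stub routine, table contents and the status for a rejected index are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not srv2.sys code. Models the dispatch in the listing:
 * ProcessIdHigh (16-bit, little-endian, header offset 0x0C) selects a
 * validate routine. Table size 0x14 is assumed from the "> 0x13" remark;
 * 0xC0000002 is the status the listing returns for an empty slot. */
#define SMB2_HDR_LEN             64
#define PID_HIGH_OFF             0x0C
#define NUM_VALIDATE_ROUTINES    0x14        /* valid indices 0..0x13 */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_NOT_IMPLEMENTED   0xC0000002u
#define STATUS_INVALID_PARAMETER 0xC000000Du

typedef uint32_t (*validate_fn)(const uint8_t *pkt, size_t len);

static uint32_t validate_negotiate(const uint8_t *pkt, size_t len)
{
    (void)pkt; (void)len;
    return STATUS_SUCCESS;               /* stand-in for Smb2ValidateNegotiate */
}

/* Hypothetical table: slot 0 populated, remaining slots NULL. */
static validate_fn validate_routines[NUM_VALIDATE_ROUTINES] = { validate_negotiate };

/* Hardened dispatcher: the index is range-checked before it indexes the table. */
uint32_t dispatch_validate(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < SMB2_HDR_LEN)
        return STATUS_INVALID_PARAMETER;
    uint16_t idx = (uint16_t)(pkt[PID_HIGH_OFF] | (pkt[PID_HIGH_OFF + 1] << 8));
    if (idx >= NUM_VALIDATE_ROUTINES)    /* the check the vulnerable code lacks */
        return STATUS_INVALID_PARAMETER;
    validate_fn fn = validate_routines[idx];
    if (fn == NULL)                      /* the listing's 0C0000002h branch */
        return STATUS_NOT_IMPLEMENTED;
    return fn(pkt, len);
}

/* Builds a constructed 64-byte header carrying pid_high and dispatches it. */
uint32_t check_pid_high(uint16_t pid_high)
{
    uint8_t hdr[SMB2_HDR_LEN];
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 0xFE; hdr[1] = 'S'; hdr[2] = 'M'; hdr[3] = 'B';   /* SMB2 protocol id */
    hdr[PID_HIGH_OFF]     = (uint8_t)(pid_high & 0xFF);
    hdr[PID_HIGH_OFF + 1] = (uint8_t)(pid_high >> 8);
    return dispatch_validate(hdr, sizeof hdr);
}
```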
