‘Windows SMB Client Transaction Response Handling Technical Details (MS05-011)’

Summary

eEye Digital Security has discovered a vulnerability in Windows SMB client’s handling of SMB responses. An attacker who can cause an affected system to connect to the SMB service on a malicious host may exploit this vulnerability in order to execute code on the victim’s machine.’

Credit:

‘The information has been provided by Marc Maiffret.
The original article can be found at: http://www.eeye.com/html/research/advisories/AD20050208.html


Details

Vulnerable Systems:
 * Windows 2000
 * Windows XP
 * Windows Server 2003
For detailed information regarding vulnerable systems refer to the advisory linked in the ‘Vendor Status’ section below.

The driver MRXSMB.SYS is responsible for performing SMB client operations and processing the responses returned by an SMB server service. A number of important Windows File Sharing operations, and all RPC-over-named-pipes, use the SMB commands Trans (25h) and Trans2 (32h). A malicious SMB server can respond with specially crafted Transaction response data that will cause an overflow wherever the data is handled, either in MRXSMB.SYS or in client code to which it provides data. One example would be if the file name and short file name length fields in a Trans2 FIND_FIRST2 response packet can be supplied with inappropriately large values in order to cause an excessive memcpy to occur when the data is handled. In the case of these examples an attacker could leverage file:// links, that when clicked by a remote user, would lead to code execution.

Vendor Status:
Advisory release date: February 8, 2005
Date Reported to vendor: August 2, 2004

Microsoft has released an advisory and patches for this vulnerability. The patch is available at: Vulnerability in Server Message Block Could Allow Remote Code Execution

Categories: Windows