Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

EEYE: Windows SMB Client Transaction Response Handling Vulnerability

from [Marc Maiffret] Network Security [Permanent Link]
Subject: EEYE: Windows SMB Client Transaction Response Handling Vulnerability
Date: Tue, 8 Feb 2005 16:16:51 -0800 
Windows SMB Client Transaction Response Handling Vulnerability

Release Date:
February 8, 2005

Date Reported:
August 2, 2004

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 2000
Windows XP
Windows Server 2003

Overview:
eEye Digital Security has discovered a vulnerability in Windows SMB
client's handling of SMB responses. An attacker who can cause an
affected system to connect to the SMB service on a malicious host may
exploit this vulnerability in order to execute code on the victim's
machine.

Technical Details:
The driver MRXSMB.SYS is responsible for performing SMB client
operations and processing the responses returned by an SMB server
service. A number of important Windows File Sharing operations, and all
RPC-over-named-pipes, use the SMB commands Trans (25h) and Trans2 (32h).
A malicious SMB server can respond with specially crafted Transaction
response data that will cause an overflow wherever the data is handled,
either in MRXSMB.SYS or in client code to which it provides data. One
example would be if the file name and short file name length fields in a
Trans2 FIND_FIRST2 response packet can be supplied with inappropriately
large values in order to cause an excessive memcpy to occur when the
data is handled. In the case of these examples an attacker could
leverage file:// links, that when clicked by a remote user, would lead
to code execution.

Protection:
Retina - Network Security Scanner - has been updated to identify this
vulnerability.
Blink - End-Point Vulnerability Prevention - protects from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at: 
http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx

Credit:
Yuji Ukai, Derek Soeder

Related Links:
Retina - Network Security Scanner -
http://www.eeye.com/html/products/retina/index.html
Blink - End-Point Vulnerability Prevention -
http://www.eeye.com/html/products/blink/index.html

Greetings:
KiP(he is back), altoids, cretz, hsj, commit(it works well...), Ink,
Rhone, Rose, Mr. White, Chris, Joy, Spot, Alena, Brey, and Cristo.

Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an 
Anti-Virus product which automatically notifies the perceived sender of a 
message it believes is infected may well cause more harm than good. Someone who 
did not actually send you a virus may receive the notification and scramble 
their support staff to find an infection which never existed in the first 
place. Suggest such notifications be disabled by whomever is responsible for 
your AV, or at least that the idea is considered.
--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • EEYE: Windows SMB Client Transaction Response Handling Vulnerability, Marc Maiffret <=
Previous by Date:  MajorRev: v2.0 Microsoft Security Bulletin MS04-035 - Vulnerability in SMTP Could Allow Remote Code Execution (885881), Russ Cooper
Next by Date:  FW: [SA14179] Symantec Multiple Products UPX Parsing Engine Buffe r Overflow, Mitlyng, Matthew J. SGT (MN)
Previous by Thread:  MajorRev: v2.0 Microsoft Security Bulletin MS04-035 - Vulnerability in SMTP Could Allow Remote Code Execution (885881), Russ Cooper
Next by Thread:  FW: [SA14179] Symantec Multiple Products UPX Parsing Engine Buffe r Overflow, Mitlyng, Matthew J. SGT (MN)
Indexes:  [Date] [Thread] [Top] [All Lists]