-=PCTechTalk=- Vista Users!

  • From: "Larry Southerland" <larrysoutherland@xxxxxxxxxxxxx>
  • To: <the_bullhorn2@xxxxxxxxxxxxxxx>, <thebullhornsbest@xxxxxxxxxxxxxxx>, <Puters_N_Such@xxxxxxxxxxxxxxx>, <pctechtalk@xxxxxxxxxxxxx>
  • Date: Wed, 9 Sep 2009 15:51:50 -0400


http://blogs.zdnet.com/security/?p=4228&tag=nl.e589

September 9th, 2009

Microsoft confirms SMB2 vulnerability, warns of code execution risk

Posted by Ryan Naraine @ 9:10 am


Microsoft has issued a formal security advisory to confirm the remote reboot
flaw <http://blogs.zdnet.com/security/?p=4222> in its implementation of the
SMB2 protocol, going a step further to warn that a successful attack could
lead to remote code execution and full system takeover.

The vulnerability, which was originally released as a denial-of-service
issue, does not affect the RTM version of Windows 7, Microsoft said. It
appears Microsoft fixed <http://twitter.com/jness/statuses/3856921104> the
flaw in Windows 7 build ~7130, just after RC1. Windows Vista and Windows
Server 2008 users remain at risk.

The Microsoft advisory
<http://www.microsoft.com/technet/security/advisory/975497.mspx> is
somewhat confusing. It mentions the plural "vulnerabilities" in the title
but later warns of "a possible vulnerability in Microsoft Server Message
Block (SMB) implementation."

[ SEE: Windows 7, Vista exposed to 'teardrop attack'
<http://blogs.zdnet.com/security/?p=4222> ]

It is, however, very clear about the risk severity:

An attacker who successfully exploited this vulnerability could take
complete control of an affected system. Most attempts to exploit this
vulnerability will cause an affected system to stop responding and restart.

[ SEE: Microsoft patches gaping Windows worm holes
<http://blogs.zdnet.com/security/?p=4217> ]

Microsoft points to this CVE entry
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103> to
explain the actual bug:

Array index error in the SMB2 protocol implementation in srv2.sys in
Microsoft Windows 7, Server 2008, and Vista Gold, SP1, and SP2 allows remote
attackers to cause a denial of service (system crash) via an & (ampersand)
character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST
packet, which triggers an attempted dereference of an out-of-bounds memory
location.

Proof of concept code, which allows an attacker to remotely crash any
vulnerable machine with SMB enabled, is publicly available.

In the absence of a patch, Microsoft recommends that users disable SMB v2 and
block TCP ports 139 and 445 at the firewall.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab
<http://www.kaspersky.com>. He manages Threatpost.com
<http://www.threatpost.com>, a security news portal. Here is Ryan's full
profile <http://blogs.zdnet.com/bio.php#naraine> and disclosure
<http://blogs.zdnet.com/security/?page_id=324> of his industry
affiliations.
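The two interim workarounds the article names (disable SMB v2, block TCP 139 and 445 at the firewall) as an elevated PowerShell script for Vista / Server 2008. This is an added example, not code from the article or from Microsoft; it assumes the Smb2 DWORD under LanmanServer\Parameters (the advisory's documented way to turn off SMB2, not mentioned in the article) and netsh advfirewall, and the firewall rule names are my own.

```powershell
# Added example: apply and verify the interim SMB2 workarounds while no
# patch is available. Run from an elevated PowerShell prompt.
# Assumptions: the Smb2 registry DWORD is what the Server service reads to
# decide whether to offer SMB2; netsh advfirewall is present (Vista+).

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$rules = @{ 'Block SMB TCP 139 (SMB2 workaround)' = 139   # hypothetical names
            'Block SMB TCP 445 (SMB2 workaround)' = 445 }

function Disable-Smb2 {
    # Smb2 = 0 stops the Server service from negotiating SMB2; the service
    # has to be restarted before the change takes effect.
    Set-ItemProperty -Path $paramKey -Name 'Smb2' -Type DWord -Value 0 -Force
    Restart-Service -Name 'LanmanServer' -Force
}

function Block-SmbPorts {
    foreach ($name in $rules.Keys) {
        $port = "localport=$($rules[$name])"
        # netsh reports failure as text, not an exception, so echo its output
        # for the operator to read.
        $out = netsh advfirewall firewall add rule name="$name" dir=in `
               action=block protocol=TCP $port
        Write-Output "$name -> $out"
    }
}

function Test-Workaround {
    # True only when SMB2 is off and every block rule exists and is enabled.
    $smb2 = (Get-ItemProperty -Path $paramKey -Name 'Smb2' `
             -ErrorAction SilentlyContinue).Smb2
    $ok = ($smb2 -eq 0)
    foreach ($name in $rules.Keys) {
        $show = netsh advfirewall firewall show rule name="$name"
        if (-not ($show -match 'Enabled:\s+Yes')) { $ok = $false }
    }
    return $ok
}

Disable-Smb2
Block-SmbPorts
if (Test-Workaround) { 'SMB2 disabled and TCP 139/445 blocked inbound' }
else { 'Workaround incomplete; review the output above' }
```

Blocking 445 also cuts off legitimate file and print sharing to the host, so the rules are meant to be removed once the patch is applied.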
