EEYE: Windows SMB Client Transaction Response Handling Vulnerability

From: Marc Maiffret (mmaiffret_at_EEYE.COM)
Date: 02/09/05

  • Next message: Russ Cooper: "MinorRev: Microsoft Security Bulletin MS04-035 - Vulnerability in SMTP Could Allow Remote Code Execution (885881)"
    Date:         Tue, 8 Feb 2005 16:16:51 -0800

    Windows SMB Client Transaction Response Handling Vulnerability

    Release Date:
    February 8, 2005

    Date Reported:
    August 2, 2004

    High (Remote Code Execution)


    Systems Affected:
    Windows 2000
    Windows XP
    Windows Server 2003

    eEye Digital Security has discovered a vulnerability in Windows SMB
    client's handling of SMB responses. An attacker who can cause an
    affected system to connect to the SMB service on a malicious host may
    exploit this vulnerability in order to execute code on the victim's

    Technical Details:
    The driver MRXSMB.SYS is responsible for performing SMB client
    operations and processing the responses returned by an SMB server
    service. A number of important Windows File Sharing operations, and all
    RPC-over-named-pipes, use the SMB commands Trans (25h) and Trans2 (32h).
    A malicious SMB server can respond with specially crafted Transaction
    response data that will cause an overflow wherever the data is handled,
    either in MRXSMB.SYS or in client code to which it provides data. One
    example would be if the file name and short file name length fields in a
    Trans2 FIND_FIRST2 response packet can be supplied with inappropriately
    large values in order to cause an excessive memcpy to occur when the
    data is handled. In the case of these examples an attacker could
    leverage file:// links, that when clicked by a remote user, would lead
    to code execution.

    Retina - Network Security Scanner - has been updated to identify this
    Blink - End-Point Vulnerability Prevention - protects from this

    Vendor Status:
    Microsoft has released a patch for this vulnerability. The patch is
    available at:

    Yuji Ukai, Derek Soeder

    Related Links:
    Retina - Network Security Scanner -
    Blink - End-Point Vulnerability Prevention -

    KiP(he is back), altoids, cretz, hsj, commit(it works well...), Ink,
    Rhone, Rose, Mr. White, Chris, Joy, Spot, Alena, Brey, and Cristo.

    Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
    granted for the redistribution of this alert electronically. It is not
    to be edited in any way without express consent of eEye. If you wish to
    reprint the whole or any part of this alert in any other medium
    excluding electronic medium, please email for permission.

    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are no warranties, implied or express, with regard to this information.
    In no event shall the author be liable for any direct or indirect
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the user's
    own risk.

    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.

  • Next message: Russ Cooper: "MinorRev: Microsoft Security Bulletin MS04-035 - Vulnerability in SMTP Could Allow Remote Code Execution (885881)"

    Relevant Pages