[NT] Microsoft SRV.SYS Mailslot Ring0 Memory Corruption (MS06-035)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Jul 2006 00:51:23 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft SRV.SYS Mailslot Ring0 Memory Corruption (MS06-035)
------------------------------------------------------------------------
SUMMARY
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Microsoft Windows operating system.
DETAILS
Vulnerable Systems:
* Windows 2000
* Windows XP SP1
* Windows XP SP2
* Windows 2003
* Windows 2003 SP1
According to the Microsoft Developer Network (MSDN) documentation,
Mailslot communications are divided into two classes. First-class
Mailslots are connection oriented and operate over SMB/TCP.
Second-class Mailslots provide connectionless messaging for broadcast
messages and operate over SMB/UDP. Second-class Mailslots are limited to
424 bytes per message. First-class Mailslots are officially unsupported in
the Windows 2000, XP and 2003 operating systems.
The specific flaw exists within the SRV.SYS driver, which is responsible
for handling all Server Message Block (SMB) traffic. During the processing
of first-class Mailslot messages, an exploitable memory corruption
condition is created. As a side effect, attackers are also capable of
exceeding the second-class Mailslot message size limitation.
It is important to note that this vulnerability affects more than just the
Windows kernel. Applications built on Mailslot communications that rely on
the message size restriction of second-class Mailslots are likely to be
affected by this vulnerability.
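As an added illustration, not part of the advisory or of TippingPoint's material, the following Python decodes SMB1 Transaction requests that carry a mailslot write and raises the two findings a network monitor would want for this advisory: a first-class write (the Class setup word equal to 1, which the affected Windows versions do not support) and a payload larger than the 424-byte second-class limit. The field layout follows the SMB1 SMB_COM_TRANSACTION and Mailslot Write formats as I read them from Microsoft's MS-SMB and MS-MAIL documents; `build_mailslot_write` only constructs sample input for the parser and is not captured traffic.

```python
import struct

SMB_COM_TRANSACTION = 0x25   # SMB1 Trans request, the carrier for mailslot writes
MAILSLOT_WRITE = 0x0001      # Setup[0] opcode of a Mailslot Write
SECOND_CLASS_MAX = 424       # per-message limit the advisory cites for second-class mailslots
TRANS_FIXED = "<HHHHBBHIHHHHHBB"  # the 14 fixed parameter words of SMB_COM_TRANSACTION

def parse_mailslot_write(pkt):
    """Return the fields of a mailslot write, or None if pkt is not one."""
    if len(pkt) < 33 or pkt[:4] != b"\xffSMB" or pkt[4] != SMB_COM_TRANSACTION:
        return None
    word_count = pkt[32]
    words = pkt[33:33 + 2 * word_count]
    if word_count < 17 or len(words) < 34:   # 14 fixed words + 3 setup words
        return None
    fixed = struct.unpack_from(TRANS_FIXED, words, 0)
    data_count, data_off, setup_count = fixed[11], fixed[12], fixed[13]
    if setup_count != 3:
        return None
    opcode, priority, mailslot_class = struct.unpack_from("<HHH", words, 28)
    if opcode != MAILSLOT_WRITE:
        return None
    bc_off = 33 + 2 * word_count                  # ByteCount, then the NUL-terminated name
    name_end = pkt.find(b"\x00", bc_off + 2)
    if name_end < 0:
        return None
    name = pkt[bc_off + 2:name_end].decode("ascii", "replace")
    if not name.upper().startswith("\\MAILSLOT\\"):
        return None
    return {"name": name, "class": mailslot_class, "priority": priority,
            "data_len": data_count, "data": pkt[data_off:data_off + data_count]}

def inspect_mailslot(pkt):
    """Findings for the two conditions the advisory describes; None if not a mailslot write."""
    m = parse_mailslot_write(pkt)
    if m is None:
        return None
    findings = []
    if m["class"] == 1:
        findings.append("first-class mailslot write (unsupported on affected Windows versions)")
    if m["data_len"] > SECOND_CLASS_MAX:
        findings.append("mailslot payload of %d bytes exceeds the %d-byte second-class limit"
                        % (m["data_len"], SECOND_CLASS_MAX))
    return findings

def build_mailslot_write(name, mailslot_class, data, priority=0):
    """Constructed sample input for the parser (minimal SMB1 mailslot write, not real traffic)."""
    header = b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 27   # status..MID zeroed
    name_bytes = name.encode("ascii") + b"\x00"
    data_off = 32 + 1 + 34 + 2 + len(name_bytes)   # header, WordCount, words, ByteCount, name
    words = struct.pack(TRANS_FIXED, 0, len(data), 0, 0, 0, 0, 0, 0, 0,
                        0, data_off, len(data), data_off, 3, 0)
    words += struct.pack("<HHH", MAILSLOT_WRITE, priority, mailslot_class)
    return (header + bytes([17]) + words
            + struct.pack("<H", len(name_bytes) + len(data)) + name_bytes + data)
```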
CVE Information:
CVE-2006-1314 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1314>
Disclosure Timeline:
2006.03.01 - Vulnerability reported to vendor
2006.07.11 - Coordinated public release of advisory
ADDITIONAL INFORMATION
The information has been provided by Tippingpoint Security <mailto:tsrt@xxxxxxxxxxxxxxxx>.
The original article can be found at:
<http://www.tippingpoint.com/security/advisories/TSRT-06-02.html>