[NT] Microsoft SRV.SYS SMB_COM_TRANSACTION DoS
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 17 Aug 2006 15:19:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft SRV.SYS SMB_COM_TRANSACTION DoS
While investigating the Microsoft Server Service Mailslot heap overflow
vulnerability reported in Microsoft Security Bulletin MS06-035, Core
Security Technologies researcher Gerardo Richarte discovered a second bug
in the server service.
This new vulnerability affects Windows systems with and without the
MS06-035 and any subsequent patches up to the date of publication of this
Proof-of-concept code to exploit the vulnerability was made publicly
available in or around July 19th, 2006 and at least one third party
security vendor published a security advisory describing the bug.
Further analysis of the vulnerability seems to indicate that exploitation
is limited to a remote denial of service attack without the need of user
The vendor was notified of the finding on July 14th, 2006 and has
indicated that issuance of a fix is tentatively scheduled for the November
patch release. [see "Vendors contacted" section below]
* Windows 2000 SP0-SP4
* Windows NT4 SP6a
* Windows XP SP0-SP2
* Windows 2003 SP0-SP1
* Windows Vista beta 2 build 5381
The vulnerability can be triggered by sending a malformed
SMB_COM_TRANSACTION SMB message (0x25) that includes a string that is not
properly null terminated.
The crash was originally triggered by sending an SMB_COM_TRANSACTION
message using the string "\\MAILSLOT\LANMAN" (without NUL termination) in
an attempt to reproduce the MS06-035 bug(s).
The observed crash was actually inside __imp___wcsnicmp, when the string
"\\MAILSLOT" is compared to a NULL pointer. The following code, from
ExecuteTransaction(), is the call site of wcsnicmp().
SRV.SYS:0002f487: push 9
SRV.SYS:0002f489: push "\\MAILSLOT"
SRV.SYS:0002f48f: push dword ptr [eax+24h]      <-- [eax+24] is NULL
SRV.SYS:0002f492: call ds:__imp___wcsnicmp       <-- Crash Inside (tm)
SRV.SYS:0002f498: add esp, 0ch
SRV.SYS:0002f49b: test eax, eax
SRV.SYS:0002f49d: jnz loc_2f4aa
SRV.SYS:0002f49f: push esi
SRV.SYS:0002f4a0: call _MailslotTransaction@4    <-- execution flow does not reach this point
SRV.SYS:0002f4a5: jmp loc_20bf6
Since the call to MailslotTransaction() is never reached and the crash is
triggered before that call we conclude that the bug is not specifically
related to MAILSLOT functionality. Upon further investigation it became
apparent that any SMB_COM_TRANSACTION message with a string that is not
null terminated will trigger a crash.
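The root cause described above is a classic unchecked-terminator pattern: the transaction name is parsed out of an attacker-controlled buffer, the parser finds no NUL inside the buffer and leaves the name pointer NULL, and the caller hands that NULL straight to wcsnicmp(). The following C program is an added example written for this advisory, not srv.sys code or a Core Security exploit; it shows the hardened form of that prologue, where the terminator scan is bounded by the buffer length and the dispatcher refuses to compare a name that has no terminator. The function names, the `tx_kind` result type and the portable `wcsnicmp16` stand-in for the CRT's `_wcsnicmp` are assumptions of this example, and the three sample names are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not srv.sys code): classify an SMB_COM_TRANSACTION name
 * only after validating that it is NUL-terminated inside the buffer. */

typedef enum { TX_MAILSLOT, TX_OTHER, TX_MALFORMED } tx_kind;

/* Number of UTF-16 code units before the NUL terminator, or -1 when the
 * buffer (length `units`, in code units) ends before any terminator. */
static long find_wstr_len(const uint16_t *buf, size_t units) {
    for (size_t i = 0; i < units; i++)
        if (buf[i] == 0) return (long)i;
    return -1;   /* missing terminator: the defect the advisory describes */
}

/* Case-insensitive compare of up to n code units (ASCII folding only).
 * Portable stand-in for _wcsnicmp, which srv.sys calls at 0002f492. */
static int wcsnicmp16(const uint16_t *a, const uint16_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint16_t ca = a[i], cb = b[i];
        if (ca >= 'A' && ca <= 'Z') ca = (uint16_t)(ca + ('a' - 'A'));
        if (cb >= 'A' && cb <= 'Z') cb = (uint16_t)(cb + ('a' - 'A'));
        if (ca != cb) return (int)ca - (int)cb;
        if (ca == 0) return 0;
    }
    return 0;
}

/* Hardened equivalent of the ExecuteTransaction() prologue: the
 * "\MAILSLOT" prefix (9 code units, matching the "push 9") is compared
 * only when a terminated name of sufficient length exists. */
tx_kind classify_transaction(const uint16_t *name_buf, size_t units) {
    static const uint16_t mailslot[] =
        {'\\','M','A','I','L','S','L','O','T'};
    const size_t mailslot_len = sizeof mailslot / sizeof mailslot[0];

    long len = find_wstr_len(name_buf, units);
    if (len < 0)                       /* no NUL in buffer: reject, never compare */
        return TX_MALFORMED;
    if ((size_t)len >= mailslot_len &&
        wcsnicmp16(name_buf, mailslot, mailslot_len) == 0)
        return TX_MAILSLOT;
    return TX_OTHER;
}

/* Constructed sample names (UTF-16 code units), not captured packets. */
static const uint16_t good_name[] =
    {'\\','M','A','I','L','S','L','O','T','\\','L','A','N','M','A','N',0};
static const uint16_t pipe_name[] =
    {'\\','P','I','P','E','\\','L','A','N','M','A','N',0};
static const uint16_t bad_name[] =          /* no terminating NUL */
    {'\\','m','a','i','l','s','l','o','t','\\','L','A','N','M','A','N'};

#define UNITS(a) (sizeof (a) / sizeof (a)[0])

int main(void) {
    static const char *label[] = {"MAILSLOT", "OTHER", "MALFORMED"};
    printf("good_name -> %s\n", label[classify_transaction(good_name, UNITS(good_name))]);
    printf("pipe_name -> %s\n", label[classify_transaction(pipe_name, UNITS(pipe_name))]);
    printf("bad_name  -> %s\n", label[classify_transaction(bad_name,  UNITS(bad_name))]);
    return 0;
}
```

The point of the example is the ordering: validation of the length-bounded terminator happens before any pointer derived from the name is dereferenced, so a message that is missing its terminator is rejected with an error code rather than reaching the comparison with a NULL operand.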
2006-07-12: Microsoft Security Bulletin MS06-035
2006-07-12: Core releases exploit for MS06-035 to customers
2006-07-14: Customers report that exploit works against fully patched
2006-07-14: Core's initial notification to vendor of new bug discovery
2006-07-14: Vendor acknowledges notification, requests details/PoC
2006-07-14: Core provides sample PoC code to vendor
2006-07-14: Vendor acknowledgment, case opened
2006-07-19: Proof-of-concept becomes publicly available
2006-07-27: Vendor confirms as new issue and repro
2006-07-28: IDS/IPS security vendor (ISS) advisory discloses
vulnerability in the MS06-035 detection module
2006-07-28: Vendor discloses vulnerability on MSRC blog
2006-07-28: ISS security advisory about publicly available "misconstrued
Mailslot vulnerability" proof-of-concept exploit
2006-08-11: Vendor communicates tentative plan for a fix in November,
2006-08-14: Advisory CORE-2006-07-14 published
The information has been provided by Core Security Technologies
The original article can be found at: