Regarding "SMB Invalid Handle Value" - MS06-030. Vulnerability not fixed.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Regarding "SMB Invalid Handle Value" - MS06-030. Vulnerability not fixed.
From: Reversemode <advisories@xxxxxxxxxxxxxxx>
Date: Thu, 15 Jun 2006 20:43:06 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

Hi,

Just to confirm that Microsoft has  not fixed the NtClose/ZwClose
DeadLock vulnerability. The bulletin MS06-030 addressed this flaw as
"SMB Invalid Handle Value" which is just an euphemism under my point of
view.

The code added to mrxsmb.sys is just a wrapper in order to avoid the
"Invalid Handle".

I am sure that Microsoft has its own reasons to do this, I do not care
about. I'm not interested in discussing. However, I think that the
Driver Developer community should be informed that using
NtClose/ZwClose, the driver will be exposed to a security issue by
default.  If this issue is considered as a feature, please, document it.
A developer is not extrictely required to know this behaviour.

------
case IOCTL_CLOSEHANDLE_DEADLOCK:
        
        inBuf = Irp->AssociatedIrp.SystemBuffer;
        ZwClose((HANDLE)inBuf[0]);
------

References: -Reversing mrxsmb.sys , Chapter II "NtClose DeadLock"-
http://www.reversemode.com/index.php?option=com_content&task=view&id=14&Itemid=1


Rubén Santamarta,
www.reversemode.com

Prev by Date: [ GLSA 200606-18 ] PAM-MySQL: Multiple vulnerabilities
Next by Date: [ GLSA 200606-17 ] OpenLDAP: Buffer overflow
Previous by thread: [ GLSA 200606-18 ] PAM-MySQL: Multiple vulnerabilities
Next by thread: [ GLSA 200606-17 ] OpenLDAP: Buffer overflow
Index(es):
- Date
- Thread