CORE-2006-0714: Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service
Core Security Technologies Advisory
http://www.coresecurity.com
Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service
Date Published: 2006-08-14
Last Update: 2006-08-14
Advisory ID: CORE-2006-0714
Bugtraq ID: 19215
CVE Name: CVE-2006-3942
Title: Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service
Class: Failure to Handle Exceptional Conditions
Remotely Exploitable: Yes
Locally Exploitable: Yes
Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10
Vendors contacted:
- Microsoft
. 2006-07-12: Microsoft Security Bulletin MS06-035[1]
. 2006-07-12: Core releases exploit for MS06-035 to customers
. 2006-07-14: Customers report that exploit works against fully patched
systems
. 2006-07-14: Core's initial notification to vendor of new bug discovery
. 2006-07-14: Vendor acknowledges notification, requests details/PoC
. 2006-07-14: Core provides sample PoC code to vendor
. 2006-07-14: Vendor acknowledgment, case opened
. 2006-07-19: Proof-of-concept becomes publicly available
. 2006-07-27: Vendor confirms as new issue and repro
. 2006-07-28: IDS/IPS security vendor (ISS) advisory discloses
vulnerability in the MS06-035 detection module[2]
. 2006-07-28: Vendor discloses vulnerability on MSRC blog[3]
. 2006-07-28: ISS security advisory about publicly available "misconstrued
Mailslot vulnerability" proof-of-concept exploit[4]
. 2006-08-11: Vendor communicates tentative plan for a fix in
November, 2006
. 2006-08-14: Advisory CORE-2006-07-14 published
Release Mode: FORCED RELEASE
*Vulnerability Description:*
While investigating the Microsoft Server Service Mailslot heap overflow
vulnerability reported in Microsoft Security Bulletin MS06-035 [1], Core
Security Technologies researcher Gerardo Richarte discovered a second bug
in the server service.
This new vulnerability affects Windows systems with and without the
MS06-035 and any subsequent patches up to the date of publication of this
advisory.
Proof-of-concept code to exploit the vulnerability was made publicly
available in or around July 19th, 2006 and at least one third party
security vendor published a security advisory describing the bug.
Further analysis of the vulnerability seems to indicate that exploitation
is limited to a remote denial of service attack without the need of user
authentication.
The vendor was notified of the finding on July 14th, 2006 and has
indicated that issuance of a fix is tentatively scheduled for the November
patch release. [see "Vendors contacted" section above]
*Vulnerable Packages:*
- Windows 2000 SP0-Sp4
- Windows NT4 SP6a
- Windows XP SP0-SP2
- Windows 2003 SP0-SP1
*Not vulnerable Packages:*
- Windows Vista beta 2 build 5381
*Solution/Vendor Information/Workaround:*
. Block inbound connections to ports 139/tcp and 445/tcp
. IDS/IPS signatures should detect the presence of strings not
terminated with NUL in SMB_COM_TRANSACTION messages
*Credits:*
This vulnerability was accidentally found by Gerardo Richarte from Core
Security Technologies while looking for technical details about Microsoft
Security Bulletin MS06-035
*Technical Description - Exploit/Concept Code:*
The vulnerability can be triggered by sending a malformed
SMB_COM_TRANSACTION SMB message (0x25) that includes a string that is not
properly null terminated.
The crash was originally triggered by sending a SMB_COM_TRANSACTION
message using the string "\\MAILSLOT\LANMAN" (without NUL termination) in
an attempt to reproduce the MS06-035 bug(s).
The observed crash was actually inside __imp___wcsnicmp, when the string
"\\MAILSLOT" is compared to a NULL pointer. The following code, from
ExecuteTransaction(), is where wcsnicmp() is called from.
SRV.SYS:0002f487: push 9
SRV.SYS:0002f489: push "\\MAILSLOT"
SRV.SYS:0002f48f: push dword ptr [eax+24h] <-- [eax+24] is NULL
SRV.SYS:0002f492: call ds:__imp___wcsnicmp <-- Crash Inside (tm)
SRV.SYS:0002f498: add esp, 0ch
SRV.SYS:0002f49b: test eax, eax
SRV.SYS:0002f49d: jnz loc_2f4aa
SRV.SYS:0002f49f: push esi
SRV.SYS:0002f4a0: call _MailslotTransaction@4 <- execution flow does
not reach this point
SRV.SYS:0002f4a5: jmp loc_20bf6
SRV.SYS:0002f4aa:
Since the call to MailslotTransaction() is never reached and the crash is
triggered before that call we conclude that the bug is not specifically
related to MAILSLOT functionality. Upon further investigation it became
apparent that any SMB_COM_TRANSACTION message with a string that is not
null terminated will trigger a crash.
*References/Additional information*:
[1] http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
[2] http://xforce.iss.net/xforce/alerts/id/230
[3] http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx
[4] http://xforce.iss.net/xforce/alerts/id/231
*About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide. The company’s flagship
product, CORE IMPACT, is the first automated penetration testing product
for assessing specific information security threats to an organization.
Penetration testing evaluates overall network security and identifies what
resources are exposed. It enables organizations to determine if current
security investments are detecting and preventing attacks.
Core augments its leading technology solution with world-class security
consulting services, including penetration testing, software security
auditing and related training.
Based in Boston, MA. and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
*DISCLAIMER:*
The contents of this advisory are copyright (c) 2006 CORE Security
Technologies and (c) 2006 Corelabs, and may be distributed freely provided
that no fee is charged for this distribution and proper credit is given.
$Id: Windows-mailslot-DOS.txt,v 1.3 2006/08/14 22:17:24 iarce Exp $