Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [NT] Microsoft SRV.SYS SMB_COM_TRANSACTION DoS



> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx] 
> Sent: Thursday, August 17, 2006 5:20 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Microsoft SRV.SYS SMB_COM_TRANSACTION DoS
> 
> 
> 
> 
> Microsoft SRV.SYS SMB_COM_TRANSACTION DoS 
> 
> 
> 
> While investigating the Microsoft Server Service Mailslot 
> heap overflow vulnerability reported in Microsoft Security 
> Bulletin MS06-035 [1], Core Security Technologies researcher 
> Gerardo Richarte discovered a second bug in the server service. 
> 
> This new vulnerability affects Windows systems with and 
> without the MS06-035 and any subsequent patches up to the 
> date of publication of this advisory. 
> 
> Proof-of-concept code to exploit the vulnerability was made 
> publicly available in or around July 19th, 2006 and at least 
> one third party security vendor published a security advisory 
> describing the bug. 
> 
> Further analysis of the vulnerability seems to indicate that 
> exploitation is limited to a remote denial of service attack 
> without the need of user authentication. 
> 
> The vendor was notified of the finding on July 14th, 2006 and 
> has indicated that issuance of a fix is tentatively scheduled 
> for the November patch release. [see "Vendors contacted" 
> section below] 
> 
> 
> Vulnerable Systems: 
>  * Windows 2000 SP0-SP4 
>  * Windows NT4 SP6a 
>  * Windows XP SP0-SP2 
>  * Windows 2003 SP0-SP1 
> 
> Immune Systems: 
>  * Windows Vista beta 2 build 5381 
> 
> The vulnerability can be triggered by sending a malformed 
> SMB_COM_TRANSACTION SMB message (0x25) that includes a string 
> that is not properly null terminated. 
> 
> The crash was originally triggered by sending a 
> SMB_COM_TRANSACTION message using the string 
> "\\MAILSLOT\LANMAN" (without NUL termination) in an attempt 
> to reproduce the MS06-035 bug(s). 
> 
> The observed crash was actually inside __imp___wcsnicmp, when 
> the string "\\MAILSLOT" is compared to a NULL pointer. The 
> following code, from ExecuteTransaction(), is where 
> wcsnicmp() is called from. 
> 
> SRV.SYS:0002f487: push 9 
> SRV.SYS:0002f489: push "\\MAILSLOT" 
> SRV.SYS:0002f48f: push dword ptr [eax+24h] <-- [eax+24] is NULL 
> SRV.SYS:0002f492: call ds:__imp___wcsnicmp <-- Crash Inside (tm) 
> SRV.SYS:0002f498: add esp, 0ch 
> SRV.SYS:0002f49b: test eax, eax 
> SRV.SYS:0002f49d: jnz loc_2f4aa 
> SRV.SYS:0002f49f: push esi 
> SRV.SYS:0002f4a0: call _MailslotTransaction@4 <- execution flow does not reach this point 
> SRV.SYS:0002f4a5: jmp loc_20bf6 
> SRV.SYS:0002f4aa: 
> 
> Since the call to MailslotTransaction() is never reached and 
> the crash is triggered before that call we conclude that the 
> bug is not specifically related to MAILSLOT functionality. 
> Upon further investigation it became apparent that any 
> SMB_COM_TRANSACTION message with a string that is not null 
> terminated will trigger a crash. 
> 
> CVE Information: 
> CVE-2006-3942 
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3942>  
> 
> Vendors contacted: 
>  * Microsoft 
> 2006-07-12: Microsoft Security Bulletin MS06-035[1] 
> 2006-07-12: Core releases exploit for MS06-035 to customers 
> 2006-07-14: Customers report that exploit works against fully 
> patched systems 
> 2006-07-14: Core's initial notification to vendor of new bug 
> discovery 
> 2006-07-14: Vendor acknowledges notification, requests details/PoC 
> 2006-07-14: Core provides sample PoC code to vendor 
> 2006-07-14: Vendor acknowledgment, case opened 
> 2006-07-19: Proof-of-concept becomes publicly available 
> 2006-07-27: Vendor confirms as new issue and repro 
> 2006-07-28: IDS/IPS security vendor (ISS) advisory discloses 
> vulnerability in the MS06-035 detection module[2] 
> 2006-07-28: Vendor discloses vulnerability on MSRC blog[3] 
> 2006-07-28: ISS security advisory about publicly available 
> "misconstrued Mailslot vulnerability" proof-of-concept exploit[4] 
> 2006-08-11: Vendor communicates tentative plan for a fix in 
> November, 2006 
> 2006-08-14: Advisory CORE-2006-07-14 published 
> 
> References/Additional information: 
> [1] http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx 
> [2] http://xforce.iss.net/xforce/alerts/id/230 
> [3] http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx 
> [4] http://xforce.iss.net/xforce/alerts/id/231 
> 
> 
> Additional Information: 
> The information has been provided by Core Security 
> Technologies Advisories. 
> The original article can be found at: 
> http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10 
> 
> 
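The missing check the advisory describes, as an added C example that is not SRV.SYS code and not from Core or SecuriTeam: a bounded scan for the name terminator, and a dispatch that refuses the request when no terminator lies inside the packet instead of handing a NULL pointer to the string compare. It assumes a narrow-character name field passed in as a plain byte buffer; the real driver compares wide strings with wcsnicmp and the packet layout is simplified.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum trans_result { TRANS_REJECTED = -1, TRANS_OTHER = 0, TRANS_MAILSLOT = 1 };

/* Hypothetical parser: return the name only if a NUL terminator lies within
 * the bytes the packet actually carries, otherwise NULL. This NULL is what
 * the advisory observed at [eax+24h] before the crashing compare. */
static const char *find_terminated_name(const uint8_t *field, size_t len)
{
    if (field == NULL || len == 0)
        return NULL;
    return memchr(field, '\0', len) ? (const char *)field : NULL;
}

/* Case-insensitive prefix compare on narrow strings, standing in for the
 * wide-character wcsnicmp(name, "\\MAILSLOT", 9) call shown in the advisory. */
static int prefix_equal_nocase(const char *s, const char *prefix, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
        if (s[i] == '\0')   /* both strings ended together: prefix matched */
            return 1;
    }
    return 1;
}

/* Hardened dispatch: an unterminated name is refused before any string
 * function touches it, so the NULL-pointer path can no longer be reached. */
enum trans_result dispatch_transaction(const uint8_t *field, size_t len)
{
    const char *name = find_terminated_name(field, len);
    if (name == NULL)
        return TRANS_REJECTED;
    if (prefix_equal_nocase(name, "\\MAILSLOT", 9))
        return TRANS_MAILSLOT;
    return TRANS_OTHER;
}

int main(void)
{
    /* Constructed sample name fields, not captured traffic */
    static const char good[] = "\\MAILSLOT\\LANMAN";                         /* NUL included */
    static const uint8_t bad[] = { '\\','M','A','I','L','S','L','O','T' };  /* no NUL */
    printf("terminated:   %d\n", dispatch_transaction((const uint8_t *)good, sizeof good));
    printf("unterminated: %d\n", dispatch_transaction(bad, sizeof bad));
    return 0;
}
```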




 




Copyright © Lexa Software, 1996-2009.