Thread-topic: TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability
> -----Original Message-----
> From: Zero Day Initiative [mailto:zdi@xxxxxxxxxxxxxxxx] On
> Behalf Of Tippingpoint Security Research Team
> Sent: Tuesday, July 11, 2006 11:16 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability
>
> TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability
> http://www.tippingpoint.com/security/advisories/TSRT-06-02.html
> July 11, 2006
>
> -- CVE ID:
> CVE-2006-1314
>
> -- Affected Vendor:
> Microsoft
>
> -- Affected Products:
> Windows 2000
> Windows XP SP1
> Windows XP SP2
> Windows 2003
> Windows 2003 SP1
>
> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this
> vulnerability since July 11, 2006 by Digital Vaccine protection
> filter ID 4266. For further product information on the TippingPoint IPS:
>
> http://www.tippingpoint.com
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of the Microsoft Windows operating system.
> Authentication is not required to exploit this vulnerability and code
> execution occurs within the context of the kernel.
>
> According to the Microsoft Developer Network (MSDN) documentation,
> Mailslot communications are divided into two classes. First-class
> Mailslots are connection oriented and operate over SMB/TCP.
> Second-class Mailslots provide connectionless messaging for broadcast
> messages and operate over SMB/UDP. Second-class Mailslots are limited
> to 424 bytes per message. First-class Mailslots are officially
> unsupported in the Windows 2000, XP and 2003 operating systems.
>
> The specific flaw exists within the SRV.SYS driver, which is
> responsible for handling all Server Message Block (SMB) traffic. During
> the processing of first-class Mailslot messages, an exploitable memory
> corruption condition is created. As a side effect, attackers are also
> capable of exceeding the second-class Mailslot message size limitation.
>
> It is important to note that this vulnerability affects more than just
> the Windows kernel. Applications built on Mailslot communications that
> rely on the message size restriction of second-class Mailslots are
> likely to be affected by this vulnerability.
>
> -- Vendor Response:
> Microsoft has issued an update to correct this vulnerability. More
> details can be found at:
>
> http://www.microsoft.com/technet/security/bulletin/MS06-035.mspx
>
> -- Disclosure Timeline:
> 2006.03.01 - Vulnerability reported to vendor
> 2006.07.11 - Digital Vaccine released to TippingPoint customers
> 2006.07.11 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by Pedram Amini, TippingPoint Security
> Research Team in collaboration with HD Moore, Metasploit.
>
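The advisory's two observable properties, that first-class Mailslot writes (SMB/TCP) are unsupported on the affected platforms and that second-class writes (SMB/UDP) are limited to 424 bytes, can both be checked at the network monitoring or application layer without any knowledge of the SRV.SYS internals. The following Python is an added example written for this thread; it is not code from TippingPoint, Metasploit or Microsoft. It builds a constructed SMB_COM_TRANSACTION mailslot-write frame as a test fixture, parses the fields a detector needs (Setup words, DataCount, the Mailslot name), and reports the two conditions the advisory describes. The frame layout follows SMB1 as I know it; the mapping of the Setup[2] Class word (1 = first class, 2 = second class) and the transport label passed by the caller are assumptions of this example, and the frame builder exists only to make the example self-contained.

```python
import struct

# Constants from the advisory and the SMB1 transaction format (assumed layout).
SMB_COM_TRANSACTION = 0x25
TRANS_MAIL_SLOT_WRITE = 0x0001     # Setup[0] of a mailslot write
FIRST_CLASS, SECOND_CLASS = 1, 2   # Setup[2] class codes (assumption of this example)
SECOND_CLASS_MAX = 424             # per-message limit stated in the advisory
MAILSLOT_PREFIX = b"\\MAILSLOT\\"
HEADER_LEN = 32                    # fixed SMB1 header
PARAMS_FMT = "<HHHHBBHIHHHHHBB"    # the 14 words following WordCount


def build_mailslot_write(name: bytes, payload: bytes, mailslot_class: int) -> bytes:
    """Construct an SMB1 mailslot-write request. Test fixture only, not a client."""
    header = b"\xffSMB" + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_TRANSACTION, 0, 0x18, 0x0003, 0, b"\0" * 8, 0, 0, 0, 0, 0)
    setup = struct.pack("<HHH", TRANS_MAIL_SLOT_WRITE, 0, mailslot_class)
    name_z = name + b"\0"
    # DataOffset is measured from the start of the SMB header; no pad bytes are used.
    data_off = HEADER_LEN + 1 + struct.calcsize(PARAMS_FMT) + len(setup) + 2 + len(name_z)
    params = struct.pack("<B" + PARAMS_FMT[1:], 14 + 3,
                         0, len(payload), 0, 0, 0, 0, 0, 0, 0,
                         0, 0, len(payload), data_off, 3, 0)
    byte_count = struct.pack("<H", len(name_z) + len(payload))
    return header + params + setup + byte_count + name_z + payload


def parse_mailslot_write(frame: bytes):
    """Return the fields of a mailslot write, or None if this is not one."""
    if len(frame) < HEADER_LEN + 1 or frame[:4] != b"\xffSMB":
        return None
    if frame[4] != SMB_COM_TRANSACTION:
        return None
    fields = struct.unpack_from(PARAMS_FMT, frame, HEADER_LEN + 1)
    data_count, data_off, setup_count = fields[11], fields[12], fields[13]
    setup_off = HEADER_LEN + 1 + struct.calcsize(PARAMS_FMT)
    setup = struct.unpack_from("<%dH" % setup_count, frame, setup_off)
    if setup_count < 3 or setup[0] != TRANS_MAIL_SLOT_WRITE:
        return None
    name_start = setup_off + 2 * setup_count + 2      # skip ByteCount
    name_end = frame.index(b"\0", name_start)
    return {
        "name": frame[name_start:name_end],
        "class": setup[2],
        "data_len": data_count,                        # what the sender declares
        "data": frame[data_off:data_off + data_count], # what is actually present
    }


def check_mailslot_write(frame: bytes, transport: str) -> list:
    """Flag the conditions the advisory describes. transport is 'tcp' or 'udp'."""
    msg = parse_mailslot_write(frame)
    if msg is None:
        return []
    findings = []
    if not msg["name"].upper().startswith(MAILSLOT_PREFIX):
        findings.append("mailslot write with non-\\MAILSLOT\\ name")
    if transport == "tcp" or msg["class"] == FIRST_CLASS:
        findings.append("first-class mailslot write (officially unsupported on "
                        "Windows 2000/XP/2003 per the advisory)")
    if msg["data_len"] > SECOND_CLASS_MAX:
        findings.append("mailslot payload of %d bytes exceeds the %d-byte second-class limit"
                        % (msg["data_len"], SECOND_CLASS_MAX))
    if msg["data_len"] != len(msg["data"]):
        findings.append("declared DataCount does not match bytes present in frame")
    return findings


if __name__ == "__main__":
    # Constructed samples: a normal second-class write and an oversized one.
    ok = build_mailslot_write(b"\\MAILSLOT\\TESTSLOT", b"A" * 100, SECOND_CLASS)
    big = build_mailslot_write(b"\\MAILSLOT\\TESTSLOT", b"A" * 500, SECOND_CLASS)
    print(check_mailslot_write(ok, "udp"))
    print(check_mailslot_write(big, "udp"))
```

The size rule is the one an application built on second-class Mailslots should enforce itself: the advisory's point is that the 424-byte limit is not something a receiver can rely on the transport to guarantee, so a reader should check the length it actually receives rather than sizing its buffer from the documented maximum. The first-class rule is deliberately broad (any TCP transport or Class word of 1) because the advisory states that first-class Mailslots are unsupported on the affected systems; tune it to your environment.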