Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service

Advisory ID Internal: CORE-2006-0714

1. Advisory Information

Advisory ID: CORE-2006-0714

Bugtraq ID: 19215

CVE Name: CVE-2006-3942

Title: Microsoft SRV.SYS SMB_COM_TRANSACTION Denial of Service

Class: Failure to Handle Exceptional Conditions

Remotely Exploitable: Yes

Locally Exploitable: Yes

Vendors contacted:
- Microsoft
. 2006-07-12: Microsoft Security Bulletin MS06-035
. 2006-07-12: Core releases exploit for MS06-035 to customers
. 2006-07-14: Customers report that exploit works against fully patched systems
. 2006-07-14: Core's initial notification to vendor of new bug discovery
. 2006-07-14: Vendor acknowledges notification, requests details/PoC
. 2006-07-14: Core provides sample PoC code to vendor
. 2006-07-14: Vendor acknowledgement, case opened
. 2006-07-19: Proof-of-concept becomes publicly available
. 2006-07-27: Vendor confirms the issue as new and reproduces it
. 2006-07-28: IDS/IPS security vendor (ISS) advisory discloses vulnerability in the MS06-035 detection module
. 2006-07-28: Vendor discloses vulnerability on MSRC blog
. 2006-07-28: ISS security advisory about publicly available "misconstrued Mailslot vulnerability" proof-of-concept exploit
. 2006-08-11: Vendor communicates tentative plan for a fix in November, 2006

Release Mode: FORCED RELEASE

2. Vulnerability Description:

While investigating the Microsoft Server Service Mailslot heap overflow vulnerability reported in Microsoft Security Bulletin MS06-035, Core Security Technologies researcher Gerardo Richarte discovered a second bug in the server service.

This new vulnerability affects Windows systems with or without the MS06-035 patch and any subsequent patches released up to the date of publication of this advisory.

Proof-of-concept code to exploit the vulnerability was made publicly available on or around July 19th, 2006, and at least one third-party security vendor published a security advisory describing the bug.

Further analysis of the vulnerability indicates that exploitation is limited to a remote denial of service attack, which does not require user authentication.

The vendor was notified of the finding on July 14th, 2006 and has indicated that a fix is tentatively scheduled for the November patch release. [see "Vendors contacted" section above]

3. Vulnerable Packages:

  • Windows 2000 SP0-SP4
  • Windows NT4 SP6a
  • Windows XP SP0-SP2
  • Windows 2003 SP0-SP1

4. Not Vulnerable Packages:

  • Windows Vista beta 2 build 5381

5. Solution/Vendor Information/Workaround:

  • Block inbound connections to ports 139/tcp and 445/tcp
  • IDS/IPS signatures should detect the presence of strings not terminated with NULL in SMB_COM_TRANSACTION messages

6. Credits:

This vulnerability was found accidentally by Gerardo Richarte of Core Security Technologies while looking for technical details about Microsoft Security Bulletin MS06-035.

7. Technical Description - Exploit/Concept Code:

The vulnerability can be triggered by sending a malformed SMB_COM_TRANSACTION SMB message (0x25) that includes a string that is not properly null terminated.

The crash was originally triggered by sending an SMB_COM_TRANSACTION message using the string "\\MAILSLOT\LANMAN" (without NUL termination) in an attempt to reproduce the MS06-035 bug(s).

The observed crash was actually inside __imp___wcsnicmp, when the string "\\MAILSLOT" is compared against a NULL pointer. The following code, from ExecuteTransaction(), is the call site of wcsnicmp():

SRV.SYS:0002f487: push 9
SRV.SYS:0002f489: push "\\MAILSLOT"
SRV.SYS:0002f48f: push dword ptr [eax+24h] <-- [eax+24] is NULL
SRV.SYS:0002f492: call ds:__imp___wcsnicmp <-- Crash Inside (tm)
SRV.SYS:0002f498: add esp, 0ch
SRV.SYS:0002f49b: test eax, eax
SRV.SYS:0002f49d: jnz loc_2f4aa
SRV.SYS:0002f49f: push esi
SRV.SYS:0002f4a0: call _MailslotTransaction@4 <- execution flow does not reach this point
SRV.SYS:0002f4a5: jmp loc_20bf6
SRV.SYS:0002f4aa:

Since the call to MailslotTransaction() is never reached and the crash is triggered before that call, we conclude that the bug is not specifically related to MAILSLOT functionality. Upon further investigation it became apparent that any SMB_COM_TRANSACTION message with a string that is not null terminated will trigger the crash.
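As an added illustration of the IDS/IPS workaround in section 5 and of the trigger described above (example code written for this advisory, not Core's proof of concept): a check that a protocol parser or signature engine could apply to decide whether the Name field of an SMB_COM_TRANSACTION request is terminated before the parameter area. The SMB header and request word layout follow MS-CIFS; the single pad byte before a Unicode name and the build_trans() helper that constructs minimal messages for the test are assumptions made here.

```python
import struct

SMB_COM_TRANSACTION = 0x25   # command byte at SMB header offset 4
SMB_FLAGS2_UNICODE = 0x8000  # Flags2 bit: string fields are UTF-16LE
HDR = 32                     # fixed SMB header length

def transaction_name_terminated(smb: bytes) -> bool:
    """True if the Name field of an SMB_COM_TRANSACTION request is
    terminated before the parameter area (or the end of the byte block),
    False if the string runs out unterminated. smb starts at 0xFF 'SMB'."""
    if len(smb) < HDR + 3 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB message")
    if smb[4] != SMB_COM_TRANSACTION:
        raise ValueError("not SMB_COM_TRANSACTION")
    is_unicode = bool(struct.unpack_from("<H", smb, 10)[0] & SMB_FLAGS2_UNICODE)
    word_count = smb[HDR]
    words_end = HDR + 1 + 2 * word_count
    if word_count < 14 or len(smb) < words_end + 2:
        raise ValueError("truncated parameter block")
    # ParameterOffset is word 10 of the request, counted from the header start
    param_off = struct.unpack_from("<H", smb, HDR + 1 + 2 * 10)[0]
    byte_count = struct.unpack_from("<H", smb, words_end)[0]
    name_start = words_end + 2
    limit = min(len(smb), name_start + byte_count)
    if 0 < param_off < limit:
        limit = param_off        # the name must end before the parameters
    if is_unicode and name_start % 2:
        name_start += 1          # assumption: one pad byte aligns UTF-16 names
    region = smb[name_start:limit]
    if not is_unicode:
        return b"\x00" in region
    # UTF-16LE: look for a 0x0000 code unit on an even boundary
    return any(region[i:i + 2] == b"\x00\x00" for i in range(0, len(region) - 1, 2))

def build_trans(name: bytes, unicode: bool) -> bytes:
    """Constructed minimal request for exercising the check (not a PoC):
    only the fields the check reads are filled, everything else is zero."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    header = (b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 5
              + struct.pack("<H", flags2) + b"\x00" * 20)
    pad = 1 if unicode else 0
    words = [0] * 14
    words[10] = HDR + 1 + 28 + 2 + pad + len(name)  # ParameterOffset: just past Name
    return (header + bytes([14]) + struct.pack("<14H", *words)
            + struct.pack("<H", pad + len(name)) + b"\x00" * pad + name)
```

The check deliberately ignores what the name says: as the analysis above concludes, any unterminated Name field is the condition of interest, not a MAILSLOT prefix.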

8. About CoreLabs:

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies.

We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs

9. About Core Security Technologies:

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide. The company’s flagship product, CORE IMPACT, is the first automated penetration testing product for assessing specific information security threats to an organization. Penetration testing evaluates overall network security and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks.

Core augments its leading technology solution with world-class security consulting services, including penetration testing, software security auditing and related training.

Based in Boston, MA, and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at https://www.coresecurity.com.

Disclaimer:

The contents of this advisory are copyright (c) 2006 CORE Security Technologies and (c) 2006 Corelabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.