iPolicy Networks Security Advisory
Microsoft Windows SMB2 driver Remote Code Execution Vulnerability

Date Discovered: 09/09/2009
Severity: High
Applications Affected: Microsoft Windows Vista, Microsoft Windows 2008 Server
Type: Remote
Identifiers: CVE-2009-3103
Synopsis
The SMB drivers in Microsoft Windows Vista and 2008 Server are prone to a remote code execution vulnerability because they do not correctly validate a header value. After successful exploitation, a remote attacker can execute arbitrary code in the security context of the current user.
Recommended Actions
Apply the patches as guided by the vendor at:
http://www.microsoft.com/technet/security/advisory/975497.mspx
Threat Analysis
The Server Message Block (SMB) protocol is a network file sharing protocol. It is an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

A remote code execution vulnerability has been discovered in the SMB2 driver in Microsoft Windows. The vulnerability exists because the SMB2 negotiation handler does not correctly validate the value of the SMB header field "Process Id High"; this value should be zero. Successful exploitation allows a remote attacker to execute arbitrary code in the security context of the logged-in user.
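As an added illustration that is not part of the original advisory, the following Python parses the 32-byte SMB header (where the Process Id High field lives, following the 4-byte NetBIOS session header) and flags a Negotiate Protocol request whose Process Id High is non-zero, the condition the advisory describes. The function names and the sample frames are constructed for this example; the check could be run over captured traffic by a network monitor before the vendor patch is applied.

```python
import struct

# SMB1 ("\xffSMB") header: 32 bytes, little-endian, preceded on the wire by a
# 4-byte NetBIOS session service header (type + 3-byte length).
NETBIOS_HDR_LEN = 4
SMB_HDR_LEN = 32
SMB_HDR_FMT = "<4sBIBHH8sHHHHH"   # Protocol, Command, Status, Flags, Flags2,
                                   # PIDHigh, Signature, Reserved, TID, PIDLow, UID, MID
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72           # Negotiate Protocol request


def inspect_smb_request(frame: bytes) -> dict:
    """Parse one SMB request frame and report whether it violates the rule in the
    advisory: Process Id High must be zero in a Negotiate Protocol request."""
    if len(frame) < NETBIOS_HDR_LEN + SMB_HDR_LEN:
        raise ValueError("frame too short for NetBIOS + SMB header")
    hdr = frame[NETBIOS_HDR_LEN:NETBIOS_HDR_LEN + SMB_HDR_LEN]
    (magic, command, status, flags, flags2, pid_high,
     signature, reserved, tid, pid_low, uid, mid) = struct.unpack(SMB_HDR_FMT, hdr)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 header")
    is_negotiate = command == SMB_COM_NEGOTIATE
    return {
        "command": command,
        "pid_high": pid_high,
        "pid_low": pid_low,
        # Per the advisory only the negotiate handler is affected, so flag only there.
        "suspicious": is_negotiate and pid_high != 0,
    }


def build_negotiate_frame(pid_high: int) -> bytes:
    """Constructed sample input (not captured traffic): a minimal Negotiate Protocol
    request header with a caller-chosen Process Id High and an empty body."""
    hdr = struct.pack(SMB_HDR_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                      pid_high, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    body = b"\x00\x00\x00"  # WordCount=0, ByteCount=0: enough for header checks
    netbios = b"\x00" + len(hdr + body).to_bytes(3, "big")  # session message
    return netbios + hdr + body


if __name__ == "__main__":
    for ph in (0, 1):
        print(inspect_smb_request(build_negotiate_frame(ph)))
```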
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
http://www.securityfocus.com/bid/36299
http://en.securitylab.ru/nvd/384948.php

Write-up by: Gaurav Bajpai