
msSMSClient.txt

Posted Jul 14, 2004
Authored by HexView

A denial of service condition exists in the Microsoft SMS Client: a data packet that passes the service's basic checks causes the server to throw an exception while attempting to read or write an invalid memory address. Tested against: Microsoft Systems Management Server version 2.50.2726.0.

tags | advisory, denial of service
SHA-256 | 553f2e065d26c6b861b80533b5ce510271d41b91c5034a763c8d3895d8d62af4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Denial of Service (DoS) in Microsoft SMS Client

Classification:
===============
Level: low-[MED]-high-crit
ID: HEXVIEW*2004*07*14*1

Overview:
=========
Microsoft Systems Management Server provides a configuration management
solution for the Windows platform. It is widely deployed in medium and large
network environments. A flaw in the SMS Remote Control service makes it
possible to crash the service remotely, leading to a DoS condition.

Affected products:
==================
All tests were performed on the client part of Microsoft Systems Management
Server version 2.50.2726.0.

Cause and Effect:
=================
The SMS Remote Control Client service listens on TCP ports 2701 and 2702.
The service performs basic signature checks and size tests on received data
and assumes the data is correct if those tests pass. It is possible to create
a data packet that passes the basic checks and then throws an exception by
causing the server to read or write to an invalid memory address. It is also
possible to specify the memory address value in the data packet.
Initial analysis showed that the problem is not [easily] exploitable because
there is no buffer overflow condition and it is not possible to specify the
data to be written to the memory. The exception occurs in the multprot.dll
library when the service makes an API call with invalid parameters.

Demonstration:
==============
The problem can be reproduced by sending the "RCH0####RCHE" string followed by
a large number of characters (over 130) to TCP port 2702.

Vendor Status:
==============
At the time of release, the vendor was not aware of the vulnerability.
HexView does not notify vendors unless there is a prior agreement to do so.
Vendors interested in receiving notifications prior to public disclosure
or more detailed analysis may obtain more information by writing to the
e-mail address provided at the end of the document.

About HexView:
==============
HexView has contributed to online security-related lists for almost a decade.
The scope of our expertise spans Windows, Linux, Sun, MacOS platforms,
network applications, and embedded devices. Chances are you have read our
advisories or disclosures. For the sake of readability and easy web indexing
we recently decided to use the HexView alias to publish all the information.

Distribution:
=============
This document may be freely distributed through any channels as long as the
contents are kept unmodified. Commercial use of the information in the document
is not allowed without written permission from HexView signed by our pgp key.

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vtalk@hexview.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA9X2KDPV1+KQrDqQRAp/UAJ9NfG+WEUFviKTe5cH3Tx07PLkmTACfTujL
ts+oqYjC+gSL04mD/0qvQV4=
=mUX1
-----END PGP SIGNATURE-----
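
A network-side check for the traffic pattern described under "Demonstration", as an added example that is not part of the HexView advisory or any Microsoft code. It reassembles the start of each stream sent to the two listener ports and flags a leading "RCH0####RCHE" marker followed by more than 130 bytes. Assumptions: "####" is treated as any four bytes, both ports are watched although the advisory only names 2702 for the test, the per-flow buffer cap is arbitrary, and the advisory does not say whether legitimate sessions also match.

```python
import re
from collections import defaultdict

SMS_RC_PORTS = {2701, 2702}    # listener ports named in the advisory
# Assumption: the "####" in the quoted string stands for any four bytes.
MARKER = re.compile(rb"RCH0.{4}RCHE", re.DOTALL)
TRAILER_LIMIT = 130            # advisory: "over 130" characters after the marker
MAX_BUFFER = 4096              # assumption: bytes retained per flow


class FlowInspector:
    """Buffers the start of each stream so a marker split across
    TCP segments is still recognised."""

    def __init__(self):
        self.buffers = defaultdict(bytes)
        self.alerted = set()

    def feed(self, flow, payload):
        """flow = (src_ip, src_port, dst_ip, dst_port).
        Returns True the first time a flow matches the pattern."""
        if flow[3] not in SMS_RC_PORTS or flow in self.alerted:
            return False
        buf = (self.buffers[flow] + payload)[:MAX_BUFFER]
        self.buffers[flow] = buf
        m = MARKER.match(buf)  # the marker must open the stream
        if m and len(buf) - m.end() > TRAILER_LIMIT:
            self.alerted.add(flow)
            del self.buffers[flow]
            return True
        return False


def run_constructed_samples():
    """Constructed segments (not captured traffic), one per edge case."""
    insp = FlowInspector()
    a = ("10.0.0.5", 40000, "10.0.0.9", 2702)
    b = ("10.0.0.6", 40001, "10.0.0.9", 2702)
    c = ("10.0.0.7", 40002, "10.0.0.9", 8080)
    return [
        insp.feed(a, b"RCH0####"),                       # marker incomplete
        insp.feed(a, b"RCHE" + b"A" * 131),              # completed, 131 trailing
        insp.feed(b, b"RCH0####RCHE" + b"A" * 130),      # exactly 130: not over
        insp.feed(c, b"RCH0####RCHE" + b"A" * 500),      # unrelated port
    ]


if __name__ == "__main__":
    print(run_constructed_samples())
```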