what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TSRT-06-02.txt

TSRT-06-02.txt
Posted Jul 12, 2006
Authored by H D Moore, Pedram Amini | Site tippingpoint.com

The Microsoft SRV.SYS driver suffers from a memory corruption flaw when processing Mailslot messages. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Microsoft Windows operating system. Authentication is not required to exploit this vulnerability and code execution occurs within the context of the kernel.

tags | advisory, remote, arbitrary, kernel, code execution
systems | windows
advisories | CVE-2006-1314
SHA-256 | 7ecbc9c470fe349666dc38c15db04ebb879ba6bf0f07f04da1973e974ec14ce4

TSRT-06-02.txt

Change Mirror Download
TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption
Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-02.html
July 11, 2006

-- CVE ID:
CVE-2006-1314

-- Affected Vendor:
Microsoft

-- Affected Products:
Windows 2000
Windows XP SP1
Windows XP SP2
Windows 2003
Windows 2003 SP1

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since July 11, 2006 by Digital Vaccine protection
filter ID 4266. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Microsoft Windows operating system.
Authentication is not required to exploit this vulnerability and code
execution occurs within the context of the kernel.

According to the Microsoft Developer Network (MSDN) documentation,
Mailslot communications are divided into two classes. First-class
Mailslots are connection oriented and operate over SMB/TCP.
Second-class Mailslots provide connectionless messaging for broadcast
messages and operate over SMB/UDP. Second-class Mailslots are limited
to 424 bytes per message. First-class Mailslots are officially
unsupported in the Windows 2000, XP and 2003 operating systems.

The specific flaw exists within the SRV.SYS driver, which is
responsible for handling all Server Message Block (SMB) traffic. During
the processing of first-class Mailslot messages, an exploitable memory
corruption condition is created. As a side effect, attackers are also
capable of exceeding the second-class Mailslot message size
limitation.

It is important to note that this vulnerability affects more than just
the Windows kernel. Applications built on Mailslot communications that
rely on the message size restriction of second-class Mailslots are
likely to be affected by this vulnerability.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS06-035.mspx

-- Disclosure Timeline:
2006.03.01 - Vulnerability reported to vendor
2006.07.11 - Digital Vaccine released to TippingPoint customers
2006.07.11 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security
Research Team in collaboration with HD Moore, Metasploit.
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close