Regarding Microsoft srv2.sys SMB2.0 NEGOTIATE BSOD

Type securityvulns
Reporter Securityvulns
Modified 2009-09-09T00:00:00


References: [Original Advisory] Laurent Gaffié

Hi all,

Just for the record, since the vulnerability is not only a DoS as initially stated. Below are the technical details I found while verifying the flaw.

  • This vulnerability is not only a BSOD flaw. It allows remote code execution. The execution of code is far from being reliable though (at the moment).

The flaw is an out-of-bounds index. We fully control the 16-bit value used as an index into the function table.

srv2.sys (Vista)

  .text:000156B3 loc_156B3:                               ; CODE XREF: Smb2ValidateProviderCallback(x)+4D5j
  .text:000156B3                                          ; Smb2ValidateProviderCallback(x)+4DEj
  .text:000156B3     movzx   eax, word ptr [esi+0Ch]      ; packet->SMB_Header->Process_ID_High
  .text:000156B7     mov     eax, _ValidateRoutines[eax*4] ; BUG - out-of-bounds dereference
  .text:000156BE     test    eax, eax
  .text:000156C0     jnz     short loc_156C9
  .text:000156C2     mov     eax, 0C0000002h
  .text:000156C7     jmp     short loc_156CC
  .text:000156C9 ; ---------------------------------------------------------------------------
  .text:000156C9
  .text:000156C9 loc_156C9:                               ; CODE XREF: Smb2ValidateProviderCallback(x)+4F3j
  .text:000156C9     push    ebx
  .text:000156CA     call    eax                          ; Smb2ValidateNegotiate(x) - KABOOOM!!

  • The exploit provided by Laurent Gaffié (the researcher who discovered the flaw) may or may not work, since it is based on dereferencing a non-paged memory page. If the original exploit didn't work, it has probably dereferenced zeroed memory. You can try ProcessIDHigh values > 0x13, since any of these should trigger the flaw.
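As an added illustration (not part of Rubén's post or the original advisory), here is the kind of header check a defender could run over captured SMB traffic: it decodes the standard 32-byte SMB1 header, whose ProcessIDHigh word sits at offset 12 (the [esi+0Ch] read in the disassembly above), and flags NEGOTIATE requests whose value exceeds 0x13, the bound the post gives for the validation table. The helper names and the sample headers are constructed here; the field layout is the documented SMB1 one.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Per the post, ProcessIDHigh values > 0x13 fall outside _ValidateRoutines.
MAX_VALID_PID_HIGH = 0x13


def parse_smb1_header(data: bytes) -> dict:
    """Decode the fixed 32-byte SMB1 header.

    Layout: magic(0-3) command(4) status(5-8) flags(9) flags2(10-11)
    pid_high(12-13) security_features(14-21) reserved(22-23) tid(24-25)
    pid_low(26-27) uid(28-29) mid(30-31). Offset 12 is the word that
    srv2.sys uses as the table index."""
    if len(data) < 32 or data[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", data, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", data, 24)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid_high": pid_high, "tid": tid,
            "pid_low": pid_low, "uid": uid, "mid": mid}


def is_suspicious_negotiate(data: bytes) -> bool:
    """True when a NEGOTIATE carries a ProcessIDHigh the table cannot index.

    Non-SMB1 data is reported as not suspicious so the check can be
    dropped into a packet loop without pre-filtering."""
    try:
        hdr = parse_smb1_header(data)
    except ValueError:
        return False
    return hdr["command"] == SMB_COM_NEGOTIATE and hdr["pid_high"] > MAX_VALID_PID_HIGH


def build_header(command: int, pid_high: int) -> bytes:
    """Constructed test input (hypothetical helper): a minimal SMB1 header
    with the given command and ProcessIDHigh, all other fields benign."""
    return (SMB1_MAGIC
            + struct.pack("<BIBHH", command, 0, 0x18, 0xC853, pid_high)
            + b"\x00" * 8                                 # SecurityFeatures
            + struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, 0))  # Reserved, TID, PIDLow, UID, MID


if __name__ == "__main__":
    for pid_high in (0x0000, 0x0013, 0x0014, 0xFFFF):
        flag = is_suspicious_negotiate(build_header(SMB_COM_NEGOTIATE, pid_high))
        print(f"NEGOTIATE PIDHigh=0x{pid_high:04X}: {'SUSPICIOUS' if flag else 'ok'}")
```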

Affected versions: Windows Vista, Windows 7, Windows Server 2008.


More technical details (English)

Technical details (Spanish)

Regards, Rubén.