Last time I blogged about “Vulnerabilities in SMB Could Allow Remote Code Execution” (Wednesday, September 9, 2009). Here are a few more details about this vulnerability.
Technical Details:
Windows Vista and newer Windows versions ship with a new SMB version, SMB2. SRV2.SYS fails to handle malformed SMB headers in the NEGOTIATE PROTOCOL REQUEST. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used to identify the SMB dialect that will be used for further communication. An attacker can remotely crash, without any user interaction, any Vista/Windows 7 machine with SMB enabled. Windows XP and 2000 are NOT affected, as they do not have this driver.
Affected: Windows Vista/7, all editions (64-bit/32-bit, SP1/SP2, fully updated), and possibly Windows Server 2008, as it uses the same SMB 2.0 driver (not tested).
About the person who found this vulnerability:
As per Microsoft, “Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk.” However, the person who discovered the vulnerability has a very interesting view and recommendation on this. As per him, “vendor contacted, but no patch available for the moment. Close SMB feature and ports, until a patch is provided.”
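The “close SMB feature and ports” advice above, written out as an added example (not from the original post or from Microsoft) for an elevated PowerShell prompt on Vista/Windows 7; the rule name is arbitrary, and the Smb2 registry value under LanmanServer\Parameters is assumed to be the documented Microsoft switch for turning SMBv2 off.

```powershell
# Added example: temporary mitigation until the vendor patch is installed.
# Run from an elevated PowerShell prompt; undo both steps after patching.

# 1. Block inbound SMB (TCP 139 and 445) at the Windows Firewall.
#    The rule name is an arbitrary choice for this example.
netsh advfirewall firewall add rule name="Block SMB inbound (temporary)" `
    dir=in action=block protocol=TCP localport=139,445

# 2. Disable the SMB2 server-side dialect so the affected driver (SRV2.SYS)
#    is not used. Assumes the Smb2 DWORD under LanmanServer\Parameters,
#    Microsoft's documented SMBv2 switch: 0 = disabled, 1 = enabled.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $params -Name Smb2 -Value 0 -Type DWord

# 3. Restart the Server service so the registry change takes effect.
Restart-Service -Name LanmanServer -Force

# Verify: Smb2 should now read 0 and the firewall rule should be listed.
Get-ItemProperty -Path $params -Name Smb2 | Select-Object Smb2
netsh advfirewall firewall show rule name="Block SMB inbound (temporary)"

# To roll back after the patch: set Smb2 back to 1, restart LanmanServer,
# and delete the rule with
#   netsh advfirewall firewall delete rule name="Block SMB inbound (temporary)"
```

Blocking 445/139 also stops file and printer sharing for that host, so apply it only where SMB is not needed or where the exposure outweighs the loss of service.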
Discovering vulnerabilities requires deep knowledge, but releasing details of a vulnerability irresponsibly and then releasing exploit code as a proof of concept is not a prudent action.