Saturday, July 31, 2010

MS10-020 Vulnerabilities in SMB Client

Recently I have been searching for and studying SMB protocol vulnerabilities, with the intention of adding support for them to Dionaea. I came across this most recent vulnerability, reported in Microsoft Security Bulletin MS10-020 (Critical): Vulnerabilities in SMB Client Could Allow Remote Code Execution.

The Security Bulletin states:

"The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server."

I found a detailed full-disclosure post at http://seclists.org/fulldisclosure/2010/Apr/201, and the POC is provided at http://g-laurent.blogspot.com/2010/04/ms10-020.html

I set up a clean Windows 7 image in my VM and ran the POC from a separate Ubuntu image. The POC acts as a simple crafted SMB server that replies to only these few requests before sending the problematic Trans2 response:

a. Negotiate Protocol Response
b. Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
c. Tree Connect AndX Response
d. NT Create AndX Response, FID: 0x4000

After answering these requests, it sends a crafted SMB Trans2 Response (QUERY_FS_INFO) that appends 8 additional bytes at the end of the packet and carries an incorrect "Data Offset" field of 0xffff. The additional bytes are BBBBAAAA, which can later be replaced by values for EBP and EIP.

The normal SMB_COM_TRANSACTION2 Server Response Format:
Server Response                     Description
=================================== ============
UCHAR WordCount;                    Count of data bytes; value = 10 + SetupCount
USHORT TotalParameterCount;         Total parameter bytes being sent
USHORT TotalDataCount;              Total data bytes being sent
USHORT Reserved;
USHORT ParameterCount;              Parameter bytes sent this buffer
USHORT ParameterOffset;             Offset (from header start) to Parameters
USHORT ParameterDisplacement;       Displacement of these Parameter bytes
USHORT DataCount;                   Data bytes sent this buffer
USHORT DataOffset;                  Offset (from header start) to data
USHORT DataDisplacement;            Displacement of these data bytes
UCHAR SetupCount;                   Count of setup words
UCHAR Reserved2;                    Reserved (pad above to word boundary)
USHORT Setup[SetupWordCount];       Setup words (# = SetupWordCount)
USHORT ByteCount;                   Count of data bytes
UCHAR Pad[];                        Pad to SHORT or LONG
UCHAR Parameters[ParameterCount];   Parameter bytes (# = ParameterCount)
UCHAR Pad1[];                       Pad to SHORT or LONG
UCHAR Data[DataCount];              Data bytes (# = DataCount)
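A defender-side consistency check for the response layout above, as an added example that is not part of the original post or the POC: it flags the two anomalies described earlier, a Data Offset that points outside the message and bytes left over after the declared ByteCount. The function names and the sample builder are assumptions made for illustration; the input is assumed to start at the 32-byte SMB1 header with the NetBIOS session header already removed.

```python
import struct

SMB_HDR_LEN = 32              # fixed-size SMB1 header
SMB_COM_TRANSACTION2 = 0x32

def check_trans2_response(msg: bytes) -> list:
    """Return findings for an SMB1 Trans2 response; an empty list means consistent.
    msg starts at the SMB header (0xFF 'SMB'), NetBIOS session header removed."""
    if len(msg) < SMB_HDR_LEN + 1 or msg[:4] != b"\xffSMB":
        return ["not an SMB1 message"]
    if msg[4] != SMB_COM_TRANSACTION2:
        return ["not SMB_COM_TRANSACTION2"]
    word_count = msg[SMB_HDR_LEN]
    words_end = SMB_HDR_LEN + 1 + 2 * word_count
    if word_count < 10 or len(msg) < words_end + 2:
        return ["parameter words missing or truncated"]
    # Nine USHORTs, then SetupCount and Reserved2, all little-endian.
    (_tpc, _tdc, _rsv, p_cnt, p_off, _pd, d_cnt, d_off, _dd,
     setup_count, _rsv2) = struct.unpack_from("<9HBB", msg, SMB_HDR_LEN + 1)
    findings = []
    if word_count != 10 + setup_count:
        findings.append("WordCount != 10 + SetupCount")
    (byte_count,) = struct.unpack_from("<H", msg, words_end)
    payload_start = words_end + 2
    declared_end = payload_start + byte_count
    if declared_end > len(msg):
        findings.append("ByteCount runs past end of message")
    elif declared_end < len(msg):
        findings.append(f"{len(msg) - declared_end} trailing bytes after ByteCount")
    limit = min(declared_end, len(msg))
    for name, off, cnt in (("Parameter", p_off, p_cnt), ("Data", d_off, d_cnt)):
        if off + cnt > limit:
            findings.append(f"{name}Offset 0x{off:04x} + {name}Count {cnt} outside message")
        elif cnt and off < payload_start:
            findings.append(f"{name}Offset 0x{off:04x} overlaps header or words")
    return findings

def build_sample(data_offset: int, trailing: bytes = b"") -> bytes:
    """Constructed test response: no parameters, 24 zero data bytes at offset 56."""
    d_cnt = 24
    header = b"\xffSMB" + bytes([SMB_COM_TRANSACTION2]) + bytes(27)
    words = struct.pack("<9HBB", 0, d_cnt, 0, 0, 56, 0, d_cnt, data_offset, 0, 0, 0)
    body = struct.pack("<H", 1 + d_cnt) + b"\x00" + bytes(d_cnt)   # ByteCount, pad, data
    return header + bytes([10]) + words + body + trailing

if __name__ == "__main__":
    print(check_trans2_response(build_sample(56)))                 # well-formed sample
    print(check_trans2_response(build_sample(0xFFFF, bytes(8))))   # inconsistent sample
```

The same bounds checks are what a client-side parser needs before it dereferences ParameterOffset or DataOffset, and they can also run over captured traffic to spot inconsistent responses.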

The crafted response can be seen clearly in the screenshot.


Windows 7 crashes and needs startup repair after that. The POC works!


This POC can only be triggered on the SMB client side, by the crafted response packet from the SMB server. So, for now I guess this vulnerability isn't suitable to include in Dionaea, as Dionaea should always act as a legitimate SMB server. Let's see.

I am more curious about how this type of vulnerability can be found: simply by luck, or by a series of fuzzing?
