Hi all,
Just for the record, since the vulnerability is not only a DoS as stated
initially. Below are the technical details I found while verifying the flaw.
The flaw is an out-of-bounds indexing. We can fully control the 16-bit
value used as index within the function table.
srv2.sys (Vista)
.text:000156B3 loc_156B3:                      ; CODE XREF: Smb2ValidateProviderCallback(x)+4D5j
.text:000156B3                                 ; Smb2ValidateProviderCallback(x)+4DEj
.text:000156B3     movzx   eax, word ptr [esi+0Ch]        ; packet->SMB_Header->Process_ID_High
.text:000156B7     mov     eax, _ValidateRoutines[eax*4]  ; BUG - out-of-bounds dereference.
.text:000156BE     test    eax, eax
.text:000156C0     jnz     short loc_156C9
.text:000156C2     mov     eax, 0C0000002h
.text:000156C7     jmp     short loc_156CC
.text:000156C9 ; ---------------------------------------------------------------------------
.text:000156C9
.text:000156C9 loc_156C9:                      ; CODE XREF: Smb2ValidateProviderCallback(x)+4F3j
.text:000156C9     push    ebx
.text:000156CA     call    eax                            ; Smb2ValidateNegotiate(x) - KABOOOM!!
Affected versions: Windows Vista - Windows 7 - Windows Server 2008.
---
More technical details (English)
http://www.reversemode.com/index.php?option=com_content&task=view&id=64&Itemid=1
Technical details (Spanish)
http://blog.48bits.com/?p=510
Regards,
Rubén.
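The dispatch pattern the disassembly shows, rebuilt in C as an added example (this is not code from the post, from srv2.sys, or from Microsoft). The header layout, the three-entry table and the STATUS_INVALID_PARAMETER return for a rejected index are all assumptions; the only things taken from the post are the 16-bit field at offset 0x0C, the index*pointer-size table lookup with no range check, and the NULL check that yields 0xC0000002. The unchecked path is modelled by computing the byte offset the lookup would read from rather than dereferencing it, so the program runs safely, and the hardened path shows the bounds check that was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SMB header; the only field used is the
 * 16-bit word at offset 0x0C, the [esi+0Ch] read in the disassembly. */
#define HDR_LEN            32
#define HDR_PID_HIGH_OFF   0x0C

#define STATUS_SUCCESS           0x00000000u
#define STATUS_NOT_IMPLEMENTED   0xC0000002u  /* constant loaded when the entry is NULL */
#define STATUS_INVALID_PARAMETER 0xC000000Du  /* assumed return for an out-of-range index */

typedef uint32_t (*validate_fn)(const uint8_t *pkt, size_t len);

/* Hypothetical routines standing in for Smb2ValidateNegotiate and friends. */
static uint32_t validate_negotiate(const uint8_t *pkt, size_t len)
{
    (void)pkt; (void)len;
    return STATUS_SUCCESS;
}

static uint32_t validate_session_setup(const uint8_t *pkt, size_t len)
{
    (void)pkt; (void)len;
    return STATUS_SUCCESS;
}

/* Hypothetical three-entry table playing the role of _ValidateRoutines.
 * A NULL slot marks an unimplemented command. */
static const validate_fn validate_routines[] = {
    validate_negotiate,
    validate_session_setup,
    NULL,
};
#define NUM_VALIDATE_ROUTINES (sizeof validate_routines / sizeof validate_routines[0])

/* movzx eax, word ptr [esi+0Ch]: little-endian 16-bit read, zero-extended. */
static uint16_t read_pid_high(const uint8_t *pkt)
{
    return (uint16_t)(pkt[HDR_PID_HIGH_OFF] | (pkt[HDR_PID_HIGH_OFF + 1] << 8));
}

/* Builds a constructed header carrying the attacker-chosen 16-bit index. */
static void build_packet(uint8_t *buf, uint16_t pid_high)
{
    memset(buf, 0, HDR_LEN);
    buf[HDR_PID_HIGH_OFF]     = (uint8_t)(pid_high & 0xFF);
    buf[HDR_PID_HIGH_OFF + 1] = (uint8_t)(pid_high >> 8);
}

/* The vulnerable lookup, mov eax, _ValidateRoutines[eax*4], computes
 * table + index * sizeof(pointer) with nothing comparing index against the
 * table length.  This only computes that byte offset; it never reads it. */
static size_t unchecked_table_offset(const uint8_t *pkt)
{
    return (size_t)read_pid_high(pkt) * sizeof(validate_fn);
}

/* Hardened dispatch: range-check the index before indexing the table, then
 * keep the original NULL check (test eax, eax / mov eax, 0C0000002h). */
static uint32_t dispatch_checked(const uint8_t *pkt, size_t len)
{
    uint16_t idx;

    if (len < HDR_LEN)
        return STATUS_INVALID_PARAMETER;
    idx = read_pid_high(pkt);
    if (idx >= NUM_VALIDATE_ROUTINES)       /* the missing bounds check */
        return STATUS_INVALID_PARAMETER;
    if (validate_routines[idx] == NULL)
        return STATUS_NOT_IMPLEMENTED;
    return validate_routines[idx](pkt, len); /* the call eax */
}

/* Wrappers that construct a packet for a given index and run each path. */
static uint32_t checked_status_for_index(uint16_t pid_high)
{
    uint8_t pkt[HDR_LEN];
    build_packet(pkt, pid_high);
    return dispatch_checked(pkt, sizeof pkt);
}

static size_t unchecked_offset_for_index(uint16_t pid_high)
{
    uint8_t pkt[HDR_LEN];
    build_packet(pkt, pid_high);
    return unchecked_table_offset(pkt);
}

int main(void)
{
    static const uint16_t samples[] = { 0x0000, 0x0002, 0x0003, 0xFFFF };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("index 0x%04X: unchecked lookup reads at byte %zu of a %zu-byte table, "
               "checked dispatch returns 0x%08X\n", samples[i],
               unchecked_offset_for_index(samples[i]), sizeof validate_routines,
               checked_status_for_index(samples[i]));
    return 0;
}
```

With a 16-bit index and 4-byte pointers on the 32-bit build in the post, the unchecked lookup can read a function pointer up to 256 KiB past the start of the table, and whatever value is found there is then called; the one-line comparison against the table length is what turns that into a clean error return.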