A SMB Odyssey

This Black Tuesday (the 13th, no less), Microsoft released the first security patch of 2009. This patch addresses three vulnerabilities in the SRV.SYS driver of the Microsoft Windows operating system. The SRV.SYS driver implements the Server Service component of the SMB network service, exposed via ports 139 and 445. The first issue addressed in this patch (CVE-2008-4114) has been public since September 14th, 2008 and allows a remote user to crash a Windows-based system by sending a malformed WriteAndX request to a named pipe. This flaw is interesting because it is triggered by a memory copy, but instead of an overflow, it is a miscalculation of the source pointer. When the target machine receives this write request, it attempts to read from a memory location that may not exist, causing the entire operating system to crash (and by default, reboot). Normally, Microsoft waits until the next service pack to address bugs that do not result in code execution, so having a fix for this before XP SP4 (assuming there is one) is a nice surprise.
The next two bugs (CVE-2008-4834 and CVE-2008-4835) are a little different. These bugs are triggered when the service attempts to zero out a memory buffer that is smaller than a static value. If the attacker sends a request with certain fields set to values smaller than the static buffer size, the resulting operation overwrites the memory after the buffer with NULL bytes. Since we are dealing with driver code and the first buffer is allocated in a kernel pool, the subsequent overwrite usually corrupts the following pool header with a series of NULL bytes. This is where things start to get interesting. The Microsoft bulletin rates this patch as Critical and these two flaws as Remote Code Execution, but in order to execute code, there needs to be a way to leverage a small NULL byte overwrite of a kernel pool header to somehow gain control of execution. While there has been some work in this area, it has focused on using controllable values to overwrite header entries. As far as I know, there is no easy way to leverage a NULL byte overwrite of a pool header into code execution. For this reason, I would agree that these bugs are Critical in the sense that they should be patched as soon as possible (to prevent an easy DoS if nothing else), but I do not believe they will result in code execution. Of course, I would love to be proven wrong :-)
Successful exploitation of the NULL byte overwrite bugs will result in an exception like the following:
BAD_POOL_HEADER (19)
Arg1: 00000020, a pool block header size is corrupt.
Arg2: e2008540, The pool entry we were looking for within the page.
Arg3: e20089f0, The next pool entry. <-- OVERWRITTEN HEADER
Arg4: 0c96020e, (reserved)

BUGCHECK_STR: 0x19_20
f61bac30 80543e86 00000019 00000020 e2008540 nt!KeBugCheckEx+0x1b
f61bac80 f694fad1 e2008548 00000000 f695d2b9 nt!ExFreePoolWithTag+0x2a0
f61bac8c f695d2b9 00000021 e2008550 821e5bd0 srv!SrvFreePagedPool+0x2a
f61baca0 f695771c 820d1610 e2008550 821f1038 srv!SrvFreeTransaction+0x68
f61bacb4 f6958349 00000000 821f1038 e2008550 srv!SrvDereferenceTransaction+0x6b
f61bacec f695786b 00000000 0000001e 821f1038 srv!SrvCompleteExecuteTransaction+0xd0
f61bad04 f6958115 f694be34 821f1038 821f2058 srv!ExecuteTransaction+0x333
f61bad7c f693f836 821f1040 821f2020 f694fa98 srv!SrvSmbTransaction+0x7ac
f61bad88 f694fa98 00000000 8202e200 00000000 srv!SrvProcessSmb+0xb7

SYMBOL_NAME: srv!SrvFreePagedPool+2a
MODULE_NAME: srv
IMAGE_NAME: srv.sys

kd> dd e2008540 (current entry)
e2008540 0c96020e 7274534c 000004a0 00000000
e2008550 04a0030c 00000000 820d1610 821e5bd0

kd> dd e20089f0 (overwritten entry header)
e20089f0 00000000 00000000 00000000 00000000
e2008a00 00000000 00000000 00000000 82270000
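To make the defect class behind CVE-2008-4834/4835 concrete, here is an added illustration in C, written for this page and not taken from srv.sys or the Windows pool allocator. It models two adjacent pool blocks in a flat arena, clears the first block's payload with a static length (the bug) and with the allocated length (the fix), and reports whether the following block's header survived. The header word, the static size and the layout are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena: [header A][payload A, request_len bytes][header B][...].
 * Values are assumptions chosen for the demo, not Windows pool internals. */
#define STATIC_CLEAR_SIZE 64u          /* fixed length the buggy clear always uses */
#define POOL_HEADER_MAGIC 0x0c96020eu  /* stand-in for an intact pool header word */
#define ARENA_SIZE 256u

static uint8_t arena[ARENA_SIZE];

/* Put block B's header immediately after block A's request_len-byte payload,
 * as an allocator would place the next entry behind a short allocation. */
static uint8_t *layout(size_t request_len) {
    uint32_t hdr = POOL_HEADER_MAGIC;
    memset(arena, 0xAA, sizeof arena);          /* non-zero fill to make zeroing visible */
    memcpy(arena, &hdr, sizeof hdr);
    memcpy(arena + sizeof hdr + request_len, &hdr, sizeof hdr);
    return arena + sizeof hdr;                  /* start of payload A */
}

/* Vulnerable pattern: the request sized the buffer at request_len bytes,
 * but the clear uses the static size, so a short buffer is over-cleared. */
static void clear_buffer_buggy(uint8_t *buf, size_t request_len) {
    (void)request_len;                          /* ignored: that is the bug */
    memset(buf, 0, STATIC_CLEAR_SIZE);
}

/* Hardened form: never clear more than was actually allocated. */
static void clear_buffer_fixed(uint8_t *buf, size_t request_len) {
    size_t n = request_len < STATIC_CLEAR_SIZE ? request_len : STATIC_CLEAR_SIZE;
    memset(buf, 0, n);
}

/* Runs one request (request_len <= STATIC_CLEAR_SIZE) through the chosen
 * routine; returns 1 if block B's header survived, 0 if it was zeroed. */
int next_header_intact(size_t request_len, int use_fix) {
    uint8_t *buf = layout(request_len);
    uint32_t hdr;
    if (use_fix) clear_buffer_fixed(buf, request_len);
    else         clear_buffer_buggy(buf, request_len);
    memcpy(&hdr, arena + sizeof hdr + request_len, sizeof hdr);
    return hdr == POOL_HEADER_MAGIC;
}

int main(void) {
    printf("buggy, 16-byte request: header intact = %d\n", next_header_intact(16, 0)); /* 0 */
    printf("fixed, 16-byte request: header intact = %d\n", next_header_intact(16, 1)); /* 1 */
    printf("buggy, 64-byte request: header intact = %d\n", next_header_intact(64, 0)); /* 1 */
    return 0;
}
```

The 16-byte case with the buggy routine is the situation in the bug check above: the next entry's header is replaced by NULL bytes and is caught at free time, while a request that matches the static size leaves the neighbor untouched.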
 
Posted by HD Moore (2009/01/13 21:25:34.923 US/Central)