Microsoft SMB Driver Remote Buffer Overflow

 

Autor:  Javier Vicente Vallejo

Web:  www.vallejo.cc

 

Abstract

 

Some versions of the Microsoft SMB driver  (mrxsmb.sys) are prone to a vulnerability when a malformed packet is received. The vulnerability causes a kernel buffer overflow that could be exploited to execute code on vulnerable systems.

 

I was not able to exploit the vulnerability with systems updated with this security update:

 http://www.microsoft.com/technet/security/Bulletin/MS06-030.msp

The update fixes a elevation of privilege bug,  it wasn’t dessigned to patch the vulnerability that i will describe here. I have not got the vulnerability working when this patch is installed, but since the patch is not specific for this bug, perhaps it could be possible to exploit it with some modifications.

 

 

Affected versions

 

It worked on Windows XP Sp2 without MS06-30 update. I wasn´t able to exploit it on this system with MS06-30 update installed.

 

Analysis

 

The vulnerability occurs with a malformed SMB Session Setup command with a security blob and a larger security blob lenght. Mrxsmb.sys starts to copy from the security blob buffer in the packet to other buffer in memory using the lenght that we indicated in the packet, without doing previous checks. When we set a high value for lenght (for example, 0xcccc), a buffer overflow occurs.

 

ef1d3da1 8bb044010000    mov     esi,dword ptr [eax+144h]

ef1d3da7 8b8848010000    mov     ecx,dword ptr [eax+148h]

ef1d3dad 03b030010000    add     esi,dword ptr [eax+130h]

ef1d3db3 8bc1            mov     eax,ecx

ef1d3db5 c1e902          shr     ecx,2

ef1d3db8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:e14eef54=00000000 ds:0023:e11e2fff=????????

ef1d3dba 8bc8            mov     ecx,eax

ef1d3dbc 83e103          and     ecx,3

ef1d3dbf f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

ef1d3dc1 8b4508          mov     eax,dword ptr [ebp+8]

ef1d3dc4 8b7038          mov     esi,dword ptr [eax+38h]

 

eax=0000cccc ebx=c0000016 ecx=0000175e edx=837f2010 esi=e11e2fff edi=e14eef54

eip=ef1d3db8 esp=eebccd50 ebp=eebccd5c iopl=0         nv up ei pl nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206

mrxsmb+0x7db8:

ef1d3db8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:e14eef54=00000000 ds:0023:e11e2fff=????????

 

Attached with this description you can find a pcap file of the tcp traffic for the connection causing the buffer overflow captured with wireshark.

 

In addition i have attached the minidump generated where you can see the crash details.