Recently we became aware of a new security vulnerability that affects various versions of Microsoft Windows operating systems. This vulnerability allows remote attackers to carry out denial-of-service and local privilege escalation attacks against affected computers and though not confirmed, it may also facilitate remote code-execution with kernel-level privileges.
The issue was publicly released on September 7, 2009, by a researcher named Laurent Gaffié. The researcher published proof-of-concept code and some technical details on the Full Disclosure mailing list. He indicated that the code targets the Microsoft Server Message Block version 2 (SMB v2) protocol implementation in Microsoft Windows Vista and Windows 7 and it could be used to trigger a denial-of-service condition in the affected operating systems. We tested the exploit code and confirmed the issue on Windows Vista SP1 and Windows Server 2008.
Subsequent analysis revealed that the vulnerability specifically affects the ‘_Smb2ValidateProviderCallback()’ function of the ‘srv2.sys’ driver and arises when a vulnerable computer processes an SMB NEGOTIATE PROTOCOL REQUEST packet. An attacker can supply a specific 16-bit (WORD) ‘PIDHigh’ (ProcessIDHigh) value through this packet to exploit this issue. The ‘PIDHigh’ value is used as an index into an array of function pointers and an incorrectly sized value can be used to reference memory that exists outside of this array of function pointers. This memory will be subsequently interpreted as a pointer to a function and called by the vulnerable code. In most cases this would result in a system crash, but it can be leveraged to execute code depending on the contents of memory adjacent to the array. If an attacker could provide a value that referenced a malicious payload in memory then code-execution could be possible. Because this flaw arises in the kernel memory space, successful code-execution could allow an attacker to gain complete control over a vulnerable computer.
Since the publication of this vulnerability, multiple examples of exploit code have been released by various researchers. All publicly available examples so far exploit this issue to trigger a “blue screen of death” (BSoD). On September 14, 2009, a working commercial exploit was released for the Immunity CANVAS automated exploitation system. This exploit is not otherwise publicly available or known to be circulating in the wild. It is likely that publicly available or zero-day exploits taking advantage of this vulnerability to remotely execute code may also appear in the near future.
On September 8, 2009, Microsoft released a Security Advisory (975497) to discuss this issue and identify affected platforms. The vendor reported that the following specific versions of Windows are affected by this vulnerability:
• Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
• Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
This issue does not affect older versions of Windows as they do not use SMB v2. Windows 7 was initially reported to be vulnerable but Microsoft specifically indicated that Windows 7 and Windows Server 2008 R2 are not affected. However, some reports indicate that release candidates of Windows 7 may be vulnerable.
Microsoft did not release any fixes for this vulnerability but provided workarounds that include disabling the affected SMB2 protocol and blocking associated ports including TCP 139 and TCP 445 at the firewall. It should also be noted that File and Print Sharing must be enabled for this issue to present a threat.
Due to the potential severity of this issue and the lack of vendor-supplied patches, we recommend that customers follow security best practices and consider the following mitigation strategies:
• Disable SMB v2, where possible.
• Disable file and print sharing.
• Restrict access to TCP ports 139 and 445 at network perimeters.
Symantec has also released detection signatures that detect and block this attack.
For further reference:
Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability