Microsoft Windows SMB Pool Overflow
The Microsoft Windows operating system ships with an implementation of the Server Message Block (SMB) protocol. SMB is a widely used protocol that allows for sharing network devices and remote procedure calls, among other things. The service listens on TCP ports 139 and 445. SMB is a stateful protocol that requires successful authentication before a session is established. An SMB message is composed of a header and message-specific data.
The following describes an SMB message structure:
Offset Size Field ------ --------- --------------------------------------- 0x0000 char 'SMB' 0x0004 char Command (TRANS2 = 0x32) 0x0005 int32 Error Class 0x0009 char Flags 0x000A int16 Flags2 0x000C int16 Pid High 0x000E int32 Signature 0x0016 int16 Unused 0x0018 int16 Tree ID 0x001A int16 Process ID 0x001C int16 User ID 0x001E int16 Multiplex ID 0x0020 var SMB Message Data
One of the Commands supported by the SMB protocol is the SMB_COM_TRANSACTION2, also known as TRANS2 (0x32).
The SMB Message Data portion of an SMB TRANS2 Request message has the following structure:
Offset Size Field ------ ------- ------------------------------------------ 0x0000 char Word Count 0x0001 int16 Total Parameter Count 0x0003 int16 Total Data Count 0x0005 int16 Max Parameter Count 0x0007 int16 Max Data Count 0x0009 char Max Setup Count 0x000A char Reserved 0x000B int16 Flags 0x000D int32 Timeout 0x0011 int16 Reserved 0x0013 int16 Parameter Count 0x0015 int16 Parameter Offset 0x0017 int16 Data Count 0x0019 int16 Data Offset 0x001B char Setup Count 0x001C char Reserved 0x001D int16 Subcommand [...]
Based on the Subcommand, the format of the Subcommand Data will change. One of the supported subcommands is QUERY_FS_INFO.
A buffer overflow vulnerability exists in the Server Message Block (SMB) protocol client implementation on Microsoft Windows. The vulnerability is due to a boundary error when handling specially crafted SMB messages. The flaw exists in the processing of the QUERY_FS_INFO subcommand in SMB_COM_TRANSACTION2 requests. The vulnerable code does not properly verify the value of 'Max Data Count' field of the request. This value is used to allocate a memory pool in the kernel address space. A malicious SMB message processed by the vulnerable service could result in an undersized memory pool to be allocated which could consequently trigger a write access violation when utilized by the kernel.
Successful exploitation may result in code injection and execution with the privileges of the operating system kernel. In cases of unsuccessful exploitation, the attack will lead to kernel panic causing a system wide denial of service condition.
SonicWALL has released an IPS signature to address this vulnerability. The following signature has been released:
- 5235 - MS SMB Pool Overflow Attack Attempt
The vendor has released an advisory regarding this issue. The vulnerability has been assigned