MS SMB Memory Corruption Vulnerability

April 22, 2010

Microsoft Windows is one of the most popular operating systems, used on both servers and clients. Windows is compatible with a wide range of hardware and software, and it also bundles many applications and modules such as file editing, picture drawing, resource management, etc.

Windows' native networking framework is one of these embedded modules. It uses the Server Message Block (SMB) protocol. SMB provides file sharing, network printing, remote procedure calls and other functionality.

An SMB message is composed of a header and message-specific data. The following describes an SMB message structure:

Offset  Size      Field
------------------------------------------------------------------------
0x0000  BYTE[4]   Contains 0xFF,'SMB'
0x0004  BYTE      Command Type (SMB_COM_TRANS = 0x25)
0x0005  DWORD     Error Class
0x0009  BYTE      Flags
                  x... .... (Request if x=0, Response if x=1)
0x000A  WORD      Flags2
0x000C  WORD      PID High
0x000E  DWORD[2]  Signature
0x0016  WORD      Unused
0x0018  WORD      Tree ID
0x001A  WORD      Process ID
0x001C  WORD      User ID
0x001E  WORD      Multiplex ID
0x0020  var       SMB Message Data (format depends on the Command Type)

The SMB common header is immediately followed by command-type-specific data. Several request/response types are used in the SMB protocol. One such type is SMB_COM_TRANSACTION (Command Type = 0x25), also known as TRANS. This command serves as the transport for the Transaction Subprotocol Commands, which operate on mailslots and named pipes.
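As an added example (not from the original advisory or from SonicWALL), the following Python parses the 32-byte SMB header laid out in the table above and flags TRANS (0x25) responses, the message class the vulnerable client-side code has to handle. The field order, widths and little-endian byte order follow the table; the helper names and the constructed sample messages are assumptions for this example.

```python
import struct
from typing import NamedTuple

# Constants taken from the header table above.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_HEADER_LEN = 0x20
FLAGS_RESPONSE = 0x80      # bit 7 of Flags: 0 = request, 1 = response

# 32-byte header, little-endian:
# magic(4) cmd(1) error(4) flags(1) flags2(2) pid_high(2) sig(8)
# unused(2) tid(2) pid(2) uid(2) mid(2)
_HDR = struct.Struct("<4sBIBHH8sHHHHH")

class SmbHeader(NamedTuple):
    command: int
    error_class: int
    flags: int
    flags2: int
    pid_high: int
    signature: bytes
    tid: int
    pid: int
    uid: int
    mid: int
    data: bytes            # command-specific payload from offset 0x20 onwards

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAGS_RESPONSE)

def parse_smb(msg: bytes) -> SmbHeader:
    """Split a raw SMB message into its common header and command data."""
    if len(msg) < SMB_HEADER_LEN:
        raise ValueError("message shorter than the 32-byte SMB header")
    fields = _HDR.unpack(msg[:SMB_HEADER_LEN])
    magic, cmd, err, flags, flags2, pid_hi, sig, _unused, tid, pid, uid, mid = fields
    if magic != SMB_MAGIC:
        raise ValueError("missing 0xFF 'SMB' signature")
    return SmbHeader(cmd, err, flags, flags2, pid_hi, sig, tid, pid, uid, mid,
                     msg[SMB_HEADER_LEN:])

def build_smb(command: int, flags: int, data: bytes,
              tid: int = 0, pid: int = 0, uid: int = 0, mid: int = 0) -> bytes:
    """Assemble a message with the same layout (used to construct samples)."""
    return _HDR.pack(SMB_MAGIC, command, 0, flags, 0, 0, b"\x00" * 8,
                     0, tid, pid, uid, mid) + data

def is_trans_response(msg: bytes) -> bool:
    """True for a well-formed TRANS message whose Flags response bit is set."""
    try:
        hdr = parse_smb(msg)
    except ValueError:
        return False
    return hdr.command == SMB_COM_TRANSACTION and hdr.is_response
```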

A memory corruption vulnerability exists in the SMB client implementation on Microsoft Windows. The vulnerability is due to a design error in the handling of specially crafted SMB_COM_TRANSACTION responses. Successful exploitation of this vulnerability would allow an attacker to inject and execute arbitrary code on the target system.

The SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect attack attempts.


The vendor refers to this vulnerability as MS10-020, and it has been assigned CVE-2010-0476.