MS Windows SMB Negotiate Request DoS
Microsoft Windows operating systems ship with an implementation of the Server Message Block (SMB) protocol. SMB provides shared access to files, printers and other network resources and also carries RPC traffic over named pipes, among other functions. The service listens on TCP ports 139 (SMB over NetBIOS) and 445 (SMB directly over TCP). SMB is a session-oriented protocol: a client must complete an initial negotiation handshake, and optionally authenticate, before a session is established. The negotiate command, SMB_COM_NEGOTIATE, has the command code 0x72.
The following table illustrates the 32-byte SMB header that precedes every SMB command:

Offset  Size     Description
------  -------  ----------------------------------------------
0x00    4 BYTES  Protocol identifier: 0xFF followed by "SMB"
0x04    BYTE     Command code (0x72 for SMB_COM_NEGOTIATE)
0x05    BYTE     Error class
0x06    BYTE     Reserved
0x07    WORD     Error code
0x09    BYTE     Flags
0x0A    WORD     Flags2
0x0C    WORD     Process ID High
0x0E    8 BYTES  Signature
0x16    WORD     Unused
0x18    WORD     Tree ID
0x1A    WORD     Process ID
0x1C    WORD     User ID
0x1E    WORD     Multiplex ID

All multi-byte fields are little-endian. The command-specific body (WordCount, parameter words, ByteCount and data bytes) follows the header.
There are several versions, or dialects, of the Server Message Block (SMB) protocol. During the negotiation phase the client sends the list of dialects it supports, and the server responds with the index of the dialect it selects for the session. Some of the available dialects follow:
- PC NETWORK PROGRAM 1.0
- LANMAN1.0
- NT LM 0.12
SMB2, a redesign of the protocol, was introduced with Windows Vista. A client can request an SMB2 session by including the SMB2 dialect string ("SMB 2.002" for Vista) in the dialect list of its SMB negotiate request; a server that supports SMB2 then replies with an SMB2 negotiate response.
A vulnerability exists in the SMB implementation of some versions of Microsoft Windows. It is caused by an array indexing error when processing SMB negotiate requests that contain the SMB2 dialect. The flaw lies in the handling of the Process ID High field. The Process ID in the SMB header is a 16-bit field that can be extended to 32 bits by using the Process ID High field. The affected code uses the value taken from the request, without any bounds check, as an index into an array of function pointers; the selected pointer is then dereferenced and the function it points to is called. A value outside the array therefore causes the server to read a pointer from memory beyond the end of the table and transfer control to it.
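As an added example (not code from the advisory or from Microsoft), the following C program parses a constructed SMB_COM_NEGOTIATE request according to the header layout above, recovers the 32-bit process ID from the two PID fields, checks whether the SMB2 dialect is present in the dialect list, and then shows the unchecked function-table dispatch the advisory describes beside a bounds-checked version. The two-entry handler table, the handler names and the use of Process ID High as the raw index are assumptions made for illustration; the advisory does not give the size of the real table or the exact arithmetic Windows applies to the field, and the out-of-range value 0x0100 in the sample request is arbitrary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SMB_HEADER_LEN 32

/* The 32-byte SMB header, at the offsets given in the table above. */
struct smb_header {
    uint8_t  command, error_class, flags;
    uint16_t error_code, flags2;
    uint16_t pid_high;                /* offset 0x0C: high 16 bits of the process ID */
    uint8_t  signature[8];
    uint16_t tid, pid_low, uid, mid;  /* pid_low is the Process ID at offset 0x1A */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the header; returns 0 on success, -1 if the buffer is short or lacks \xffSMB. */
int smb_parse_header(const uint8_t *buf, size_t len, struct smb_header *h)
{
    if (len < SMB_HEADER_LEN || memcmp(buf, "\xff" "SMB", 4) != 0) return -1;
    h->command     = buf[0x04];
    h->error_class = buf[0x05];
    h->error_code  = le16(buf + 0x07);
    h->flags       = buf[0x09];
    h->flags2      = le16(buf + 0x0A);
    h->pid_high    = le16(buf + 0x0C);
    memcpy(h->signature, buf + 0x0E, 8);
    h->tid         = le16(buf + 0x18);
    h->pid_low     = le16(buf + 0x1A);
    h->uid         = le16(buf + 0x1C);
    h->mid         = le16(buf + 0x1E);
    return 0;
}

/* The 16-bit Process ID extended to 32 bits with Process ID High. */
uint32_t smb_process_id(const struct smb_header *h)
{
    return ((uint32_t)h->pid_high << 16) | h->pid_low;
}

/* Does a negotiate request carry the given dialect? The body is WordCount (0), ByteCount,
 * then each dialect as 0x02 + NUL-terminated string. Returns 1 if found, 0 if not or malformed. */
int smb_negotiate_has_dialect(const uint8_t *buf, size_t len, const char *dialect)
{
    if (len < SMB_HEADER_LEN + 3) return 0;
    const uint8_t *p = buf + SMB_HEADER_LEN;
    if (p[0] != 0) return 0;                           /* WordCount is 0 for NEGOTIATE */
    const uint8_t *d = p + 3, *end = d + le16(p + 1);
    if (end > buf + len) return 0;                     /* ByteCount overruns the packet */
    while (d < end) {
        if (*d++ != 0x02) return 0;                    /* buffer format byte: dialect */
        const uint8_t *nul = memchr(d, 0, (size_t)(end - d));
        if (!nul) return 0;
        if (strcmp((const char *)d, dialect) == 0) return 1;
        d = nul + 1;
    }
    return 0;
}

/* Hypothetical two-entry function pointer table standing in for the driver's array. */
typedef int (*smb_handler_t)(void);
static int handle_smb1(void) { return 1; }
static int handle_smb2(void) { return 2; }
static const smb_handler_t g_table[] = { handle_smb1, handle_smb2 };
#define TABLE_LEN (sizeof g_table / sizeof g_table[0])

/* Vulnerable pattern from the advisory: the header field is the index, with no bounds check.
 * With pid_high >= TABLE_LEN this reads past the table and calls whatever it finds; in a
 * kernel driver that is the bug check. Only call it with an in-range value. */
int smb_dispatch_unchecked(const struct smb_header *h) { return g_table[h->pid_high](); }

/* Hardened form: validate the index before the dereference, otherwise reject the request. */
int smb_dispatch_checked(const struct smb_header *h)
{
    if ((size_t)h->pid_high >= TABLE_LEN) return -1;
    return g_table[h->pid_high]();
}

/* Constructed negotiate request (not a captured packet): the dialects listed above plus the
 * SMB2 dialect, and Process ID High set to 0x0100, an arbitrary out-of-range index. */
static const uint8_t sample_req[] =
    "\xff" "SMB" "\x72"                 /* 0x00 protocol id, 0x04 command SMB_COM_NEGOTIATE */
    "\x00\x00\x00\x00"                  /* 0x05 error class, reserved, error code */
    "\x18" "\x53\xc8"                   /* 0x09 flags, 0x0A flags2 (typical client values) */
    "\x00\x01"                          /* 0x0C Process ID High = 0x0100 */
    "\x00\x00\x00\x00\x00\x00\x00\x00"  /* 0x0E signature */
    "\x00\x00" "\x00\x00"               /* 0x16 unused, 0x18 tree ID */
    "\xff\xfe" "\x00\x00" "\x40\x00"    /* 0x1A Process ID = 0xFEFF, 0x1C user ID, 0x1E multiplex ID */
    "\x00" "\x3a\x00"                   /* WordCount = 0, ByteCount = 58 */
    "\x02PC NETWORK PROGRAM 1.0\0" "\x02LANMAN1.0\0" "\x02NT LM 0.12\0" "\x02SMB 2.002\0";
#define SAMPLE_REQ_LEN (sizeof sample_req - 1)  /* drop the literal's trailing NUL */

int main(void)
{
    struct smb_header h;
    if (smb_parse_header(sample_req, SAMPLE_REQ_LEN, &h) != 0) return 1;
    printf("command=0x%02x pid=0x%08x smb2=%d\n", h.command, smb_process_id(&h),
           smb_negotiate_has_dialect(sample_req, SAMPLE_REQ_LEN, "SMB 2.002"));
    printf("checked dispatch: %d (negative means rejected)\n", smb_dispatch_checked(&h));
    return 0;
}
```

The hardened dispatcher is the only behavioural difference between the two forms: the request with an out-of-range index is rejected before any pointer is read, which is what a bounds check at the point of table lookup buys in the real driver.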
A remote, unauthenticated attacker can exploit this vulnerability to crash the SMB server. Because the Server service component that handles SMB runs in kernel mode, the invalid function pointer dereference results in a system bug check (kernel crash), and the target machine halts or reboots. While it is theoretically possible that this vulnerability could be exploited for code execution, the attacker would first have to place a pointer to controlled code at the memory location the out-of-range index selects and know that location in advance, so the most likely outcome of an exploitation attempt is a crash of the target machine. SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:
- 2032 - MS Windows SMB Negotiate Request DoS Attempt