MS Windows SMB Negotiate Request DoS

September 14, 2009

Microsoft Windows operating systems ship with an implementation of the Server Message Block (SMB) protocol. SMB provides file and printer sharing and carries MS-RPC over named pipes, among other functions. The Server service listens on TCP port 445 (direct hosting) and TCP port 139 (NetBIOS session service). SMB is a session-oriented protocol: a client must complete a protocol negotiation, and optionally authenticate, before a session is established. The Negotiate Protocol command (SMB_COM_NEGOTIATE) has command code 0x72.

The following table illustrates the 32-byte SMB header (multi-byte fields are little-endian):

Offset  Size      Description
------  --------  ----------------------------------------------
0x00    BYTE[4]   Protocol magic: 0xFF followed by "SMB"
0x04    BYTE      Command code (0x72 for Negotiate Protocol)
0x05    BYTE      Error class
0x06    BYTE      Reserved
0x07    WORD      Error code
0x09    BYTE      Flags
0x0A    WORD      Flags2
0x0C    WORD      Process ID High
0x0E    DWORD[2]  Signature (8 bytes)
0x16    WORD      Unused
0x18    WORD      Tree ID
0x1A    WORD      Process ID
0x1C    WORD      User ID
0x1E    WORD      Multiplex ID

There are several different versions of the Server Message Block (SMB) protocol. The client and server will negotiate which SMB dialect to use for the session during the negotiation phase. Typically, the client will send a list of requested dialects. Some of the available dialects follow:


SMB2, a redesigned version of the protocol, was introduced with Windows Vista. A client requests an SMB2 session by listing the "SMB 2.002" dialect string in its SMB1 Negotiate request; a server that supports SMB2 answers with an SMB2 negotiate response and the remainder of the session runs over SMB2.

A vulnerability exists in the SMB2 implementation (the srv2.sys kernel driver) on affected versions of Microsoft Windows. It is an array-index error in the handling of an SMB Negotiate request that lists the SMB2 dialect, and it is triggered through the Process ID High field. The header's 16-bit Process ID can be extended to 32 bits through the Process ID High word; when a negotiate request is routed to the SMB2 code, the value of this field is used, without any bounds check, as an index into a table of function pointers. The selected pointer is then dereferenced and called, so an attacker-chosen index makes the kernel jump through whatever happens to lie at that offset past the end of the table.

A remote, unauthenticated attacker can trigger this flaw with a single Negotiate request. Because the SMB server runs in kernel mode, the out-of-bounds function pointer dereference does not merely terminate the Server service; it causes a system bugcheck (blue screen), and the target reboots or hangs. At the time of this writing the flaw was assessed as a denial-of-service issue only, on the reasoning that code execution would require the attacker to place code in memory beforehand and know its exact address. That assessment did not hold: a working remote code execution exploit was publicly demonstrated within weeks of the disclosure, so the vulnerability should be treated as remote code execution rather than a crash. SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature has been released:

  • 2032 - MS Windows SMB Negotiate Request DoS Attempt
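The following Python example is added here to illustrate the header layout, the Process ID High extension and the detection condition described above; it is not code from the SonicWALL advisory and does not reproduce the commercial signature. It parses NetBIOS-framed SMB traffic, extracts the dialect list from a Negotiate request, and raises an alert only when the SMB2 dialect is requested together with a nonzero Process ID High, which is the combination that reaches the unchecked table lookup. The packets are constructed inline for the example (the Flags/Flags2 values and the Process ID default are typical client values, assumed for illustration); the malicious sample carries the bytes 00 26 in the Process ID High field, the ampersand named in the CVE description.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECT = b"SMB 2.002"   # dialect string a client lists to ask for an SMB2 session

# 32-byte SMB header, little-endian, in the field order of the header table above.
SMB_HEADER = struct.Struct("<4sBBBHBHH8sHHHHH")
HEADER_FIELDS = ("magic", "command", "error_class", "reserved", "error_code",
                 "flags", "flags2", "pid_high", "signature", "unused",
                 "tid", "pid", "uid", "mid")
assert SMB_HEADER.size == 32


def parse_smb_header(data):
    """Parse the fixed SMB header at the start of data; None if it is not SMB1."""
    if len(data) < SMB_HEADER.size:
        return None
    hdr = dict(zip(HEADER_FIELDS, SMB_HEADER.unpack_from(data, 0)))
    return hdr if hdr["magic"] == SMB_MAGIC else None


def full_process_id(hdr):
    """The 32-bit process id the header encodes: Process ID High is the upper word."""
    return (hdr["pid_high"] << 16) | hdr["pid"]


def parse_negotiate_dialects(body):
    """SMB_COM_NEGOTIATE body: WordCount, Words, ByteCount, then dialect
    entries of the form 0x02 (BufferFormat) + NUL-terminated string."""
    if len(body) < 1:
        return []
    word_count = body[0]
    offset = 1 + 2 * word_count
    if len(body) < offset + 2:
        return []
    (byte_count,) = struct.unpack_from("<H", body, offset)
    blob = body[offset + 2:offset + 2 + byte_count]
    return [e[1:] for e in blob.split(b"\x00") if e.startswith(b"\x02")]


def inspect_negotiate(packet):
    """Classify one raw TCP payload (NetBIOS session message wrapping SMB).
    Returns (verdict, reason) with verdict in {"ignore", "clean", "alert"}."""
    if len(packet) < 4 or packet[0] != 0x00:          # 0x00 = NetBIOS session message
        return ("ignore", "not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    hdr = parse_smb_header(smb)
    if hdr is None:
        return ("ignore", "payload is not SMB1")
    if hdr["command"] != SMB_COM_NEGOTIATE:
        return ("ignore", "not a negotiate request")
    dialects = parse_negotiate_dialects(smb[SMB_HEADER.size:])
    if SMB2_DIALECT not in dialects:
        return ("clean", "SMB2 dialect not requested; SMB2 code path not reached")
    if hdr["pid_high"] != 0:
        return ("alert", "SMB2 negotiate with nonzero Process ID High 0x%04x" % hdr["pid_high"])
    return ("clean", "SMB2 negotiate with zero Process ID High")


def build_negotiate_request(dialects, pid_high=0, pid=0xFEFF, mid=0):
    """Construct a NetBIOS-framed SMB_COM_NEGOTIATE request (sample input only).
    Flags 0x18 / Flags2 0xC853 and pid 0xFEFF are assumed typical client values."""
    blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = bytes([0]) + struct.pack("<H", len(blob)) + blob   # WordCount = 0
    header = SMB_HEADER.pack(SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0, 0,
                             0x18, 0xC853, pid_high, b"\x00" * 8, 0,
                             0, pid, 0, mid)
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample traffic (not captures from the original advisory).
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0",
            b"Windows for Workgroups 3.1a", b"LM1.2X002",
            b"LANMAN2.1", b"NT LM 0.12", SMB2_DIALECT]
BENIGN = build_negotiate_request(DIALECTS)
# Bytes 00 26 in the Process ID High field: the '&' (0x26) named in the CVE description.
MALICIOUS = build_negotiate_request(DIALECTS, pid_high=0x2600)
# Same bad field but no SMB2 dialect: the request never reaches the SMB2 table lookup.
LEGACY = build_negotiate_request(DIALECTS[:-1], pid_high=0x2600)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("malicious", MALICIOUS), ("legacy", LEGACY)):
        print(name, inspect_negotiate(pkt))
```

The check is deliberately gated on the negotiate command and on the presence of the SMB2 dialect, because that is the only path on which the Process ID High value reaches the vulnerable lookup; a rule that flagged any nonzero Process ID High in arbitrary SMB1 traffic would fire on more than this flaw warrants. A negotiate request from a well-behaved client carries a zero Process ID High, which is why that single field is a sufficient discriminator once the other two conditions hold.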

The vulnerability has been assigned CVE-2009-3103 by Mitre. Microsoft has addressed this issue in Security Bulletin MS09-050 (Vulnerabilities in SMBv2 Could Allow Remote Code Execution). Until the update is applied, Microsoft's documented workaround is to disable SMBv2 by setting the Smb2 DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 and restarting the Server service, and to filter TCP ports 139 and 445 at the network perimeter. Systems without SMB2 support (Windows XP and Windows Server 2003) are not affected by this particular flaw.