Microsoft Windows SRV2.SYS Remote Code Execution

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: September 10, 2009
Notification Version: 1.2

Name: Microsoft Windows SRV2.SYS Remote Code Execution
Public disclosure / In the wild date: September 07, 2009
Aliases: MS09-050
CVE: CVE-2009-3103
Description: The Microsoft Windows SMB 2 server driver (SRV2.SYS) is vulnerable to a denial of service, and potentially to remote code execution, due to improper validation of the SMB header when processing SMB packets.

ISS Coverage

Product                              Content Version
Network Sensor 7.0                   29.091
Proventia A                          29.091
Proventia IPS (G/GX)                 29.091
Server Sensor 7.0                    29.091
Proventia Multifunction Appliance    29.091
Proventia Server (Linux)             29.091
Proventia Server (Windows)           2431
Proventia Desktop                    2431

Propagation Technique    ISS Protection                  Available
remote exploit           SMB_Negotiate_ProcessID_Exec    Sep 11, 2009

Detailed Description

Business Impact:

This vulnerability affects SMB 2, which ships with Windows Vista and Windows Server 2008.  Although inbound file sharing is not enabled by default on every installation, many systems are expected to have it enabled, so exposure to this vulnerability on these platforms is expected to be fairly widespread.

When this vulnerability was first announced (originally as a denial of service), the discoverer also published proof-of-concept code that easily and reliably crashed the target (a BSOD, or Blue Screen of Death).

At the time of initial publication, no proof-of-concept (PoC) exploit demonstrating remote code execution was publicly available.  However, our independent research (and the private research of others) had shown that remote code execution was indeed possible, making this vulnerability much more severe than originally anticipated.  On Sept. 28, 2009, a working remote code execution PoC was publicly released.

There are a few mitigating factors.  SMB (TCP port 445, or port 139 over NetBIOS) is not typically allowed through perimeter firewalls, so attacks are largely limited to unprotected networks or to attackers already inside the firewall.  Customers that do not allow widespread file sharing over SMB 2, or that are not running the vulnerable operating systems, are not impacted.

Customers running vulnerable operating systems that require file sharing should deploy protection immediately and apply the MS09-050 patches referenced below.

*CVSS: Base Score: 10.0
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete
  Impact Bias: Normal
Adjusted Temporal Score: 8.3
  Exploitability: Functional
  Remediation Level: Official Fix
  Report Confidence: Confirmed
Affected Products: For a full list of affected versions, see XFDB reference below.
Technical Description: Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by an array indexing error in the Smb2ValidateProviderCallback() function within the SRV2.SYS kernel driver when processing SMB packets.  The driver uses the Process ID High field of the SMB header as an index into a function table without validating it against the table's bounds.  By sending a specially-crafted Server Message Block (SMB) Negotiate Protocol Request carrying an out-of-range value in that field, a remote, unauthenticated attacker could exploit this vulnerability to dereference out-of-bounds memory and execute arbitrary code in kernel context, or cause the system to crash.  Because the Negotiate request is the first message of an SMB session, no credentials are required.
Remediation: Patches for this issue were made available on October 13, 2009.  See References for details.

References

XFDB       http://xforce.iss.net/xforce/xfdb/53090
Microsoft  http://www.microsoft.com/technet/security/advisory/975497.mspx
Microsoft  http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx

Revision History

1.0 Initial publication.
1.1 Updated Business Impact to include the new proof-of-concept exploit code for remote code execution.
1.2 Added link to patch, changed CVSS, and added alias.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Internet Security Systems

IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.