Friday, 18 April 2014
Regarding SMB2.0 Negotiate BSOD published by Laurent Gaffié
(Tuesday, 08 September 2009) Written by Rubén

Today I woke up to an advisory published by Laurent Gaffié announcing a possible BSOD. The advisory gives no technical detail and is based only on empirical results, so it needed to be verified. This is the result of my brief research. Change "DoS" to "Remote Code Execution" and "Local Privilege Escalation".


Module: srv2.sys

Code (asm)

; int __stdcall Smb2ValidateProviderCallback(PVOID DestinationBuffer)
_Smb2ValidateProviderCallback@4 proc near

.text:000156B3 loc_156B3:                              ; CODE XREF: Smb2ValidateProviderCallback(x)+4D5j
.text:000156B3                                         ; Smb2ValidateProviderCallback(x)+4DEj
.text:000156B3                 movzx   eax, word ptr [esi+0Ch]; packet->SMB_Header->Process_ID_High
.text:000156B7                 mov     eax, _ValidateRoutines[eax*4]; BUG - out-of-bounds dereference.
.text:000156BE                 test    eax, eax
.text:000156C0                 jnz     short loc_156C9
.text:000156C2                 mov     eax, 0C0000002h
.text:000156C7                 jmp     short loc_156CC
.text:000156C9 ; ---------------------------------------------------------------------------
.text:000156C9 loc_156C9:  ; CODE XREF: Smb2ValidateProviderCallback(x)+4F3j
.text:000156C9                 push    ebx
.text:000156CA                 call    eax ; Smb2ValidateNegotiate(x) - KABOOOM!!

As you can see, [ESI+0xC] points into our packet, exactly at the ProcessIDHigh header field, which is 16 bits wide and fully under our control. That value is later used as an index into the function pointer table _ValidateRoutines. A classic bug: an out-of-bounds dereference, since the code never checks the index against the size of the table before dereferencing the function pointer. This is why the vulnerability is remote code execution and not only a DoS, and it is also why the published exploit may or may not crash a machine: if the page the index points to is invalid the system BSODs; otherwise it may crash at some other point, or simply not crash at all.
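A constructed C reconstruction of the dispatch pattern in the listing above, added here and not srv2.sys code: the vulnerable shape next to a bounds-checked version, driven by a raw SMB1 header whose ProcessIDHigh field sits at offset 0x0C as in the disassembly. The table contents, the validate_negotiate stub, the status codes other than 0xC0000002 and the probe() helper are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* 0xC0000002 is the status the listing loads for a NULL slot; the other two
 * are standard NTSTATUS codes chosen for this reconstruction. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_NOT_IMPLEMENTED    0xC0000002u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define SMB_HEADER_LEN      32   /* fixed SMB1 header size */
#define SMB_PID_HIGH_OFFSET 12   /* ProcessIDHigh, the [esi+0Ch] field in the listing */

typedef uint32_t (*validate_fn)(const uint8_t *pkt, size_t len);

/* Stand-in for Smb2ValidateNegotiate(); the real routine is not on the page. */
static uint32_t validate_negotiate(const uint8_t *pkt, size_t len) {
    return (len >= SMB_HEADER_LEN && pkt[0] == 0xFF) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Hypothetical _ValidateRoutines: two live slots and a NULL hole, so both
 * outcomes of the listing's "test eax, eax" are covered. */
static validate_fn ValidateRoutines[] = { validate_negotiate, NULL, validate_negotiate };
#define VALIDATE_ROUTINE_COUNT (sizeof ValidateRoutines / sizeof ValidateRoutines[0])

/* Vulnerable shape, as in the listing: the 16-bit field indexes the table and
 * only the NULL test follows, so any index >= 3 reads past the table
 * (undefined behaviour; call it only with in-range indices). */
uint32_t dispatch_unchecked(uint16_t pid_high, const uint8_t *pkt, size_t len) {
    validate_fn fn = ValidateRoutines[pid_high];
    return fn ? fn(pkt, len) : STATUS_NOT_IMPLEMENTED;
}

/* Hardened shape: bound the index before it touches the table. */
uint32_t dispatch_checked(uint16_t pid_high, const uint8_t *pkt, size_t len) {
    if (pid_high >= VALIDATE_ROUTINE_COUNT) return STATUS_NOT_IMPLEMENTED;
    validate_fn fn = ValidateRoutines[pid_high];
    return fn ? fn(pkt, len) : STATUS_NOT_IMPLEMENTED;
}

/* Raw-header entry point: length check, little-endian field read, hardened dispatch. */
uint32_t validate_smb_packet(const uint8_t *pkt, size_t len) {
    if (pkt == NULL || len < SMB_HEADER_LEN) return STATUS_INVALID_PARAMETER;
    uint16_t pid_high = (uint16_t)(pkt[SMB_PID_HIGH_OFFSET] | (pkt[SMB_PID_HIGH_OFFSET + 1] << 8));
    return dispatch_checked(pid_high, pkt, len);
}

/* Constructed Negotiate header (0xFF 'SMB', command 0x72) with ProcessIDHigh set. */
uint32_t probe(uint16_t pid_high) {
    uint8_t pkt[SMB_HEADER_LEN] = { 0xFF, 'S', 'M', 'B', 0x72 };
    pkt[SMB_PID_HIGH_OFFSET] = (uint8_t)(pid_high & 0xFF);
    pkt[SMB_PID_HIGH_OFFSET + 1] = (uint8_t)(pid_high >> 8);
    return validate_smb_packet(pkt, sizeof pkt);
}
```

With the check in place every index at or beyond the table's end takes the same 0xC0000002 path the listing already uses for an empty slot, instead of reading a pointer from whatever follows the table.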

How to exploit it?

We have seen that ESI points to our packet; in addition, the function table lives in .data, which is mapped before the .PAGE addresses, so a pointer in that area can be dereferenced as well. We "only" need to find a suitable pointer to control execution.

Vulnerable systems:
Vista, 7 RC and Server 2008 prior to R2, according to Microsoft.

Stay tuned; I'll post any further developments regarding this issue.

More info on the blog (in Castilian Spanish) where I collaborate:

