Microsoft Windows SMB Pool Overflow Remote Code Execution Vulnerability

Affected systems:

Microsoft Windows XP SP3
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows Vista SP2
Microsoft Windows Vista SP1
Microsoft Windows Server 2008 SP2
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008
Microsoft Windows Server 2003 SP2
Microsoft Windows 7

Description:


BUGTRAQ  ID: 42224
CVE ID: CVE-2010-2550

Microsoft Windows is a very widely deployed operating system published by Microsoft.

The Microsoft SMB server implementation contains a pool overflow in the validation of certain SMB fields. A remote attacker can execute arbitrary code by sending a specially crafted SMB_COM_TRANSACTION2 request to a system running the Server service.

If a client connected to the SMB server has at least read-only access to a share, and the client sends a crafted Trans2 "QUERY_FS_INFO Query FS Attribute info" request with the MaxDataCount parameter set to 0, then while processing the SMB_COM_TRANSACTION2 request the SrvSmbQueryFsInformation() function in the srv.sys driver calls NtQueryVolumeInformationFile(FileFsSizeInformation) in ntoskrnl.exe. NtQueryVolumeInformationFile allocates a pool block whose size is taken directly from this unvalidated user input:

kd> nt!NtQueryVolumeInformationFile+0x3de:
82a5779c ff7514       push  dword ptr [ebp+14h] ;User controlled
82a5779f 50           push  eax                              
82a577a0 e85d1fe6ff   call  nt!ExAllocatePoolWithQuotaTag (828b9702)
82a577a5 eb23         jmp   nt!NtQueryVolumeInformationFile+0x40c (82a577ca)
kd>

The relevant logic of NtQueryVolumeInformationFile, as reconstructed in the advisory, is as follows:

NTSTATUS
NtQueryVolumeInformationFile(IN HANDLE FileHandle,
                           OUT PIO_STATUS_BLOCK IoStatusBlock,
                           OUT PVOID FileSystemInformation,
                           IN ULONG Length,
                           IN FS_INFORMATION_CLASS FileSystemInformationClass)
{

    if (RequestorMode != KernelMode)
    {
        // [...] probe of the user buffers; Length itself is not checked here
    }

    if (FileSystemInformationClass == FileFsDeviceInformation)
    {
        // [...]
    }

    if (FileSystemInformationClass == FileFsDriverPathInformation)
    {
       PFILE_FS_DRIVER_PATH_INFORMATION Buffer, Source;
       Source = (PFILE_FS_DRIVER_PATH_INFORMATION)FileSystemInformation;
       Buffer = (PFILE_FS_DRIVER_PATH_INFORMATION)ExAllocatePoolWithQuota(NonPagedPool, Length);

        RtlCopyMemory(Buffer, Source, Length);

        NtStatus = IopGetDriverPathInformation(FileObject, Buffer, Length);

        // […]
        if (Buffer) ExFreePool(Buffer);
    }

// Issue:
// SystemBuffer, which is the buffer used for the I/O, can be allocated with
// a size of zero because of the lack of a length sanity check.
// Later this buffer is used for various operations, which is the source of
// trouble when the I/O Manager tries to release the buffer.

    // Length arrives unvalidated from the caller (here: the SMB MaxDataCount
    // field, which the client can set to 0).
    Irp->AssociatedIrp.SystemBuffer = ExAllocatePoolWithQuota(NonPagedPool,
                                                              Length);
// This buffer is freed later by the Windows I/O Manager.
}
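As an added example (not part of the advisory and not Microsoft's code), the following user-mode C model shows the allocation shape described above beside the length check that prevents it: the size requested by the caller is compared against the minimum size of the requested FS_INFORMATION_CLASS before anything is allocated. The enum values and structure layouts mirror the documented Windows DDK definitions but are redefined locally so the file builds on any C toolchain; the pool stand-in, the sample volume data and the function names are constructed for illustration only.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_INFO_CLASS     ((NTSTATUS)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)

/* Values as in ntifs.h. */
typedef enum {
    FileFsVolumeInformation = 1,
    FileFsLabelInformation,
    FileFsSizeInformation,
    FileFsDeviceInformation,
    FileFsAttributeInformation,
    FileFsControlInformation,
    FileFsFullSizeInformation,
    FileFsObjectIdInformation,
    FileFsDriverPathInformation
} FS_INFORMATION_CLASS;

/* Documented layout of FILE_FS_SIZE_INFORMATION (24 bytes). */
typedef struct {
    int64_t  TotalAllocationUnits;
    int64_t  AvailableAllocationUnits;
    uint32_t SectorsPerAllocationUnit;
    uint32_t BytesPerSector;
} FILE_FS_SIZE_INFORMATION;

/* Fixed part of FILE_FS_ATTRIBUTE_INFORMATION; FileSystemName is variable. */
typedef struct {
    uint32_t FileSystemAttributes;
    int32_t  MaximumComponentNameLength;
    uint32_t FileSystemNameLength;
    uint16_t FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION;

/* Smallest caller buffer that can hold a result for the class (0 = not
 * modelled here).  This is the table the missing check would consult. */
size_t min_length_for_class(FS_INFORMATION_CLASS cls)
{
    switch (cls) {
    case FileFsSizeInformation:      return sizeof(FILE_FS_SIZE_INFORMATION);
    case FileFsAttributeInformation: return sizeof(FILE_FS_ATTRIBUTE_INFORMATION);
    default:                         return 0;
    }
}

/* Stand-in for ExAllocatePoolWithQuota: records the size so the model can
 * detect an out-of-bounds write instead of committing it. */
typedef struct { uint8_t *base; size_t size; } pool_block;

static int pool_alloc(pool_block *blk, size_t size)
{
    blk->size = size;
    blk->base = malloc(size ? size : 1);   /* malloc(0) is implementation-defined */
    return blk->base != NULL;
}

static void pool_free(pool_block *blk)
{
    free(blk->base);
    blk->base = NULL;
    blk->size = 0;
}

/* Constructed sample answer from the "file system" (not captured data). */
static const FILE_FS_SIZE_INFORMATION sample_fs_size = {
    .TotalAllocationUnits = 262144, .AvailableAllocationUnits = 131072,
    .SectorsPerAllocationUnit = 8, .BytesPerSector = 512
};

/* Models the file system completing the IRP by writing its 24-byte answer
 * into SystemBuffer.  If the block is smaller, *overflowed is set and the
 * write is skipped; the real kernel has no such guard and corrupts the pool. */
static void complete_fs_size_query(pool_block *blk, int *overflowed)
{
    if (blk->size < sizeof sample_fs_size) {
        *overflowed = 1;
        return;
    }
    memcpy(blk->base, &sample_fs_size, sizeof sample_fs_size);
}

/* Shape the advisory describes: Length reaches the allocator unvalidated, so
 * an SMB MaxDataCount of 0 becomes a zero-byte SystemBuffer. */
NTSTATUS query_fs_size_unchecked(uint32_t length, int *overflowed)
{
    pool_block sysbuf;
    *overflowed = 0;
    if (!pool_alloc(&sysbuf, length))
        return STATUS_INSUFFICIENT_RESOURCES;
    complete_fs_size_query(&sysbuf, overflowed);
    pool_free(&sysbuf);                     /* the I/O manager's later free */
    return STATUS_SUCCESS;
}

/* Hardened shape: reject any Length below the class minimum before allocating. */
NTSTATUS query_fs_size_checked(uint32_t length, int *overflowed)
{
    size_t need = min_length_for_class(FileFsSizeInformation);
    *overflowed = 0;
    if (need == 0)
        return STATUS_INVALID_INFO_CLASS;
    if (length < need)
        return STATUS_INFO_LENGTH_MISMATCH;
    return query_fs_size_unchecked(length, overflowed);
}

int main(void)
{
    int of;
    NTSTATUS s = query_fs_size_unchecked(0, &of);
    printf("unchecked Length=0: status 0x%08x, pool overflow=%d\n", (unsigned)s, of);
    s = query_fs_size_checked(0, &of);
    printf("checked   Length=0: status 0x%08x, pool overflow=%d\n", (unsigned)s, of);
    return 0;
}
```

Run stand-alone, the unchecked path reports success together with an overflow for Length 0, while the checked path returns STATUS_INFO_LENGTH_MISMATCH and never allocates; the same comparison against a per-class minimum is what an I/O path handling caller-supplied lengths has to perform before the buffer is created, not after it has been handed to the file system.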

<*Source: laurent gaffié (laurent.gaffié@gmail.com)
  
  Links: http://secunia.com/advisories/40935/
        http://marc.info/?l=full-disclosure&m=128152325912209&w=2
        http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx?pf=true
        http://www.us-cert.gov/cas/techalerts/TA10-222A.html
*>

Test method:


Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching only. Use at your own risk!

http://marc.info/?l=full-disclosure&m=128152325912209&w=2

Recommendations:


Temporary workaround:

* Block TCP ports 139 and 445 at the firewall. Note that this blocks all SMB traffic, including legitimate file and print sharing, so it is a stopgap until the patch is applied.

Vendor patch:

Microsoft
———
Microsoft has released a security bulletin (MS10-054) and the corresponding patch for this issue:
MS10-054:Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
Link: http://www.microsoft.com/technet/security/Bulletin/MS10-054.mspx?pf=true
