CVE-2009-3103
published 2009-09-08


Priority: P1 · 81 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV, Ransomware, Initial access
Exploited in the wild
EPSS: 90.12% (99.8th percentile)
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.

Affected

1 range

Vendor     Product              Version range   Fixed in
microsoft  windows_server_2008  (not given)     (not given)

Detection & IOCs (extracted from sources)

port: 445/tcp
command: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
command: smbconn.send("\x00\x00\x00\x01")
port: 445
process: srv2.sys
  • Detect CVE-2009-3103 exploitation by monitoring for an ampersand character in the Process ID High header field of SMBv2 NEGOTIATE PROTOCOL REQUEST packets on port 445/tcp.
  • A malformed SMBv2 Negotiate Protocol Response (4-byte payload \x00\x00\x00\x01) immediately followed by connection close causes Windows SMB2 hosts to crash; monitor for anomalously short SMB negotiate responses on port 445.
  • The Metasploit module ms09_050_smb2_negotiate_func_index (exploit/windows/smb/ms09_050_smb2_negotiate_func_index) targets port 445/tcp; alert on exploit traffic matching this module's 951-byte exploit packet.
  • An SMB2 logoff request sent before a session has been correctly negotiated triggers a NULL pointer dereference in SRV2.SYS; monitor for out-of-order SMB2 LOGOFF commands on port 445/tcp.
  • Use Nessus Plugin ID 40877 (uncredentialed network check) to remotely detect unpatched CVE-2009-3103 hosts without credentials.
  • The vulnerability is reliably exploitable only on 32-bit systems; 64-bit systems may not be exploitable with the same reliability.
  • The DoS variant (ms09_050_smb2_session_logoff) affects Vista SP1/SP2 and possibly Server 2008 SP1/SP2; its scope may differ from the RCE variant.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck           10.0   CRITICAL