CVE-2010-0017
published 2010-02-10


Priority: P264 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 30.88% (98.0th percentile)
Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka "SMB Client Race Condition Vulnerability."

Affected (1 range)

Vendor      Product                Version range    Fixed in
microsoft   windows_server_2008

Detection & IOCs (extracted from sources)

Ports: TCP 139, TCP 445

Snort rule:
  alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:established,to_client; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:4; metadata:created_at 2010_12_22, cve CVE_2010_0017, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Bytes: ff 53 4d 42 72 00 00 00 00 (SMB header magic, Negotiate command 0x72, success status)
Bytes: \x03\x00\x00\x00 (Max buffer size set to 3, triggering the vulnerability)
  • Detect malicious SMB Negotiate Response by matching SMB header magic bytes (ff 53 4d 42) + command byte 0x72 at offset 4, followed by status 00 00 00 00, and a Max Buffer Size field value less than 4356 (0x1104) at offset 30 from the status field — the anomalously small value is the exploit trigger.
  • The exploit operates as a rogue SMB server on TCP 139 and TCP 445, responding to client Negotiate requests (SMB command 0x72) with a crafted Negotiate Response containing an abnormally small Max Buffer Size.
  • The exploit also performs NBNS spoofing on UDP 137 and NetBIOS browser manipulation on UDP 138 to redirect victims to the rogue SMB server. Monitor for unexpected NBNS responses (transaction ID matching, query type 0x0110) from non-authoritative hosts.
  • Delivery vector includes embedding a UNC path (\\HOST\share\something) in a web page or Word document to force a vulnerable client to connect to the rogue SMB server.
  • The rogue server sends a Session Positive Response (0x82 0x00 0x00 0x00) before delivering the malicious Negotiate Response, which can be used as an additional detection step in the TCP stream.
  • The Snort/ET rule fires on traffic from $EXTERNAL_NET port 445 to $HOME_NET (server-to-client direction). Rogue SMB servers operating on TCP 139 instead of 445 will not be caught by this rule as written — separate coverage for port 139 inbound responses may be needed.
  • The byte_test threshold of 4356 for Max Buffer Size is the key discriminator; legitimate SMB servers typically advertise 4356 or higher. Tuning may be required if internal servers advertise non-standard (but benign) low buffer sizes.
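The detection logic described by the rule and the notes above, as an added example (not code from the page or from the rule's authors): a small Python checker that parses a NetBIOS-framed SMB1 Negotiate Response field by field (MS-CIFS header layout, NT LM 0.12 parameter words) and flags a successful reply whose MaxBufferSize is below 4356, so it can run over captured server-to-client payloads on either TCP 445 or TCP 139. It locates MaxBufferSize by walking the header rather than by the rule's fixed relative offset; the fixture builder and its field values are constructed for testing, not taken from a capture.

```python
import struct
from typing import Optional

# Values taken from the page: SMB1 magic, SMB_COM_NEGOTIATE, and the rule's
# Max Buffer Size threshold (legitimate servers advertise 4356 or higher).
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
MIN_SANE_MAX_BUFFER = 4356
SMB_FLAGS_REPLY = 0x80            # Flags bit marking a server reply
NBSS_LEN, SMB_HEADER_LEN = 4, 32  # NetBIOS session header, then the 32-byte SMB header

def build_negotiate_response(max_buffer_size: int, status: int = 0) -> bytes:
    """Constructed test fixture (not a capture): a minimal NT LM 0.12 Negotiate Response."""
    header = SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, status, SMB_FLAGS_REPLY,
                                     0xC801, 0, b"\0" * 8, 0, 0, 0xFEFF, 0, 0)
    # WordCount=17, DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize,
    # MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength, ByteCount
    params = struct.pack("<BHBHHIIIIQhBH", 17, 0, 3, 50, 1, max_buffer_size,
                         0x10000, 0, 0x8000E3FD, 0, 0, 8, 0)
    body = header + params
    return b"\x00" + len(body).to_bytes(3, "big") + body  # NBSS "session message" framing

def parse_negotiate_response(payload: bytes) -> Optional[dict]:
    """Walk the NBSS and SMB headers field by field; return the Negotiate fields the
    detection needs, or None when this is not an SMB1 Negotiate with WordCount 17."""
    smb = payload[NBSS_LEN:]
    if len(smb) < SMB_HEADER_LEN + 1 + 34 or smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    status, flags = struct.unpack_from("<IB", smb, 5)  # Status (4 bytes) then Flags (1 byte)
    if smb[SMB_HEADER_LEN] != 17:  # WordCount of the NT LM 0.12 Negotiate Response
        return None
    dialect, _sec, _mpx, _vcs, max_buf = struct.unpack_from("<HBHHI", smb, SMB_HEADER_LEN + 1)
    return {"status": status, "is_reply": bool(flags & SMB_FLAGS_REPLY),
            "dialect_index": dialect, "max_buffer_size": max_buf}

def is_suspicious_negotiate(payload: bytes) -> bool:
    """Detection: a successful Negotiate reply advertising MaxBufferSize below 4356."""
    f = parse_negotiate_response(payload)
    return (f is not None and f["is_reply"] and f["status"] == 0
            and f["max_buffer_size"] < MIN_SANE_MAX_BUFFER)

if __name__ == "__main__":
    # Constructed samples: a Windows-style 4356 advertisement and the page's trigger value 3.
    for label, pkt in (("benign", build_negotiate_response(4356)),
                       ("trigger", build_negotiate_response(3))):
        print(label, parse_negotiate_response(pkt)["max_buffer_size"], is_suspicious_negotiate(pkt))
```

Because the check keys on the parsed field rather than on the listening port, it applies equally to responses from a rogue server on TCP 139, which the rule as written does not cover.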