CVE-2010-0017
Published 2010-02-10
Priority: P2 (64) · Severity: critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Public exploit available · EPSS: 30.88% (98.0th percentile)
Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka "SMB Client Race Condition Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:established,to_client; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:4; metadata:created_at 2010_12_22, cve CVE_2010_0017, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Bytes: `ff 53 4d 42 72 00 00 00 00` (SMB magic, Negotiate command 0x72, NT status success)
Bytes: `\x03\x00\x00\x00` (Max Buffer Size set to 3, triggering the vulnerability)
- Detect a malicious SMB Negotiate Response by matching the SMB header magic bytes (ff 53 4d 42) plus command byte 0x72 at offset 4, followed by status 00 00 00 00, and a Max Buffer Size field value less than 4356 (0x1104) at offset 30 from the status field; the anomalously small value is the exploit trigger.
- The exploit operates as a rogue SMB server on TCP 139 and TCP 445, responding to client Negotiate requests (SMB command 0x72) with a crafted Negotiate Response containing an abnormally small Max Buffer Size.
- The exploit also performs NBNS spoofing on UDP 137 and NetBIOS browser manipulation on UDP 138 to redirect victims to the rogue SMB server. Monitor for unexpected NBNS responses (transaction ID matching, query type 0x0110) from non-authoritative hosts.
- The delivery vector includes embedding a UNC path (\\HOST\share\something) in a web page or Word document to force a vulnerable client to connect to the rogue SMB server.
- The rogue server sends a Session Positive Response (0x82 0x00 0x00 0x00) before delivering the malicious Negotiate Response, which can be used as an additional detection step in the TCP stream.
- The Snort/ET rule fires on traffic from $EXTERNAL_NET port 445 to $HOME_NET (server-to-client direction). Rogue SMB servers operating on TCP 139 instead of 445 will not be caught by this rule as written; separate coverage for port 139 inbound responses may be needed.
- The byte_test threshold of 4356 for Max Buffer Size is the key discriminator; legitimate SMB servers typically advertise 4356 or higher. Tuning may be required if internal servers advertise non-standard (but benign) low buffer sizes.
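To check the rule's discriminator against packet bytes before tuning, here is an added Python example (not from the rule's authors or from this page) that builds two constructed Negotiate Responses, one with the PoC's Max Buffer Size of 3 and one with the usual 4356, and evaluates both the rule's literal content/byte_test chain and a structural parse of the field. By my reading of the SMB1 layout (32-byte header, then WordCount, DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs), the rule's relative offset of 30 lands one byte before the 4-byte MaxBufferSize field, so the block computes both so they can be compared; all function and sample names are my own.

```python
import struct

# Constants from the ET rule above and the SMB1 wire format.
NBSS_HEADER_LEN = 4                      # NetBIOS session service header precedes the SMB header
SMB_MAGIC = b"\xffSMB"                   # ff 53 4d 42
SMB_COM_NEGOTIATE = 0x72
STATUS_SUCCESS = b"\x00\x00\x00\x00"
RULE_THRESHOLD = 4356                    # byte_test:4,<,4356,30,relative,little

def build_negotiate_response(max_buffer_size, max_vcs=1):
    """Constructed sample: NBSS session message carrying a minimal SMB1
    NT LM 0.12 Negotiate Response (header plus leading parameter words)."""
    header = SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + STATUS_SUCCESS   # 9 bytes
    header += b"\x98\x03\xc8" + b"\x00" * 20   # flags, flags2, remainder of the 32-byte header
    # WordCount, DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize
    params = struct.pack("<BHBHHI", 17, 0, 0x03, 50, max_vcs, max_buffer_size)
    smb = header + params
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NBSS: type 0x00 + 3-byte length

def parse_max_buffer_size(pkt):
    """Structural parse: MaxBufferSize of a successful Negotiate Response, else None."""
    smb = pkt[NBSS_HEADER_LEN:]
    if len(smb) < 44 or smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if smb[5:9] != STATUS_SUCCESS:
        return None
    # MaxBufferSize starts at SMB offset 32 + 1 + 2 + 1 + 2 + 2 = 40 (my reading of the layout).
    return struct.unpack_from("<I", smb, 40)[0]

def rule_byte_test_fires(pkt):
    """Evaluate the rule's chain literally: magic+command at offset 4 (depth 5),
    status within the next 4 bytes, then a 4-byte little-endian compare
    30 bytes past the end of the status match (packet offset 43)."""
    if pkt[4:9] != SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) or pkt[9:13] != STATUS_SUCCESS:
        return False
    off = 13 + 30
    if len(pkt) < off + 4:
        return False
    return struct.unpack_from("<I", pkt, off)[0] < RULE_THRESHOLD

def classify(pkt):
    """Defender's verdict based on the parsed field, independent of the rule's offset."""
    size = parse_max_buffer_size(pkt)
    if size is None:
        return "not-negotiate-response"
    return "anomalous" if size < RULE_THRESHOLD else "benign"

# Constructed samples: the PoC's value (3) versus the customary 4356 (0x1104).
EXPLOIT_SAMPLE = build_negotiate_response(3)
BENIGN_SAMPLE = build_negotiate_response(4356)
```

Replacing the constructed samples with Negotiate Response payloads captured from internal servers shows whether any of them fall under the 4356 threshold and would need a tuned rule.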
Suricata
ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution (suricata, 2010-12-22)
Rule: identical to the Snort rule listed under Detection & IOCs above (sid 2012084, rev 4).
Exploit-DB
Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006) (exploitdb, 2010-04-16)
---
PoC excerpt (Python 2, as published; the hex block is cut off in the source):
```python
# More Info: http://g-laurent.blogspot.com/2010/04/turning-smb-client-bug-to-server-side.html
import sys,SocketServer,socket,threading,time,random
from random import *
from time import sleep
from socket import *
if len(sys.argv)<=2:
    sys.exit('Usage: pwn.py Your_ip Broadcast_ip\n\r Example: pwn.py 10.0.0.1 10.0.0.255')
ip = str(sys.argv[1])
nbns = str(sys.argv[2]),137
browser = str(sys.argv[2]),138
elec = "\x42\x4f\x00"
domainmasterbro = "\x42\x4c\x00"
##BROWSER election request
browserelect = [chr(int(a, 16)) for a in """
11 02 bd 82 c0 a8 00 96 00 8a 00 ae 00 00 20 46
47 45 4e 45 43 45 50 46 49 43 41 43 41 43 41 43
41 43 41 43 41 43 41 43 41 43 41 43 41 41 41 00
20 46 48 45 50 46 43 45 4c 45 48 46 43 45 50 46
46 46 41 43
```
Metasploit
Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (metasploit)
This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word document otherwise.
Bugzilla
CVE-2010-4258 kernel: failure to revert address limit override in OOPS error path [rhel-5.6] (bugzilla, 2010-12-03, CVSS 6.2, MEDIUM)
Confirmed that patch has been added to latest kernel-2.6.18-238.el5.
Discussion:
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2011-0017.html
Bugzilla
CVE-2010-3296 kernel: drivers/net/cxgb3/cxgb3_main.c reading uninitialized stack memory (bugzilla, 2010-09-13, CVSS 2.1, LOW)
Description of problem:
http://lkml.org/lkml/2010/9/11/170
The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4 bytes of uninitialized stack memory, because the "addr" member of the ch_reg struct declared on the stack in cxgb_extension_ioctl() is not altered or zeroed before being copied back to the user.
Acknowledgements:
Red Hat would like to thank Dan Rosenberg for reporting this issue.
Discussion:
This commit 49c37c0334a9b85d30ab3d6b5d1acb05ef2ef6de in David Miller's net-2.6 git repo
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html
---
This issue has been addressed
References:
- http://www.us-cert.gov/cas/techalerts/TA10-040A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-006
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8298