CVE-2010-0020
Published 2010-02-10
Priority: P2 · 64 · critical · CVSS 2.0 base score 9 · vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Exploit: available · EPSS: 32.03% (98.1th percentile)
The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate request fields, which allows remote authenticated users to execute arbitrary code via a malformed request, aka "SMB Pathname Overflow Vulnerability."
Detection & IOCs (extracted from sources)
- Bytes: `FF 53 4D 42 72` (SMB Negotiate Protocol Request magic + command 0x72)
- Bytes: `FF 53 4D 42 32` (SMB Trans2 command 0x32 with overflow payload)
- Bytes: Trans2 overflow pattern `41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 02 61 42 42 42 42 41 41 41 41`
- Detect malformed SMB Trans2 (command 0x32) responses from a rogue server on TCP/445 containing a stack overflow pattern; the exploit operates as a malicious SMB server that sends crafted Trans2 responses to trigger a client-side stack overflow.
- Monitor for SMB client connections to untrusted servers on TCP 445 where the server returns an oversized or malformed Trans2 QUERY_FS_INFO response; the overflow payload overwrites EBP and EIP on the client stack.
- The exploit requires an authenticated SMB session (remote authenticated users); look for NTLMSSP_CHALLENGE exchanges followed immediately by a Trans2 QUERY_FS_INFO response that is anomalously short yet triggers a stack overwrite.
- Flag rogue SMB servers (listening on TCP/445) that send an NT Create AndX response followed by a Trans2 response containing the byte sequence 0x02 0x61 and repeated 0x41/0x42 padding bytes, indicative of EIP/EBP overwrite.
- Note: the PoC exploit code targets the SMB *client* (CVE-2010-0270 / MS10-020 Trans2 client stack overflow) and acts as a malicious server; the NVD entry for CVE-2010-0020 describes a server-side "SMB Pathname Overflow Vulnerability". The exploit-db entry notes both CVEs may apply, but the attack vector and affected component differ; validate which CVE applies before deploying detections.
- Note: the EBP and EIP values in the PoC are placeholder crash values (0x42424242 / 0x41414141) and not functional shellcode addresses; real exploitation would use different values depending on the target OS and patch level.
GHSA
GHSA-phqx-w8fw-293w · ghsa_unreviewed · 2022-05-02 · CVE-2010-0020 [HIGH] · CWE-20
Description: same text as the NVD description above.
VMware
VMSA-2010-0020: VMware ESXi 4.1 Update Installer SFCB Authentication Flaw
vendor_vmware · 2010-12-21 · CVSS 9.3 · CVE-2010-4573 [CRITICAL]
Note: this advisory addresses CVE-2010-4573, not CVE-2010-0020.
a. ESXi 4.1 Update Installer SFCB Authentication Flaw
Under certain conditions, the ESXi 4.1 installer that upgrades an ESXi 3.5 or ESXi 4.0 host to ESXi 4.1 incorrectly handles the SFCB authentication mode. The result is that SFCB authentication could allow login with any username and password combination. An ESXi 4.1 host is affected if all of the following apply:
- ESXi 4.1 was upgraded from ESXi 3.5 or ESXi 4.0.
- The SFCB configuration file /etc/sfcb/sfcb.cfg was modified prior to the upgrade.
- The sfcbd daemon is running (sfcbd runs by default).
CVEs: CVE-2010-4573
Affected products: VMware ESXi, VMware Tools, VMware Workstation, VMware vSphere
No detection rules found.
References:
- http://www.us-cert.gov/cas/techalerts/TA10-040A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-012
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8438