CVE-2010-0269
Published 2010-04-14
Priority: P267 · critical · CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 28.40% (97.9th percentile)
The SMB client in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly allocate memory for SMB responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Memory Allocation Vulnerability."
Detection & IOCs (extracted from sources)
- command: SMB Trans2 QUERY_FS_INFO response with an oversized/malformed parameter block that triggers the client-side stack overflow
- bytes: FF 53 4D 42 72 (SMBv1 header magic followed by command byte 0x72, Negotiate Protocol request/response)
- bytes: FF 53 4D 42 32 (SMBv1 header magic followed by command byte 0x32, Trans2; the malicious response trigger)
- Detect rogue SMB servers responding to client connections on TCP/445 with crafted Trans2 (SMB command 0x32) responses: the exploit server listens on port 445 and sends a malicious Trans2 QUERY_FS_INFO response to trigger the client-side stack overflow.
- Alert on an SMB client receiving a Trans2 response (SMB command byte 0x32) from an unexpected or external server: the vulnerability is in the Windows SMB *client* mishandling server responses, so outbound SMB connections to untrusted hosts are the attack vector.
- Monitor for SMB session sequences where the server sends NTLMSSP_CHALLENGE with STATUS_MORE_PROCESSING_REQUIRED followed immediately by a Trans2 response; this matches the exploit's multi-stage handshake pattern (Negotiate → SessionSetup → TreeConnect → NTCreate → Trans2).
- Flag man-in-the-middle scenarios on TCP/445 where crafted SMBv1 or SMBv2 responses are injected; the vulnerability affects both SMBv1 and SMBv2 client memory allocation.
- Note: the PoC uses hardcoded dummy EIP/EBP values (0x41414141 / 0x42424242) and is a crash-only proof-of-concept, not a weaponized exploit with working shellcode; real attacks would substitute valid return addresses.
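The detection notes above describe what a defender would look for on the wire: a server-to-client Trans2 (0x32) response from a host that is not a known file server, and a Trans2 parameter block whose declared size is inconsistent with the packet that carries it. The following is an added example (not code from the page or from any referenced advisory) of that logic over raw SMB messages. All packets, the allowlist `TRUSTED_FILE_SERVERS`, the finding tags and the size-consistency heuristic are constructed for the example; the header layouts follow the SMBv1 and SMB2 wire formats.

```python
"""Heuristic inspector for SMB responses arriving at a client (added example)."""
import struct
from ipaddress import ip_address, ip_network

SMB1_MAGIC = b"\xffSMB"           # FF 53 4D 42
SMB2_MAGIC = b"\xfeSMB"           # FE 53 4D 42
SMB_COM_TRANSACTION2 = 0x32       # SMBv1 Trans2, the command the PoC's server abuses
SMB1_FLAGS_REPLY = 0x80           # SMBv1 Flags bit: message is a server response
SMB2_FLAGS_SERVER_TO_REDIR = 0x1  # SMB2 Flags bit: message is a server response

# Constructed allowlist of file servers this client is expected to talk to.
TRUSTED_FILE_SERVERS = [ip_network("10.0.0.0/24")]


def is_trusted(server_ip: str, trusted=TRUSTED_FILE_SERVERS) -> bool:
    addr = ip_address(server_ip)
    return any(addr in net for net in trusted)


def inspect_smb_response(server_ip: str, payload: bytes, trusted=TRUSTED_FILE_SERVERS) -> list:
    """Return finding tags for one SMB message sent by server_ip to the client."""
    findings = []
    untrusted = not is_trusted(server_ip, trusted)

    # SMB2: 64-byte header, Flags field (4 bytes) at offset 16.
    if payload[:4] == SMB2_MAGIC and len(payload) >= 64:
        (flags,) = struct.unpack_from("<I", payload, 16)
        if flags & SMB2_FLAGS_SERVER_TO_REDIR and untrusted:
            findings.append("smb2-response-from-untrusted-server")
        return findings

    # SMBv1: 32-byte header; Command at offset 4, Status 5..8, Flags at 9.
    if payload[:4] != SMB1_MAGIC or len(payload) < 32:
        return findings
    command, _status, flags = struct.unpack_from("<BIB", payload, 4)
    if not flags & SMB1_FLAGS_REPLY:
        return findings  # a request, not a response; out of scope here
    if command != SMB_COM_TRANSACTION2:
        return findings
    if untrusted:
        findings.append("trans2-response-from-untrusted-server")

    # Trans2 response: WordCount, then TotalParameterCount, TotalDataCount,
    # Reserved, ParameterCount, ParameterOffset, ParameterDisplacement,
    # DataCount, DataOffset, DataDisplacement, SetupCount, Reserved2.
    word_count = payload[32]
    if word_count < 10 or len(payload) < 33 + 2 * word_count + 2:
        findings.append("trans2-response-truncated")
        return findings
    (total_param, _total_data, _res, param_count, param_offset,
     _pdisp, _dcount, _doff, _ddisp) = struct.unpack_from("<9H", payload, 33)
    # Heuristic: the declared parameter block must fit inside the packet
    # (offsets are measured from the start of the SMB header).
    if param_count > total_param or param_offset + param_count > len(payload):
        findings.append("trans2-parameter-block-exceeds-packet")
    return findings


def build_smb1(command: int, flags: int, body: bytes) -> bytes:
    """Constructed SMBv1 message: 32-byte header followed by the command body."""
    header = (SMB1_MAGIC
              + struct.pack("<BIBHH", command, 0, flags, 0xC801, 0)  # Command, Status, Flags, Flags2, PIDHigh
              + bytes(8) + bytes(2)                                  # SecurityFeatures, Reserved
              + struct.pack("<HHHH", 1, 0xFEFF, 1, 1))               # TID, PIDLow, UID, MID
    return header + body


def build_trans2_response(param_count: int, data: bytes) -> bytes:
    """Constructed Trans2 response claiming param_count parameter bytes at offset 55."""
    words = struct.pack("<9H", param_count, 0, 0, param_count, 55, 0, 0, 0, 0) + bytes([0, 0])
    body = bytes([10]) + words + struct.pack("<H", len(data)) + data
    return build_smb1(SMB_COM_TRANSACTION2, SMB1_FLAGS_REPLY, body)


# Constructed sample traffic.
BENIGN_TRANS2 = build_trans2_response(2, b"\x00\x00")              # counts match the packet
OVERSIZED_TRANS2 = build_trans2_response(0xFFFF, b"\x00\x00")      # claims far more than is present
NEGOTIATE_REPLY = build_smb1(0x72, SMB1_FLAGS_REPLY, bytes([0]) + struct.pack("<H", 0))
SMB2_NEGOTIATE_REPLY = (SMB2_MAGIC
                        + struct.pack("<HHIHHI", 64, 0, 0, 0, 1, SMB2_FLAGS_SERVER_TO_REDIR)
                        + bytes(64 - 20))

if __name__ == "__main__":
    for ip, pkt in [("203.0.113.7", OVERSIZED_TRANS2), ("10.0.0.5", BENIGN_TRANS2)]:
        print(ip, inspect_smb_response(ip, pkt))
```

The allowlist check implements the "unexpected or external server" condition and the size check implements the "oversized/malformed parameter block" condition; either finding on its own is a reason to investigate the server at the other end of the TCP/445 connection.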
References:
- http://secunia.com/advisories/39372
- http://www.us-cert.gov/cas/techalerts/TA10-103A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-020
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7129