CVE-2010-0270
Published 2010-04-14

Priority: P2 · 64 · critical · CVSS 2.0 base score 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public PoC (see Detection & IOCs)
EPSS: 48.19% (98.7th percentile)

The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate fields in SMB transaction responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Transaction Vulnerability."
Detection & IOCs (extracted from sources)

Trigger: SMB Trans2 QUERY_FS_INFO response with oversized/malformed parameter fields, causing a stack overflow in the client
Bytes: FF 53 4D 42 72 (SMBv1 header magic "\xFFSMB" followed by command 0x72, Negotiate Protocol request/response)
Bytes: FF 53 4D 42 32 (SMBv1 header magic followed by command 0x32, SMB_COM_TRANSACTION2; the malicious response uses this command)

- Detect rogue SMB servers sending crafted Trans2 (command byte 0x32) responses to Windows SMB clients: the exploit server listens on TCP/445, lets the client complete its SMB negotiation sequence, and answers with a malformed Trans2 QUERY_FS_INFO response that triggers the stack overflow.
- Monitor outbound TCP/445 connections from Windows 7 / Server 2008 R2 hosts to untrusted external SMB servers, especially where the server returns SMBv1 Trans2 responses whose TotalDataCount/DataCount values (and the corresponding offsets) are inconsistent with the declared ByteCount and the actual packet length.
- The PoC uses a fixed EIP overwrite pattern (0x41414141) and EBP pattern (0x42424242) in the Trans2 response payload; the byte sequences 41 41 41 41 / 42 42 42 42 inside SMB Trans2 response data fields indicate an exploitation attempt with the unmodified PoC.
- The malicious Trans2 response contains the ASCII padding run 'ABCDEFGHIJKLMNOPQRSTUV' (0x41–0x56) immediately before the EBP/EIP overwrite bytes; this distinctive byte run in an SMB Trans2 response body is a strong indicator of this exploit.
- Man-in-the-middle vector: alert on ARP spoofing or DNS poisoning that could redirect Windows SMB client traffic to a rogue server, since the vulnerability is exploitable by MITM attackers who intercept and alter SMBv1 or SMBv2 transaction responses.

Notes:
- The PoC's hardcoded EIP/EBP values (0x41414141 / 0x42424242) only demonstrate the crash; a weaponized exploit would substitute real return or ROP gadget addresses, so detection should key on the structural malformation of the Trans2 fields rather than solely on these overwrite values.
- The exploit note indicates CVE-2010-0020 may also apply to the same PoC code, so detections built for this traffic pattern may simultaneously cover that related vulnerability.
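The IOC notes above say to key on Trans2 response fields that disagree with the bytes actually on the wire rather than on the PoC's placeholder addresses. As an added example (not code from the original page, the PoC, or Microsoft), the Python below parses an SMBv1 header and the SMB_COM_TRANSACTION2 response parameter block per MS-CIFS and reports every field that is inconsistent with the packet: a DataCount or ParameterCount larger than the advertised totals, an offset/count pair that falls outside the declared Bytes area or past the end of the packet, a WordCount that does not match SetupCount, and, as a secondary signal, the PoC padding and 0x41/0x42 runs in the data field. It covers the SMBv1 response only; the SMBv2 variant the CVE also names would need a separate SMB2 parser. The packet builder, its field names, and the three sample packets are constructed for this example and are not captured traffic; the Trans2 subcommand (QUERY_FS_INFO) appears only in the client's request, so correlating request and response is left to the caller.

```python
"""Structural checks for SMBv1 Trans2 (command 0x32) responses.

Added example, not code from the original page or from the PoC it cites.
The SMBv1 header and SMB_COM_TRANSACTION2 response layouts follow MS-CIFS;
the sample packets built below are constructed here, not captured traffic.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
SMB1_HEADER_LEN = 32
# Byte runs the IOC notes attribute to the PoC payload; the relative order of
# the two 4-byte runs is not assumed here.
POC_PAD = bytes(range(0x41, 0x57))  # 'ABCDEFGHIJKLMNOPQRSTUV'
POC_EIP = b"\x41" * 4               # 0x41414141
POC_EBP = b"\x42" * 4               # 0x42424242


def strip_netbios(buf):
    """Drop the 4-byte NetBIOS Session Service header if one is present."""
    if len(buf) >= 4 and buf[0] == 0x00:
        return buf[4:]
    return buf


def check_trans2_response(pkt):
    """Return a list of findings (strings) for one SMBv1 message.

    [] means the message is not a Trans2 reply, or its Trans2 parameter block
    is consistent with the packet actually on the wire.
    """
    smb = strip_netbios(pkt)
    if len(smb) < SMB1_HEADER_LEN + 1 or smb[:4] != SMB1_MAGIC:
        return ["not an SMBv1 message"]
    command, flags = smb[4], smb[9]
    if command != SMB_COM_TRANSACTION2 or not flags & SMB_FLAGS_REPLY:
        return []
    findings = []
    word_count = smb[SMB1_HEADER_LEN]
    words_start = SMB1_HEADER_LEN + 1
    if word_count < 10:
        return ["WordCount %d < 10: truncated Trans2 response" % word_count]
    byte_count_pos = words_start + word_count * 2
    if len(smb) < byte_count_pos + 2:
        return ["packet is %d bytes, parameter block needs %d"
                % (len(smb), byte_count_pos + 2)]
    (total_param, total_data, _, param_cnt, param_off, _,
     data_cnt, data_off, _, setup_cnt, _) = struct.unpack_from(
        "<HHHHHHHHHBB", smb, words_start)
    byte_count = struct.unpack_from("<H", smb, byte_count_pos)[0]
    bytes_start = byte_count_pos + 2
    bytes_end = bytes_start + byte_count
    if word_count != 10 + setup_cnt:
        findings.append("WordCount %d != 10 + SetupCount %d" % (word_count, setup_cnt))
    if bytes_end > len(smb):
        findings.append("ByteCount %d runs %d bytes past end of packet"
                        % (byte_count, bytes_end - len(smb)))
    # A fragment may not carry more than the totals advertised for the transaction.
    if param_cnt > total_param:
        findings.append("ParameterCount %d > TotalParameterCount %d" % (param_cnt, total_param))
    if data_cnt > total_data:
        findings.append("DataCount %d > TotalDataCount %d" % (data_cnt, total_data))
    # Offsets are relative to the start of the SMB header; each region must sit
    # inside the declared Bytes area and inside the packet.
    for name, off, cnt in (("Parameter", param_off, param_cnt),
                           ("Data", data_off, data_cnt)):
        if cnt == 0:
            continue
        if off < bytes_start or off + cnt > bytes_end:
            findings.append("%sOffset %d + %sCount %d outside Bytes area [%d, %d)"
                            % (name, off, name, cnt, bytes_start, bytes_end))
        if off + cnt > len(smb):
            findings.append("%s region runs past end of packet" % name)
    data = smb[data_off:data_off + data_cnt]
    if POC_PAD in data and POC_EBP in data and POC_EIP in data:
        findings.append("PoC padding/overwrite pattern in Trans2 data field")
    return findings


def build_trans2_response(params, data, total_data=None, data_count=None):
    """Build a minimal Trans2 reply (SetupCount 0) for testing. The keyword
    overrides let a caller plant inconsistent DataCount/TotalDataCount values."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB_COM_TRANSACTION2,
                         0, SMB_FLAGS_REPLY, 0, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    word_count = 10
    bytes_start = SMB1_HEADER_LEN + 1 + word_count * 2 + 2
    pad1 = (4 - bytes_start % 4) % 4            # 4-byte align Trans2_Parameters
    param_off = bytes_start + pad1
    pad2 = (4 - (param_off + len(params)) % 4) % 4
    data_off = param_off + len(params) + pad2
    body = b"\x00" * pad1 + params + b"\x00" * pad2 + data
    words = struct.pack("<HHHHHHHHHBB",
                        len(params), len(data) if total_data is None else total_data, 0,
                        len(params), param_off, 0,
                        len(data) if data_count is None else data_count, data_off, 0,
                        0, 0)
    return header + bytes([word_count]) + words + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    samples = {
        "benign (24-byte QUERY_FS_INFO-style data)": build_trans2_response(b"", bytes(24)),
        "oversized DataCount": build_trans2_response(b"", bytes(24), data_count=0x4000),
        "PoC pattern": build_trans2_response(b"", POC_PAD + POC_EBP + POC_EIP),
    }
    for label, pkt in samples.items():
        print(label, "->", check_trans2_response(pkt) or "consistent")
```

Run it directly to see the three sample verdicts, or feed `check_trans2_response()` server-to-client payloads reassembled from a TCP/445 capture. The structural findings are the ones worth alerting on; the PoC-pattern finding is only a confirmation that the unmodified PoC was used, for the reason given in the notes above.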
Suricata rules indexed for this entry

Caveat: the twelve Suricata rules below are ET WEB_SPECIFIC_APPS signatures for CVE-2007-0492 (webSPELL gallery.php SQL injection). They were evidently matched to this entry on the string 0270 in their advisory URL (www.frsirt.com/english/advisories/2007/0270). They inspect HTTP request URIs and do not detect CVE-2010-0270, which is triggered by a malicious SMB server's response over TCP/445. No Suricata rule for CVE-2010-0270 itself is indexed on this page. Rule text is shown as indexed, with trailing metadata cut off.

Suricata · sid 2005252 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005252; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac

Suricata · sid 2005249 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005249; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique

Suricata · sid 2005253 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005253; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac

Suricata · sid 2005312 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005312; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_na

Suricata · sid 2005254 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005254; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac

Suricata · sid 2005245 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005245; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique

Suricata · sid 2005248 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005248; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique

Suricata · sid 2005250 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005250; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_

Suricata · sid 2005247 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005247; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique

Suricata · sid 2005246 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005246; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mi

Suricata · sid 2005251 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005251; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Ac

Suricata · sid 2005255 · CVE-2007-0492 [HIGH] · 2010-07-30 · CVSS 7.5
ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; classtype:web-application-attack; sid:2005255; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Acc
No writeups or analysis indexed.
References
- http://secunia.com/advisories/39372
- http://www.us-cert.gov/cas/techalerts/TA10-103A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-020
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7164