CVE-2010-2550
published 2010-08-11


Priority: P2 · 75 · critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT · EPSS: 75.72% (99.5th percentile)
The SMB Server in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate fields in an SMB request, which allows remote attackers to execute arbitrary code via a crafted SMB packet, aka "SMB Pool Overflow Vulnerability."

Detection & IOCs (extracted from sources)

port: 445
command: Trans2 QUERY_FS_INFO Query FS Attribute Info with zero-size pool allocation (SMB command 0x32, subcommand 0x0003)
snort: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow"; flow:established,to_server; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; content:"|00 00|"; distance:30; within:2; content:"|00 03 00|"; distance:19; within:3; reference:url,www.exploit-db.com/exploits/14607/; reference:url,seclists.org/fulldisclosure/2010/Aug/122; reference:cve,2010-2550; reference:bid,42224; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx; classtype:attempted-user; sid:2012094; rev:4; metadata:created_at 2010_12_23, cve CVE_2010_2550, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
bytes: |ff 53 4d 42 32|
bytes: \xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x01\xc8
  • Detect malicious SMB Trans2 QUERY_FS_ATTRIBUTE_INFO requests by matching the SMB command byte sequence |ff 53 4d 42 32| at offset 4 (depth 5) on TCP port 445, followed by |00 00 00 00| within 4 bytes, |00 00| at distance 30, and |00 03 00| at distance 19 — indicative of the zero-size pool allocation trigger.
  • The exploit targets SRV.SYS via the SrvSmbQueryFsInformation code path. Monitor for unexpected crashes or pool corruption events in SRV.SYS on Windows SMB servers as a host-based indicator.
  • Exploitation may occur without authentication if a guest-accessible SMB share exists. Audit shares for guest/anonymous read access as a risk-reduction and detection-scoping measure.
  • Authentication is normally required to reach the vulnerable code path; unauthenticated exploitation is only possible when a guest-readable share is present.
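To check that the Snort rule's offset/distance/within chain really lands on the fields described above, here is an added example (not from this page or the rule's authors) that re-implements the content chain in Python and runs it over a constructed Trans2 request. The SMB field names in the comments (NT status, MaxDataCount, Reserved3, Setup[0]) are my reading of the SMB1 Trans2 request layout at those byte positions and are assumptions, not something the page states; the sample payload is a test vector built only from the header fields the rule inspects.

```python
import struct

def matches_et_2012094(payload: bytes) -> bool:
    """Re-implements the content/offset/distance/within chain of the Snort
    rule above (sid 2012094) over a raw TCP payload; True means a hit."""
    # content:"|ff 53 4d 42 32|"; offset:4; depth:5
    #   bytes 4..8: "\xffSMB" signature followed by command 0x32 (Trans2)
    if payload[4:9] != b"\xff\x53\x4d\x42\x32":
        return False
    cur = 9
    # content:"|00 00 00 00|"; within:4 -> bytes 9..12 must be zero
    #   (assumed: the SMB header's 4-byte NT status field)
    if payload[cur:cur + 4] != b"\x00" * 4:
        return False
    cur += 4
    # content:"|00 00|"; distance:30; within:2 -> bytes 43..44 must be zero
    #   (assumed: Trans2 MaxDataCount, i.e. the zero-size pool allocation)
    cur += 30
    if payload[cur:cur + 2] != b"\x00\x00":
        return False
    cur += 2
    # content:"|00 03 00|"; distance:19; within:3 -> bytes 64..66
    #   (assumed: Reserved3 byte + Setup[0] = 0x0003 QUERY_FS_INFORMATION, LE)
    cur += 19
    return payload[cur:cur + 3] == b"\x00\x03\x00"

def trans2_sample(max_data_count: int = 0, subcommand: int = 0x0003) -> bytes:
    """Constructed test vector, not a captured packet: NetBIOS session header,
    32-byte SMB header and Trans2 request words, zeroed except for the fields
    the rule inspects. Layout follows the SMB1 Trans2 request (assumed)."""
    netbios = b"\x00\x00\x00\x00"              # message type + 3-byte length
    smb_hdr = b"\xffSMB\x32" + b"\x00" * 27    # cmd 0x32, status 0, rest zero
    # WordCount, TotalParam, TotalData, MaxParam, MaxData, MaxSetup, Reserved,
    # Flags, Timeout, Reserved2, ParamCount, ParamOffset, DataCount,
    # DataOffset, SetupCount, Reserved3, Setup[0]
    words = struct.pack("<BHHHHBBHIHHHHHBBH", 15, 0, 0, 0, max_data_count,
                        0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, subcommand)
    return netbios + smb_hdr + words

if __name__ == "__main__":
    print("rule pattern:", matches_et_2012094(trans2_sample()))
    print("MaxDataCount=4096:", matches_et_2012094(trans2_sample(4096)))
    print("other subcommand:", matches_et_2012094(trans2_sample(subcommand=5)))
```

A non-zero MaxDataCount or a different Trans2 subcommand falls outside the signature, which is why the rule fires only on the zero-size allocation case rather than on every QUERY_FS_INFORMATION request.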