CVE-2011-0654
Published 2011-02-16
Priority: P2 70 · CVSS 2.0: 10.0 critical (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 68.08% (99.2th percentile)
Integer underflow in the BowserWriteErrorLogEntry function in the Common Internet File System (CIFS) browser service in Mrxsmb.sys or bowser.sys in Active Directory in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a malformed BROWSER ELECTION message, leading to a heap-based buffer overflow, aka "Browser Pool Corruption Vulnerability." NOTE: some of these details are obtained from third party information.
Detection & IOCs (extracted from sources)
bytes: ff 53 4d 42 (the SMB header signature, 0xFF 'S' 'M' 'B')
- Detect malformed BROWSER ELECTION messages sent over UDP port 138 to the \MAILSLOT\BROWSER mailslot; the exploit sends a crafted election packet with an oversized source name (roughly 60 to 410 'A' bytes) that triggers the integer underflow in BowserWriteErrorLogEntry.
- Monitor for the integer underflow condition in the kernel pool: the resulting memcpy length is fixed at -2 (0xFFFFFFFE), causing wide kernel pool corruption; look for unexpected kernel pool corruption crash dumps (BSODs) on Windows Server 2003 domain controllers.
- Alert on SMB datagram (UDP/138) traffic containing the SMB command byte 0x25 (SMB_COM_TRANSACTION) directed at the \MAILSLOT\BROWSER mailslot with anomalously large payload lengths, particularly from non-domain-member hosts.
- Focus detection on Windows Server 2003 domain controllers; the known exploits trigger the flaw in the CIFS browser service when the host is configured as a domain controller.
- The exploit is broadcast-capable (SO_BROADCAST socket option set); monitor for UDP/138 broadcast traffic containing BROWSER ELECTION frames with unusually long source name fields as a network-level detection.
- Remote code execution is considered unlikely; the vulnerability is most practically exploitable as a local or broadcast-context DoS. The integer underflow produces a fixed memcpy length of 0xFFFFFFFE, which makes controlled exploitation extremely difficult.
- The exploit works in a broadcast, pre-authentication context: no credentials are required, and the attacker only needs to be in the target's broadcast domain to trigger the vulnerability.
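The network-level detection described in the points above, as an added example written for this page (it is not code from the exploit, the Metasploit module, or any vendor tool): a parser that locates an SMB_COM_TRANSACTION mailslot write inside a UDP/138 payload, checks that it targets \MAILSLOT\BROWSER and carries a Browser election request, and flags frames whose ServerName field is longer than any legitimate NetBIOS name or whose DataCount claims more bytes than arrived. Field offsets follow the CIFS transaction layout; the sample frames are constructed by the build_election_frame helper (an assumption for the example, not captured traffic), and the MAX_LEGIT_SERVER_NAME threshold of 16 is a detection choice based on the 15-character NetBIOS name limit plus its suffix byte.

```python
import struct

# Constants from the SMB/CIFS and Browser protocol specifications.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25            # the 0x25 command byte named in the IOCs
BROWSER_ELECTION_REQUEST = 0x08       # Browser opcode for an election request
MAILSLOT_BROWSER = b"\\MAILSLOT\\BROWSER\x00"
# A NetBIOS name is at most 15 characters plus a suffix byte, so a ServerName
# longer than that in an election request has no legitimate sender.
MAX_LEGIT_SERVER_NAME = 16

# Offsets (from the start of the SMB header) inside a 17-word
# SMB_COM_TRANSACTION mailslot write: WordCount at 32, the 34 bytes of
# parameter words at 33..66, ByteCount at 67, the mailslot name at 69.
OFF_WORDCOUNT = 32
OFF_DATACOUNT = 55      # DataCount (2 bytes) followed by DataOffset at 57
OFF_NAME = 69


def build_election_frame(server_name: bytes) -> bytes:
    """Construct the SMB portion of a browser election request written to
    \\MAILSLOT\\BROWSER (sample data for this example; the NetBIOS datagram
    header that precedes it on UDP/138 is omitted)."""
    # Browser frame: opcode, version, criteria, uptime, reserved, ServerName\0
    browser = struct.pack("<BBIII", BROWSER_ELECTION_REQUEST, 1,
                          0x20010F00, 0, 0) + server_name + b"\x00"
    header = SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_TRANSACTION,
                                     0, 0x18, 0xC807, 0, bytes(8), 0, 0, 0, 0, 0)
    fixed = OFF_NAME + len(MAILSLOT_BROWSER)   # 87 bytes precede the data
    pad = (-fixed) % 4                         # senders 4-byte align the data
    data_offset = fixed + pad
    words = struct.pack("<HHHHBBHIHHHHHBBHHH",
                        0, len(browser), 0, 0, 0, 0, 0, 0, 0,   # counts/flags
                        0, data_offset,                          # no parameters
                        len(browser), data_offset,               # DataCount/Offset
                        3, 0, 1, 1, 2)                           # setup: write mailslot
    byte_count = len(MAILSLOT_BROWSER) + pad + len(browser)
    return (header + bytes([17]) + words + struct.pack("<H", byte_count)
            + MAILSLOT_BROWSER + bytes(pad) + browser)


def parse_election(frame: bytes):
    """Return {'server_name', 'data_count', 'data_present'} when frame carries a
    browser election request to \\MAILSLOT\\BROWSER, else None."""
    i = frame.find(SMB_MAGIC)                  # skips a NetBIOS datagram header
    if i < 0 or len(frame) - i < OFF_NAME + len(MAILSLOT_BROWSER):
        return None
    smb = frame[i:]
    if smb[4] != SMB_COM_TRANSACTION or smb[OFF_WORDCOUNT] != 17:
        return None
    data_count, data_offset = struct.unpack_from("<HH", smb, OFF_DATACOUNT)
    name = smb[OFF_NAME:OFF_NAME + len(MAILSLOT_BROWSER)]
    if name.upper() != MAILSLOT_BROWSER:
        return None
    data = smb[data_offset:data_offset + data_count]
    if len(data) < 14 or data[0] != BROWSER_ELECTION_REQUEST:
        return None
    return {
        "server_name": data[14:].split(b"\x00", 1)[0],
        "data_count": data_count,       # what the sender claims
        "data_present": len(data),      # what actually arrived
    }


def classify(frame: bytes) -> str:
    """Label a UDP/138 payload for alerting."""
    p = parse_election(frame)
    if p is None:
        return "not-election"
    if p["data_present"] < p["data_count"]:
        return "malformed-length"      # claims more data than it carries
    if len(p["server_name"]) > MAX_LEGIT_SERVER_NAME:
        return "suspicious"            # oversized ServerName, as in the exploit
    return "benign"


# Constructed samples for this example (not captured traffic).
SAMPLES = {
    "benign": build_election_frame(b"FILESRV01"),
    "oversized": build_election_frame(b"A" * 410),
    "truncated": build_election_frame(b"A" * 410)[:-100],
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:10s} -> {classify(frame)}")
```

In a sensor, feed classify() the payload of each UDP/138 datagram; the find() on the SMB signature steps over the NetBIOS Datagram Service header that precedes the SMB header on the wire. Pair a "suspicious" or "malformed-length" verdict with the source address so non-domain-member senders, which the IOCs single out, can be prioritised.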
No detection rules found.
Exploit-DB
Microsoft Windows Server 2003 - AD BROWSER ELECTION Remote Heap Overflow
exploitdb·2011-02-14
---
####################################################################################
#MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow
#Release date: 2011-02-14
#Author: Cupidon-3005
#Greet: Winny Thomas, Laurent Gaffie, h07
#Bug: Heap Overflow
#Remote Exploitability: Unlikely
#Local Exploitability: Likely
#Context: Broadcast, Pre-Auth
#####################################################################################
#Mrxsmb.sys, around BowserWriteErrorLog+0x175, while trying to copy 1go from ESI to EDI ...
#Code will look something like this:
#if ((Len + 1) * sizeof(WCHAR)) > TotalBufferSize) { Len = TotalSize/sizeof(WCHAR) - 1; }
#-1 causes Len to go 0xFFFFFFFF
#Feel free to reuse th
Metasploit
Microsoft Windows Browser Pool DoS
metasploit
This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While t
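The length clamp quoted in the exploit header and described in the Metasploit text above, modelled as an added example (not the driver's code, the exploit, or the Metasploit module): the quoted fragment is reproduced with 32-bit unsigned (ULONG) arithmetic made explicit, so that a buffer with zero bytes left drives Len to 0xFFFFFFFF and the byte count to 0xFFFFFFFE, the -2 the module description refers to. The hardened version beside it checks for room before subtracting. Function names and the sizeof(WCHAR) of 2 are assumptions for the example.

```python
MASK32 = 0xFFFFFFFF   # ULONG wraparound
WCHAR = 2             # sizeof(WCHAR) on Windows


def vulnerable_copy_len(name_len: int, total_buffer_size: int) -> int:
    """Byte count the quoted clamp hands to memcpy.

    Models:  if ((Len + 1) * sizeof(WCHAR)) > TotalBufferSize)
                 Len = TotalBufferSize / sizeof(WCHAR) - 1;
             memcpy(dst, src, Len * sizeof(WCHAR));
    With TotalBufferSize == 0 (or 1) the division yields 0, the subtraction
    wraps Len to 0xFFFFFFFF, and Len * 2 wraps to 0xFFFFFFFE.
    """
    length = name_len & MASK32
    if ((length + 1) * WCHAR) & MASK32 > total_buffer_size:
        length = ((total_buffer_size // WCHAR) - 1) & MASK32   # underflows at 0
    return (length * WCHAR) & MASK32


def hardened_copy_len(name_len: int, total_buffer_size: int) -> int:
    """Same clamp with the failure mode removed: refuse to copy when the
    buffer cannot hold even the terminating WCHAR, and clamp without ever
    subtracting from a value that may be zero."""
    if total_buffer_size < WCHAR:
        return 0
    max_chars = total_buffer_size // WCHAR - 1
    return min(name_len, max_chars) * WCHAR


if __name__ == "__main__":
    # 410-byte source name, as in the public exploit, against a full buffer
    for remaining in (100, 1, 0):
        print(f"remaining={remaining:3d}  vulnerable={vulnerable_copy_len(410, remaining):#x}"
              f"  hardened={hardened_copy_len(410, remaining)}")
```

The vulnerable path is only reached when the name does not fit; a short name against a large buffer passes through unchanged in both versions, which is why the oversized ServerName in the election frame is the trigger.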
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0284.html
- http://blogs.technet.com/b/mmpc/archive/2011/02/16/my-sweet-valentine-the-cifs-browser-protocol-heap-corruption-vulnerability.aspx
- http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx
- http://secunia.com/advisories/43299
- http://www.exploit-db.com/exploits/16166
- http://www.kb.cert.org/vuls/id/323172
- http://www.securityfocus.com/bid/46360
- http://www.securitytracker.com/id?1025328
- http://www.us-cert.gov/cas/techalerts/TA11-102A.html
- http://www.vupen.com/english/advisories/2011/0394
- http://www.vupen.com/english/advisories/2011/0938
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-019
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65376
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12637