CVE-2018-0833
Published: 2018-02-15
Priority: P3 · 43 · medium · CVSS 3.0 base score 5.3
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploit: public PoC available
EPSS: 40.64% (98.5th percentile)
The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in Windows 8.1 and RT 8.1 and Windows Server 2012 R2 allows a denial of service vulnerability due to how specially crafted requests are handled, aka "SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability".
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | server_message_block | — | — |
| msrc | windows_8.1_for_32-bit_systems | — | — |
| msrc | windows_8.1_for_x64-based_systems | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2012_r2 | — | — |
Detection & IOCs
Byte signature (TCP payload offset 4):
FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
suricata (ET sid:2025983; `tcp-pkt` is Suricata syntax)
alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:established,to_client; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; offset:4; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, cve CVE_2018_0833, deployment Internal, confidence High, signature_severity Major, updated_at 2024_03_07;)
Full PoC payload as hex (NBSS header 00 00 00 EC, then FD 53 4D 42 and 0x41 padding):
000000ecfd534d4241414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
- The malicious payload travels FROM the server's port 445 TO the SMB client (server-to-client direction). Monitor inbound SMB responses, not just outbound requests; the client's own outbound TCP/445 connection to an untrusted host is the first half of the indicator.
- The PoC payload begins with FD 53 4D 42 ("\xfdSMB") at offset 4 of the TCP payload, immediately after the 4-byte NetBIOS Session Service header that direct-TCP SMB carries. FD 53 4D 42 is the ProtocolId of the SMB2 TRANSFORM_HEADER (MS-SMB2 2.2.41), the wrapper used for SMB 3.x encrypted messages; unencrypted SMB2/3 headers begin FE 53 4D 42 and SMB1 headers FF 53 4D 42. The four bytes alone therefore do not separate the PoC from legitimate encrypted SMB3 traffic. What does is context: a transform header sent by a server before any encryption has been negotiated on that connection, followed by filler (the public PoC pads with 0x41). The ET rule matches 32 of those 0x41 bytes after the ProtocolId, which makes it specific to the public PoC and trivially evaded by changing the padding.
- The attacker stands up a rogue TCP server on port 445 and waits for SMB client connections; delivery vectors named by MSRC include redirectors and injected HTML header links that force the client to connect. Blocking outbound TCP/445 at the network edge stops the internet-hosted variant but not a rogue server inside the network.
- Successful exploitation is a kernel NULL pointer dereference (CWE-476): the system stops responding until it is manually restarted. A sudden freeze or bugcheck immediately after an outbound SMB connection to an untrusted host is a strong indicator.
- The `deployment Internal` metadata in ET sid:2025983 is placement guidance for rule-set tuning; it does not change how the rule evaluates. What scopes it is the header `any 445 -> $HOME_NET any` with `flow:established,to_client`: the rule fires only on traffic from a port-445 server into $HOME_NET, so $HOME_NET must include the client subnets and the sensor must see the server-to-client direction.
- `offset:4` anchors the content match 4 bytes into the TCP payload, skipping the NetBIOS Session Service header. The rule uses `tcp-pkt`, which inspects individual packet payloads rather than the reassembled stream, so the 36-byte content must arrive within a single segment; a payload split across segments, or a middlebox that re-frames it, defeats the match.
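The checks in the notes above, written out as a small classifier for server-to-client SMB messages. This is an added example, not part of the CVE entry or of the Emerging Threats rule set: it parses the NetBIOS Session Service header, reads the SMB ProtocolId at payload offset 4, reproduces the fixed-content match of ET sid:2025983, and adds the context check the rule lacks (a transform header before encryption was negotiated). All sample payloads are constructed in the code; only the leading bytes of the PoC-like sample follow the hex dump on this page, and the `encryption_negotiated` flag is assumed to come from connection state the caller tracks.

```python
"""Classify server-to-client SMB messages on TCP/445 (direct-TCP transport).

Added example; it is not part of the CVE entry or of the Emerging Threats rule
set. It applies the checks described in the detection notes above: the 4-byte
NetBIOS Session Service (NBSS) header, the SMB ProtocolId at payload offset 4,
and the exact 36-byte content that ET sid:2025983 anchors at that offset.
All sample payloads are constructed here; only the leading bytes of the PoC
sample follow the hex dump on this page.
"""

NBSS_SESSION_MESSAGE = 0x00

# ProtocolId values: MS-CIFS (SMB1), MS-SMB2 2.2.1 (SMB2 header) and
# MS-SMB2 2.2.41 (SMB2 TRANSFORM_HEADER used for SMB 3.x encrypted messages).
PROTOCOL_IDS = {
    b"\xffSMB": "smb1",
    b"\xfeSMB": "smb2",
    b"\xfdSMB": "smb2-transform",
}

# ET 2025983: content:"|FD 53 4D 42 41 x32|"; offset:4 -- the PoC's 'A' padding.
ET_2025983_CONTENT = b"\xfdSMB" + b"A" * 32


def parse_nbss(payload: bytes):
    """Split a TCP payload into (NBSS type, declared length, SMB body)."""
    if len(payload) < 4:
        return None
    # Direct-TCP SMB: byte 0 is the message type, bytes 1..3 a 24-bit length.
    return payload[0], int.from_bytes(payload[1:4], "big"), payload[4:]


def classify(payload: bytes) -> str:
    """Name the SMB dialect family carried by one NBSS session message."""
    parsed = parse_nbss(payload)
    if parsed is None:
        return "short"
    msg_type, declared_len, body = parsed
    if msg_type != NBSS_SESSION_MESSAGE:
        return "nbss-other"
    kind = PROTOCOL_IDS.get(body[:4], "not-smb")
    if declared_len != len(body):
        # Length field disagrees with what arrived: truncated or malformed.
        return kind + "/length-mismatch"
    return kind


def matches_et_2025983(payload: bytes) -> bool:
    """Equivalent of the rule's content match: fixed bytes at offset 4."""
    return payload[4:4 + len(ET_2025983_CONTENT)] == ET_2025983_CONTENT


def assess(payload: bytes, encryption_negotiated: bool) -> str:
    """Verdict for one server->client message on a tracked connection.

    A transform header (FD 53 4D 42) is legitimate only once SMB 3.x
    encryption has been negotiated for the session. Before that point a
    server answering with one is what this CVE's PoC does, and the check
    does not depend on the PoC's particular padding.
    """
    if matches_et_2025983(payload):
        return "alert: ET 2025983 PoC content"
    kind = classify(payload)
    if kind.startswith("smb2-transform") and not encryption_negotiated:
        return "alert: SMB2 TRANSFORM_HEADER before encryption was negotiated"
    return "ok: " + kind


def build_poc_like_payload(pad: int = 232) -> bytes:
    """Constructed sample: NBSS length 0xEC (236) = 4-byte ProtocolId + 232 'A'."""
    body = b"\xfdSMB" + b"A" * pad
    return bytes([NBSS_SESSION_MESSAGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    poc = build_poc_like_payload()
    # Constructed: an unencrypted SMB2 response and an encrypted SMB3 message,
    # both with a consistent NBSS length and zeroed bodies.
    smb2_plain = b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60
    smb3_encrypted = b"\x00\x00\x00\x34" + b"\xfdSMB" + b"\x00" * 48
    for name, p, enc in [("poc", poc, False),
                         ("smb2-plain", smb2_plain, False),
                         ("smb3-encrypted", smb3_encrypted, True)]:
        print(f"{name:15} {classify(p):15} -> {assess(p, enc)}")
```

Run as a script it prints the three verdicts: the PoC-like payload trips the ET content match, the plain SMB2 response passes, and the encrypted SMB3 message passes only because the caller reports that encryption was negotiated. In a real sensor that flag has to come from having seen a successful SMB 3.x NEGOTIATE and SESSION_SETUP with encryption on the same flow; without that state, matching on FD 53 4D 42 alone is noisy on any network that uses SMB encryption.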
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 6.3 | MEDIUM | AV:N/AC:M/Au:S/C:N/I:N/A:C |
| vendor_msrc | — | 4.8 | MEDIUM | — |
Microsoft
Windows Denial of Service Vulnerability
vendor_msrc · 2018-02-13 · CVSS 4.8 · MEDIUM
Description: A denial of service vulnerability exists in implementations of the Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client. The vulnerability is due to improper handling of certain requests sent by a malicious SMB server to the client. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted.
To exploit the vulnerability, an attacker could use various methods such as redirectors, injected HTML header links, etc., which could cause the SMB client to connect to a malicious SMB server.
The security update addresses the vulnerability by correcting how the Microsoft SMBv2/SMBv3 Client handles specially crafted requests.
Windows SMB Server: Windows SMB
GHSA
GHSA-m84f-8362-3v3c
ghsa_unreviewed · 2022-05-14 · MEDIUM · CWE-476 (NULL Pointer Dereference)
Description: identical to the NVD description above.
Suricata
ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)
suricata · 2018-08-08 · CVSS 5.3 · MEDIUM
Rule: sid:2025983, quoted in full under Detection & IOCs above.
References
- http://www.securityfocus.com/bid/102924
- http://www.securitytracker.com/id/1040375
- https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-0833
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0833
- https://www.exploit-db.com/exploits/44189/