A new zero-day exploit exists in the wild for Windows SMB. Security researcher Gaffie discovered this vulnerability three months ago, and since Microsoft failed to patch it in those three months, he released it.

This vulnerability is specifically a null pointer dereference error in SMB (Server Message Block) which allows a remote, unauthenticated attacker to cause a denial of service condition on a vulnerable system. It cannot, however, be used for code execution. The vulnerability exists because of the manner in which Microsoft Windows handles SMB traffic: Windows fails to handle a crafted SMB tree connect response from a malicious server.

When an SMB tree connect request is processed successfully by the server, the server responds with an SMB tree connect response packet. The total length of an SMB2 TREE_CONNECT response packet is 16 bytes in addition to the fixed SMB2 header, so the client always expects the SMB2 TREE_CONNECT response length to be no more than 16 bytes. The packet structure of a proper SMB2 TREE_CONNECT response packet is given below. If a Windows client connects to a malicious SMB server and the server responds with a crafted response having more than 16 bytes, the Windows client system crashes.
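As an added example (not part of the original post), a defender-side check that applies the 16-byte rule above to a captured SMB2 TREE_CONNECT response, the kind of validation an IDS or a hardened client would do before trusting the packet; the header and body layouts follow MS-SMB2, and the sample packets are constructed.

```python
import struct

# Fixed SMB2 header and the TREE_CONNECT response body, per MS-SMB2.
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
# StructureSize(2) ShareType(1) Reserved(1) ShareFlags(4) Capabilities(4) MaximalAccess(4)
TREE_CONNECT_RESP_LEN = 16


def check_tree_connect_response(pkt: bytes):
    """Return (ok, reason) for one SMB2 message expected to be a TREE_CONNECT response."""
    if len(pkt) < SMB2_HEADER_LEN:
        return False, "truncated SMB2 header"
    magic, hdr_size, _charge, status, command, _credits, flags = struct.unpack_from("<4sHHIHHI", pkt, 0)
    if magic != SMB2_MAGIC or hdr_size != SMB2_HEADER_LEN:
        return False, "not an SMB2 header"
    if command != SMB2_TREE_CONNECT or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return False, "not a server TREE_CONNECT response"
    if status != 0:
        return True, "error response (carries an error body, not a TREE_CONNECT body)"
    body = pkt[SMB2_HEADER_LEN:]
    if len(body) < 2:
        return False, "truncated body"
    declared = struct.unpack_from("<H", body, 0)[0]
    if declared != TREE_CONNECT_RESP_LEN:
        return False, f"StructureSize {declared} != {TREE_CONNECT_RESP_LEN}"
    if len(body) != TREE_CONNECT_RESP_LEN:
        return False, f"body is {len(body)} bytes, expected {TREE_CONNECT_RESP_LEN}"
    return True, "well-formed TREE_CONNECT response"


def _smb2_header(command: int, flags: int, status: int = 0) -> bytes:
    """Build a 64-byte SMB2 header with constructed sample ids and an empty signature."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, SMB2_HEADER_LEN, 0, status,
                       command, 1, flags, 0, 1, 0, 1, 0, b"\x00" * 16)


# Constructed samples: a proper 16-byte response for a disk share (ShareType 1) ...
_ok_body = struct.pack("<HBBIII", TREE_CONNECT_RESP_LEN, 1, 0, 0, 0, 0x001F01FF)
SAMPLE_OK = _smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR) + _ok_body
# ... one whose body runs past the 16 bytes the client expects ...
SAMPLE_OVERSIZED = SAMPLE_OK + b"\x00" * 16
# ... and one whose StructureSize field misstates the body size.
SAMPLE_BAD_SIZE = (_smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR)
                   + struct.pack("<H", 32) + _ok_body[2:])

if __name__ == "__main__":
    for name, pkt in [("ok", SAMPLE_OK), ("oversized", SAMPLE_OVERSIZED), ("bad_size", SAMPLE_BAD_SIZE)]:
        print(name, check_tree_connect_response(pkt))
```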