While investigating the Microsoft Server Service Mailslot heap overflow vulnerability reported in Microsoft Security Bulletin MS06-035 [1], Core Security Technologies researcher Gerardo Richarte discovered a second bug in the Server service.
This new vulnerability affects Windows systems both with and without the MS06-035 patch and any subsequent patches released up to the publication date of this advisory.
Proof-of-concept code that triggers the vulnerability was made publicly available on or around July 19th, 2006, and at least one third-party security vendor published an advisory describing the bug.
Further analysis of the vulnerability indicates that exploitation is limited to a remote denial of service attack, which requires no user authentication.
The vendor was notified of the finding on July 14th, 2006 and has indicated that a fix is tentatively scheduled for the November patch release.
Vulnerable Systems:
* Windows 2000 SP0-SP4
* Windows NT4 SP6a
* Windows XP SP0-SP2
* Windows 2003 SP0-SP1
Immune Systems:
* Windows Vista beta 2 build 5381
The vulnerability is triggered by sending a malformed SMB_COM_TRANSACTION SMB message (command code 0x25) whose Name string is not properly NUL-terminated.
The crash was originally triggered by sending an SMB_COM_TRANSACTION message carrying the string "\\MAILSLOT\LANMAN" (without NUL termination) in an attempt to reproduce the MS06-035 bug(s).
The observed crash is actually inside __imp___wcsnicmp, when the string "\\MAILSLOT" is compared against a NULL pointer. The following code, from ExecuteTransaction(), is where wcsnicmp() is called:
SRV.SYS:0002f487: push 9
SRV.SYS:0002f489: push "\\MAILSLOT"
SRV.SYS:0002f48f: push dword ptr [eax+24h] <-- [eax+24] is NULL
SRV.SYS:0002f492: call ds:__imp___wcsnicmp <-- Crash Inside (tm)
SRV.SYS:0002f498: add esp, 0ch
SRV.SYS:0002f49b: test eax, eax
SRV.SYS:0002f49d: jnz loc_2f4aa
SRV.SYS:0002f49f: push esi
SRV.SYS:0002f4a0: call _MailslotTransaction@4 <-- execution flow does not reach this point
SRV.SYS:0002f4a5: jmp loc_20bf6
SRV.SYS:0002f4aa:
Since the call to MailslotTransaction() is never reached and the crash is triggered before that call, we conclude that the bug is not specifically related to MAILSLOT functionality: the pointer at [eax+24h] is NULL because the server never found a terminator for the Name string, and the prefix comparison dereferences it unconditionally. Upon further investigation it became apparent that any SMB_COM_TRANSACTION message with a Name string that is not NUL-terminated triggers the crash.
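As an added illustration (example code written for this page, not code from the advisory, from SRV.SYS or from Microsoft), the following C program models the failing check in ExecuteTransaction(): a bounded scan for the Name string's terminator that yields NULL when the packet contains none, a dispatcher written the way the disassembly above behaves (the NULL pointer flows straight into the string compare), and a hardened dispatcher that treats the missing terminator as a malformed request instead of a string. The packet layout is simplified to the Name field alone, the sample packets are constructed for the example, and an ASCII case-insensitive compare stands in for _wcsnicmp; all three are assumptions of the example, not details taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of handling the Name field of an SMB_COM_TRANSACTION request. */
enum tx_result {
    TX_MAILSLOT,   /* name starts with \MAILSLOT: would reach MailslotTransaction() */
    TX_OTHER,      /* any other transaction name, e.g. \PIPE\... */
    TX_MALFORMED   /* no NUL terminator inside the packet: request rejected */
};

/* Locate the NUL-terminated Name string inside the request's data bytes.
 * Returns NULL when no terminator exists within `len` bytes; this models the
 * value that ends up in [eax+24h] in the SRV.SYS disassembly above.
 * Simplified model (assumption of this example): the real parser walks the
 * SMB header, word block and byte block before reaching the Name field. */
const char *find_transaction_name(const uint8_t *data, size_t len)
{
    const uint8_t *nul = memchr(data, 0, len);
    return nul ? (const char *)data : NULL;
}

/* ASCII-only case-insensitive prefix compare, standing in for _wcsnicmp.
 * Stops at the first mismatch, so a NUL in `s` before `n` bytes ends the
 * comparison without reading past the terminator. Dereferences `s` with no
 * NULL check, exactly like the real compare routine. */
static int prefix_ieq(const char *s, const char *prefix, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char a = (unsigned char)s[i], b = (unsigned char)prefix[i];
        if (a >= 'a' && a <= 'z') a -= 'a' - 'A';
        if (b >= 'a' && b <= 'z') b -= 'a' - 'A';
        if (a != b)
            return 0;
    }
    return 1;
}

/* Vulnerable dispatch, mirroring ExecuteTransaction(): the name pointer is
 * handed straight to the 9-character "\MAILSLOT" compare. With a NULL name
 * the compare reads address 0, which is the crash inside __imp___wcsnicmp.
 * Never call this with a pointer that may be NULL. */
enum tx_result dispatch_unsafe(const char *name)
{
    if (prefix_ieq(name, "\\MAILSLOT", 9))
        return TX_MAILSLOT;
    return TX_OTHER;
}

/* Hardened dispatch: a missing terminator is a protocol error, not a string,
 * so it is rejected before any string routine sees the pointer. */
enum tx_result dispatch_safe(const char *name)
{
    if (name == NULL)
        return TX_MALFORMED;
    return dispatch_unsafe(name);
}

/* Parse the Name field and dispatch through the hardened path. */
enum tx_result handle_transaction(const uint8_t *data, size_t len)
{
    return dispatch_safe(find_transaction_name(data, len));
}

/* Constructed sample packets (not captured traffic). */
const uint8_t good_pkt[] = "\\MAILSLOT\\LANMAN";   /* string literal: trailing NUL included */
const uint8_t bad_pkt[]  = { '\\', 'M', 'A', 'I', 'L', 'S', 'L', 'O', 'T',
                             '\\', 'L', 'A', 'N', 'M', 'A', 'N' };  /* no NUL anywhere */
const uint8_t pipe_pkt[] = "\\PIPE\\srvsvc";

int main(void)
{
    printf("terminated \\MAILSLOT\\LANMAN : %d (0 = mailslot)\n",
           handle_transaction(good_pkt, sizeof good_pkt));
    printf("unterminated name            : %d (2 = malformed)\n",
           handle_transaction(bad_pkt, sizeof bad_pkt));
    printf("terminated \\PIPE\\srvsvc     : %d (1 = other)\n",
           handle_transaction(pipe_pkt, sizeof pipe_pkt));
    return 0;
}
```

The check that matters is the one in dispatch_safe(): the scan in find_transaction_name() is bounded by the packet length, so a packet with no terminator produces NULL rather than a read past the buffer, and the hardened dispatcher rejects that NULL before the compare runs. Feeding bad_pkt's NULL result into dispatch_unsafe() instead reproduces the null-pointer dereference the advisory describes.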