Signature Detail

SMB: Microsoft Windows SMB2 Client Message Size Overflow

This signature detects attempts to exploit a known remote code execution vulnerability in Microsoft Windows SMB Client. It is due to improper validation of certain SMB fields when parsing transaction responses. Remote unauthenticated attackers can exploit this by enticing a user to connect to a malicious SMB server and sending a specially crafted SMB response to the target machine. A successful attack allows for arbitrary code injection and execution with the privileges of the operating system kernel (Ring 0). Code injection that does not result in execution could crash the target system, and result in a denial-of-service condition.

Extended Description

Microsoft Windows is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute code with SYSTEM-level privileges. Failed exploit attempts will likely cause denial-of-service conditions.

Affected Products

• Avaya Meeting Exchange - Client Registration Server
• Avaya Meeting Exchange - Enterprise Edition
• Avaya Meeting Exchange - Recording Server
• Avaya Meeting Exchange - Streaming Server
• Avaya Meeting Exchange - Web Conferencing Server
• Avaya Meeting Exchange - Webportal
• Avaya Messaging Application Server 4
• Avaya Messaging Application Server 5
• Avaya Messaging Application Server MM 1.1
• Avaya Messaging Application Server MM 2.0
• Avaya Messaging Application Server MM 3.0
• Avaya Messaging Application Server MM 3.1
• Avaya Messaging Application Server
• Microsoft Windows 7 for 32-bit Systems
• Microsoft Windows 7 for x64-based Systems
• Microsoft Windows Server 2008 for Itanium-based Systems R2
• Microsoft Windows Server 2008 for x64-based Systems R2
• Nortel Networks CallPilot 1002Rp
• Nortel Networks CallPilot 1005R
• Nortel Networks CallPilot 201I
• Nortel Networks CallPilot 202I
• Nortel Networks CallPilot 600R
• Nortel Networks CallPilot 703T
• Nortel Networks Contact Center Administration
• Nortel Networks Contact Center Administration CCMA 6.0
• Nortel Networks Contact Center Administration CCMA 7.0
• Nortel Networks Contact Center Administration CCMA 7.1
• Nortel Networks Contact Center Express 7.1
• Nortel Networks Contact Center Express
• Nortel Networks Contact Center Manager
• Nortel Networks Contact Center Manager Server 6.0
• Nortel Networks Contact Center Manager Server 7.0
• Nortel Networks Contact Center Manager Server 7.1
• Nortel Networks Contact Center Manager Server
• Nortel Networks Contact Center NCC
• Nortel Networks Contact Center - TAPI Server
• Nortel Networks ENSM - Enterprise NMS 10.4
• Nortel Networks ENSM - Enterprise NMS 10.5
• Nortel Networks ENSM IP Address Manager
• Nortel Networks Symposium Agent

References

• BugTraq: 39340
• CVE: CVE-2010-0477