Signature Detail

SMB: SMB 2.0 Negotiate Denial Of Service

This signature detects attempts to exploit a known vulnerability against Windows 7 SMB layer. A successful attack can result in a denial-of-service condition.

Extended Description

Microsoft Windows is prone to a remote code-execution vulnerability when processing the protocol headers for the Server Message Block (SMB) Negotiate Protocol Request. NOTE: Reportedly, for this issue to be exploitable, file sharing must be enabled. An attacker can exploit this issue to execute code with SYSTEM-level privileges; failed exploit attempts will likely cause denial-of-service conditions. Windows 7 RC, Vista and 2008 Server are vulnerable; other versions may also be affected. NOTE: Reportedly, Windows XP and 2000 are not affected. UPDATE (September 9, 2009): Symantec has confirmed the issue on Windows Vista SP1 and Windows Server 2008.

Affected Products

• Microsoft Windows 7 Beta
• Microsoft Windows 7 RC
• Microsoft Windows Server 2008 Datacenter Edition SP2
• Microsoft Windows Server 2008 Datacenter Edition
• Microsoft Windows Server 2008 Enterprise Edition SP2
• Microsoft Windows Server 2008 Enterprise Edition
• Microsoft Windows Server 2008 for 32-bit Systems SP2
• Microsoft Windows Server 2008 for 32-bit Systems
• Microsoft Windows Server 2008 for Itanium-based Systems SP2
• Microsoft Windows Server 2008 for Itanium-based Systems
• Microsoft Windows Server 2008 for x64-based Systems SP2
• Microsoft Windows Server 2008 for x64-based Systems
• Microsoft Windows Server 2008 Standard Edition SP2
• Microsoft Windows Server 2008 Standard Edition
• Microsoft Windows Vista Business
• Microsoft Windows Vista Business SP1
• Microsoft Windows Vista Business SP2
• Microsoft Windows Vista Enterprise
• Microsoft Windows Vista Enterprise SP1
• Microsoft Windows Vista Enterprise SP2
• Microsoft Windows Vista Home Basic
• Microsoft Windows Vista Home Basic SP1
• Microsoft Windows Vista Home Basic SP2
• Microsoft Windows Vista Home Premium
• Microsoft Windows Vista Home Premium SP1
• Microsoft Windows Vista Home Premium SP2
• Microsoft Windows Vista Ultimate
• Microsoft Windows Vista Ultimate SP1
• Microsoft Windows Vista Ultimate SP2
• Microsoft Windows Vista Business 64-bit edition SP1
• Microsoft Windows Vista Business 64-bit edition SP2
• Microsoft Windows Vista Business 64-bit edition
• Microsoft Windows Vista Enterprise 64-bit edition SP1
• Microsoft Windows Vista Enterprise 64-bit edition SP2
• Microsoft Windows Vista Enterprise 64-bit edition
• Microsoft Windows Vista Home Basic 64-bit edition SP1
• Microsoft Windows Vista Home Basic 64-bit edition SP2
• Microsoft Windows Vista Home Basic 64-bit edition
• Microsoft Windows Vista Home Premium 64-bit edition SP1
• Microsoft Windows Vista Home Premium 64-bit edition SP2
• Microsoft Windows Vista Home Premium 64-bit edition
• Microsoft Windows Vista Ultimate 64-bit edition SP1
• Microsoft Windows Vista Ultimate 64-bit edition SP2
• Microsoft Windows Vista Ultimate 64-bit edition
• Microsoft Windows Vista x64 Edition SP1
• Microsoft Windows Vista x64 Edition SP2
• Microsoft Windows Vista x64 Edition

References

• BugTraq: 36299
• CVE: CVE-2009-2532
• CVE: CVE-2009-3103
• URL: http://seclists.org/fulldisclosure/2009/Sep/0039.html