A new vulnerability has been discovered exploiting SMB component of Windows. The attack involves sending of malformed Browser Election requests leading the heap overflow within the mrxsmb.dll driver. The vulnerability is known to be able to cause DoS and fully control of vulnerable machines. Proof of concept code for DoS had been released. There are reports that this exploit only work on local network segment (this hasn't been verified). The general practice of block port 138, 139 and 445 should be observed especially with this 0-day. More information on this exploit http://www.vupen.com/english/advisories/2011/0394
I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London July 2022 |
Jason 93 Posts ISC Handler Feb 16th 2011 |
Thread locked Subscribe |
Feb 16th 2011 1 decade ago |
I believe that the browser election uses UDP packets. Does this mean that UDP port 137 should be blocked as well?
|
Anonymous |
Quote |
Feb 16th 2011 1 decade ago |
The advisory doesn't mention it, but if you are blocking NetBIOS traffic, blocking 137/udp and 138/udp should definitely be part of that.
|
Jasey 93 Posts |
Quote |
Feb 16th 2011 1 decade ago |
Secunia lists this vulnerability as Moderately Critical but the VUPEN lists it as Critical. Perhaps that is due to it affecting older operating systems? Anyone know if this is wormable?
|
@Miss_Sudo 12 Posts |
Quote |
Feb 16th 2011 1 decade ago |
Straining my language facilities here... "fully control of vulnerable machines" sounds "wormable" to me.
|
Hal 50 Posts |
Quote |
Feb 16th 2011 1 decade ago |
mrxsmb.dll <= i believe that you try to say mrxsmb.sys here if you are referring to BowserWriteErrorLogEntry vulnerability
|
Hal 1 Posts |
Quote |
Feb 17th 2011 1 decade ago |
Analysis from Microsoft suggests that Remote Code Execution is unlikely (Exploitability Index (XI) rating of ‘3’ – Functioning exploit code unlikely.): http://blogs.technet.com/b/mmpc/archive/2011/02/16/my-sweet-valentine-the-cifs-browser-protocol-heap-corruption-vulnerability.aspx http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx |
Andy 3 Posts |
Quote |
Feb 17th 2011 1 decade ago |
So will disabling NetBIOS over TCP/IP or turning off the computer browser service do anything to mitigate against this?
|
Andy 6 Posts |
Quote |
Feb 17th 2011 1 decade ago |
It seems that MS's review is short sighted: if you can combine this and other vulnerabilities the attack would be 2-phased like I LOVE YOU worm. The simplest method - user opens attachment, running code, which kicks of the Master Browser PoC. The attack could even be aimed at the %logonserver%. Am I missing something that would make it any harder?
|
James 8 Posts |
Quote |
Feb 18th 2011 1 decade ago |
We have the browser service disabled on our Windows devices; are we insulated from this vulnerability? None of the write-ups I've seen say whether or not this is an effective workaround.
|
Anonymous |
Quote |
Feb 18th 2011 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!