Wednesday, August 11, 2010

MS SMB Remote Trans2 Zero Size Pool Allocation (MS10-054)

This SMBv1 vulnerability was disclosed to Microsoft back in February 2010 and patched this month in the MS10-054 bulletin.

This vulnerability is quite interesting since it is present in every Windows version since Windows 2000, and can be triggered easily in at least two different Trans2 opcodes by setting Max Data Count to 0:
- QUERY_FS_INFO, Query FS Attribute Info
- QUERY_FS_INFO, Query FS Volume Info
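As an added example (not from the original post or the advisory), here is a small detection check written from the defender's side: it parses the SMBv1 SMB_COM_TRANSACTION2 request words, pulls out the subcommand, Max Data Count and QUERY_FS_INFORMATION information level, and flags the condition described above (Max Data Count of 0 on the Volume Info or Attribute Info levels). The frame layout follows MS-CIFS; the sample frames are constructed in `build_sample` purely to exercise the check, and `is_ms10_054_trigger` is a name chosen here.

```python
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_QUERY_FS_INFORMATION = 0x0003
# The two information levels named in the post
SMB_QUERY_FS_VOLUME_INFO = 0x0102
SMB_QUERY_FS_ATTRIBUTE_INFO = 0x0105
FLAGGED_LEVELS = {SMB_QUERY_FS_VOLUME_INFO, SMB_QUERY_FS_ATTRIBUTE_INFO}

def parse_trans2(smb):
    """Parse an SMBv1 frame (NetBIOS header stripped); None if not a Trans2 request."""
    if len(smb) < 33 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION2:
        return None
    word_count = smb[32]
    words = smb[33:33 + 2 * word_count]
    if word_count < 15 or len(words) < 30:
        return None
    # Fixed 28-byte part of the Trans2 request words; Setup[] follows at offset 28
    (_total_param, _total_data, _max_param, max_data, _max_setup, _r1, _flags,
     _timeout, _r2, param_count, param_offset, _data_count, _data_offset,
     setup_count, _r3) = struct.unpack_from("<HHHHBBHIHHHHHBB", words, 0)
    subcommand = struct.unpack_from("<H", words, 28)[0] if setup_count >= 1 else None
    info_level = None
    # QUERY_FS_INFORMATION carries a 2-byte InformationLevel in the parameter block
    if (subcommand == TRANS2_QUERY_FS_INFORMATION and param_count >= 2
            and param_offset + 2 <= len(smb)):
        info_level = struct.unpack_from("<H", smb, param_offset)[0]
    return {"subcommand": subcommand, "max_data_count": max_data, "info_level": info_level}

def is_ms10_054_trigger(smb):
    """True when the request matches the zero-size allocation condition from the post."""
    p = parse_trans2(smb)
    return (p is not None and p["subcommand"] == TRANS2_QUERY_FS_INFORMATION
            and p["info_level"] in FLAGGED_LEVELS and p["max_data_count"] == 0)

def build_sample(max_data_count, info_level):
    """Constructed sample Trans2 QUERY_FS_INFORMATION frame, used only to test the check."""
    header = b"\xffSMB" + bytes([SMB_COM_TRANSACTION2]) + b"\x00" * 27  # 32-byte header
    # header(32) + WordCount(1) + 15 words(30) + ByteCount(2) + Pad(1) = 66
    param_offset = 66
    words = struct.pack("<HHHHBBHIHHHHHBB", 2, 0, 0, max_data_count, 0, 0, 0, 0, 0,
                        2, param_offset, 0, 0, 1, 0)
    words += struct.pack("<H", TRANS2_QUERY_FS_INFORMATION)  # Setup[0] = subcommand
    body = struct.pack("<H", 3) + b"\x00" + struct.pack("<H", info_level)  # ByteCount=3
    return header + bytes([15]) + words + body
```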


You can find the full advisory here: http://seclists.org/fulldisclosure/2010/Aug/122
SRD blog entry: http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-054-exploitability-details-for-the-smb-server-update.aspx