Windows SMBv3 Zero Day Vulnerability

Introduction:
A buffer overflow vulnerability in SMBv3 was made public on Feb 12017, by Laurent Gaffie. The CVE-ID is CVE-2017-0016. A PoC for the same is also available here. The bug affects Windows 2012, Server 2016 and Windows 10. At the moment the PoC only demonstrates DoS attack on the target, we are not sure if this vulnerability can be exploited for code execution. The United States Computer Emergency Readiness Team (US-CERT) has released an official advisory addressing this issue.

SMB is used to request file and print services from server systems over the local network. The communication between the client and server follows a request/response model. Client request and server responds.

Exploit:
The PoC starts custom SMB service on port 445. An attacker would need to host this SMB server internally and trick the target user in to connect to it. Once the TCP connection is established the client will send a “Tree Connect Request”, the server will respond with modified “Tree Connect Response” with abnormal length. The usual length of the “Tree Connect Response” header is 8 bytes, but in this case the message includes a long trailer. So when the target machine receives the packet it will read beyond 8 bytes and causes buffer overflow.

Conclusion:
There is no official patch for the bug. Microsoft will presumably release a fix this patch Tuesday. We request our customers to scan their network with QID 370297 . For information about this vulnerability please follow up on ThreatProtect.

References:
InfoSec Handlers Diary Blog
Vulnerability Note VU#867968
PoC
Connecting to a Share

 

Leave a Reply

Your email address will not be published. Required fields are marked *