
Policy:Win/SMB.CIFS.RCE!CAN-2005-1206

Severity rating
Critical

Class/Type
Policy

Discovered date
2005-06-14T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
Yes

Signature detection
Medium


Description

A remote code execution vulnerability exists in Server Message Block (SMB).



Impact

An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.



Technical details (analysis)

Server Message Block (SMB) and its follow-on, Common Internet File System (CIFS), are the Internet Standard protocol that Windows uses to share files, printers, and serial ports, and to communicate between computers. A vulnerable buffer exists in named pipe calls to IPC$ via RPC. This buffer can be overrun by sending a crafted, oversized message that bypasses the receiving buffer's length checks, forcing a particular path of execution in the service.



Affected software

Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition



Non-affected software

Microsoft Windows 98
Microsoft Windows 98 Second Edition (SE)
Microsoft Windows Millennium Edition (ME)



References




Solutions




NIS signature

Name: Policy:Win/SMB.CIFS.RCE!CAN-2005-1206
Release Date: 2005-06-14T00:00:00



Known false positives

This is a policy-based signature that limits the size of data sent in a named pipe transaction. This size limit will also prevent some legitimate data from passing through SMB named pipes. Thus this signature should only be enabled with the understanding that it will block legitimate SMB traffic.
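The following added example (not part of the original signature page, and not Microsoft's NIS implementation) shows what a size policy on named pipe transactions looks like in practice: it parses an SMB1 SMB_COM_TRANSACTION request (field layout per MS-CIFS), checks whether the target is a \PIPE\ resource, and returns "block" when the declared data count exceeds a policy threshold. The threshold value (1024 bytes) and the sample packets are assumptions constructed for the demonstration; the real signature's limit is not stated on the page. The test cases also illustrate the false-positive caveat above: a legitimately large pipe write is blocked just like a malicious one, because the policy inspects size, not content.

```python
import struct

SMB_COM_TRANSACTION = 0x25        # SMB1 command used for named-pipe I/O
TRANS_TRANSACT_NMPIPE = 0x0026    # Setup[0] subcommand for pipe transactions

# Assumed policy threshold for this demonstration; the real NIS limit is not published here.
MAX_PIPE_DATA = 1024


def build_transaction(name: bytes, data: bytes, fid: int = 0x4000) -> bytes:
    """Constructed test fixture: a minimal SMB_COM_TRANSACTION request over a
    NetBIOS session header, carrying `data` to the resource `name`."""
    setup = [TRANS_TRANSACT_NMPIPE, fid]
    word_count = 14 + len(setup)          # 14 fixed words plus the Setup words
    name_z = name + b"\x00"
    # Offsets are measured from the start of the SMB header (the 0xFF 'SMB' bytes):
    # 32-byte header + WordCount byte + words + 2-byte ByteCount + NUL-terminated name.
    data_off = 32 + 1 + 2 * word_count + 2 + len(name_z)
    words = struct.pack(
        "<HHHHBBHIHHHHHBB",
        0,              # TotalParameterCount
        len(data),      # TotalDataCount
        0,              # MaxParameterCount
        MAX_PIPE_DATA,  # MaxDataCount (reply size the client accepts)
        0, 0,           # MaxSetupCount, Reserved1
        0,              # Flags
        0,              # Timeout
        0,              # Reserved2
        0,              # ParameterCount
        data_off,       # ParameterOffset (no parameters; points at data)
        len(data),      # DataCount
        data_off,       # DataOffset
        len(setup), 0,  # SetupCount, Reserved3
    ) + struct.pack("<%dH" % len(setup), *setup)
    header = (b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 4  # Command, Status
              + b"\x18" + b"\x00\x00"                    # Flags, Flags2
              + b"\x00" * 12                              # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", 1, 1234, 1, 1))      # TID, PIDLow, UID, MID
    body = header + bytes([word_count]) + words
    body += struct.pack("<H", len(name_z) + len(data)) + name_z + data
    return b"\x00" + len(body).to_bytes(3, "big") + body  # NetBIOS session header


def inspect_smb_transaction(packet: bytes, max_pipe_data: int = MAX_PIPE_DATA) -> dict:
    """Apply the size policy to one SMB1 message and return a verdict dict."""
    if len(packet) < 4 + 33 or packet[0] != 0x00:
        return {"verdict": "ignore", "reason": "not an SMB session message"}
    body = packet[4:]
    if body[:4] != b"\xffSMB":
        return {"verdict": "ignore", "reason": "no SMB1 header"}
    if body[4] != SMB_COM_TRANSACTION:
        return {"verdict": "pass", "reason": "not a Transaction request"}
    word_count = body[32]
    words = body[33:33 + 2 * word_count]
    if word_count < 14 or len(words) < 2 * word_count:
        return {"verdict": "malformed", "reason": "truncated parameter block"}
    (_tpc, total_data, _mpc, _mdc, _msc, _r1, _flags, _timeout, _r2,
     _pc, _po, data_count, data_off, _sc, _r3) = struct.unpack("<HHHHBBHIHHHHHBB", words[:28])
    bc_off = 33 + 2 * word_count
    if len(body) < bc_off + 2:
        return {"verdict": "malformed", "reason": "missing ByteCount"}
    (byte_count,) = struct.unpack_from("<H", body, bc_off)
    name_start = bc_off + 2
    name_end = body.find(b"\x00", name_start)
    if name_end < 0 or name_end >= name_start + byte_count:
        return {"verdict": "malformed", "reason": "unterminated resource name"}
    name = body[name_start:name_end]
    if not name.upper().startswith(b"\\PIPE\\"):
        return {"verdict": "pass", "reason": "not a named-pipe transaction", "name": name}
    # Declared data must actually fit inside the message we received.
    if data_off + data_count > len(body):
        return {"verdict": "malformed", "reason": "DataCount runs past end of message"}
    declared = max(total_data, data_count)
    if declared > max_pipe_data:
        return {"verdict": "block", "name": name, "data_len": declared,
                "reason": "pipe data %d exceeds policy limit %d" % (declared, max_pipe_data)}
    return {"verdict": "pass", "name": name, "data_len": declared, "reason": "within policy"}


if __name__ == "__main__":
    for label, pkt in [("small pipe write", build_transaction(b"\\PIPE\\", b"A" * 64)),
                       ("large pipe write", build_transaction(b"\\PIPE\\", b"A" * 2000)),
                       ("large mailslot", build_transaction(b"\\MAILSLOT\\BROWSE", b"A" * 2000))]:
        print(label, "->", inspect_smb_transaction(pkt)["verdict"])
```

The policy check is deliberately content-blind: it keys only on the declared TotalDataCount/DataCount of a \PIPE\ transaction, which is why the "large pipe write" case is blocked whether or not it is hostile. In a real deployment the `malformed` verdicts are worth alerting on separately, since a Transaction whose declared counts run past the message is itself a sign of a non-conforming client.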



Work-arounds

Block TCP ports 139 and 445 at the firewall.
To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003.
To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.
To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.