Search This Blog

Wednesday, December 12, 2007

[NT] Vulnerability in SMBv2 Allows Code Execution (MS07-063)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Vulnerability in SMBv2 Allows Code Execution (MS07-063)
------------------------------------------------------------------------


SUMMARY

A remote code execution vulnerability exists in the SMBv2 protocol that
could allow a remote anonymous attacker to run code with the privileges of
the logged-on user.

DETAILS

Mitigating Factors for SMBv2 Signing Vulnerability:
Mitigation refers to a setting, common configuration, or general
best-practice, existing in a default state, that could reduce the severity
of exploitation of a vulnerability. The following mitigating factors may
be helpful in your situation:

* SMB signing is off by default in Windows Vista, which means that a
computer running Microsoft Vista won t use it unless it connects to
another host which requires it.

* When a previous operating system version is part of the communications,
SMBv2 will not be used. For example, Windows Vista would use SMB to
communicate with Windows XP, rather than SMBv2.

* Customers using SMBv1 are not affected by this vulnerability.

Workarounds for SMBv2 Signing Vulnerability:
Workaround refers to a setting or configuration change that does not
correct the underlying vulnerability but would help block known attack
vectors before you apply the update. Microsoft has tested the following
workarounds and states in the discussion whether a workaround reduces
functionality:

* Disable SMBv2

To disable SMBv2, follow these steps:

Note: The following procedure is necessary only if the user wants to use
SMB signing. If the user does not want to use SMB signing (the default
condition except on a Windows Server 2008 domain), they do not need to do
anything.

1. Create a .reg file with the following contents:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,
00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000000

2. Run the .reg file by clicking it.
3. Open a command prompt as Administrator.
4. Run the following command:
sc config mrxsmb20 start= disabled

5. Restart the computer.

Impact of workaround. Any performance improvements made to SMBv2 are not
available if SMBv2 is disabled.

* How to undo the workaround.

To enable SMBv2, follow these steps:

1. Create a .reg file with the following contents:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,
00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4d,00,52,00,78,00,53,00,6d,00,62,
00,32,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000001

2. Run the .reg file by double-clicking it.
3. Open a command prompt as Administrator.
4. Run the following command:
sc config mrxsmb20 start= demand

5. Restart the computer.

FAQ for SMBv2 Signing Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could gain the same user rights
as the local user. Users whose accounts are configured to have fewer user
rights on the system could be less impacted than users who operate with
administrative user rights.

What causes the vulnerability?
SMBv2 signing is not correctly implemented in a way that could allow an
attacker to modify an SMBv2 packet and re-compute the signature.

What is SMBv2?
Server Message Block (SMB) is the file sharing protocol used by default on
Windows based computers. SMB Version 2.0 (SMBv2) is an update to this
protocol and is only supported on computers running Windows Server 2008
and Windows Vista. SMBv2 can only be used if both client and server
support it. The SMB protocol version to be used for file operations is
decided during the negotiation phase. During the negotiation phase, a
Windows Vista client advertises to the server that it can understand the
new SMBv2 protocol. If the server (Windows Server 2008 or otherwise)
understands SMBv2, then SMBv2 is chosen for subsequent communication.
Otherwise the client and server use SMB 1.0.

What is SMBv2 Signing?
SMBv2 signing is a feature through which all communications using the
Server Message Block (SMB) protocol can be digitally signed at the packet
level. Digitally signing the packets enables the recipient of the packets
to confirm their point of origination and their authenticity.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the
same user rights as the local user. An attacker could then tamper with
data transferred via SMBv2, which could allow remote code execution in
domain configurations communicating with SMBv2. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could modify SMBv2 packets and impersonate a trusted source to
perform malicious operations.

What systems are primarily at risk from the vulnerability?
Windows Vista systems that communicate using SMBv2 signing are primarily
at risk.

What does the update do?
The update removes the vulnerability by correctly implementing signing for
SMBv2 packets.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5351>
CVE-2007-5351


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security Bulletin MS07-063.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx>

http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: