Thursday, 20 September 2012

MS09-001 followup - Just DoS bugs?

It appears that the 3 vulnerabilities covered in MS09-001 do not lead to code execution. We spent the last few days really tearing into these and could not produce any controllable conditions that would lead to code execution. The ANDX bug had already been determined to be simply a DoS, but it was thought that the NTTRANS/TRANS2 bugs could lead to code execution. Upon further review, we found that in the case of both bugs a buffer underflow could be caused: a buffer would be allocated with not enough memory and would later be zeroed out in the SMB functions that process transaction requests. It was here that the now corrupted system heap pool would crash in srv.sys during a pool bugcheck. The crashes can actually be triggered a number of ways, leading to a similar crash with different origins. We're still looking into possible avenues of traversing the MPX functionality, but as for now, code execution does not look possible.

I think the group will try to spend some time this week looking at other possibly vulnerable functionality in SMB. It seems like there is a lot of room for error.

-xort
