Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS06-063: Server service (Mailslot DoS and SMB Rename)

Published: 2006-10-10
Last Updated: 2006-10-10 19:21:10 UTC
by Kyle Haugsness (Version: 2)
0 comment(s)
There are two vulnerabilities in this advisory.  The first is a simple Denial of Service against all Windows platforms.  The attack vector is TCP ports 139 or 445.  Apparently, there is an unitialized buffer that could be modified remotely to crash the box.  Exploit code has been available for this bug since July 19, 2006.  Famed handler Swa covered it in a diary entry last month: http://isc.sans.org/diary.php?storyid=1599

It looks like the Core Security folks found this after the MS06-035 in July (http://www1.corest.com/common/showdoc.php?idx=562.  Microsoft also has a blog entry on it: http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx .

There probably isn't any need to freak out on this particular vulnerability.  The exploit has been out in the wild for several months.  If you are seeing some mysterious reboots on Windows machines and untrusted people can hit TCP 139 or 445 on those hosts, then this could potentially solve your problems (although Microsoft is claiming that it hasn't been used in the wild yet).  Otherwise, there are no code execution possibilities with this vulnerability, so you don't need to be in "emergency mode" to patch it.

The second vulnerability (SMB Rename) is a remote code execution bug against the Server service, but it requires authentication.  So this isn't readily wormable (except maybe in a corporate environment if a user with admin privileges was owned).  This one is a little higher priority than the DoS above.
Keywords: MSFT1006
0 comment(s)
Diary Archives