TippingPoint Threat Management Center


TSRT-06-02: Microsoft SRV.SYS Mailslot Ring0 Memory Corruption Vulnerability
July 11th, 2006

CVE ID:

CVE-2006-1314

Affected Vendor:

Microsoft

Affected Products:

Windows 2000
Windows XP SP1
Windows XP SP2
Windows 2003
Windows 2003 SP1

TippingPoint(TM) IPS Customer Protection:

TippingPoint IPS customers have been protected against this vulnerability since July 11, 2006 by Digital Vaccine protection filter ID 4266. For further product information on the TippingPoint IPS:

   http://www.tippingpoint.com

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Microsoft Windows operating system. Authentication is not required to exploit this vulnerability and code execution occurs within the context of the kernel.

According to the Microsoft Developer Network (MSDN) documentation, Mailslot communications are divided into two classes. First-class Mailslots are connection oriented and operate over SMB/TCP. Second-class Mailslots provide connectionless messaging for broadcast messages and operate over SMB/UDP. Second-class Mailslots are limited to 424 bytes per message. First-class Mailslots are officially unsupported in the Windows 2000, XP and 2003 operating systems.

The specific flaw exists within the SRV.SYS driver, which is responsible for handling all Server Message Block (SMB) traffic. During the processing of first-class Mailslot messages, an exploitable memory corruption condition is created. As a side effect, attackers are also capable of exceeding the second-class Mailslot message size limitation.

It is important to note that this vulnerability affects more than just the Windows kernel. Applications built on Mailslot communications that rely on the message size restriction of second-class Mailslots are likely to be affected by this vulnerability.

Vendor Response:

Microsoft has issued an update to correct this vulnerability. More details can be found at:

   http://www.microsoft.com/technet/security/bulletin/MS06-035.mspx

Disclosure Timeline:
2006.03.01 Vulnerability reported to vendor
2006.07.11 Digital Vaccine released to TippingPoint customers
2006.07.11 Coordinated public release of advisory

Credit:

This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team in collaboration with HD Moore, Metasploit.

GETTING STARTED CONTACT SUPPORT 3COM CAREERS SITE MAP ©2006 3Com Corporation. All rights reserved.   Terms & Conditions