ID CVE-2009-3103
Summary Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
References
Vulnerable Configurations
  • Microsoft Windows Server 2008
    cpe:2.3:o:microsoft:windows_server_2008
  • Microsoft Windows Server 2008 for Itanium-Based Systems
    cpe:2.3:o:microsoft:windows_server_2008:-:itanium
  • Microsoft Windows Server 2008 (32-bit)
    cpe:2.3:o:microsoft:windows_server_2008:-:x32
  • Microsoft Windows Server 2008 x64
    cpe:2.3:o:microsoft:windows_server_2008:-:x64
  • Microsoft Windows Server 2008 Service Pack 2 for Itanium-Based Systems
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium
  • Microsoft Windows Server 2008 Service Pack 2 (32-bit)
    cpe:2.3:o:microsoft:windows_server_2008:sp2:x32
  • Microsoft Windows Server 2008 Service Pack 2 x64
    cpe:2.3:o:microsoft:windows_server_2008:sp2:x64
  • Microsoft Windows Vista
    cpe:2.3:o:microsoft:windows_vista
  • Microsoft Windows Vista Service Pack 1 (initial release)
    cpe:2.3:o:microsoft:windows_vista:-:sp1
  • Microsoft Windows Vista Service Pack 1 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_vista:-:sp1:x64
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • Microsoft Windows Vista Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_vista:-:sp2:x64
CVSS
Base: 10.0 (as of 09-09-2009 - 13:32)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
exploit-db via4
  • description Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference. CVE-2009-3103. Remote exploit for windows platform
    id EDB-ID:16363
    last seen 2016-02-01
    modified 2010-07-03
    published 2010-07-03
    reporter metasploit
    source https://www.exploit-db.com/download/16363/
    title Microsoft Windows SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
  • description Windows 7 / Server 2008R2 Remote Kernel Crash. CVE-2009-3103. DoS exploit for windows platform
    id EDB-ID:10005
    last seen 2016-02-01
    modified 2009-11-11
    published 2009-11-11
    reporter laurent gaffie
    source https://www.exploit-db.com/download/10005/
    title Windows 7 / Server 2008R2 - Remote Kernel Crash
  • id EDB-ID:40280
    last seen 2018-11-30
    modified 2016-02-26
    published 2016-02-26
    reporter Exploit-DB
    source https://www.exploit-db.com/download/40280
    title Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)
  • description Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050). CVE-2009-2526,CVE-2009-2532,CVE-2009-3103. Remote exploit for windows platform
    id EDB-ID:14674
    last seen 2016-02-01
    modified 2010-08-17
    published 2010-08-17
    reporter Piotr Bania
    source https://www.exploit-db.com/download/14674/
    title Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference MS09-050
  • description Windows SMB2 Negotiate Protocol (0x72) Response DoS. CVE-2009-3103. DoS exploit for windows platform
    id EDB-ID:12524
    last seen 2016-02-01
    modified 2010-05-07
    published 2010-05-07
    reporter Jelmer de Hen
    source https://www.exploit-db.com/download/12524/
    title Windows SMB2 Negotiate Protocol 0x72 Response DoS
  • description Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln. CVE-2009-3103. DoS exploit for windows platform
    file exploits/windows/dos/9594.txt
    id EDB-ID:9594
    last seen 2016-02-01
    modified 2009-09-09
    platform windows
    port
    published 2009-09-09
    reporter laurent gaffie
    source https://www.exploit-db.com/download/9594/
    title Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln
    type dos
metasploit via4
msbulletin via4
bulletin_id MS09-050
bulletin_url
date 2009-10-13T00:00:00
impact Remote Code Execution
knowledgebase_id 975517
knowledgebase_url
severity Critical
title Vulnerabilities in SMBv2 Could Allow Remote Code Execution
nessus via4
  • NASL family Windows
    NASL id SMB2_PID_HIGH_VULN.NASL
    description The remote host is running a version of Microsoft Windows Vista or Windows Server 2008 that contains a vulnerability in its SMBv2 implementation. An attacker can exploit this flaw to disable the remote host or to execute arbitrary code on it. EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 40887
    published 2009-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40887
    title MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497) (EDUCATEDSCHOLAR) (uncredentialed check)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS09-050.NASL
    description The remote Windows host contains a vulnerable SMBv2 implementation with the following issues : - A specially crafted SMBv2 packet can cause an infinite loop in the Server service. A remote, unauthenticated attacker can exploit this to cause a denial of service. (CVE-2009-2526) - Sending a specially crafted SMBv2 packet to the Server service can result in code execution. A remote, unauthenticated attacker can exploit this to take complete control of the system. (CVE-2009-2532, CVE-2009-3103) (EDUCATEDSCHOLAR) EDUCATEDSCHOLAR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 42106
    published 2009-10-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=42106
    title MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) (EDUCATEDSCHOLAR)
oval via4
accepted 2014-08-18T04:06:14.437-04:00
class vulnerability
contributors
  • name Dragos Prisaca
    organization Gideon Technologies, Inc.
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
description Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
family windows
id oval:org.mitre.oval:def:6489
status accepted
submitted 2009-10-13T13:00:00
title SMBv2 Negotiation Vulnerability
version 40
packetstorm via4
refmap via4
bid 36299
bugtraq
  • 20090908 Regarding Microsoft srv2.sys SMB2.0 NEGOTIATE BSOD
  • 20090909 SMB SRV2.SYS Denial of Service PoC
cert TA09-286A
cert-vn VU#135940
confirm http://www.microsoft.com/technet/security/advisory/975497.mspx
exploit-db 9594
fulldisc 20090907 Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
misc
ms MS09-050
osvdb 57799
sectrack 1022848
secunia 36623
xf win-srv2sys-code-execution(53090)
saint via4
bid 36299
description Windows SMB2 buffer overflow
id win_patch_smbv2ms09050
osvdb 57799
title windows_smb2
type remote
Last major update 24-06-2011 - 00:00
Published 08-09-2009 - 18:30
Last modified 12-10-2018 - 17:52