Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[security-alerts] FW: [SA20635] Windows SMB Denial of Service and Privilege Escalation
>
> TITLE:
> Windows SMB Denial of Service and Privilege Escalation
>
> SECUNIA ADVISORY ID:
> SA20635
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/20635/
>
> CRITICAL:
> Less critical
>
> IMPACT:
> Privilege escalation, DoS
>
> WHERE:
> Local system
>
> OPERATING SYSTEM:
> Microsoft Windows XP Professional
> http://secunia.com/product/22/
> Microsoft Windows XP Home Edition
> http://secunia.com/product/16/
> Microsoft Windows Server 2003 Web Edition
> http://secunia.com/product/1176/
> Microsoft Windows Server 2003 Standard Edition
> http://secunia.com/product/1173/
> Microsoft Windows Server 2003 Enterprise Edition
> http://secunia.com/product/1174/
> Microsoft Windows Server 2003 Datacenter Edition
> http://secunia.com/product/1175/
> Microsoft Windows 2000 Server
> http://secunia.com/product/20/
> Microsoft Windows 2000 Professional
> http://secunia.com/product/1/
> Microsoft Windows 2000 Datacenter Server
> http://secunia.com/product/1177/
> Microsoft Windows 2000 Advanced Server
> http://secunia.com/product/21/
>
> DESCRIPTION:
> Two vulnerabilities have been reported in Microsoft Windows, which
> can be exploited by malicious, local users to cause a DoS (Denial of
> Service) and gain escalated privileges.
>
> 1) An input validation error exists within the
> "MRxSmbCscIoctlOpenForCopyChunk()" function in MRXSMB.SYS when
> handling certain DeviceIoControl requests. This can be exploited to
> overwrite kernel memory and allows arbitrary code execution with
> escalated privileges.
>
> 2) An input validation error exists within the
> "MrxSmbCscIoctlCloseForCopyChunk()" function in MRXSMB.SYS when
> handling certain requests. This can be exploited to cause a deadlock,
> which potentially leads to a DoS, by passing an invalid handle to the
> function.
>
> SOLUTION:
> Apply patches.
>
> Microsoft Windows 2000 SP4:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=6ec86
> 784-6b12-410b-8068-028c58ed5df7
>
> Microsoft Windows XP SP1 or SP2:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=c17dd
> c07-204b-4a7f-8c5a-36b7865a030c
>
> Microsoft Windows XP Professional x64 Edition:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=89fbb
> dd0-7504-4807-9337-08324aa457e7
>
> Microsoft Windows Server 2003 (with or without SP1):
> http://www.microsoft.com/downloads/details.aspx?FamilyId=%2043
> d69a41-6acb-4c64-89dc-2b9aef6e98fd
>
> Microsoft Windows Server 2003 (Itanium) (with or without SP1):
> http://www.microsoft.com/downloads/details.aspx?FamilyId=e1d13
> c18-72d1-40b8-95b3-08aef8db9213
>
> Microsoft Windows Server 2003 x64 Edition:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=b6018
> a61-b0ec-467e-9025-059d3c9f1c5f
>
> PROVIDED AND/OR DISCOVERED BY:
> Discovered by Ruben Santamarta and reported via iDEFENSE.
>
> ORIGINAL ADVISORY:
> MS06-030 (KB914389):
> http://www.microsoft.com/technet/security/Bulletin/MS06-030.mspx
>
> iDEFENSE:
> http://www.idefense.com/intelligence/vulnerabilities/display.p
> hp?id=408
> http://www.idefense.com/intelligence/vulnerabilities/display.p
> hp?id=409
>
>
|