CSIRTUK advisories

ID: 3900
Date: 01/10/2009

---

Title: 3900 - Metasploit Project announces new SMB v2 code execution module
Platform level affected:Operating System
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Other
Security software:Other
Other software: Other
Remediation Summary:The manufacturer has reported a problem with this product but has yet to publish a solution. CPNI advise that additional care is exercised when using this product.
Vendors affected:Microsoft
Applications affected:Windows
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Proof of concept
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Future
Type of fix: Workaround
Source: http://www.microsoft.com/technet/security/advisory/975497.mspx
Reliability of source: Trusted
Source URL: www.microsoft.com
CVE: CVE-2009-3103
Abstract: On September 8, Microsoft announced that a vulnerability in the SMB v2 protocol could allow remote code execution on Windows Vista, Windows Server 2008 and Windows 7 RC operating systems; there is now stable exploit code in the wild.

On September 27, the Metasploit Project announced that a new Microsoft Windows Server Message Block Version 2 (SMB v2) code execution module was available in the 3.3 development tree of their framework, and that it supports Microsoft Windows Vista Service Pack 1 and 2, and Windows Server 2008 Service Pack 1 and 2.

On September 8, Microsoft announced that a vulnerability in the SMB v2 protocol could allow remote code execution on Windows Vista, Windows Server 2008 and Windows 7 RC operating systems. (See http://www.microsoft.com/technet/security/advisory/975497.mspx.) While exploit code for the 32-bit versions of Vista and Server 2008 has been available to Immunity Inc.’s CANVAS Early Updates subscribers since September 18, stable exploit code is now in the wild with the Metasploit Project’s announcement.

Microsoft has released an MSI-based Windows installer (i.e., a Microsoft Fix It download - http://support.microsoft.com/kb/975497) to automate this as part of a Knowledge Base article linked to their advisory.

For more information, please see:
- Microsoft Security Advisory (975497):
http://www.microsoft.com/technet/security/advisory/975497.mspx
- Microsoft Security Research Center blog post:
http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx
- Metasploit Project blog post: http://blog.metasploit.com/2009/09/metasploit-33-developmentupdates.
html

 

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.