CVE-2010-0017 - Race Condition vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Vista
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka "SMB Client Race Condition Vulnerability."
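The summary above says the trigger is a crafted SMB Negotiate response, but the page does not say which field the client mishandles. The following added example (written for this page; it is not Microsoft's client code, the Exploit-DB PoC or the Metasploit module, and it does not reproduce the MS10-006 bug) shows the consistency checks a client should apply to a NEGOTIATE response before acting on it: reply bit and command, MID matching the outstanding request, WordCount validated before unpacking, DialectIndex within the dialects the client offered, and ByteCount and ChallengeLength checked against the bytes actually received. The field layout is the NT LM 0.12 dialect without extended security; every value in the sample packets is constructed.

```python
"""Defensive parser for an SMB1 NEGOTIATE Protocol response (NT LM 0.12).

Added example for the CVE-2010-0017 page: not Microsoft's client code and not
a reproduction of the MS10-006 bug. It applies the consistency checks a client
should make before trusting a Negotiate response. Layout: NetBIOS session
header, 32-byte SMB header, 17 parameter words, ByteCount, challenge + domain.
Sample packet contents are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80           # header Flags: this SMB is a response
SMB_FLAGS2_UNICODE = 0x8000      # header Flags2: strings are UTF-16-LE
NTLM012_WORDCOUNT = 17           # parameter words in an NT LM 0.12 response
WORDS_FMT = "<HBHHIIIIQhB"       # DialectIndex ... ChallengeLength, 34 bytes


class MalformedResponse(ValueError):
    """The response disagrees with the request we sent or with itself."""


@dataclass
class NegotiateResponse:
    dialect_index: int
    security_mode: int
    max_buffer_size: int
    capabilities: int
    challenge: bytes
    domain_name: str


def parse_negotiate_response(pkt: bytes, dialects_offered: int, expected_mid: int) -> NegotiateResponse:
    # 1. NetBIOS session header: type 0x00 plus a 24-bit big-endian length of what follows.
    if len(pkt) < 4 or pkt[0] != 0x00:
        raise MalformedResponse("bad NetBIOS session header")
    if int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise MalformedResponse("NetBIOS length disagrees with bytes received")
    smb = pkt[4:]
    # 2. SMB header: must be a NEGOTIATE *reply* to the request we have outstanding.
    if len(smb) < 33:
        raise MalformedResponse("truncated SMB header")
    magic, command, _status, flags, flags2 = struct.unpack_from("<4sBIBH", smb, 0)
    mid = struct.unpack_from("<H", smb, 30)[0]
    if magic != SMB_MAGIC or command != SMB_COM_NEGOTIATE:
        raise MalformedResponse("not an SMB NEGOTIATE packet")
    if not flags & SMB_FLAGS_REPLY:
        raise MalformedResponse("reply bit not set")
    if mid != expected_mid:
        raise MalformedResponse(f"MID {mid} does not match outstanding request {expected_mid}")
    # 3. Parameter block: validate WordCount before unpacking anything from it.
    word_count = smb[32]
    if word_count != NTLM012_WORDCOUNT:
        raise MalformedResponse(f"unexpected WordCount {word_count}")
    words_end = 33 + 2 * word_count
    if len(smb) < words_end + 2:
        raise MalformedResponse("parameter block overruns packet")
    (dialect_index, security_mode, _mpx, _vcs, max_buffer_size, _raw, _skey,
     capabilities, _time, _tz, challenge_length) = struct.unpack_from(WORDS_FMT, smb, 33)
    if dialect_index >= dialects_offered:          # server may only pick a dialect *we* offered
        raise MalformedResponse(f"DialectIndex {dialect_index} not among {dialects_offered} offered")
    # 4. Data block: peer-supplied lengths are checked against the bytes actually present.
    byte_count = struct.unpack_from("<H", smb, words_end)[0]
    data = smb[words_end + 2:]
    if byte_count != len(data):
        raise MalformedResponse(f"ByteCount {byte_count} but {len(data)} data bytes present")
    if challenge_length > byte_count:
        raise MalformedResponse("ChallengeLength exceeds ByteCount")
    challenge, rest = data[:challenge_length], data[challenge_length:]
    encoding = "utf-16-le" if flags2 & SMB_FLAGS2_UNICODE else "ascii"
    domain = rest.decode(encoding, errors="replace").rstrip("\x00")
    return NegotiateResponse(dialect_index, security_mode, max_buffer_size, capabilities, challenge, domain)


def rejects(pkt: bytes, dialects_offered: int, expected_mid: int) -> bool:
    """True if the parser refuses the packet."""
    try:
        parse_negotiate_response(pkt, dialects_offered, expected_mid)
    except MalformedResponse:
        return True
    return False


def build_negotiate_response(dialect_index: int, mid: int, challenge: bytes, domain: str, *,
                             byte_count: Optional[int] = None,
                             challenge_length: Optional[int] = None) -> bytes:
    """Construct a response for testing (field values are made up); overrides forge bad lengths."""
    data = challenge + domain.encode("utf-16-le") + b"\x00\x00"
    words = struct.pack(WORDS_FMT, dialect_index, 0x03, 50, 1, 16644, 65536, 0, 0x0000E3FD,
                        0, 0, len(challenge) if challenge_length is None else challenge_length)
    header = (SMB_MAGIC + bytes([SMB_COM_NEGOTIATE])
              + struct.pack("<IBH", 0, SMB_FLAGS_REPLY, SMB_FLAGS2_UNICODE)
              + b"\x00" * 12                                  # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", 0, 0xFEFF, 0, mid))      # TID, PIDLow, UID, MID
    body = (header + bytes([NTLM012_WORDCOUNT]) + words
            + struct.pack("<H", len(data) if byte_count is None else byte_count) + data)
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    good = build_negotiate_response(7, 0x1234, b"\x11" * 8, "WORKGROUP")
    print(parse_negotiate_response(good, dialects_offered=8, expected_mid=0x1234))
    print("wrong MID rejected:", rejects(good, 8, 0x1235))
    print("ByteCount overstated rejected:",
          rejects(build_negotiate_response(7, 0x1234, b"\x11" * 8, "WORKGROUP", byte_count=200), 8, 0x1234))
```

Every length the server supplies (NetBIOS length, WordCount, ByteCount, ChallengeLength) is compared with the bytes actually on the wire before it is used to index into the buffer, and the response is matched to the request by MID so that an unsolicited or late reply cannot be mistaken for the answer to an outstanding negotiate.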
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 11 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program checks the file and the time the target program uses it. During that window the attacker could, for example, replace the file and cause an escalation of privilege.
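The file-access race the two CAPEC entries describe, as an added example that is not part of the page: the vulnerable reader checks the path and then opens the path again, so an attacker who replaces the file in between gets their own content read; the hardened reader opens once with O_NOFOLLOW and checks the descriptor it already holds. The attacker's move is simulated by a callback run between check and use, which makes the race deterministic here (in practice the attacker must win a timing window). POSIX only.

```python
"""Time-of-check / time-of-use race on a file path, beside the fix.

Added example for the CAPEC entries on this page; not code from the page. The
attacker's move is simulated by a callback invoked between the check and the
use, so the race is deterministic here. POSIX only (symlinks, O_NOFOLLOW).
"""
import os
import stat
import tempfile
from typing import Callable, Dict, Optional


def read_regular_file_racy(path: str, between: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """Vulnerable pattern: check the *name*, then open the *name* again."""
    st = os.lstat(path)                  # time of check: refuse symlinks and non-regular files
    if not stat.S_ISREG(st.st_mode):
        return None
    between()                            # the window the attacker races into
    with open(path, "rb") as f:          # time of use: the name is resolved a second time
        return f.read()


def read_regular_file_fixed(path: str, between: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """Hardened pattern: open once without following symlinks, then check the descriptor."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                      # ELOOP if the path is a symlink, ENOENT, EACCES, ...
        return None
    try:
        between()                        # whatever happens to the name now cannot affect fd
        if not stat.S_ISREG(os.fstat(fd).st_mode):   # check the object we actually hold
            return None
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> Dict[str, Optional[bytes]]:
    """Run both readers against the same swap and return what each one read."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "config.txt")    # the path the program means to read
        planted = os.path.join(d, "planted.txt")  # what the attacker wants read instead
        with open(planted, "wb") as f:
            f.write(b"attacker data")

        def reset() -> None:               # start each run with a legitimate regular file
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "wb") as f:
                f.write(b"legit data")

        def swap() -> None:                # attacker: replace the checked file with a symlink
            os.remove(target)
            os.symlink(planted, target)

        reset()
        racy = read_regular_file_racy(target, swap)
        reset()
        fixed = read_regular_file_fixed(target, swap)
        return {"racy": racy, "fixed": fixed}


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"{name:5} read: {data!r}")
```

The fixed reader still works after the swap because the descriptor refers to the inode that was opened, not to the name; unlinking or re-pointing the name afterwards does not change what `os.read(fd, ...)` returns.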
Exploit-Db
description | Proof of Concept for MS10-006 SMB Client-Side Bug. CVE-2010-0017. DoS exploit for the Windows platform |
id | EDB-ID:12258 |
last seen | 2016-02-01 |
modified | 2010-04-16 |
published | 2010-04-16 |
reporter | laurent gaffie |
source | https://www.exploit-db.com/download/12258/ |
title | Windows - SMB Client-Side Bug Proof of Concept MS10-006 |
Metasploit
description | This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or into a Word document otherwise. |
id | MSF:AUXILIARY/DOS/WINDOWS/SMB/MS10_006_NEGOTIATE_RESPONSE_LOOP |
last seen | 2019-12-20 |
modified | 2017-08-25 |
published | 2010-04-15 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb |
title | Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop |
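The delivery vector the Metasploit record describes is a UNC path embedded in content the victim renders, which makes the Windows SMB client connect to the attacker's host and receive its Negotiate response. As an added example (not Metasploit or Microsoft code), the scanner below finds UNC paths and file:// URLs in an HTML or mail body, decodes HTML entities first so that `&#92;&#92;host&#92;share` is caught, and reports hosts that are not on an allowlist of known internal file servers. The sample page, the 203.0.113.7 (TEST-NET) address and the allowlist are constructed for the demonstration.

```python
"""Find SMB lures (UNC paths and file:// URLs) in HTML or mail bodies.

Added example for the delivery vector described in the Metasploit record above.
Not Metasploit or Microsoft code; the sample page and host allowlist are
constructed.
"""
import html
import re
from typing import Dict, Iterable, List

# \\host\share\...  as written in HTML attributes or text
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)\\[^\s\"'<>]+")
# file://host/share/... including the file:////host/share form some clients accept
FILE_URL_RE = re.compile(r"file:/{2,}([A-Za-z0-9][A-Za-z0-9.\-]*)/[^\s\"'<>]*", re.IGNORECASE)


def find_smb_lures(document: str, trusted_hosts: Iterable[str]) -> List[Dict[str, object]]:
    """Return each UNC / file:// reference with its host and whether the host is allowlisted."""
    trusted = {h.lower() for h in trusted_hosts}
    # Decode entities first: &#92;&#92;evil&#92;share renders as a UNC path but would not match raw.
    text = html.unescape(document)
    hits: List[Dict[str, object]] = []
    for rx, kind in ((UNC_RE, "unc"), (FILE_URL_RE, "file-url")):
        for m in rx.finditer(text):
            host = m.group(1).lower()
            hits.append({"kind": kind, "host": host, "ref": m.group(0), "trusted": host in trusted})
    return hits


def untrusted_smb_hosts(document: str, trusted_hosts: Iterable[str]) -> List[str]:
    """Hosts the client would be coaxed into speaking SMB to that are not known internal servers."""
    return sorted({str(h["host"]) for h in find_smb_lures(document, trusted_hosts) if not h["trusted"]})


# Constructed sample: one legitimate intranet reference, three lures to a TEST-NET address.
SAMPLE_HTML = """<html><body>
<link rel="stylesheet" href="\\\\fileserver.corp.example\\public\\site.css">
<img src="\\\\203.0.113.7\\share\\pixel.gif" width="1" height="1">
<a href="file://203.0.113.7/share/report.lnk">Quarterly report</a>
<p>Archive: &#92;&#92;203.0.113.7&#92;backup&#92;old.zip</p>
<img src="https://cdn.example.com/logo.png">
</body></html>"""

TRUSTED = ["fileserver.corp.example"]

if __name__ == "__main__":
    for hit in find_smb_lures(SAMPLE_HTML, TRUSTED):
        flag = "ok     " if hit["trusted"] else "SUSPECT"
        print(f"{flag} {hit['kind']:8} {hit['host']:28} {hit['ref']}")
    print("untrusted SMB hosts:", untrusted_smb_hosts(SAMPLE_HTML, TRUSTED))
```

Run over the sample it reports the intranet stylesheet as allowlisted and the three references to 203.0.113.7 as suspect. In a mail gateway or proxy the same check is a cheap pre-filter: any UNC or file:// reference to a host outside the organisation's file servers is a reason to block or rewrite the content, independent of whether the client is patched.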
Msbulletin
bulletin_id | MS10-006 |
bulletin_url | |
date | 2010-02-09T00:00:00 |
impact | Remote Code Execution |
knowledgebase_id | 978251 |
knowledgebase_url | |
severity | Critical |
title | Vulnerabilities in SMB Client Could Allow Remote Code Execution |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS10-006.NASL |
description | The version of the SMB client software installed on the remote Windows host is affected by two vulnerabilities that could allow arbitrary code execution : - Improper validation of fields in SMB responses can lead to a pool corruption issue and in turn to arbitrary code execution with SYSTEM level privileges. (CVE-2010-0016) - Improper handling of a race condition involving SMB |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44416 |
published | 2010-02-09 |
reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/44416 |
title | MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251) |
code | |
Oval
accepted | 2014-03-03T04:01:25.907-05:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka "SMB Client Race Condition Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:8298 |
status | accepted |
submitted | 2010-02-08T13:00:00 |
title | SMB Client Race Condition Vulnerability |
version | 46 |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 38100 CVE ID: CVE-2010-0017 Microsoft Windows is a very popular operating system published by Microsoft. The SMB client implementation does not correctly validate fields in the SMB Negotiate response packet. A remote attacker can trigger a race condition by replying with a specially crafted SMB response to a client that sent the initial SMB request, leading to complete control of the affected system. On Windows Vista and Windows Server 2008 this vulnerability can only lead to a crash or to privilege escalation. Affected: Microsoft Windows Vista SP2, Microsoft Windows Vista SP1, Microsoft Windows Vista, Microsoft Windows Server 2008 SP2, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008, Microsoft Windows 7. Workaround: * Block TCP ports 139 and 445 at the firewall. Vendor patch: Microsoft --------- Microsoft has released a security bulletin (MS10-006) and the corresponding patch: MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251) Link: http://www.microsoft.com/technet/security/Bulletin/MS10-006.mspx?pf=true |
id | SSV:19147 |
last seen | 2017-11-19 |
modified | 2010-02-20 |
published | 2010-02-20 |
reporter | Root |
title | Microsoft Windows SMB Client Implementation Race Condition Vulnerability (MS10-006) |