Vulnerabilities > CVE-2010-0021 - Race Condition vulnerability in Microsoft products

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

Multiple race conditions in the SMB implementation in the Server service in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allow remote attackers to cause a denial of service (system hang) via a crafted (1) SMBv1 or (2) SMBv2 Negotiate packet, aka "SMB Memory Corruption Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition that occurs between the time of check (of the state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file-access race condition by "running the race", meaning that he modifies the resource between the first time the target program accesses the file and the time the target program uses it. During that window, the attacker could do something such as replace the file and cause an escalation of privilege.

Msbulletin

bulletin_id: MS10-012
bulletin_url:
date: 2010-02-09T00:00:00
impact: Remote Code Execution
knowledgebase_id: 971468
knowledgebase_url:
severity: Important
title: Vulnerabilities in SMB Server Could Allow Remote Code Execution

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS10-012.NASL
    description: The remote host is affected by several vulnerabilities in the SMB server that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44422
    published: 2010-02-09
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/44422
    title: MS10-012: Vulnerabilities in SMB Could Allow Remote Code Execution (971468)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(44422);
     script_version("1.24");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2010-0020", "CVE-2010-0021", "CVE-2010-0022", "CVE-2010-0231");
     script_bugtraq_id(38049, 38051, 38054, 38085);
     script_xref(name:"MSFT", value:"MS10-012");
     script_xref(name:"MSKB", value:"971468");
    
     script_name(english:"MS10-012: Vulnerabilities in SMB Could Allow Remote Code Execution (971468)");
     script_summary(english:"Checks version of Srv.sys");
    
     script_set_attribute(
      attribute:"synopsis",
      value:
    "It is possible to execute arbitrary code on the remote Windows host
    due to flaws in its SMB implementation."
     );
     script_set_attribute(
      attribute:"description",
      value:
    "The remote host is affected by several vulnerabilities in the SMB
    server that may allow an attacker to execute arbitrary code or perform
    a denial of service against the remote host."
     );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-012");
     script_set_attribute(
      attribute:"solution",
      value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    Vista, 2008, 7, and 2008 R2."
     );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_cwe_id(20, 94, 264, 310, 362);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2010/02/09");
     script_set_attribute(attribute:"patch_publication_date", value:"2010/02/09");
     script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/09");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS10-012';
    kbs = make_list("971468");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    kb = "971468";
    
    if (
      # Win7/Win2008 R2
      hotfix_is_vulnerable(os:"6.1", sp:0, file:"Srv.sys", version:"6.1.7600.16481",                               dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:0, file:"Srv.sys", version:"6.1.7600.20591", min_version:"6.1.7600.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      # Vista/Win2008
      hotfix_is_vulnerable(os:"6.0", sp:0, file:"Srv.sys", version:"6.0.6000.16977",                               dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:0, file:"Srv.sys", version:"6.0.6000.21179", min_version:"6.0.6000.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Srv.sys", version:"6.0.6001.18381",                               dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:1, file:"Srv.sys", version:"6.0.6001.22581", min_version:"6.0.6001.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Srv.sys", version:"6.0.6002.18164",                               dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"Srv.sys", version:"6.0.6002.22286", min_version:"6.0.6002.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      # Win2003 / XP 64
      hotfix_is_vulnerable(os:"5.2", sp:2, file:"Srv.sys", version:"5.2.3790.4634",                                dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      # WinXP
      hotfix_is_vulnerable(os:"5.1", sp:3, file:"Srv.sys", version:"5.1.2600.5923",                                dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"Srv.sys", version:"5.1.2600.3662",                                dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      # Win2000
      hotfix_is_vulnerable(os:"5.0",       file:"Srv.sys", version:"5.0.2195.7365",                                dir:"\system32\drivers", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: WIN_SERVER_2008_NTLM_PCI.NASL
    description: According to the version number obtained by NTLM, the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities, including remote unauthenticated code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108811
    published: 2018-04-03
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108811
    title: Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)
  • NASL family: Windows
    NASL id: SMB_KB971468.NASL
    description: The remote host is affected by several vulnerabilities in the SMB server that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host. These vulnerabilities depend on access to a shared drive, but do not necessarily require credentials.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47556
    published: 2010-09-13
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/47556
    title: MS10-012: Vulnerabilities in SMB Could Allow Remote Code Execution (971468) (uncredentialed check)

Oval

accepted: 2012-03-26T04:04:20.788-04:00
class: vulnerability
contributors
  • name: Dragos Prisaca
    organization: Symantec Corporation
definition_extensions
  • comment: Microsoft Windows Vista (32-bit) is installed
    oval: oval:org.mitre.oval:def:1282
  • comment: Microsoft Windows Vista x64 Edition is installed
    oval: oval:org.mitre.oval:def:2041
  • comment: Microsoft Windows Vista (32-bit) Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:4873
  • comment: Microsoft Windows Vista x64 Edition Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:5254
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft Windows Vista (32-bit) Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6124
  • comment: Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:5653
  • comment: Microsoft Windows Vista x64 Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:5594
  • comment: Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6216
  • comment: Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6150
  • comment: Microsoft Windows 7 (32-bit) is installed
    oval: oval:org.mitre.oval:def:6165
  • comment: Microsoft Windows 7 x64 Edition is installed
    oval: oval:org.mitre.oval:def:5950
  • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval: oval:org.mitre.oval:def:6438
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval: oval:org.mitre.oval:def:5954
description: Multiple race conditions in the SMB implementation in the Server service in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allow remote attackers to cause a denial of service (system hang) via a crafted (1) SMBv1 or (2) SMBv2 Negotiate packet, aka "SMB Memory Corruption Vulnerability."
family: windows
id: oval:org.mitre.oval:def:8524
status: accepted
submitted: 2010-02-08T13:00:00
title: SMB Memory Corruption Vulnerability
version: 44