Windows SMB PsImpersonateClient null token vulnerability

Added: 07/13/2017
CVE: CVE-2017-0144
BID: 96704

Background

Server Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network.

Problem

A remote attacker can execute arbitrary commands with SYSTEM privileges by overwriting the token with a null value and forcing PsImpersonateClient to run, which causes the running thread to fall back to the process's primary token.

Resolution

Apply the fix referenced in MS17-010.

References

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Limitations

Exploit works on Windows Server 2008 R2. The target system must allow anonymous access to the SAMR, NETLOGON, or LSARPC named pipe in order for this exploit to succeed.

Due to the nature of the vulnerability, the success of this exploit may vary depending on the state of the target system.

Platforms

Windows