Windows SMBv1 Transaction race condition

Added: 03/15/2018
CVE: CVE-2017-0146
BID: 96707

Background

Server Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions.

Problem

A race condition when handling Transaction requests, combined with type confusion between WriteAndX and Transaction requests, allows remote attackers to overwrite the connection session information with an Administrator session, leading to command execution.

Resolution

Apply the patch referenced in MS17-010, or disable SMBv1.

References

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Limitations

Exploit works on Windows Vista through Windows 10. The target must allow anonymous access to the netlogon named pipe in order to succeed.

Due to the nature of the vulnerability, the success of this exploit may depend on the target's state. Success is more likely after the target is rebooted.

Platforms

Windows

Back to exploit index