Windows SMBv1 Transaction race condition
Added: 03/15/2018CVE: CVE-2017-0146
BID: 96707
Background
Server Message Block (SMB) is the protocol used by Microsoft Windows computers to communicate over a network. SMBv1 was the first version of this protocol and is still supported by modern Windows versions.Problem
A race condition when handling Transaction requests, combined with type confusion between WriteAndX and Transaction requests, allows remote attackers to overwrite the connection session information with an Administrator session, leading to command execution.Resolution
Apply the patch referenced in MS17-010, or disable SMBv1.References
https://technet.microsoft.com/en-us/library/security/ms17-010.aspxLimitations
Exploit works on Windows Vista through Windows 10. The target must allow anonymous access to the netlogon named pipe in order to succeed.Due to the nature of the vulnerability, the success of this exploit may depend on the target's state. Success is more likely after the target is rebooted.
Platforms
WindowsBack to exploit index