Vulnerability Details : CVE-2011-0654 (1 public exploit)

Integer underflow in the BowserWriteErrorLogEntry function in the Common Internet File System (CIFS) browser service in Mrxsmb.sys or bowser.sys in Active Directory in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a malformed BROWSER ELECTION message, leading to a heap-based buffer overflow, aka "Browser Pool Corruption Vulnerability." NOTE: some of these details are obtained from third party information.
Publish Date : 2011-02-15 Last Update Date : 2011-10-25

Collapse All Expand All Select Select&Copy	Scroll To Vendor Statements(0) Additional Vendor Data(0) OVAL Definitions(0) Vulnerable Products(0) # Of Vulns By Products References(0) Metasploit Modules(0)	Comments View User Comments Add Comment	External Links Secunia Advisories XForce Advisories Vulnerability Details at NVD Vulnerability Details at Mitre Nessus Plugins Linux Kernel Git Repository First CVSS Guide
Related Tweets Even more tweets Search Twitter Search YouTube Search Google

- CVSS Scores & Vulnerability Types

Cvss Score	10.0
Confidentiality Impact	Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact	Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact	Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)
Access Complexity	Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication	Not required (Authentication is not required to exploit the vulnerability.)
Gained Access	None
Vulnerability Type(s)	Denial Of ServiceExecute CodeOverflow
CWE ID	119

- Related OVAL Definitions

Title	Definition Id	Class	Family
Browser Pool Corruption Vulnerability	oval:org.mitre.oval:def:12637		windows
MS11-019: Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)	oval:gov.nist.fdcc.patch:def:11742		windows

OVAL (Open Vulnerability and Assessment Language) definitions define exactly what should be done to verify a vulnerability or a missing patch. Check out the OVAL definitions if you want to learn what you should do to verify a vulnerability.

- Products Affected By CVE-2011-0654

#	Product Type	Vendor	Product	Update	Edition
1	OS	Microsoft	Windows 2003 Server	R2		Details Vulnerabilities
2	OS	Microsoft	Windows 2003 Server			Details Vulnerabilities
3	OS	Microsoft	Windows 2003 Server	R2	X64	Details Vulnerabilities
4	OS	Microsoft	Windows 2003 Server	SP2	Itanium	Details Vulnerabilities
5	OS	Microsoft	Windows Server 2003	SP2	Itanium	Details Vulnerabilities
6	OS	Microsoft	Windows Server 2003	SP2	X64	Details Vulnerabilities
7	OS	Microsoft	Windows Server 2003		X64	Details Vulnerabilities
8	OS	Microsoft	Windows Server 2003	SP2		Details Vulnerabilities

- Number Of Affected Versions By Product

Vendor	Product	Vulnerable Versions
Microsoft	Windows 2003 Server	4
Microsoft	Windows Server 2003	4

- References For CVE-2011-0654

http://archives.neohapsis.com/archives/fulldisclosure/current/0284.html
FULLDISC 20110214 MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow

http://blogs.technet.com/b/mmpc/archive/2011/02/16/my-sweet-valentine-the-cifs-browser-protocol-heap-corruption-vulnerability.aspx CONFIRM

http://secunia.com/advisories/43299
SECUNIA 43299

http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx CONFIRM

http://www.securityfocus.com/bid/46360
BID 46360 Microsoft Windows 'BROWSER ELECTION' Buffer Overflow Vulnerability Release Date:2011-04-13

Exploit! http://www.exploit-db.com/exploits/16166
EXPLOIT-DB 16166 MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow Author:Cupidon-3005 Release Date:2011-02-14 (windows) dos

http://www.securitytracker.com/id?1025328
SECTRACK 1025328

http://www.vupen.com/english/advisories/2011/0394
VUPEN ADV-2011-0394

http://www.vupen.com/english/advisories/2011/0938
VUPEN ADV-2011-0938

http://www.us-cert.gov/cas/techalerts/TA11-102A.html
CERT TA11-102A

http://technet.microsoft.com/en-us/security/bulletin/ms11-019
Microsoft Security Bulletin MS11-019 MS11-019 - Critical : Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455) - Version: 1.1 Release Date:1969-12-31

http://www.kb.cert.org/vuls/id/323172
CERT-VN VU#323172

http://xforce.iss.net/xforce/xfdb/65376
XF ms-win-server-browser-bo(65376)

- Metasploit Modules Related To CVE-2011-0654

Microsoft Windows Browser Pool DoS

This module exploits a denial of service flaw in the Microsoft Windows SMB service on versions of Windows Server 2003 that have been configured as a domain controller. By sending a specially crafted election request, an attacker can cause a pool overflow. The vulnerability appears to be due to an error handling a length value while calculating the amount of memory to copy to a buffer. When there are zero bytes left in the buffer, the length value is improperly decremented and an integer underflow occurs. The resulting value is used in several calculations and is then passed as the length value to an inline memcpy operation. Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and causes considerable damage to kernel heap memory. While theoretically possible, it does not appear to be trivial to turn this vulnerability into remote (or even local) code execution.