Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
Published 2009-09-08 22:30:01
Updated 2023-12-07 18:38:57
View at NVD,   CVE.org
Vulnerability category: Execute codeDenial of service

Products affected by CVE-2009-3103

Exploit prediction scoring system (EPSS) score for CVE-2009-3103

97.11%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2009-3103

  • Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
    First seen: 2020-04-26
    auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh
    This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem aff
  • Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference
    First seen: 2020-04-26
    auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff
    This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD. Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS
  • MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
    Disclosure Date: 2009-09-07
    First seen: 2020-04-26
    exploit/windows/smb/ms09_050_smb2_negotiate_func_index
    This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not s

CVSS scores for CVE-2009-3103

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
10.0
HIGH AV:N/AC:L/Au:N/C:C/I:C/A:C
10.0
10.0
NIST

CWE ids for CVE-2009-3103

  • Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-3103

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!