Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Regarding "SMB Invalid Handle Value" - MS06-030. Vulnerability not fixed.

From: Reversemode <advisories () reversemode com>
Date: Thu, 15 Jun 2006 20:43:06 +0200

Hi,

Just to confirm that Microsoft has  not fixed the NtClose/ZwClose
DeadLock vulnerability. The bulletin MS06-030 addressed this flaw as
"SMB Invalid Handle Value" which is just an euphemism under my point of
view.

The code added to mrxsmb.sys is just a wrapper in order to avoid the
"Invalid Handle".

I am sure that Microsoft has its own reasons to do this, I do not care
about. I'm not interested in discussing. However, I think that the
Driver Developer community should be informed that using
NtClose/ZwClose, the driver will be exposed to a security issue by
default.  If this issue is considered as a feature, please, document it.
A developer is not extrictely required to know this behaviour.

------
case IOCTL_CLOSEHANDLE_DEADLOCK:
        
        inBuf = Irp->AssociatedIrp.SystemBuffer;
        ZwClose((HANDLE)inBuf[0]);
------

References: -Reversing mrxsmb.sys , Chapter II "NtClose DeadLock"-
http://www.reversemode.com/index.php?option=com_content&task=view&id=14&Itemid=1


Rubén Santamarta,
www.reversemode.com
Previous By Date Next
Previous By Thread Next

Current thread: