Microsoft Windows srv2.sys code execution (SMB_Negotiate_ProcessID_Exec)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects an SMB Negotiate request with a Process ID other than 0 as well as using an SMB 2.x dialect. This can result in remote code execution on certain versions of Windows.

This signature detects an SMB Negotiate request with a Process ID other than 0. This can result in remote code execution on certain versions of Windows.
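The two conditions the signature describes (an SMB Negotiate request offering an SMB 2.x dialect, with a non-zero Process ID in the SMB1 header) can be checked directly on the wire format. The following detector is an added example, not code from IBM or from this signature's implementation; it parses the SMB1 header and NEGOTIATE body as laid out in MS-CIFS, and the sample requests it is fed are constructed test input, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_LEN = 32  # fixed SMB1 header (MS-CIFS), without the 4-byte NetBIOS session header

@dataclass
class NegotiateInfo:
    pid_high: int        # SMB_Header.PIDHigh, offset 12
    pid_low: int         # SMB_Header.PIDLow, offset 26
    dialects: List[str]  # dialect strings offered by the client

def parse_smb1_negotiate(data: bytes) -> Optional[NegotiateInfo]:
    """Parse an SMB1 SMB_COM_NEGOTIATE request; None if it is not one or is truncated."""
    if len(data) < HEADER_LEN + 3 or data[:4] != SMB1_MAGIC or data[4] != SMB_COM_NEGOTIATE:
        return None
    pid_high = struct.unpack_from("<H", data, 12)[0]
    pid_low = struct.unpack_from("<H", data, 26)[0]
    word_count = data[HEADER_LEN]
    bc_off = HEADER_LEN + 1 + 2 * word_count          # ByteCount follows the Words array
    if len(data) < bc_off + 2:
        return None
    byte_count = struct.unpack_from("<H", data, bc_off)[0]
    blob = data[bc_off + 2 : bc_off + 2 + byte_count]
    dialects, pos = [], 0
    while pos < len(blob) and blob[pos] == 0x02:      # 0x02 = BufferFormat "Dialect"
        end = blob.find(b"\x00", pos + 1)
        if end < 0:
            break                                      # unterminated string: stop parsing
        dialects.append(blob[pos + 1 : end].decode("ascii", "replace"))
        pos = end + 1
    return NegotiateInfo(pid_high, pid_low, dialects)

def matches_signature(data: bytes) -> bool:
    """True when a Negotiate offers an SMB 2.x dialect and carries a non-zero Process ID."""
    info = parse_smb1_negotiate(data)
    if info is None:
        return False
    offers_smb2 = any(d.startswith("SMB 2.") for d in info.dialects)
    process_id = (info.pid_high << 16) | info.pid_low  # 32-bit PID split across two fields
    return offers_smb2 and process_id != 0

def build_negotiate(pid_high: int, pid_low: int, dialects: List[str]) -> bytes:
    """Constructed test input for the detector (not a captured packet)."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                         pid_high, b"\x00" * 8, 0, 0, pid_low, 0, 0)
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + b"\x00" + struct.pack("<H", len(body)) + body
```

The check follows the signature text literally (any non-zero 32-bit Process ID); a sensor fed real traffic would need to confirm how legitimate SMB2-capable clients populate PIDLow before using it as an alert condition.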


Default risk level

High

Sensors that have this signature

Proventia Desktop: 2431, Proventia Network IPS: XPU 29.091, RealSecure Network: XPU 29.091, RealSecure Server Sensor: XPU 29.091, Proventia-G 1.1 and earlier: XPU 29.091, Proventia Network IDS: XPU 29.091, Proventia Network MFS: XPU 29.091, IBM Security Server Protection for Windows: 2.1.14.2431, IBM Security Server Protection for Windows: 1.0.914.2431, IBM Security Server Protection for Windows: 2.0.300.2431, Proventia Server IPS for Linux technology: 29.091, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows Vista, Microsoft Windows Vista: x64, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows Server 2008: SP2 Itanium

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by an array indexing error in the Smb2ValidateProviderCallback() function within the SRV2.SYS kernel driver when parsing SMB packets. By sending a specially-crafted Server Message Block (SMB) Negotiate Protocol Request, a remote attacker could exploit this vulnerability to dereference out-of-bounds memory to execute arbitrary code on the system or cause the system to crash.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Laurent Gaffie blog
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

Microsoft Web site
Microsoft Windows
http://www.microsoft.com/windows/default.aspx

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/975497.mspx

milw0rm.com [2009-09-09]
Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln
http://milw0rm.com/exploits/9594

IBM Internet Security Systems Protection Alert
Microsoft Windows SRV2.SYS Remote Code Execution
http://www.iss.net/threats/347.html

Microsoft Security Bulletin MS09-050
Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)
http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx

Offensive Security Exploit Database [2010-08-17]
Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)
http://www.exploit-db.com/exploits/14674/

Microsoft Security Bulletin MS11-048
Vulnerability in SMB Server Could Allow Denial of Service (2536275)
http://www.microsoft.com/technet/security/bulletin/ms11-048.mspx

ISS X-Force
Microsoft Windows srv2.sys code execution
http://www.iss.net/security_center/static/53090.php

CVE
CVE-2009-3103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103