New hole in Windows file sharing
On the Full Disclosure mailing list, an unknown contributor has disclosed a previously unknown security problem involving files shared via SMB under Windows. A buffer overflow in the heap can be exploited to inject arbitrary code into a system and execute it. The contributor also provided suitable code to demonstrate the problem.
Security firms Vupen and Secunia have confirmed the threat; they were able to reproduce the problem on Windows XP SP3 and Windows Server 2003 SP2. The flaw can be exploited remotely by using overly long server name strings sent in a specially crafted "Browser Election Request" packet. The buffer overflow is triggered via the BowserWriteErrorLogEntry() function in the mrxsmb.sys driver. No user authentication at the server is required.
Microsoft has not yet released a statement, let alone a patch. The best way of protecting systems is to place the access to shared Windows files behind a firewall. If you are connected to a network marked as "public", Windows Firewall already reliably does this.
(ehe)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
