----------------------------------------------------------------------

Want to join the Secunia Security Team?

Secunia offers a position as a security specialist, where your daily
work involves reverse engineering of software and exploit code,
auditing of source code, and analysis of vulnerability reports.

http://secunia.com/secunia_security_specialist/

----------------------------------------------------------------------

TITLE:
Windows SMB Denial of Service and Privilege Escalation

SECUNIA ADVISORY ID:
SA20635

VERIFY ADVISORY:
http://secunia.com/advisories/20635/

CRITICAL:
Less critical

IMPACT:
Privilege escalation, DoS

WHERE:
Local system

OPERATING SYSTEM:
Microsoft Windows XP Professional
http://secunia.com/product/22/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/

DESCRIPTION:
Two vulnerabilities have been reported in Microsoft Windows, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service) and gain escalated privileges.

1) An input validation error exists within the
"MRxSmbCscIoctlOpenForCopyChunk()" function in MRXSMB.SYS when
handling certain DeviceIoControl requests. This can be exploited to
overwrite kernel memory and allows arbitrary code execution with
escalated privileges.

2) An input validation error exists within the
"MrxSmbCscIoctlCloseForCopyChunk()" function in MRXSMB.SYS when
handling certain requests. This can be exploited to cause a deadlock,
which potentially leads to a DoS, by passing an invalid handle to the
function.

SOLUTION:
Apply patches.

Microsoft Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6ec86784-6b12-410b-8068-028c58ed5df7

Microsoft Windows XP SP1 or SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=c17ddc07-204b-4a7f-8c5a-36b7865a030c

Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=89fbbdd0-7504-4807-9337-08324aa457e7

Microsoft Windows Server 2003 (with or without SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=%2043d69a41-6acb-4c64-89dc-2b9aef6e98fd

Microsoft Windows Server 2003 (Itanium) (with or without SP1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=e1d13c18-72d1-40b8-95b3-08aef8db9213

Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=b6018a61-b0ec-467e-9025-059d3c9f1c5f

PROVIDED AND/OR DISCOVERED BY:
Discovered by Ruben Santamarta and reported via iDEFENSE.

ORIGINAL ADVISORY:
MS06-030 (KB914389):
http://www.microsoft.com/technet/security/Bulletin/MS06-030.mspx

iDEFENSE:
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=408
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=409

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------