Watchout For Evil SMB Servers: MS10-006

Searching_ _ _ · Feb 18, 2010

MS10-006 is a vulnerability in the SMB client that can be exploited by connecting to a malicious server. So how do you exploit something like that?
Well, as Laurent mentioned, I wrote a tool awhile back called Nbtool (specifically, nbpoison or, in the upcoming release, nbsniff) that will intercept NetBIOS requests on the local network and respond with a chosen address. If the user is trying to access a local resource using NetBIOS name lookups, it becomes a race condition for the attacker.
Click to expand...

http://www.skullsecurity.org/blog/?p=452
Related info:
https://www.wilderssecurity.com/showthread.php?t=265020&highlight=ms10-006

Rmus · Feb 19, 2010

Interesting article! I wonder how many cybercriminals have his Nbtool and are just waiting for exploit code to spread around!

NETBIOS requests, of course, are carried out via Ports 135 - 139, which are used for those set up for network file sharing. Also port 445

Otherwise, closing these ports at the firewall prevents the attack:

Microsoft Security Bulletin MS10-006 - Critical
Vulnerabilities in SMB Client Could Allow Remote Code Execution (978251)
http://www.microsoft.com/technet/security/bulletin/ms10-006.mspx

Workarounds

• Block TCP ports 139 and 445 at the firewall
Click to expand...

Of course, a patch is now released!

----
rich

Log in or Sign up

Watchout For Evil SMB Servers: MS10-006

Searching_ _ _ Registered Member

Rmus Exploit Analyst

Log in or Sign up

Watchout For Evil SMB Servers: MS10-006

Searching_ _ _ Registered Member

Rmus Exploit Analyst

Useful Searches