Tuesday, September 29, 2009

Immunity Predicts Out of Band SMB2 Patch Unlikely


I asked the Immunity team to take a look into the new exploit to assess whether Microsoft would patch the SMBv2 bug early, and our initial assessment is "no, they will not."

Our assessment is that the exploit works by relying on some key magic numbers, one of which is what redirects execution to the payload. In some circumstances this magic number is always the same, e.g. in VMware or in some specific hardware configurations. However, in many situations (e.g. when you don't have the exact same hardware the exploit expects) this number will be different, resulting in a bluescreen.
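
The dependency described above, modelled as a small C program. This is an added illustration written for this page, not code from the public exploit or from Immunity; the target names, the addresses and the "verified" table are all constructed values, and the real exploit's magic number and its meaning are not reproduced here. The model shows why a single hardcoded address works on one configuration and crashes another, and the check a practitioner would add before firing: refuse targets whose fingerprint the exploit was never tested against, instead of gambling on a bluescreen.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What happens when the modelled exploit is fired at a target. */
enum outcome { OUTCOME_PAYLOAD = 0, OUTCOME_BSOD = 1, OUTCOME_SKIPPED = 2 };

/* A target is modelled only by where the address the exploit needs
 * actually lives. The values are constructed for this example; the point
 * is that they differ with hypervisor, hardware and CPU count. */
struct target {
    const char *name;
    uint64_t    real_addr;
};

static const struct target TARGETS[] = {
    { "vmware-guest",        0xFFFFF80001000000ULL },
    { "physical-single-cpu", 0xFFFFF80001000000ULL },
    { "physical-multi-cpu",  0xFFFFF80001023000ULL },
};
#define NUM_TARGETS (sizeof TARGETS / sizeof TARGETS[0])

/* The "magic number" baked into the exploit: one fixed address, found by
 * testing on one configuration (constructed, not from any real exploit). */
#define MAGIC_ADDR 0xFFFFF80001000000ULL

/* Lookup helper so callers can address a modelled target by name. */
static const struct target *find_target(const char *name)
{
    for (size_t i = 0; i < NUM_TARGETS; i++)
        if (strcmp(TARGETS[i].name, name) == 0)
            return &TARGETS[i];
    return NULL;
}

/* Fire without checking: control goes wherever MAGIC_ADDR points.
 * If the target's layout differs, the kernel dereferences garbage. */
static enum outcome fire_blind(const struct target *t)
{
    return (t->real_addr == MAGIC_ADDR) ? OUTCOME_PAYLOAD : OUTCOME_BSOD;
}

/* Reliability gate: fingerprints the exploit was actually verified on.
 * Anything else is refused rather than risked. (Constructed list.) */
static const char *const VERIFIED[] = { "vmware-guest", "physical-single-cpu" };

static int is_verified(const char *name)
{
    for (size_t i = 0; i < sizeof VERIFIED / sizeof VERIFIED[0]; i++)
        if (strcmp(VERIFIED[i], name) == 0)
            return 1;
    return 0;
}

static enum outcome fire_gated(const struct target *t)
{
    if (!is_verified(t->name))
        return OUTCOME_SKIPPED;
    return fire_blind(t);
}

int main(void)
{
    static const char *const labels[] = { "payload ran", "bluescreen", "skipped" };
    for (size_t i = 0; i < NUM_TARGETS; i++) {
        const struct target *t = &TARGETS[i];
        printf("%-20s blind: %-11s gated: %s\n", t->name,
               labels[fire_blind(t)], labels[fire_gated(t)]);
    }
    return 0;
}
```

The blind path is what the post describes: the exploit is only as portable as the one address it assumes. The gated path is the cheap fix that makes an unreliable exploit safe to carry; making it actually work on the multi-CPU layout means deriving the address at runtime instead of hardcoding it, which is the multi-week effort the post estimates.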

Working around this issue in the current public exploit is probably two weeks of work. At that point, we're nearing Microsoft Tuesday and the need for an out of band patch is moot.


For those who haven't been watching the Twitter feeds, there has been some discussion between security folks on the reliability of the current SMB2 Code Execution module.

HD Moore:
@bobmcmillan definitely works on at least *some* physical machines, but looks like it could use more testing. @msuiche says multi-cpu breaks
