Tuesday, October 6, 2009

SMB2 Bug Found by Simple Fuzzer in Three Seconds

Via Laurent Gaffié blog -

This short post is an answer to the many questions i received regarding how i found the smb2 bug. I said to securityfocus: "this bug was found in 3 seconds and 15 packet with my home made fuzzer"; it's true. I also pointed at MS lack of S.Q.A on SMB2; it's true. I was studying SMB and RPC since a while, and all my tests/fuzzing was failure, until i changed my fuzzing approach with SMB2; Single Network Byte Fuzzing.


MS performed a code review on SMB2 after which they said :
"For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing. They are now in stress testing, 3rd-party application testing, and fuzzing. We'd sure like to complete all that testing before the update needs to be released"
Yep it sounds nice, clean and transparent, but if they would have done this on the MS07-063 patch they would have found this bug in 3 seconds not in 4 weeks of hardcore fuzzing and this is a fact ;)


See Laurent's full post for the fuzzer code...

MS07-063 = Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)

Adding to Laurent's statement, is the face that CVE-2007-5351, which was fixed in MS07-063, was reported by Microsoft and not by another outside party...

No comments:

Post a Comment