[Full-disclosure] Microsoft SMB Information Disclosure Vulnerability CVE-2006-1315
H D Moore
fdlist at digitaloffense.net
Wed Jul 12 01:52:40 BST 2006
Yet another SMB memory leak. There are tons of these in SRVSVC. The key to
finding them is to force large padding values (ie. holes between
DataOffset/ParameterOffset and end of packet). A quick hack is to use the
SMB ECHO command with a non-aligned byte size. I have yet to see anything
actually *useful* get leaked. The leak data usually contains parts of
packets that I sent it previously - my few attempts at testing a busy
domain controller never leaked anything I found interesting. Maybe McAfee
found a way to leak larger blocks?
-HD
On Tuesday 11 July 2006 19:41, Alexander Sotirov wrote:
> This is hardly a "description" of the vulnerability. Your post does not
> include any information that was not already included in the Microsoft
> bulletin this morning.
Full-Disclosure is hosted and sponsored by Secunia.