Feb 17, 2011 13:01 GMT  ·  By

Microsoft has confirmed a serious 0-day vulnerability in Windows that was disclosed publicly on Valentine's Day, but says that a working remote code execution exploit for it is unlikely.

An anonymous researcher posted details of the vulnerability, which he describes as a "MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow", to the Full Disclosure mailing list, along with proof-of-concept code that crashes the target system.

Microsoft has confirmed the kernel-mode crash (blue screen) triggered when the flaw is exploited. The bug lies in the implementation of the BROWSER protocol, which Windows uses to discover other computers and shared resources on the network.

The company noted that all Windows versions are vulnerable, but systems running as a Primary Domain Controller are more likely to be affected, because they usually serve as the Master Browser.

The vulnerable code is located in mrxsmb.sys, the SMB mini-redirector driver, and can be reached by sending a specially crafted BROWSER message to the target computer. Because the message is processed before any authentication takes place, an attacker needs only network access to the target.

After analyzing the vulnerability's effects, Microsoft's security research team concluded that, while remote code execution is theoretically possible, a working exploit for that purpose is unlikely.

"RCE [remote code execution] may also be possible if the corrupted memory is used by a thread running on another processor before the RtlCopyMemory triggers a bugcheck, and in a way that can be used to change code execution. [...] We feel that triggering any such timing condition reliably will be very difficult," Mark Wodrich of MSRC Engineering, explains.

Meanwhile, French vulnerability research vendor VUPEN Security also confirmed the issue and reproduced it on Windows Server 2003 SP2 and Windows XP SP3. The company does not rule out arbitrary code execution and rates the vulnerability as critical.

"This issue is caused by a heap overflow error in the 'BowserWriteErrorLogEntry()' function within the Windows NT SMB Minirdr 'mrxsmb.sys' driver when processing malformed Browser Election requests, which could be exploited by remote unauthenticated attackers or local unprivileged users to crash an affected system or potentially execute arbitrary code with elevated privileges," the company writes in its advisory.
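The Browser Election Request that both Microsoft's crafted-message description and VUPEN's advisory refer to is a short mailslot message. The following added example (not code from the article, the Full Disclosure post, Microsoft or VUPEN) decodes that frame and flags ones that break the documented layout, the kind of check a network sensor watching UDP/138 or a hardened receiver would apply. It assumes the caller has already stripped the NetBIOS datagram and SMB Transaction wrapper and passes in the raw mailslot payload; the field layout follows the Election Request as documented in MS-BRWS, while the sample frames, the 16-character name limit and the verdict strings are constructed for the example. The article does not say which malformation reaches the vulnerable path in mrxsmb.sys, so these are generic layout checks rather than a signature for this specific bug.

```python
"""
Sanity checker for CIFS Browser (BROWSER protocol) Election Request frames.

Added example: not code from the article, the Full Disclosure post, Microsoft
or VUPEN. Input is the raw mailslot payload delivered to \\MAILSLOT\\BROWSE
(inside an SMB Transaction over NetBIOS datagram, UDP/138); the wrapper is
assumed to have been removed by the caller. Field layout follows the Election
Request as documented in MS-BRWS; limits and verdict strings are this
example's own choices.
"""
import struct

OPCODE_ELECTION_REQUEST = 0x08
# opcode(1) version(1) criteria(4) uptime(4) unused(4) -> 14 bytes, little-endian
ELECTION_HEADER = struct.Struct("<BBIII")
MAX_SERVER_NAME = 16  # NetBIOS name length limit, terminator not counted


class BrowserFrameError(ValueError):
    """Raised for a frame that violates the Election Request layout."""


def parse_election_request(payload: bytes) -> dict:
    """Decode an Election Request, or raise BrowserFrameError saying why not."""
    if len(payload) < ELECTION_HEADER.size:
        raise BrowserFrameError("truncated header (%d bytes)" % len(payload))
    opcode, version, criteria, uptime, _unused = ELECTION_HEADER.unpack_from(payload, 0)
    if opcode != OPCODE_ELECTION_REQUEST:
        raise BrowserFrameError("opcode 0x%02x is not an election request" % opcode)
    name_field = payload[ELECTION_HEADER.size:]
    # The server name must be NUL-terminated *inside* the frame. A name that
    # runs to the end of the buffer leaves the receiver to guess where the
    # string ends, which is exactly the kind of input a parser should reject.
    nul = name_field.find(b"\x00")
    if nul < 0:
        raise BrowserFrameError("server name not NUL-terminated inside frame")
    if nul == 0 or nul > MAX_SERVER_NAME:
        raise BrowserFrameError(
            "server name length %d outside 1..%d" % (nul, MAX_SERVER_NAME))
    name = name_field[:nul]
    if any(b < 0x20 or b >= 0x7F for b in name):
        raise BrowserFrameError("server name contains non-printable bytes")
    return {
        "version": version,
        "criteria": criteria,
        "uptime": uptime,
        "server_name": name.decode("ascii"),
        "trailing_bytes": len(name_field) - nul - 1,
    }


def build_election_request(server_name: bytes, criteria: int = 0x20010F00,
                           uptime: int = 3600, version: int = 1,
                           terminate: bool = True) -> bytes:
    """Build a test frame; criteria/uptime values are constructed, not captured."""
    header = ELECTION_HEADER.pack(OPCODE_ELECTION_REQUEST, version, criteria, uptime, 0)
    return header + server_name + (b"\x00" if terminate else b"")


def audit_frames(frames) -> list:
    """Return a (verdict, detail) tuple per frame. 'malformed' verdicts are
    what a sensor on UDP/138 would alert on; 'ok' carries the server name."""
    results = []
    for payload in frames:
        try:
            info = parse_election_request(payload)
            results.append(("ok", info["server_name"]))
        except BrowserFrameError as err:
            results.append(("malformed", str(err)))
    return results


# Constructed sample frames (not captured traffic):
SAMPLE_FRAMES = [
    build_election_request(b"FILESRV01"),                # well-formed
    build_election_request(b"A" * 64),                   # name far beyond 16 chars
    build_election_request(b"B" * 15, terminate=False),  # terminator missing
    build_election_request(b"C" * 4)[:10],               # header cut short
]

if __name__ == "__main__":
    for verdict, detail in audit_frames(SAMPLE_FRAMES):
        print("%-9s %s" % (verdict, detail))
```

Run stand-alone it prints one verdict line per sample frame: the first is accepted with its server name, the other three are reported as malformed with the reason. The checker deliberately rejects rather than repairs: a receiver that tries to "fix up" an unterminated or over-long name is the kind of code path in which a length miscalculation turns into a heap overwrite.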