SMB stands for "Server Message Block" and is also known as CIFS (Common Internet File System). This protocol is intended to provide an open cross-platform mechanism for client systems to request file services from server system over a network. Current CIFS implementation under Windows runs over port TCP/139 and/or port TCP/445 (Direct Host), depending whether NetBIOS over TCP/IP is enabled or not.
The SMB_COM_TRANSACTION command allows the client and the server to define functions specific to a particular resource on a particular server. The functions supported are not defined by the protocol itself but by client and server implementations.
By sending a specially crafted packet requesting the NetServerEnum2, NetServerEnum3 or NetShareEnum transaction, an attacker can mount a denial of service attack on the target machine. It might be possible to abuse this vulnerability to execute arbitrary code, although the research performed so far cannot confirm this possibility (see 'Technical Description' below for information that is more precise).
In order to exploit the vulnerability a user account is needed for the NetShareEnum transaction and only anonymous access is necessary for NetServerEnum2 and NetServerEnum3.
Windows operating system ship with anonymous access enabled by default and is therefore vulnerable to a denial of service attack.
The effect of an attack will trigger an operating system halt (Blue Screen) as shown below (memory addresses may vary):
*** STOP: 0x0000001E (0xC0000005, 0x804B818B, 0x00000001, 0x00760065)
*** Address 804B818B base at 80400000, DateStamp 384d9b17 0 ntoskrnl.exe
The physical memory is dumped and the system restarted (unless configured otherwise).
The problem was identified and tested on:
- Windows NT 4.0 Workstation/Server
- Windows 2000 Professional/Advanced Server
- Windows XP Professional
With all service packs and security HotFixes applied.
Microsoft has released a fix to the problem. Refer to Microsoft Security Bulletin MS02-045 for patches and fixes to vulnerable systems.