CVE-2019-0630 Microsoft Windows SMB Server SMBv2 Smb2UpdateLeaseFileName Remote Code Execution Vulnerability Analysis
(Some of the layout is not very pretty. It looked fine in preview, but the tables get a bit messy once posted; I'm not sure why :))
I. Vulnerability Information
1. Vulnerability Summary
Vulnerability name: Microsoft Windows SMB Server SMBv2 Smb2UpdateLeaseFileName Code Execution Vulnerability
Vulnerability ID: CVE-2019-0630, Bugtraq: 106876
Vulnerability type: Integer Overflow
Impact: Code Execution
CVSS score: 7.5
Exploitation difficulty: Medium
Authentication: Required (a valid user account on the target is needed)
2. Component Overview
Server Message Block (SMB) is a protocol that gives client programs on networked computers a way to read and write files on, and request services from, server programs. SMB can run over TCP/IP as well as over IPX and NetBEUI. Using SMB, an application can access files on a remote server along with resources such as printers, mailslots and named pipes. A client can therefore read, write and update files on a remote machine, and can talk to any server program that accepts SMB client requests.
• Microsoft Windows 7
• Microsoft Windows 8
• Microsoft Windows 8.1
• Microsoft Windows 10
• Microsoft Windows RT
• Microsoft Windows RT 8.1
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2012 R2 (Server Core)
• Microsoft Windows Server 2016
• Microsoft Windows Server 2019
• Microsoft Windows Server version 1709 (Server Core Installation)
• Microsoft Windows Server version 1803 (Server Core Installation)
FILE_DIRECTORY_FILE (0x00000001)
The file being created or opened is a directory file. With this flag, the CreateDisposition field MUST be set to FILE_CREATE, FILE_OPEN_IF, or FILE_OPEN. With this flag, only the following CreateOptions values are valid: FILE_WRITE_THROUGH, FILE_OPEN_FOR_BACKUP_INTENT, FILE_DELETE_ON_CLOSE, and FILE_OPEN_REPARSE_POINT. If the file being created or opened already exists and is not a directory file and FILE_CREATE is specified in the CreateDisposition field, then the server MUST fail the request with STATUS_OBJECT_NAME_COLLISION. If the file being created or opened already exists and is not a directory file and FILE_CREATE is not specified in the CreateDisposition field, then the server MUST fail the request with STATUS_NOT_A_DIRECTORY. The server MUST fail an invalid CreateDisposition field or an invalid combination of CreateOptions flags with STATUS_INVALID_PARAMETER.
FILE_WRITE_THROUGH (0x00000002)
The server performs file write-through; file data is written to the underlying storage before completing the write operation on this open.
FILE_SEQUENTIAL_ONLY (0x00000004)
This indicates that the application intends to read or write at sequential offsets using this handle, so the server SHOULD optimize for sequential access. However, the server MUST accept any access pattern. This flag value is incompatible with the FILE_RANDOM_ACCESS value.
FILE_NO_INTERMEDIATE_BUFFERING (0x00000008)
File buffering is not performed on this open; file data is not retained in memory upon writing it to, or reading it from, the underlying storage.
FILE_SYNCHRONOUS_IO_ALERT (0x00000010)
This bit SHOULD be set to 0 and MUST be ignored by the server.
FILE_SYNCHRONOUS_IO_NONALERT (0x00000020)
This bit SHOULD be set to 0 and MUST be ignored by the server.
FILE_NON_DIRECTORY_FILE (0x00000040)
If the name of the file being created or opened matches with an existing directory file, the server MUST fail the request with STATUS_FILE_IS_A_DIRECTORY. This flag MUST NOT be used with FILE_DIRECTORY_FILE or the server MUST fail the request with STATUS_INVALID_PARAMETER.
FILE_COMPLETE_IF_OPLOCKED (0x00000100)
This bit SHOULD be set to 0 and MUST be ignored by the server.
FILE_NO_EA_KNOWLEDGE (0x00000200)
The caller does not understand how to handle extended attributes. If the request includes an SMB2_CREATE_EA_BUFFER create context, then the server MUST fail this request with STATUS_ACCESS_DENIED. If extended attributes with the FILE_NEED_EA flag (see [MS-FSCC] section 2.4.15) set are associated with the file being opened, then the server MUST fail this request with STATUS_ACCESS_DENIED.
FILE_RANDOM_ACCESS (0x00000800)
This indicates that the application intends to read or write at random offsets using this handle, so the server SHOULD optimize for random access. However, the server MUST accept any access pattern. This flag value is incompatible with the FILE_SEQUENTIAL_ONLY value. If both FILE_RANDOM_ACCESS and FILE_SEQUENTIAL_ONLY are set, then FILE_SEQUENTIAL_ONLY is ignored.
FILE_DELETE_ON_CLOSE (0x00001000)
The file MUST be automatically deleted when the last open request on this file is closed. When this option is set, the DesiredAccess field MUST include the DELETE flag. This option is often used for temporary files.
FILE_OPEN_BY_FILE_ID (0x00002000)
This bit SHOULD be set to 0 and the server MUST fail the request with a STATUS_NOT_SUPPORTED error if this bit is set.
FILE_OPEN_FOR_BACKUP_INTENT (0x00004000)
The file is being opened for backup intent. That is, it is being opened or created for the purposes of either a backup or a restore operation. The server can check to ensure that the caller is capable of overriding whatever security checks have been placed on the file to allow a backup or restore operation to occur. The server can check for access rights to the file before checking the DesiredAccess field.
FILE_NO_COMPRESSION (0x00008000)
The file cannot be compressed. This bit is ignored when FILE_DIRECTORY_FILE is set in CreateOptions.
FILE_OPEN_REMOTE_INSTANCE (0x00000400)
This bit SHOULD be set to 0 and MUST be ignored by the server.
FILE_OPEN_REQUIRING_OPLOCK (0x00010000)
This bit SHOULD be set to 0 and MUST be ignored by the server.
FILE_DISALLOW_EXCLUSIVE (0x00020000)
This bit SHOULD be set to 0 and MUST be ignored by the server.
FILE_RESERVE_OPFILTER (0x00100000)
This bit SHOULD be set to 0 and the server MUST fail the request with a STATUS_NOT_SUPPORTED error if this bit is set.
FILE_OPEN_REPARSE_POINT (0x00200000)
If the file or directory being opened is a reparse point, open the reparse point itself rather than the target that the reparse point references.
FILE_OPEN_NO_RECALL (0x00400000)
In an HSM (Hierarchical Storage Management) environment, this flag means the file SHOULD NOT be recalled from tertiary storage such as tape. The recall can take several minutes. The caller can specify this flag to avoid those delays.
FILE_OPEN_FOR_FREE_SPACE_QUERY (0x00800000)
Open file to query for free space. The client SHOULD set this to 0 and the server MUST ignore it.