Full Report
a) was the politely dropped Kaminsky Firefox bug [http://lists.grok.org.uk/pipermail/full-disclosure/2009-September/070620.html]. It still requires a click for command execution, but considering it's multi-platform Firefox ownage sans shellcode, I think it's cool. I think it's even cooler that Dan dropped it sans any fanfare. b) has to be Pusscat's attack on the SMBv2 remote bug published on [the VRT blog]. From the post: "we get lucky here as well in that there is a pointer srv!pSrvStatistics which also points to srvnet!SrvNetStatistics, and counts the number of requests that have been made to a specific call (as well as other things)."
Analysis Summary
This summary covers the two unrelated issues mentioned in the text fragment above (a Firefox bug and an SMBv2 flaw). Because the fragment gives only a passing description of each, with no official CVE or vendor advisory, the CVE section records only what the text itself provides.
---
# Vulnerability: Unspecified Firefox Multi-Platform Bug & SMBv2 Remote Flaw (ca. 2009)
## CVE Details
- **CVE ID:** *Not explicitly provided in the text for either issue.*
- **CVSS Score:** *Not explicitly provided in the text.*
- **CWE:** *Not explicitly provided in the text.*
## Affected Systems
The text names no versions; the details below are inferred from context:
**Issue A (Firefox Bug):**
- **Products:** Mozilla Firefox (multi-platform).
- **Versions:** Unspecified (pre-September 2009).
- **Configurations:** Any; exploitation requires the user to click.
**Issue B (SMBv2 Bug - Pusscat / VRT blog):**
- **Products:** Windows operating systems with the SMBv2 server (`srv2.sys`) enabled.
- **Versions:** Unspecified; the write-up targets the `srv2.sys` / `srvnet.sys` SMBv2 implementation of the time.
- **Configurations:** SMB service (TCP 445/139) reachable by the attacker.
## Vulnerability Description
**Issue A (Firefox Bug - "Kaminsky Bug"):**
A vulnerability in Firefox that, despite requiring a click, was notable for achieving command execution on multiple platforms without shellcode. The text does not describe the underlying flaw beyond that.
**Issue B (SMBv2 Remote Bug):**
A remote vulnerability in the Windows SMBv2 implementation (`srv2.sys`), with the path to code execution passing through `srvnet.sys`. The referenced write-up (titled as an SMBv2 "DoS", quotation marks in the original) shows that the bug is exploitable for remote code execution by abusing an existing data pointer, `srv!pSrvStatistics`, which points to `srvnet!SrvNetStatistics`, a block of counters that records how many requests have been made to each call. The technique:
1. Driving counters in `srvnet!SrvNetStatistics` to chosen values by sending repeated requests, so that the counter bytes in memory decode as x86 instructions that transfer control through a register (the text cites `ffe6` = `jmp esi`, `ffd6` = `call esi` and `56c3` = `push esi; ret`).
2. Setting `ProcessHighID` in the request header so that the address computed from it lands outside `srv2.sys`, in `srvnet.sys`, on the pointer to `srvnet!SrvNetStatistics`.
3. Dereferencing that pointer, which executes the counter bytes; the register-indirect gadget then transfers control to attacker-supplied data from the request packet, giving code execution.
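The step that is easy to get wrong is the first one: a counter is a little-endian 32-bit integer, so the value an attacker must drive it to is the byte-swapped form of the opcode sequence (FF E6 in memory is the value 0xE6FF, not 0xFFE6), and only the low 16 bits matter because a request increments the counter by one. The following C program is an added illustration of that arithmetic, not code from the VRT write-up or from any exploit; the `stats_block` layout (an array of per-command counters), the sample counter values and the `send_requests` helper are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a statistics block: one little-endian 32-bit request
 * counter per SMB command. This layout is an assumption for illustration,
 * not the real srvnet!SrvNetStatistics structure. */
#define NUM_COUNTERS 8
typedef struct {
    uint32_t requests[NUM_COUNTERS];
} stats_block;

/* Two-byte x86 encodings cited in the text. For a counter to "be" one of
 * these, its first two bytes in memory must hold b0 then b1. */
typedef struct { uint8_t b0, b1; const char *name; } gadget;
static const gadget gadgets[] = {
    { 0xFF, 0xE6, "jmp esi" },
    { 0xFF, 0xD6, "call esi" },
    { 0x56, 0xC3, "push esi; ret" },
};
#define NUM_GADGETS (sizeof gadgets / sizeof gadgets[0])

/* Counter value whose in-memory bytes begin with b0 b1 on a little-endian CPU.
 * Note the swap: FF E6 in memory is the integer 0xE6FF, not 0xFFE6. */
static uint32_t counter_value_for(uint8_t b0, uint8_t b1) {
    return (uint32_t)b0 | ((uint32_t)b1 << 8);
}

/* Extra requests needed so that the low 16 bits of `current` reach
 * `target16` (each request is one increment; the low half wraps mod 2^16,
 * and the upper bytes are never fetched as the first two opcode bytes). */
static uint32_t requests_needed(uint32_t current, uint16_t target16) {
    return (uint32_t)((target16 - (current & 0xFFFFu)) & 0xFFFFu);
}

/* Serialise the block exactly as the CPU would fetch it if control landed on it. */
static void stats_as_bytes(const stats_block *s, uint8_t out[NUM_COUNTERS * 4]) {
    for (size_t i = 0; i < NUM_COUNTERS; i++) {
        uint32_t v = s->requests[i];
        out[4 * i + 0] = (uint8_t)(v);
        out[4 * i + 1] = (uint8_t)(v >> 8);
        out[4 * i + 2] = (uint8_t)(v >> 16);
        out[4 * i + 3] = (uint8_t)(v >> 24);
    }
}

/* Index of the first counter whose leading two bytes decode to a gadget
 * (name returned via *name when non-NULL), or -1 if none does. */
static int find_gadget_counter(const stats_block *s, const char **name) {
    uint8_t bytes[NUM_COUNTERS * 4];
    stats_as_bytes(s, bytes);
    for (size_t i = 0; i < NUM_COUNTERS; i++) {
        for (size_t g = 0; g < NUM_GADGETS; g++) {
            if (bytes[4 * i] == gadgets[g].b0 && bytes[4 * i + 1] == gadgets[g].b1) {
                if (name) *name = gadgets[g].name;
                return (int)i;
            }
        }
    }
    return -1;
}

/* Hypothetical stand-in for the attacker sending `n` requests to command `cmd`:
 * the server's only visible effect is that the counter goes up by n. */
static void send_requests(stats_block *s, size_t cmd, uint32_t n) {
    s->requests[cmd] += n;
}

int main(void) {
    /* Constructed sample counters; no gadget is present yet. */
    stats_block s = {{ 17, 1200, 5, 0x0001E600, 3, 9, 42, 7 }};
    const char *name = NULL;
    printf("gadget present initially: %d\n", find_gadget_counter(&s, &name));

    /* Drive counter 2 until its bytes read FF E6 (jmp esi). */
    uint32_t target = counter_value_for(0xFF, 0xE6);
    uint32_t n = requests_needed(s.requests[2], (uint16_t)target);
    send_requests(&s, 2, n);

    int idx = find_gadget_counter(&s, &name);
    printf("after %u requests: counter %d decodes as %s\n", n, idx, name);
    return 0;
}
```

The model ignores what follows the two gadget bytes because control has already left the block by then; in the real driver the counter's upper bytes and the neighbouring counters are whatever the server has accumulated, which is why the write-up's choice of a two-byte register-indirect transfer matters.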
## Exploitation
**Issue A (Firefox Bug):**
- **Status:** Published (posted to the full-disclosure list; see References).
- **Complexity:** Medium (a click is required, but the technique works across platforms without shellcode).
- **Attack Vector:** Network (a crafted web page), with user interaction required.
**Issue B (SMBv2 Bug):**
- **Status:** Technique published (the VRT blog write-up; see References).
- **Complexity:** High (requires driving kernel counters to precise values and controlling the address computed from `ProcessHighID`).
- **Attack Vector:** Network.
## Impact
**Issue A (Firefox Bug):**
- **Confidentiality:** High (command execution in the user's context).
- **Integrity:** High (command execution in the user's context).
- **Availability:** Low to High, depending on what the executed command does.
**Issue B (SMBv2 Bug):**
- **Confidentiality:** High (remote code execution in the kernel).
- **Integrity:** High (remote code execution in the kernel).
- **Availability:** High (kernel-mode memory corruption: a failed attempt crashes the host, which is why the bug was first presented as a denial of service).
## Remediation
### Patches
*Specific patch information for these historical vulnerabilities is not provided in the input text.* Remediation requires the security updates Mozilla (Issue A) and Microsoft (Issue B) released after disclosure in 2009.
### Workarounds
*No specific workarounds are detailed in the context.*
For Issue B, blocking SMB (TCP 445/139) at the perimeter and host firewall, or disabling SMBv2 on the server, reduces exposure until the patch is applied; neither replaces the patch.
## Detection
- **Indicators of Compromise:**
- A single client repeating one SMB command thousands of times (needed to drive a per-command counter to a chosen value), or requests carrying unusual `ProcessHighID` values in the header.
- Kernel crash dumps (bugcheck) with the faulting address in `srv2.sys` or `srvnet.sys`, or with control transferred from those drivers into non-code memory; a failed exploitation attempt shows up as a crash rather than a compromise.
- **Detection Methods and Tools:**
- Network intrusion detection systems (NIDS) with signatures for malformed SMBv2 negotiation requests, where available, plus per-client request-rate tallies on TCP 445.
- Memory forensics on the host after a suspected successful exploit, since the payload runs in kernel space and leaves no on-disk binary by itself.
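The two network-side indicators above are cheap to tally from a log of SMB requests. The program below is an added example (not from the VRT write-up or any detection product) of that tally over constructed records: it groups requests by (client, command), and flags a pair when the request count exceeds a threshold or when any request carries a nonzero `ProcessHighID`. The record format, the sample command code and the assumption that ordinary clients leave `ProcessHighID` at zero are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One SMB request as a detector might log it. The field set (client address,
 * command code, header ProcessHighID) is an assumption for this illustration. */
typedef struct {
    const char *src;
    uint8_t     cmd;
    uint16_t    pid_high;
} smb_req;

/* Per (client, command) tally. */
typedef struct {
    const char *src;
    uint8_t     cmd;
    uint32_t    requests;
    uint32_t    nonzero_pid_high;
} tally;

#define MAX_TALLIES 64

static tally *tally_for(tally *t, size_t *n, const char *src, uint8_t cmd) {
    for (size_t i = 0; i < *n; i++)
        if (t[i].cmd == cmd && strcmp(t[i].src, src) == 0) return &t[i];
    if (*n == MAX_TALLIES) return NULL;
    t[*n] = (tally){ src, cmd, 0, 0 };
    return &t[(*n)++];
}

/* Flag a (client, command) pair when it exceeds `threshold` requests (the
 * counter-driving pattern) or ever carries a nonzero ProcessHighID (treating
 * nonzero as anomalous is an assumption about normal clients). Flagged pairs
 * are copied to `out` (up to max_out); the return value is the total flagged. */
static size_t flag_suspicious(const smb_req *reqs, size_t nreqs, uint32_t threshold,
                              tally *out, size_t max_out) {
    tally t[MAX_TALLIES];
    size_t nt = 0;
    for (size_t i = 0; i < nreqs; i++) {
        tally *e = tally_for(t, &nt, reqs[i].src, reqs[i].cmd);
        if (!e) break;                       /* table full: stop counting */
        e->requests++;
        if (reqs[i].pid_high != 0) e->nonzero_pid_high++;
    }
    size_t flagged = 0;
    for (size_t i = 0; i < nt; i++) {
        if (t[i].requests > threshold || t[i].nonzero_pid_high > 0) {
            if (flagged < max_out) out[flagged] = t[i];
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample log (not a real capture): a normal client, a client
 * hammering one command 3000 times, and a client with a nonzero ProcessHighID.
 * Command codes are arbitrary sample values. Returns the number of records. */
static size_t build_sample(smb_req *buf, size_t cap) {
    static const uint8_t normal_cmds[] = { 0x72, 0x73, 0x75, 0x2e, 0x04 };
    size_t n = 0;
    for (size_t i = 0; i < 5 && n < cap; i++)
        buf[n++] = (smb_req){ "10.0.0.7", normal_cmds[i], 0 };
    for (size_t i = 0; i < 3000 && n < cap; i++)
        buf[n++] = (smb_req){ "10.0.0.99", 0x72, 0 };
    if (n < cap) buf[n++] = (smb_req){ "10.0.0.23", 0x72, 0x0041 };
    return n;
}

int main(void) {
    smb_req log[4096];
    tally hits[8];
    size_t n = build_sample(log, sizeof log / sizeof log[0]);
    size_t f = flag_suspicious(log, n, 1000, hits, sizeof hits / sizeof hits[0]);
    for (size_t i = 0; i < f && i < 8; i++)
        printf("%s cmd=0x%02x requests=%u nonzero_pid_high=%u\n",
               hits[i].src, hits[i].cmd, hits[i].requests, hits[i].nonzero_pid_high);
    return 0;
}
```

The threshold is the tunable part: on a busy file server a legitimate client can easily issue a thousand reads in a minute, so in practice the count should be per command and per short time window, and the nonzero `ProcessHighID` check is the higher-signal indicator of the two.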
## References
- Kaminsky Firefox Bug Disclosure: hxxp://lists.grok.org.uk/pipermail/full-disclosure/2009-September/070620.html (Defanged)
- SMBv2 Remote Bug Analysis (VRT Blog): hxxp://vrt-sourcefire.blogspot.com/2009/09/smbv2-quotes-dos-quotes.html (Defanged)