CVE-2011-0654 was a 0-day unauthenticated remote code execution vulnerability in the way the Common Internet File System (CIFS) Browser Protocol implementation parses malformed browser messages. Exploiting the vulnerability does not require authentication. An attacker who successfully exploited it could execute arbitrary code and take complete control of an affected system. Microsoft issued the patch for the vulnerability on April 12, 2011.
I decided to analyze the vulnerability in order to derive the conditions for a signature. There are many ways to analyze a vulnerability; one is to execute the publicly available exploit code in a debugger, find the vulnerable function, and then derive the conditions for an IPS/IDS signature. Since recent vulnerabilities in Microsoft products, such as CVE-2009-3103, were caused by improper implementation of the standards defined in Microsoft's own protocol specification documents, I decided to base the analysis on the protocol specification and derive the signature condition from it.
When we execute the exploit code, the resulting packet capture is shown in figure 1.0. As can be seen from the capture, the server name is the field carrying the malicious bytes used to exploit the vulnerability.
Figure 1.0: packet capture when the malicious bytes are sent over the wire
If we refer to Microsoft's protocol specification "[MS-BRWS]: Common Internet File System (CIFS) Browser Protocol Specification", section 2.2.3 Request Election Browser Frame, it can be seen that the server name is required by the specification to be less than 16 bytes long and to be null-terminated.
Figure 2.0: the relevant details from the MS-BRWS protocol specification
Hence, to prevent exploitation of the vulnerability, an intrusion prevention/detection device has to ensure that the length of the server name in a Browser Election Request is less than 16 bytes.
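The check above, written out as an added example (not AlertLogic's signature and not code from the original post). It assumes the RequestElection frame layout from MS-BRWS 2.2.3: a 1-byte OpCode (0x08), 1-byte Version, 4-byte Criteria, 4-byte UpTime and 4 reserved bytes, followed by the ServerName field; the frame bytes are assumed to have already been extracted from the SMB mailslot transaction that carries them. The sample frames are constructed here for illustration.

```python
import struct

OPCODE_REQUEST_ELECTION = 0x08
# opcode(1) + version(1) + criteria(4) + uptime(4) + reserved(4) -- layout assumed from MS-BRWS 2.2.3
HEADER_LEN = 14
# The server name must be null-terminated and shorter than 16 bytes, so the
# terminating null must appear somewhere in the first 16 bytes of the field.
MAX_SERVER_NAME = 16


def inspect_election_request(frame: bytes):
    """Return (verdict, detail): 'ignore' for non-election frames,
    'ok' with the parsed name, or 'alert' with the reason."""
    if len(frame) < HEADER_LEN or frame[0] != OPCODE_REQUEST_ELECTION:
        return "ignore", "not a RequestElection frame"
    version, criteria, uptime, reserved = struct.unpack_from("<BIII", frame, 1)
    name_field = frame[HEADER_LEN:]
    # Only look for the terminator inside the window the specification allows;
    # a null beyond it means the name is too long, exactly the malformed case.
    window = name_field[:MAX_SERVER_NAME]
    nul = window.find(b"\x00")
    if nul < 0:
        return "alert", f"ServerName not null-terminated within {MAX_SERVER_NAME} bytes"
    name = window[:nul].decode("ascii", errors="replace")
    return "ok", name


def build_election_request(server_name: bytes, version=1, criteria=0x20010F00, uptime=3600) -> bytes:
    """Construct a RequestElection frame (test helper, values are made up)."""
    return struct.pack("<BBIII", OPCODE_REQUEST_ELECTION, version, criteria, uptime, 0) + server_name


# Constructed sample frames: one well-formed, one with an over-long, unterminated name.
BENIGN_FRAME = build_election_request(b"WORKGROUP\x00")
MALFORMED_FRAME = build_election_request(b"A" * 40)

if __name__ == "__main__":
    for label, frame in (("benign", BENIGN_FRAME), ("malformed", MALFORMED_FRAME)):
        print(label, inspect_election_request(frame))
```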
AlertLogic customers are protected against exploitation of this vulnerability. We issued the signature on the same day the 0-day was reported.