This module exploits a denial of service flaw in the Microsoft
Windows SMB service on versions of Windows Server 2003 that have been
configured as a domain controller. By sending a specially crafted election
request, an attacker can cause a pool overflow.
The vulnerability appears to be due to an error handling a length value
while calculating the amount of memory to copy to a buffer. When there are
zero bytes left in the buffer, the length value is improperly decremented
and an integer underflow occurs. The resulting value is used in several
calculations and is then passed as the length value to an inline memcpy
Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and
causes considerable damage to kernel heap memory. While theoretically possible,
it does not appear to be trivial to turn this vulnerability into remote (or
even local) code execution.
- jduck <firstname.lastname@example.org>