BSOD ... and even more
By Fabien PERIGAUD, Wednesday 9 September 2009 at 15:01 :: General :: #334
Yesterday, a vulnerability (Lexsi Ref. 12225) announced as a remote denial of service affecting Microsoft Windows Vista, Seven and 2008 was published by a security researcher. It affects the driver for the SMBv2 protocol, a new version of the well-known SMB. By changing a single parameter of an SMB "negotiate protocol" request, a remote attacker can cause a BSOD.
But let's have a closer look...
Running the exploit code against one of our test machines produces the following blue screen:

We note that the affected driver is srv2.sys and that the instruction causing the PAGE_FAULT is located at 0x8E18A749. If we open the driver in a disassembler, we see the following code:

We can see that the modified value from the packet (here in eax) is used directly as an index into a function table! The vulnerability could therefore be exploited to redirect the execution flow to a memory area under the attacker's control, allowing remote execution of arbitrary code with kernel privileges ...
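To make the pattern concrete, here is a constructed C example, not srv2.sys code (the selector field, the table contents and the handlers are hypothetical), contrasting a dispatch routine that trusts a packet field as a table index with one that validates the length and the index before touching the table:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not srv2.sys code. The selector field, the
 * table contents and the handlers are all hypothetical. */
typedef int (*handler_fn)(const uint8_t *body, size_t len);

static int on_negotiate(const uint8_t *b, size_t l) { (void)b; (void)l; return 1; }
static int on_session_setup(const uint8_t *b, size_t l) { (void)b; (void)l; return 2; }
static int on_logoff(const uint8_t *b, size_t l) { (void)b; (void)l; return 3; }

static const handler_fn dispatch[] = { on_negotiate, on_session_setup, on_logoff };
#define DISPATCH_COUNT (sizeof dispatch / sizeof dispatch[0])

/* Hypothetical frame layout: 4-byte little-endian selector, then the body. */
#define SELECTOR_LEN 4

/* Vulnerable pattern, as described above: the selector read off the wire is
 * used directly as the table index. Any value >= DISPATCH_COUNT reads a
 * "function pointer" from memory past the table and calls it. Shown for
 * contrast only; never invoked here. */
int process_frame_unchecked(const uint8_t *buf, size_t len) {
    uint32_t sel = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                   (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    return dispatch[sel](buf + SELECTOR_LEN, len - SELECTOR_LEN);
}

/* Hardened version: validate the length and the selector before either
 * touches the table, and fail closed (-2 truncated frame, -1 bad selector)
 * instead of trusting the wire value. */
int process_frame_checked(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < SELECTOR_LEN)
        return -2;
    uint32_t sel = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                   (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (sel >= DISPATCH_COUNT)
        return -1;
    return dispatch[sel](buf + SELECTOR_LEN, len - SELECTOR_LEN);
}
```

The rejected cases are exactly the ones a driver should log and drop rather than dispatch, since a kernel page fault on a malformed request is the best-case outcome of the unchecked version.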
It is unfortunate that the researcher did not follow responsible disclosure practice by reporting the vulnerability to Microsoft without publishing it, giving the vendor time to fix it before any exploitation in the wild occurs. Perhaps he thought a simple denial of service was not "that" critical ...