Executive Summary

Title Vulnerabilities in SMB Could Allow Remote Code Execution
Name KB975497 First vendor Publication 2009-09-08
Vendor Microsoft Last vendor Modification 2009-10-13
Severity (Vendor) N/A Revision 2.0

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


General Information

Executive Summary

Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-050 to address this issue. For more information about this issue, including download links for an available security update, please review MS09-050. The vulnerability addressed is the SMBv2 Negotiation Vulnerability - CVE-2009-3103.


  • You can provide feedback by completing the form by visiting the following Web site.
  • Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see the Microsoft Help and Support Web site.
  • International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
  • The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.


The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • V1.0 (September 8, 2009): Advisory published.
  • V1.1 (September 17, 2009): Clarified the FAQ, What is SMBv2? Added a link to Microsoft Knowledge Base Article 975497 to provide an automated Microsoft Fix it solution for the workaround, Disable SMB v2.
  • V1.2 (September 23, 2009): Clarified the FAQ, What is Server Message Block Version 2 (SMBv2)? Also clarified the impact of the workaround, Disable SMB v2.
  • V2.0 (October 13, 2009): Advisory updated to reflect publication of security bulletin.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/975497.mspx

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6489
Oval ID: oval:org.mitre.oval:def:6489
Title: SMBv2 Negotiation Vulnerability
Description: Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
Family: windows Class: vulnerability
Reference(s): CVE-2009-3103
Version: 3
Platform(s): Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): SMBv2
Definition Synopsis:

CPE : Common Platform Enumeration

Os 7
Os 5

SAINT Exploits

Description Link
Windows SMB2 buffer overflow More info here

ExploitDB Exploits

id Description
2009-09-09 Windows Vista/7 SMB2.0 Negotiate Protocol Request Remote BSOD Vuln

OpenVAS Exploits

Date Description
2009-10-15 Name : Microsoft Windows SMB2 Negotiation Protocol Remote Code Execution Vulnerability
File : nvt/secpod_ms09-050-remote.nasl
2009-10-01 Name : Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Executio...
File : nvt/ms_smb2_highid.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
57799 Microsoft Windows srv2.sys Kernel Driver SMB2 Malformed NEGOTIATE PROTOCOL RE...

Microsoft Windows contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when a malicious user sends a specially crafted NEGOTIATE PROTOCOL REQUEST SMBv2 packet with an & (ampersand) character in a Process ID High header field, causing an attempted dereference of an out-of-bounds memory location. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Windows SMB malformed process ID high field denial of service attempt
RuleID : 26643 - Revision : 6 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB malformed process ID high field remote code execution a...
RuleID : 15930 - Revision : 23 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2009-10-13 Name : The remote SMB server can be abused to execute code remotely.
File : smb_nt_ms09-050.nasl - Type : ACT_GATHER_INFO
2009-09-08 Name : Arbitrary code may be executed on the remote host through the SMB port
File : smb2_pid_high_vuln.nasl - Type : ACT_ATTACK

Alert History

If you want to see full details history, please login or register.
Date Informations
2020-05-23 13:17:11
  • Multiple Updates
2016-03-05 21:25:10
  • Multiple Updates
2016-03-05 17:24:18
  • Multiple Updates
2014-01-19 21:29:42
  • Multiple Updates
2013-09-05 21:20:21
  • Multiple Updates
2013-05-11 00:46:47
  • Multiple Updates