Hi,

Just to confirm that Microsoft has not fixed the NtClose/ZwClose DeadLock vulnerability. The bulletin MS06-030 addressed this flaw as "SMB Invalid Handle Value", which is just a euphemism from my point of view. The code added to mrxsmb.sys is just a wrapper in order to avoid the "Invalid Handle".

I am sure that Microsoft has its own reasons to do this, which I do not care about. I'm not interested in discussing. However, I think that the Driver Developer community should be informed that using NtClose/ZwClose, the driver will be exposed to a security issue by default. If this issue is considered a feature, please document it. A developer is not strictly required to know this behaviour.

------
case IOCTL_CLOSEHANDLE_DEADLOCK:
    /* The handle value is read straight from the caller's IOCTL input buffer. */
    inBuf = Irp->AssociatedIrp.SystemBuffer;
    ZwClose((HANDLE)inBuf[0]);
------

References:
- Reversing mrxsmb.sys, Chapter II "NtClose DeadLock"
  http://www.reversemode.com/index.php?option=com_content&task=view&id=14&Itemid=1

Rubén Santamarta, www.reversemode.com
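An added example, not part of the original post: a small Python heuristic for auditing driver source for the pattern in the snippet above, a ZwClose/NtClose call whose handle comes from the IOCTL input buffer. The function names, the sample source and the IOCTL_EXAMPLE_* cases are constructed for illustration.

```python
import re

# Expressions that expose caller-supplied IOCTL data in a WDM dispatch routine.
USER_SOURCES = re.compile(r"SystemBuffer|Type3InputBuffer|UserBuffer")
ASSIGN = re.compile(r"\b([A-Za-z_]\w*)\s*=(?!=)\s*([^;]+);")
CLOSE_CALL = re.compile(r"\b(ZwClose|NtClose)\s*\((.*)\)\s*;")
IDENT = re.compile(r"[A-Za-z_]\w*")

def _user_derived(expr, tainted):
    """True if expr reads an IOCTL buffer or a variable derived from one."""
    return bool(USER_SOURCES.search(expr)) or bool(tainted.intersection(IDENT.findall(expr)))

def find_user_handle_closes(source):
    """Return (line_no, api, argument) for each close call on IOCTL-derived data.

    Heuristic only: one statement per line, // comments, no cross-function flow.
    """
    tainted, findings = set(), []
    for line_no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]
        for name, rhs in ASSIGN.findall(code):
            if _user_derived(rhs, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)  # overwritten with a driver-owned value
        for api, arg in CLOSE_CALL.findall(code):
            if _user_derived(arg, tainted):
                findings.append((line_no, api, arg.strip()))
    return findings

# Constructed sample: the first case is the post's snippet (break added),
# the two IOCTL_EXAMPLE_* cases are made up for this example.
SAMPLE = r'''
case IOCTL_CLOSEHANDLE_DEADLOCK:
    inBuf = Irp->AssociatedIrp.SystemBuffer;
    ZwClose((HANDLE)inBuf[0]);
    break;
case IOCTL_EXAMPLE_INDIRECT:              // constructed case
    req = (PULONG)Irp->AssociatedIrp.SystemBuffer;
    h = (HANDLE)req[1];
    status = NtClose(h);
    break;
case IOCTL_EXAMPLE_OWN_HANDLE:            // constructed case
    status = ZwCreateFile(&hLog, GENERIC_WRITE, &oa, &iosb, NULL, 0, 0, FILE_OPEN_IF, 0, NULL, 0);
    ZwClose(hLog);
    break;
'''

if __name__ == "__main__":
    for line_no, api, arg in find_user_handle_closes(SAMPLE):
        print(f"line {line_no}: {api}({arg}) closes a handle taken from the IOCTL buffer")
```

Hits are review candidates rather than confirmed defects; the close of `hLog`, a handle the driver opened itself, is not reported.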