Nmap Development mailing list archives

Re: NSE Script to exploit the Windows Vista and 7 SMB 2.0 remote BSOD bug?


From: Rob Nicholls <robert () robnicholls co uk>
Date: Thu, 10 Sep 2009 18:34:45 +0100

On Thu, 10 Sep 2009 09:03:04 -0500, Ron <ron () skullsecurity net> wrote:
> I haven't researched this -- do you know if there's a way to check for
> this vulnerability without crashing (or actively exploiting) the
> machine?

Hi Ron,

I was hoping there might be an easier/less invasive way of testing this by
checking the SMB2 version number, as they incremented the number from 2.001
to 2.002 with MS07-063:
http://blogs.technet.com/srd/archive/2007/12/27/ms07-063-insecure-smbv2-signing-algorithm.aspx

Sadly, it seems that Windows 7 RTM passes the same dialects as Vista ("SMB
2.002" and "SMB 2.???") so any tests based on this value alone would result
in false positives on Windows 7 RTM. Also, there's no guarantee that
Microsoft will bump the version number up with the new patch (MS07-063 was
an insecure implementation; the current exploit appears to be a stack
overflow from a single packet). Seeing as RTM didn't change the version
number when they fixed the issue, it's possible (or very probable) they
won't change the version with the new patch.

Rob
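An added illustration of the point above (my own code, not part of the thread and not Nmap's NSE code): it parses the Dialects buffer of an SMB_COM_NEGOTIATE request, using a constructed sample, and classifies only what the advertised dialect strings actually establish, so a "SMB 2.002" host is reported as inconclusive rather than as vulnerable. Function and result names are my own.

```python
# Constructed sample: the Dialects buffer of an SMB_COM_NEGOTIATE request.
# Each entry is a 0x02 "buffer format" byte followed by a NUL-terminated
# ASCII dialect string; the SMB2 dialects come last, as Vista/7 send them.
SAMPLE_DIALECTS = (
    b"\x02PC NETWORK PROGRAM 1.0\x00"
    b"\x02LANMAN1.0\x00"
    b"\x02NT LM 0.12\x00"
    b"\x02SMB 2.002\x00"
    b"\x02SMB 2.???\x00"
)

def parse_dialects(buf: bytes) -> list:
    """Split an SMB_COM_NEGOTIATE Dialects buffer into its dialect strings.
    Raises ValueError on a malformed entry instead of guessing."""
    dialects = []
    pos = 0
    while pos < len(buf):
        if buf[pos] != 0x02:
            raise ValueError(f"bad buffer-format byte at offset {pos}")
        end = buf.find(b"\x00", pos + 1)
        if end == -1:
            raise ValueError("unterminated dialect string")
        dialects.append(buf[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects

def assess_smb2_dialects(dialects: list) -> str:
    """Report what the advertised SMB2 dialect strings do and do not tell us."""
    smb2 = [d for d in dialects if d.startswith("SMB 2.")]
    if not smb2:
        return "no-smb2"
    if "SMB 2.001" in smb2:
        # Per the thread, the dialect was bumped from 2.001 to 2.002 with MS07-063.
        return "smb2-pre-ms07-063"
    if "SMB 2.002" in smb2:
        # Vista and Windows 7 RTM both advertise 2.002 and 2.???, so the
        # dialect alone cannot separate patched from unpatched hosts.
        return "smb2-version-inconclusive"
    return "smb2-unknown-dialect"

if __name__ == "__main__":
    found = parse_dialects(SAMPLE_DIALECTS)
    print(found, "->", assess_smb2_dialects(found))
```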


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org