Sunday, October 4, 2009

More explication on CVE-2009-3103

This short post is an answer to the many questions i received regarding how i found the smb2 bug.
I said to securityfocus: "this bug was found in 3 seconds and 15 packet with my home made fuzzer"; it's true.
I also pointed at MS lack of S.Q.A on SMB2; it's true.
I was studying SMB and RPC since a while, and all my tests/fuzzing was failure, until i changed my fuzzing approach with SMB2;
Single Network Byte Fuzzing.
So i hardcoded a pretty simple fuzzer (python) for this approach:
----------------------------------------------------------
from socket import *
from time import sleep
from random import choice

host = "IP_ADDR", 445

#Negotiate Protocol Request
packet = [chr(int(a, 16)) for a in """
00 00 00 90
ff 53 4d 42 72 00 00 00 00 18 53 c8 00 00 00 00
00 00 00 00 00 00 00 00 ff ff ff fe 00 00 00 00
00 6d 00 02 50 43 20 4e 45 54 57 4f 52 4b 20 50
52 4f 47 52 41 4d 20 31 2e 30 00 02 4c 41 4e 4d
41 4e 31 2e 30 00 02 57 69 6e 64 6f 77 73 20 66
6f 72 20 57 6f 72 6b 67 72 6f 75 70 73 20 33 2e
31 61 00 02 4c 4d 31 2e 32 58 30 30 32 00 02 4c
41 4e 4d 41 4e 32 2e 31 00 02 4e 54 20 4c 4d 20
30 2e 31 32 00 02 53 4d 42 20 32 2e 30 30 32 00
""".split()]


while True:
#/Core#
what = packet[:]
where = choice(range(len(packet)))
which = chr(choice(range(256)))
what[where] = which
#/Core#
#sending stuff @host
sock = socket()
sock.connect(host)
sock.send(' '.join(what))
sleep(0.1) # dont flood it
print 'fuzzing param %s' % (which.encode("hex"))
print 'complete packet %s' % (''.join(what).encode("hex"))
# When SMB Or RPC die (with TCP), sock get a timed out and die @the last packet, printing these things is more than usefull
sock.close()
----------------------------------------------------------

This simple fuzzer pwned smb2 in 3 seconds.
Nothing special here, no wheel reinvented.
Alot of security gurus were claming that auditing SMB/Netbios/TCP-IP on MS* was a waste of time.
I dont believe in these assumptions, and I definatly prefer to "waste my time"...

Also MSRC and I had a 40 emails discussion, regarding this disclosure and BLAH...
As I said in those emails, if it would've been just a little harder to find, I would've done a coordinated disclosure.
This stupid bug is a good example on how assumptions sucks, and also of how you can't rely on relational marketing. When bugs
like this hits the fan everyone goes WTF, and it gets healthy in the end, for the lambda user. MS performed a code review on SMB2
after which they said :
"For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing.
They are now in stress testing, 3rd-party application testing, and fuzzing. We'd sure like to complete all that testing
before the update needs to be released"
Yep it sounds nice, clean and transparent, but if they would have done this on the MS07-063 patch they would have found this
bug in 3 seconds not in 4 weeks of hardcore fuzzing and this is a fact ;)

Yes Full-Disclosure is usefull, and yes i believe in it.

12 comments:

Anonymous said...

MS07-063 is a red herring, the vulnerability you found is present in Vista RTM.

Anonymous said...

Nice fuzzing utility! -kc

Anonymous said...

Very inspiring, thanks for sharing!

Wendy said...

awesome. keep it up

hapbt said...

thanks for finding this and the soulseek bugs, not just announcing them, but explaining them and providing examples, very helpful to everyone involved.
the question nobody asks is, if you found this in 3 seconds, how long has it been in-use and simply not disclosed by whoever else has found it?

Anonymous said...

I never saw a fuzzer like that before, it's just awesome!

Anonymous said...

"As I said in those emails, if it would've been just a little harder to find, I would've done a coordinated disclosure."

Meanwhile you put those of us running 32bit Vista at risk?

Oh yes, my vendor should have protected me better, I know.

I understand that you feel that full disclosure ultimately protects customers better, but I don't care how much a jerk a vendor is, you give them an appropriate time to react.

The minute you put anyone at risk, the minute we all fail.

Anonymous said...

@last post
Bawwwwwwwwwww! Turn on your firewall scrub.

Anonymous said...

If you use eEye Digital Security's Blink Endpoint protection suit, you can mitigate the threat this poses to you.

Either way, that is a nice fuzzing tool. Have considered developing fuzzing tools (closed source) of your own to sell?

Anonymous said...

your fuzzer is incredibly small and so powerfull!

Anonymous said...

nice work

Anonymous said...

Thanks for posting your homebrew fuzzer. This is very helpful to those of us new to this type of research.

This may be obvious to some but I had to remove the space in ' ' for sock.send(' '.join(what)) to get this to work.

Post a Comment