ALERT! Win 7 and vista users, re SMB
Posted: Wed Sep 09, 2009 9:59 am
by vampyrewolf
http://seclists.org/fulldisclosure/2009/Sep/0039.html
and a proof of concept on command line
http://www.dereenigne.com/
http://hackaday.com/2009/09/09/windows- ... b-exploit/
Essentially puts it forward that if you have file sharing enabled you can receive a BSoD.
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to a SMB server, and it's used
to identify the SMB dialect that will be used for further communication.
#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket
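Added example (not part of the original post or the linked advisory): a defender-side check that parses the SMB1 header of a captured TCP/445 payload and flags a NEGOTIATE PROTOCOL REQUEST whose "Process Id High" field is non-zero. Treating any non-zero value as suspicious is an assumption of this example, and `inspect_frame` and `sample_frame` are hypothetical names; the sample frames are constructed headers only.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72      # NEGOTIATE PROTOCOL REQUEST command code
SMB_FLAGS_REPLY = 0x80        # set on server responses
# 32-byte SMB1 header: magic, command, status, flags, flags2, PIDHigh,
# security features, reserved, TID, PIDLow, UID, MID (little-endian)
HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def inspect_frame(frame: bytes):
    """Classify one TCP/445 payload; returns (verdict, detail)."""
    if len(frame) < 4 + HEADER.size:
        return ("ignore", "too short to hold an SMB1 header")
    if frame[0] != 0x00:
        return ("ignore", "not a session message")
    declared = int.from_bytes(frame[1:4], "big")
    if declared < HEADER.size or declared > len(frame) - 4:
        return ("malformed", f"declared length {declared} does not fit capture")
    magic, command, _status, flags, _flags2, pid_high = \
        HEADER.unpack_from(frame, 4)[:6]
    if magic != SMB1_MAGIC:
        return ("ignore", "not SMB1")
    if command != SMB_COM_NEGOTIATE or flags & SMB_FLAGS_REPLY:
        return ("ignore", "not a negotiate request")
    if pid_high != 0:
        # Assumption of this example: a benign first request leaves it zero.
        return ("alert",
                f"Process ID High = 0x{pid_high:04x} in negotiate request")
    return ("ok", "negotiate request with Process ID High = 0")


def sample_frame(pid_high, command=SMB_COM_NEGOTIATE, flags=0x18):
    """Constructed test input: framing plus bare header, no dialect list."""
    header = HEADER.pack(SMB1_MAGIC, command, 0, flags, 0, pid_high,
                         bytes(8), 0, 0, 0, 0, 0)
    return b"\x00" + len(header).to_bytes(3, "big") + header


if __name__ == "__main__":
    for frame in (sample_frame(0), sample_frame(ord("&")),
                  sample_frame(ord("&"), flags=0x98), sample_frame(0)[:20]):
        print(inspect_frame(frame))
```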
Posted: Wed Sep 09, 2009 11:29 am
by tonydahose
what does that mean in English please :)
Posted: Wed Sep 09, 2009 11:56 am
by vampyrewolf
from wiki:
In computer networking, Server Message Block (SMB) operates as an application-layer network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It also provides an authenticated Inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows, where it is often known as "Microsoft Windows Network".
When discussing SMB, one should distinguish:
* the SMB protocol
* the SMB services that run on the protocol
* NetBIOS
* the DCE/RPC services that use SMB as an authenticated Inter-process communication channel (over named pipes)
* the "Network Neighborhood" protocols which primarily (but not exclusively) run as datagram services directly on the NetBIOS transport
pretty much means that an "invalid" request has the ability to kill your system if you have that port open (default is port 443 I believe). And that it's not hard to send an invalid request maliciously. Only affects systems with the driver installed, which means Win 7, Vista and Server 2008 (as far as I can find).
Best bet is to close the port until someone finds a fix for it.
Posted: Wed Sep 09, 2009 11:57 am
by 65535
Mac for the win.
Posted: Wed Sep 09, 2009 11:59 am
by vampyrewolf
xp pro and opensuse :p
Posted: Wed Sep 09, 2009 2:09 pm
by psimonl
Thanks for the info, Vampyrewolf, but...
Some of your computer-related threads are very hard to understand... :confused:
Simon
Posted: Wed Sep 09, 2009 2:53 pm
by vampyrewolf
I confuse folks any time I talk to most people about computers :p
And then when I talk with IT folks few of em understand why I have a backup server with hardware that's 6-7 years old

Posted: Wed Sep 09, 2009 4:40 pm
by Kuolema
Argh, another problem with my operating system.
All's I got to say is when I get my Win 7 Professional upgrade on my NetBook, this problem better be fixed. :mad:
Thanks for the heads up, though. I'm never on top of these things and with me relying on my PCs and Laptops for University, you could have just saved my life. :p
Thanks again!
Posted: Wed Sep 09, 2009 4:51 pm
by Tank
vampyrewolf wrote:
Best bet is to close the port until someone finds a fix for it.
I have vista, so how do I close this port?
Thanks
Posted: Wed Sep 09, 2009 5:43 pm
by vampyrewolf
Not sure where vista hides the firewall, I'd have to look it up.
SMB is on port 445, you'd just have to close that port on the firewall.
Posted: Wed Sep 09, 2009 6:57 pm
by mikebandw186
psimonl wrote:Thanks for the info, Vampyrewolf, but...
Some of your computer-related threads are very hard to understand... :confused:
Simon
I get the same reaction when I say stuff like "Peel ply carbon fiber, S30V, micro serrations and a wire clip!"
Posted: Wed Sep 09, 2009 7:45 pm
by araneae
Can I just use duct tape?
Posted: Wed Sep 09, 2009 11:13 pm
by hickster
65535 wrote:Mac for the win.
Roger that!

hickster
Posted: Thu Sep 10, 2009 6:15 am
by The Deacon
Question is, would this be an issue if your computer is configured so that file sharing is only allowed with computers within your trusted zone?
Posted: Thu Sep 10, 2009 7:42 am
by vampyrewolf
There is always the possibility of having a bad request come from internally, but blocking SMB external and forcing the use of FTP for external should take care of an external attack. And as far as internal users breaking it, that's why we keep backups, right?
Posted: Thu Sep 10, 2009 11:20 am
by m.and
65535 wrote:Mac for the win.
+1. Love my Macs. :D
Posted: Thu Sep 10, 2009 12:18 pm
by The Deacon
Ok, so if (BIG IF) I'm understanding this correctly, this is not really a security issue. By that I mean no real harm is done, no viruses, no file corruption, nothing phoning home with your banking details. Worst case, your machine locks up, but when you reboot, things are back to normal. Mine never was set up to allow file sharing, I still do transfers to and from my laptop the old fashioned way, sneaker net. :o :D
Truth be known, I'm quite happy overall with Vista. Aside from the single annoying habit of rebooting without warning to install updates, it's been rock steady for me since I got this machine.
Posted: Thu Sep 10, 2009 12:31 pm
by tonydahose
The Deacon wrote:
Truth be known, I'm quite happy overall with Vista. Aside from the single annoying habit of rebooting without warning to install updates, it's been rock steady for me since I got this machine.
i know i am going out on a really thin branch here but can't you change that in the settings of windows update? at least to pick which ones to install?
Posted: Thu Sep 10, 2009 2:23 pm
by The Deacon
tonydahose wrote:i know i am going out on a really thin branch here but can't you change that in the settings of windows update? at least to pick which ones to install?
Tony, you're correct. More a mixture of procrastination and forgetfulness on my part. Every time it happened I swore I was going to fix it - later. :o Finally changed the settings. :D
Posted: Mon Oct 05, 2009 2:09 pm
by Tank
any word if this issue has been resolved?