Slashdot Mirror


Zero-Day Windows Security Flaw Can Crash Systems, Cause BSODs (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: A zero-day bug affecting Windows 10, 8.1, Windows Server 2012 and 2016 can be exploited to crash a vulnerable system and possibly even to compromise it. It is a memory corruption bug in the handling of SMB traffic that could be easily exploited by forcing a Windows system to connect to a malicious SMB share. Tricking a user to connect to such a server should be an easy feat if clever social engineering is employed. The vulnerability was discovered by a researcher who goes by PythonResponder on Twitter, and who published proof-of-exploit code for it on GitHub on Wednesday. The researcher says that he shared knowledge of the flaw with Microsoft, and claims that "they had a patch ready 3 months ago but decided to push it back." Supposedly, the patch will be released next Tuesday. The PoC exploit has been tested by SANS ISC CTO Johannes Ullrich, and works on a fully patched Windows 10. "To be vulnerable, a client needs to support SMBv3, which was introduced in Windows 8 for clients and Windows 2012 on servers," he noted, and added that "it isn't clear if this is exploitable beyond a denial of service." Until a patch is released, administrators can prevent it from being exploited by blocking outbound SMB connections (TCP ports 139 and 445, UDP ports 137 and 138) from the local network to the WAN, as advised by CERT/CC. "The tweet originally announcing this issue stated that Windows 2012 and 2016 is vulnerable," the researcher said. "I tested it with a fully patched Windows 10, and it got an immediate blue screen of death."
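
The CERT/CC mitigation quoted above (block outbound TCP 139/445 and UDP 137/138 from the LAN to the WAN), as an added example that is not part of the Help Net Security report, the Slashdot summary or the PoC on GitHub: a PowerShell script for the Windows host firewall on Windows 8 / Server 2012 and later, run from an elevated prompt. The advice as given is for the perimeter firewall; host rules are the belt-and-braces version for laptops that leave the network. They only stop connections the host itself initiates, so they do nothing against a malicious SMB server that is already on the local subnet. The rule names, the decision to spell out the non-RFC 1918 ranges rather than rely on the firewall's `Internet` address keyword, and the `-Profile Any` scope are my choices, not anything Microsoft or CERT/CC published.

```powershell
# Added example (not from the article or the PoC): host-level equivalent of the
# CERT/CC advice, blocking SMB/NetBIOS that this machine initiates toward
# non-RFC 1918 addresses. Run elevated on Windows 8 / Server 2012 or later.

# Everything routable that is not 10/8, 172.16/12 or 192.168/16, written as
# explicit ranges so the rule does not depend on Network Location Awareness
# deciding what "Internet" means on a server. Loopback, 169.254/16 and
# multicast are deliberately left out; they never reach a WAN anyway.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# One rule per protocol; the names are my own.
$Rules = @(
    @{ Name = 'Block outbound SMB (TCP 139,445) to WAN';     Protocol = 'TCP'; Ports = @(139, 445) },
    @{ Name = 'Block outbound NetBIOS (UDP 137,138) to WAN'; Protocol = 'UDP'; Ports = @(137, 138) }
)

foreach ($r in $Rules) {
    # Idempotent: drop any earlier copy so re-running does not stack duplicates.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Block rules win over allow rules in the Windows Firewall, so this holds
    # even on hosts where outbound traffic is allowed by default.
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Protocol $r.Protocol -RemotePort $r.Ports `
        -RemoteAddress $PublicRanges | Out-Null
}

# Verify what actually got installed: read the port and address filters back
# rather than trusting that the cmdlet stored what we passed.
foreach ($r in $Rules) {
    $rule = Get-NetFirewallRule -DisplayName $r.Name
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $rule.DisplayName
        Enabled    = $rule.Enabled
        Action     = $rule.Action
        Protocol   = $port.Protocol
        RemotePort = ($port.RemotePort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ' ')
    }
}
```

If your file servers sit on internal space that is not RFC 1918 (some enterprises route public ranges internally), extend the allowlist by trimming the corresponding range out of `$PublicRanges` before creating the rules; once Microsoft's patch is installed the two rules can be removed with `Remove-NetFirewallRule -DisplayName 'Block outbound * to WAN'`.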

64 comments

  1. 10 = Blue Screen by turkeydance · · Score: 1

    didn't they change it to a green screen?

    1. Re:10 = Blue Screen by The-Ixian · · Score: 1

      I believe that it is whatever accent color you choose for Windows 10 in general.

      --
      My eyes reflect the stars and a smile lights up my face.
  2. Our Windows Server 2012 R2 servers have been... by Anonymous Coward · · Score: 0

    crashing constantly all day. We don't have those ports open to the Internet since only port 443 is allowed in, but they're still crashing.

    1. Re:Our Windows Server 2012 R2 servers have been... by cavreader · · Score: 2

      Crashing all day? I suggest getting a book or taking a class on how to install and configure 2012 servers. Or maybe just get someone who knows what the hell they are doing to set up your server(s). The #1 cause of server exploits in both Windows and Linux OSes is the idiot administrators.

    2. Re:Our Windows Server 2012 R2 servers have been... by Anonymous Coward · · Score: 0

      And I have VM hosts under heavy load that have over a year of uptime. Sounds like whoever is running the show is inept as hell.

    3. Re:Our Windows Server 2012 R2 servers have been... by Anonymous Coward · · Score: 0

      If a system/domain/network administrator needs a class or a book to set up a stable basic system, they are in the wrong line of work. Most of the security related defaults are pretty sensible these days for most operating systems - you have to intentionally install/enable rather than intentionally uninstall/disable dangerous things for the most part.

      On the other hand, once the custom/3rd party/vendor supported stuff comes on board, administrators have more uncertainty. For a not-so-hypothetical situation: How many different possible printer combinations might an admin need to deal with? Sure, the base OS as a file/print server is a known thing - no problem. Next thing you know, a delivery arrives from CDW attn: you. Yes, the three vetted printer models work just fine but surprise! An exec just purchased some all-in-one piece of crap with a 600 MB installer and they want ALL the features.

      Guess which all-in-one installer package caused the BSOD. Guess what is a part of the system/domain/network - it isn't just the bits and the chips - it is the hardware, software, wetware, politics, finances and all the other warts existing in all organizations. Hell, the fact that zero-days exist is because someone, somewhere was motivated by something. That something was a reward of some kind - someone benefited and the system as a whole had to pay the price for that reward.

    4. Re:Our Windows Server 2012 R2 servers have been... by Anonymous Coward · · Score: 1

      We usually have 9.1 crashes per day on our Windows servers, but today we had over three hundred. We have TCP port 139 open from our internal network to production, so maybe one of our employees has an infection. After closing that port about twenty minutes ago, there's only been a single Windows server that crashed. Glad I found this story.

    5. Re:Our Windows Server 2012 R2 servers have been... by Anonymous Coward · · Score: 1

      Are people logged into those servers and browsing the web? This hole can be exploited if your network allows *outbound* traffic on ports 137/138/139/445. A malicious or compromised web page can embed a link like <img src="\\1.2.3.4\share$\exploit"> and now you're owned, even if inbound SMB is blocked.

    6. Re:Our Windows Server 2012 R2 servers have been... by gravewax · · Score: 1

      I would suggest looking in a mirror to find the issue then.

    7. Re:Our Windows Server 2012 R2 servers have been... by Anonymous Coward · · Score: 0

      Unless you are a retard and allow those users to log on to your servers and browse the internet and email from there, this is almost certainly not the issue. This is not an inbound attack.

    8. Re:Our Windows Server 2012 R2 servers have been... by cavreader · · Score: 1

      I didn't mean to imply all administrators are idiots. There are a lot of very good administrators out there but at the same time there are also a lot of not so good administrators.

      "If a system/domain/network administrator needs a class or a book to setup a stable basic system, they are in the wrong line of work"
      Maybe they are just entry level newbies that do need books and classes to supplement their real world experience.

  3. What do Linux users and BLM have in common ? by Anonymous Coward · · Score: 0

    They both hate windows :)

  4. Eh by AlphaBro · · Score: 1

    Unless there's a PoC that demonstrates remote code execution, this isn't really newsworthy.

  5. Re: Our Windows Server 2012 R2 servers have been.. by Anonymous Coward · · Score: 0

    I bet the crashes happened before the update too.

  6. Ha! by HideyoshiJP · · Score: 1

    Ha! Joke's on you! I'm still running SMBv1 with NTLMv1!

    1. Re:Ha! by Anonymous Coward · · Score: 0

      So you don't care that it only took me 11 minutes to brute-force your PASSWORD?

    2. Re:Ha! by Anonymous Coward · · Score: 0

      Are you serious? You can't brute force his passwd, because he doesn't have any type of passwd on his network.

  7. Re: Our Windows Server 2012 R2 servers have been.. by Anonymous Coward · · Score: 0

    Of course they crash several times a day since they're under a heavy load, but they're crashing much more often this afternoon.

  8. Re: Our Windows Server 2012 R2 servers have been. by Anonymous Coward · · Score: 0

    I'd bet it's not Windows itself causing the problem.

  9. Re: Our Windows Server 2012 R2 servers have been.. by Anonymous Coward · · Score: 0

    How often did they crash before today? We only get about twenty minutes out of Server 2012 before we have to reboot. That's why we bought an expensive F5 load balancer to put in front of them.

  10. "It's a Bird... It's a Plane... It's SMB!" by weedjams · · Score: 2

    sry, been drinkin' since noon. *grin* game on all and be safe.

  11. Re: Our Windows Server 2012 R2 servers have been. by Anonymous Coward · · Score: 0

    When they blue screen constantly, then maybe it's the app, but I blame Windows.

  12. Yet another reason... by LVSlushdat · · Score: 2, Informative

    Yet another reason, if we really *need* another, to quit using MS products. I used/supported MS products for 20 years as a sysadmin, but when I retired in 2010, I decided I was done with Windows on my personal systems. I had been dual-booting Win7 and Linux, but once I made the decision, I simply deleted the Win7 partition, and reinstalled grub. After 6 years of zero MS, I've not missed it a bit. In fact, I'm forced to use Windows in a part-time volunteer support position with a local charity, and I find that using Windows now, after being 100% Linux for going on 7 years, is very unnatural. After seeing all of the multiple forms of abuse MS heaps on those who still use Windows, I couldn't be happier with my decision...

    --
    THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    1. Re:Yet another reason... by Gravis+Zero · · Score: 1

      Yet another reason, if we really *need* another, to quit using MS products.
      [...]
      After seeing all of the multiple forms of abuse MS heaps on those who still use Windows...

      Hold your horses buddy! You can't just take my schadenfreude joy away! I mean, come on, not when the real suffering is just about to begin! ;)

      --
      Anons need not reply. Questions end with a question mark.
  13. You CAN blame it on Trump. Won't be true . . . by mmell · · Score: 1

    but we can certainly blame Trump - say, because he's making Microsoft come to him to ask for an exception on the (Muslim) immigration ban. Without access to employees willing to be chained to their oars . . . er, desks, how can Microsoft continue to bring us the innovative software we've come to know and expect from them?

    No, on second thought let's not blame it on Trump. There's plenty else he correctly deserves the blame for, and Microsoft alone is responsible for the reputation and state of the OS software they provide. Software which while not perfect has nonetheless improved considerably over the years. They've made numerous mistakes along the way but as a UNIX Administrator with well over two decades of experience I can tell you their current product offering is considerably more stable, more usable and less vulnerable than it used to be. Anybody who remembers Windows 2.0, 3.1, 95, 98, ME and XP will no doubt have horror stories relating to feeling like Microsoft's crash test dummies. It hasn't stopped, but my personal experience is that it seems to happen less often than it used to.

  14. pointless? by gravewax · · Score: 1

    If you have found someone stupid enough that you can socially engineer this way then you can get them to do something far worse without any need to exploit a bug. Seems a pointless exploit at this point unless someone can work out a way to engineer a remote attack that doesn't involve user stupidity.

  15. Stupid by duke_cheetah2003 · · Score: 2

    Attacking SMB is retarded. SMB services should -never- ever be exposed to the internet, under any circumstances. Anyone who does expose SMB to the internet deserves to get hacked. Bury that crap in a VPN, use a firewall, and disregard this silliness.

    1. Re:Stupid by Lord+Crc · · Score: 3, Informative

      SMB services should -never- ever be exposed to the internet, under any circumstances.

      If it's like the last SMB issue, then the issue is not that they send packets to an SMB server, but rather get the machine to connect (outbound) to a malicious SMB server, which replies with malicious packets.

      This can be done using standard phishing tricks.

      This is why one should block outbound SMB traffic as well.

    2. Re:Stupid by Anonymous Coward · · Score: 0

      Pointless to block; a moron that will fall for such a standard phishing technique will just as easily fall for something far more malicious like running an executable or filling in his credentials on a fake web site.

    3. Re:Stupid by Anonymous Coward · · Score: 1

      It's not about exposing SMB services, it's about permitting SMB clients.

    4. Re:Stupid by duke_cheetah2003 · · Score: 1

      This is why one should block outbound SMB traffic as well.

      As I said, firewall. Keep that junk contained to an intranet/VPN. SMB does not belong on the internet, in the clear at least.

    5. Re:Stupid by Billly+Gates · · Score: 1

      This is why one should block outbound SMB traffic as well.

      As I said, firewall. Keep that junk contained to an intranet/VPN. SMB does not belong on the internet, in the clear at least.

      No Grandma ... look go to 192.168.1.1. No grandma in your browser ... no in Chrome type that in ... no go to firewall ...

    6. Re:Stupid by Anonymous Coward · · Score: 1

      And that will prevent an attack from inside your network exactly how? Even if you disallow any foreign machines from attaching to your network, it only takes one connection to an existing compromised machine to spread. The only solution is to get rid of SMB network or fix the SMB stack.

    7. Re:Stupid by Anonymous Coward · · Score: 0

      Yup - only companies like Sony have those ports open to the world...

    8. Re:Stupid by fisted · · Score: 1

      Attacks from inside the network can typically be traced to one particular machine+user. Who's then getting fired and/or sued.

    9. Re:Stupid by 140Mandak262Jamuna · · Score: 2

      What if the night janitor is bribed to plug a USB dongle into some exposed USB port in some machine?

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  16. Re: Our Windows Server 2012 R2 servers have been. by Anonymous Coward · · Score: 1

    Those blue screens and the event viewer are probably trying to tell you something. You may want to look into it.

    My bet is bad memory or some other faulty component or a bad driver.

  17. Irresponsible disclosure by Etcetera · · Score: 2, Interesting

    Regardless of whether they pushed it back or not, if they're planning to release next Tuesday then disclosing the hole with PoC exploit code is just irresponsible. You could have waited 5 more days.

    1. Re:Irresponsible disclosure by phantomfive · · Score: 1

      Make sure your SMB is behind a firewall.

      --
      "First they came for the slanderers and i said nothing."
    2. Re: Irresponsible disclosure by subk · · Score: 3, Insightful

      Make sure your SMB is behind a firewall.

      RTFA: It is not an attack on your SMB. It's a phishing-style attack vector that tricks users into contacting a malicious server. More appropriately, one should block outbound SMB traffic to "not your SMB".

      --
      Now, if you'll excuse me, I have backups to corrupt.
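
The vector described earlier in the thread (a page or e-mail that makes the client reach out to \\attacker\share) and subk's point that what needs blocking is outbound SMB to "not your SMB", turned into a triage script. This is an added example, not code from the article, the PoC or any commenter. It reads Windows Firewall log lines in the standard pfirewall.log field order (which you get after `Set-NetFirewallProfile -LogAllowed True -LogBlocked True`), keeps only host-initiated (SEND) connections to 137/138/139/445, and reports any whose destination is not on an allowlist of your own file servers, tagging public destinations separately. The six log lines and the two allowlist addresses are constructed for the example; the function and variable names are mine.

```powershell
# Added example: find hosts being lured into outbound SMB/NetBIOS connections
# by reading the Windows Firewall log. Not from the article or the PoC.

# Assumption: these are your real file servers; anything else is "not your SMB".
$KnownFileServers = @('10.0.1.10', '10.0.1.11')
$SmbPorts = @(137, 138, 139, 445)

# Constructed sample in pfirewall.log layout (see the #Fields header).
# Real data: Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-02-03 14:20:01 ALLOW TCP 10.0.5.23 10.0.1.10 49810 445 0 - 0 0 0 - - - SEND
2017-02-03 14:20:07 ALLOW TCP 10.0.5.23 203.0.113.10 49832 445 0 - 0 0 0 - - - SEND
2017-02-03 14:20:07 ALLOW UDP 10.0.5.23 203.0.113.10 137 137 78 - - - - - - - SEND
2017-02-03 14:21:15 DROP TCP 10.0.5.41 198.51.100.7 50211 139 52 S 0 0 8192 - - - SEND
2017-02-03 14:21:40 ALLOW TCP 10.0.5.23 10.0.9.250 49901 445 0 - 0 0 0 - - - SEND
2017-02-03 14:22:02 ALLOW TCP 203.0.113.10 10.0.5.23 445 49832 0 - 0 0 0 - - - RECEIVE
'@

function Test-PrivateIPv4 {
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Find-SuspiciousSmb {
    param([string[]]$Lines, [string[]]$Allowed)
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '' -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }   # malformed or truncated line
        $action, $proto, $src, $dst, $dstPort, $path = $f[2], $f[3], $f[4], $f[5], [int]$f[7], $f[16]

        # Only connections this host originated; inbound SMB is a different problem.
        if ($path -ne 'SEND') { continue }
        if ($SmbPorts -notcontains $dstPort) { continue }
        if ($Allowed -contains $dst) { continue }

        $scope = if (Test-PrivateIPv4 $dst) { 'internal, unknown server' } else { 'public' }
        [pscustomobject]@{
            Time   = "$($f[0]) $($f[1])"
            Source = $src
            Dest   = $dst
            Proto  = $proto
            Port   = $dstPort
            Action = $action    # ALLOW means the connection actually went out
            Scope  = $scope
        }
    }
}

$hits = Find-SuspiciousSmb -Lines ($SampleLog -split "`r?`n") -Allowed $KnownFileServers
$hits | Format-Table -AutoSize

# Which internal machines to go and look at first.
$hits | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
```

On the sample, the RECEIVE line and the connection to the allowlisted 10.0.1.10 are ignored and the other four lines are reported; the DROP stays in the list on purpose, since an attempt the firewall caught is exactly the one whose source you want to chase. The internal-but-unknown destination is reported too, because a malicious SMB server on your own LAN (or a lure pointing at one) is not covered by any WAN block.
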
    3. Re: Irresponsible disclosure by phantomfive · · Score: 0

      one should block outbound SMB traffic to "not your SMB".

      Yeap.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Irresponsible disclosure by Billly+Gates · · Score: 1

      Regardless of whether they pushed it back or not, if they're planning to release next Tuesday then disclosing the hole with PoC exploit code is just irresponsible. You could have waited 5 more days.

      Probably because it will break a SHIT load of intranet and Sharepoint apps on corporate networks. Then the next headline on Slashdot is ... MS RELEASES EVIL UPDATE THAT RUINS CORPORATE NETWORKS ... then we see the negative comments here about updates etc.

      MS can not catch a break either way.

      Yes having SMB over TCP/IP sounds outright retarded. But many corporate apps on different subnets can not route SMB because of NetBIOS which is a non routable protocol layer 2. So Sharepoint and VBScript encapsulate this over TCP/IP as a workaround.

    5. Re:Irresponsible disclosure by MalleusEBHC · · Score: 1

      It depends on his motivations. He could be doing this to embarrass MS, but it may be that he's pressuring them to ensure that the patch gets released on Tuesday. He's been sitting on a 0-day for three months, so he could embarrass them at any time of his choosing. Why do it a few days before a patch Tuesday, i.e. when it will have the smallest impact?

    6. Re:Irresponsible disclosure by Anonymous Coward · · Score: 0

      Going by my own experience reporting bugs to Microsoft, unless you're a big customer, a known security researcher, an AV vendor or the like, they simply won't take you seriously, even if you've got exploit code. I can see how if the security issue is big enough, you'd publish the exploit code simply to force them to take you seriously.

    7. Re: Irresponsible disclosure by Bert64 · · Score: 1

      Many ISPs actually block the default windows ports by default across their networks...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  18. horrible microsoft by Anonymous Coward · · Score: 0

    It's a good thing that I haven't and will never "downgrade" to Windows 10.

    Windows 7 forever!

  19. FTFY by linear+a · · Score: 1

    " ... Windows ... Can Crash Systems, Cause BSODs " FTFY

  20. Re: Our Windows Server 2012 R2 servers have been.. by Anonymous Coward · · Score: 0

    How do you have 0.1 of a crash?

  21. Re: you know how to stop this? by Anonymous Coward · · Score: 0

    Well don't feel silly now with 2 posts next to each other.
    Maybe you should actually refresh the page and not expect the browser to get data you haven't requested yet.

  22. Where's my villain mustache and hat? by bheerssen · · Score: 2

    I have an SMB server on my network and I think I just found a way to convince my family to switch to Linux.

    --
    (Score: -1, Stupid)
  23. Re: Our Windows Server 2012 R2 servers have been.. by Anonymous Coward · · Score: 0

    How do you have 0.1 of a crash?

    Divide by 10

  24. Modern software by Anonymous Coward · · Score: 0

    You mean I have to install an exploit to get what used to be standard Windows functionality? Ridiculous.

  25. Re: Our Windows Server 2012 R2 servers have been. by fisted · · Score: 1

    Yeahh, they're trying to tell you about a segfault at address 0xdeadbeef in binary blob xyz, but sorry, you don't get to debug it. Tough shit. Keep the money flowing anyway, k?

  26. You get what you deserve by Anonymous Coward · · Score: 0

    That's what you get for using Microsoft shit, dickheads! Keep using M$..
    How many of these exploits do you find on Linux? Not many.. instead Windows is plagued with these; every few months a critical issue is found.
    Bleah!!

  27. Trump's Phone by Anonymous Coward · · Score: 0

    I heard Trump's phone has NOT been secured yet. What OS is he on?

  28. From "They Live" - "I've got one that can SEE!" by Anonymous Coward · · Score: 0

    See my subject: That's EXACTLY how it works which IS why you're being downmoderated for telling it how it REALLY is!

    APK

    P.S.=> Worst part is, the "powers that be" will try to 'spin' the truth with "alternate facts" fake news bs to try cover up their utterly transparent bullshit lies when you tell the truth of things... apk