
Windows 7, Vista Zero-Day Brings BSoD

Source: Tom's Hardware US

A flaw in the SRV2.SYS driver allows an attacker to remotely crash a PC running Windows 7 or Windows Vista.

Security researcher Laurent Gaffie reports a zero-day vulnerability affecting both Windows 7 and Vista that could allow an attacker to invoke the dreaded Blue Screen of Death. The flaw is in the Server Message Block 2 (SMB2) driver and causes a critical system failure. Gaffie's blog post, published yesterday, says the driver fails to handle malformed SMB headers in NEGOTIATE PROTOCOL REQUEST processing. Windows Server 2008 may also be affected.

"An attacker can remotely crash any Vista/Windows 7 machine with SMB enabled," the blog reads. Windows XP and 2000 are apparently not affected, as they do not have the SRV2.SYS driver. Gaffie provides a proof-of-concept sample and suggests that users close the SMB ports by un-ticking the boxes for file and printer sharing in the firewall settings until Microsoft releases a patch. Gaffie also contacted Microsoft; however, no reply had been received as of this writing.

The H Security adds detail, reporting that the driver crashes when the "Process Id High" field of the SMB header contains an ampersand. The attack is delivered over TCP port 445 of the target system and does not require authentication. The H Security also said that an exploit written in Python is already available.
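For defenders looking at port 445 traffic, the condition above (a NEGOTIATE request with an unexpected "Process Id High" value) is simple to check from the fixed 32-byte SMB header. The following is an added example, not code from the article or from any of the researchers it cites; it assumes, as a heuristic, that ordinary clients send 0 in PIDHigh on NEGOTIATE, and the sample packets it parses are constructed here rather than captured.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72            # the NEGOTIATE PROTOCOL REQUEST command named in the article
HEADER_FMT = "<4sBIBHH8sHHHHH"      # 32-byte SMB1 header: magic, command, status, flags, flags2,
HEADER_LEN = struct.calcsize(HEADER_FMT)  # PIDHigh, signature, reserved, TID, PIDLow, UID, MID

@dataclass
class SmbHeader:
    command: int
    pid_high: int
    tid: int
    pid_low: int
    uid: int
    mid: int

def parse_smb_header(payload: bytes) -> Optional[SmbHeader]:
    """Parse the SMB1 header at the start of a TCP/445 payload; None if it is not SMB1."""
    # On port 445 the SMB message sits behind a 4-byte NetBIOS session header (type 0x00 + 24-bit length).
    if len(payload) >= 4 and payload[0] == 0x00:
        declared = int.from_bytes(payload[1:4], "big")
        body = payload[4:4 + declared]
    else:
        body = payload
    if len(body) < HEADER_LEN or body[:4] != SMB1_MAGIC:
        return None
    (_, cmd, _status, _flags, _flags2, pid_high,
     _sig, _rsvd, tid, pid_low, uid, mid) = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    return SmbHeader(cmd, pid_high, tid, pid_low, uid, mid)

def is_suspicious_negotiate(payload: bytes) -> bool:
    """Heuristic (assumption): a NEGOTIATE request with a non-zero Process Id High field is
    anomalous, since ordinary clients send 0 there; this also covers the ampersand case above."""
    hdr = parse_smb_header(payload)
    return hdr is not None and hdr.command == SMB_COM_NEGOTIATE and hdr.pid_high != 0

def build_sample(pid_high: int) -> bytes:
    """Constructed test traffic (not a capture): NBSS header + NEGOTIATE header + one dialect."""
    dialects = b"\x02NT LM 0.12\x00"
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects   # WordCount=0, ByteCount, dialects
    hdr = struct.pack(HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                      pid_high, b"\x00" * 8, 0, 0, 0, 0, 0)
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    for sample in (build_sample(0), build_sample(0x1234), b"GET / HTTP/1.1\r\n"):
        print(sample[:8].hex(), "suspicious" if is_suspicious_negotiate(sample) else "ok")
```

The same check can be expressed as a signature in an IDS that matches on the SMB header offsets, but parsing the NetBIOS length first avoids false hits on non-SMB data that happens to reach port 445.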

The site's German associate tested the exploit and succeeded in remotely rebooting a Windows Vista system; the test had no effect on the Windows 7 machine. According to ZDNet, security researcher (and Metasploit author) HD Moore suggests in a tweet that the SMB bug may have already been introduced into Vista SP1.

Comments
  • vladtepes, September 8, 2009 9:29 PM [score 13]
    BSODs are to Windows as the spinning beach ball of death is to Mac OSX
  • NightLight, September 8, 2009 9:43 PM [score 0]
    Someone should invent a BSOD vista gadget :p 
    Mine would be stuck on "0"!
  • theLaminator, September 8, 2009 9:47 PM [score 6]
    I'm still waiting to get a BSOD on my cell phone running Win Mobile; I'd quite possibly laugh my ass off. Though I'd be quite pissed if I lost data.
  • sot010174, September 8, 2009 9:48 PM [score 4]
    Sorry, but even the Pentagon can be hacked, so why would Windows be more secure? I don't see the point in trying to spoil the Win7 launch party...
  • BallistaMan, September 8, 2009 9:52 PM [score 6]
    @vladtepes: Actually, Macs have kernel panics as well - basically a black screen saying "Your computer has crashed" and no useful data (well duh it crashed :p ). My dad's Macbook Pro gets one of those every month or two at least.
  • vladtepes, September 8, 2009 10:06 PM [score 7]
    Quote from BallistaMan:
    @vladtepes: Actually, Macs have kernel panics as well - basically a black screen saying "Your computer has crashed" and no useful data (well duh it crashed ). My dad's Macbook Pro gets one of those every month or two at least.


    Yes I know about that, but the "beachball of death" is much funnier than "kernel panic"
  • dingumf, September 8, 2009 10:09 PM [score 4]
    Sweet, has this been patched yet?

    No? OH SHI-
  • aspireonelover, September 8, 2009 10:10 PM [score 0]
    Quote from vladtepes:
    BSODs are to Windows as the spinning beach ball of death is to Mac OSX

    actually
    BSODs are to Windows as the Kernel Panic is to Mac OSX ;) 
  • geoffs, September 8, 2009 10:13 PM [score 4]
    Quote from BallistaMan:
    @vladtepes: Actually, Macs have kernel panics as well - basically a black screen saying "Your computer has crashed" and no useful data (well duh it crashed ). My dad's Macbook Pro gets one of those every month or two at least.
    Sounds like a hardware problem or an incompatible extension (.kext).

    My MBP has only given that message 1-2x in 24 months, and I've only seen the spinning beachball a few times. My MBP is rarely rebooted, I usually just put it to sleep.
  • IzzyCraft, September 8, 2009 10:17 PM [score 0]
    not bug Feature
  • False_Dmitry_II, September 8, 2009 10:24 PM [score 0]
    It's not like you can steal stuff from the computers. It would just be an annoyance, cause then you hit the power button, and continue. You could possibly lose stuff that you were working on but that's about it. I'm sure we'll see a hotfix in the near future.

    If it was in vista too, how come it took this long to find?
  • jhansonxi, September 8, 2009 10:36 PM [score 13]
    The fact that it also affects Vista proves that Microsoft is serious about backwards compatibility. :D 
  • JohnnyLucky, September 8, 2009 10:44 PM [score 4]
    Time to shut port 455. Years ago we used to shut down ports that were not necessary for operation. The idea was to prevent security problems.
  • CircusMusic, September 8, 2009 11:20 PM [score 0]
    Quote:
    The test had no affect on the Windows 7 machine.

    confirmed to work on windows 7 64bit (crashed it three times about 20 minutes ago...)
  • rooket, September 8, 2009 11:30 PM [score 3]
    Does this exploit work over LAN or WAN? Doesn't matter to me at all if it is LAN only. Nice article but for those of us who aren't geniuses kind of looks like something that is a non issue.
  • matt87_50, September 9, 2009 12:12 AM [score -1]
    If only you could have 3rd party SMB for Windows. Sadly they seemed to want to monopolise this.
  • geoffs, September 9, 2009 12:14 AM [score 1]
    Quote from JohnnyLucky:
    Time to shut port 455. Years ago we used to shut down ports that were not necessary for operation. The idea was to prevent security problems.
    That's but one of many reasons I recommend a separate firewall/router for all users. That router should block all traffic on Windows/CIFS/SMB ports, there is no viable reason to have those accessible on the Internet. That doesn't eliminate the problem, but it localizes it to your LAN, thus minimizing the exposure. If your LAN is as dangerous as the Internet, you've got bigger issues.

    If you need to connect into work, use a VPN and those ports/protocols can run over the VPN.
  • CircusMusic, September 9, 2009 12:18 AM [score 0]
    Quote from rooket:
    Does this exploit work over LAN or WAN? Doesn't matter to me at all if it is LAN only. Nice article but for those of us who aren't geniuses kind of looks like something that is a non issue.

    I think most ISPs block traffic on this port because of all the issues it brings... like file shares over the internet (I had fun with that lol). Most routers should be blocking it as well, but that doesn't mean you're safe. Plug directly into the internet with an ISP that doesn't block traffic on that port and you're vulnerable.

    It's a very real concern for any user. For example: piss off someone in an online chat or something and they could DoS your computer. A simple loop in the Python script and, as long as your computer is connected to the internet, you wouldn't be able to use it (would normal users think to unhook the internet when they get a BSOD? Not unless they take it in to be "fixed" = $$$ free cash for the tech).

    Just because this implementation of the exploit causes BSODs doesn't mean it's the only thing the bug could do.. maybe there's an opening for getting arbitrary code to execute?
  • Anonymous, September 9, 2009 12:24 AM [score 2]
    Bring Back C:\con\con!!!!!!
  • hemelskonijn, September 9, 2009 12:36 AM [score 0]
    rooket:

    If it works over LAN it will work over WAN, since WAN is like a huge LAN working on the same principles.
    However, in the best/worst case scenario a LAN exploit needs some tweaking in order to become effective over WAN.