Wednesday, November 11, 2009

Windows 7 / Server 2008R2 Remote Kernel Crash

This bug is real proof that the SDL #_FAIL_

The bug triggers an infinite loop in smb{1,2}, pre-auth, no credentials needed...

It can even be triggered from outside the LAN (via IE*, over layer 5..)

The bug is sooooo noob, it should have been spotted 2 years ago by the SDL, if the SDL had ever existed:

import struct  # Python 2: SMB_packet is a list of str fragments
netbios_header = struct.pack(">i", len(''.join(SMB_packet)))  # 4-byte big-endian length of the SMB payload
packet = netbios_header + ''.join(SMB_packet)
(The netbios header provides the length of the incoming smb{1,2} packet)

If the length in netbios_header is 4 or more bytes smaller than SMB_packet, it just blows!
WHAAAAAAAAT ?? you gotta be kidding me, where's my SDL ???
Yeah, scary shit.
"Most secure OS ever";
Oh yeah, whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting NBNS tricks (no user interaction).
How funny is that.
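As an added defensive example (not code from this post or from the advisory), here is a Python 3 helper that frames an SMB payload with a consistent NetBIOS session header and a checker that flags any frame whose declared length disagrees with its actual payload, the inconsistency described above. SAMPLE_SMB2 is a constructed placeholder header, not a real capture.

```python
import struct

NBSS_SESSION_MESSAGE = 0x00  # type byte that precedes the 24-bit length on TCP/445


def frame_smb(smb_packet: bytes) -> bytes:
    """Prepend a NetBIOS session header whose length matches the SMB payload.

    On TCP/445 the header is one type byte (0x00) followed by a 24-bit
    big-endian length; packing the payload length as ">I" yields exactly
    that for any payload under 16 MiB.
    """
    if len(smb_packet) > 0xFFFFFF:
        raise ValueError("SMB payload too large for a 24-bit NetBIOS length")
    return struct.pack(">I", len(smb_packet)) + smb_packet


def inspect_nbss_frame(frame: bytes) -> dict:
    """Compare a frame's declared NetBIOS length with its actual payload size.

    Returns the declared and actual lengths, the signed difference, and a
    'suspicious' flag set whenever they disagree or the type byte is not a
    session message. A sensor or a test harness can log or drop such frames
    before they reach an SMB parser.
    """
    if len(frame) < 4:
        return {"error": "truncated header", "suspicious": True}
    msg_type = frame[0]
    declared = struct.unpack(">I", frame[:4])[0] & 0x00FFFFFF
    actual = len(frame) - 4
    return {
        "msg_type": msg_type,
        "declared": declared,
        "actual": actual,
        "delta": declared - actual,
        "suspicious": msg_type != NBSS_SESSION_MESSAGE or declared != actual,
    }


# Constructed sample: an SMB2 header is 64 bytes and starts with the 0xFE 'SMB' signature.
SAMPLE_SMB2 = b"\xfeSMB" + b"\x00" * 60

if __name__ == "__main__":
    print(inspect_nbss_frame(frame_smb(SAMPLE_SMB2)))      # consistent frame
    # Constructed frame whose declared length understates the payload by 4 bytes.
    print(inspect_nbss_frame(b"\x00\x00\x00\x3c" + SAMPLE_SMB2))  # flagged
```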

Here's the Advisory: http://g-laurent.blogspot.com

Check also: Windows 7 / Windows Server 2008 R2 Remote SMB Exploit

Metasploit now has PoC modules for Laurent Gaffie's new SMB2 bug as well as MS09-065

1 comment:

StorageCraft said...

I am shocked to see that a product like Windows 7 can have so many problems. On the other hand I have full confidence that Windows will rectify these problems soon.