Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Vista/2008/Windows 7 SMB2 BSOD 0Day SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Vista/2008/Windows 7 SMB2 BSOD 0Day

We have received a report from Tyler that a vulnerability affecting Microsoft SMB2 can be remotely crashed with proof-of-concept code that has been published yesterday and a Metasploit module is out.

We have confirmed  it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled with one 1 packet to create a BSOD. We recommend filtering access to port TCP 445 with a firewall.

Windows 2000/XP are NOT affected by this exploit.

We will update this diary with more information as we get it.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

 Guy

472 Posts
ISC Handler
Sep 8th 2009
Subscribe Sep 8th 2009
1 decade ago
There are indications this might be a Remote Exploit vulnerability and not merely a DOS.
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15
 Anonymous
Quote Sep 8th 2009
1 decade ago
I have seen port 445 scanning on average one every three minutes per target IP for a few weeks now. This is much higher than normal for my networks. Chances are this exploit was known before now and is just reaching the kit level. There is much more early distribution of real exploit code going on now than ever before, especially if it does more than a simple DoS.

-Al
 Al of Your Data Center

80 Posts
Quote Sep 8th 2009
1 decade ago
Perhaps, but more likely they're looking for any number of other SMB vulnerabilities that have been disclosed over the past 2 years. SMB has got to be one of the biggest offenders for 0days from Microsoft for a while now. In our enterprise, the top vulns are all SMB or Adobe based.
 TheLightCosine

5 Posts
Quote Sep 8th 2009
1 decade ago
According to http://www.microsoft.com/technet/security/advisory/975497.mspx the RTM versions of Windows 7 and Windows Server 2008R2 are not affected.
 Anonymous
Quote Sep 9th 2009
1 decade ago
From @hdmoore

woohoo! @stephenfewer figured out a reliable remote EIP on Vista SP1, looks portable to SP2 and other platforms #SMB2
 Tim

9 Posts
Quote Sep 16th 2009
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!