Mark Minasi's Windows Networking Tech Page
Issue #81 September 2009
Document copyright 2009 Mark Minasi; please see
below for info on subscribing, unsubscribing or copying portions of
- Tech Section
- Killer B's (SMBs, that is) On the Way
- To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email
Hi all —
I never thought I'd be saying this again, but... apparently someone
found a bug in Microsoft's new-and-improved version of the file server service,
SMB 2.0, and I'm sure that'll lead to a new and nasty worm, so it's time to do a
bit of Registry tweaking to batten down the hatches. But first, a word
from our sponsor...
Server 2012 Is the Biggest Server in Ages; Understand It in
Just Two Days in Chicago June 10/11, SF, DC, Alpharetta, Stamford or San Diego
Windows Server 2012, the latest in a nearly twenty-year-long
series of versions
of Windows Server, is out. I've been tracking
2012 since we got our first glimpse
of it in early September 2011, and it's
huge. That means that if you're the person who's got to plan
for 2012, to make the "do we upgrade or skip?" call about 2012, or to
get 2012 up and running, then you've got a lot of things to
learn. Which 2012 features will matter to your particular
organization, and which can you ignore? The answer's easy... just
download a zillion white papers, watch a year's worth of videos, and
stay up late trying it all out...
... Or you could join me for a two-day comprehensive,
independent and fun explanation of what Server 2012 offers. If
you'd like to find out more, the course outline is at
http://www.minasi.com/2012 and I'm delivering it in several
locations in the next few months, as you can see at http://www.minasi.com/pubsems.htm.
I hope you can join me, or perhaps invite me to present this material
exclusively for your organization.
Time to Learn PowerShell! Learn it in One Day with Mark
in the Same Cities
As someone who's worked with programming and scripting tools for, well,
um, many years, I have to say
that PowerShell is one of the best, and it's something that I think
that every admin can and should learn. Join me at a one-day
seminar on AD administration with PowerShell — AD administration is
just a sneaky excuse to teach you PowerShell while you're not looking
— and see how to save time by PowerShelling. Course outline at http://www.minasi.com/adposh1/ and, again, see our dates and locations at www.minasi.com/pubsems.htm.
Killer B's (SMBs, that is) On the Way
This week, we got news of a vulnerability that will, I think,
sort of take you back nearly a couple of decades to the Ping of
Death. Basically we found out that you can send just one
malformed packet to a Vista or Server 2008 system, and that system
bluescreens. Relax, though... again, this seems to only attack
Vista and Server 2008 and, yeah, I know, it's just me and five other
people who are using Vista. (Fortunately for me, though,
I'm not using 2008 because I've been waiting for R2 and I moved to
Windows 7 a few weeks ago.)
Seriously, though, this points to a serious screwup on
Microsoft's part and, if I'm reading the tea leaves right, a
downright irresponsible response to it on their part, worsened by an
irresponsible hacker who posted information about that screwup
and example exploit code without first informing Microsoft.
If you're in a hurry, though, the short version is that Vista and
2008 Server systems are at risk, but the vulnerability lies in the
file server service, and because very few folks are brave enough to
expose file server service-related TCP ports 139 and 445 to the
Internet, the fact is that any widespread attack won't get terribly
far. Furthermore, a simple Reg hack shuts down SMB 2.0 on any
Vista or later system. On to the details...
Last Monday, a
security researcher hacker named
Laurent Gaffié posted a report on his blog (http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html)
revealing that trying to start up an SMB 2.0 session with a
malformed packet would bluescreen a Windows system. (SMB 2.0
is the improved, faster version of the familiar old NET USE-related
file server software that we've been using in Microsoft networks
since 1985.) Gaffié's announcement in this manner was a sleazy
thing to do, as the fair way to announce a vulnerability in an OS is
to tell the OS vendor and give them the time to release a patch
before bragging to the world about your wondrous find.
(Imagine if Dan Kaminsky had sold his sure-fire DNS poisoning
exploit strategy when he conceived of it in early 2008 instead of
first getting all of the DNS vendors on board and only then
explaining it at Black Hat last summer. Heck, Kaminsky could
have sold the exploit to the highest bidder and become a rich man --
but didn't.) Just to ensure his place in the Dirtbags Hall of
Fame, Gaffié even posted a bit of sample exploit code in the blog
post. Good work, Laurie; you are a god in the eyes of millions
of disaffected wannabe hackers. Enjoy the adulation, pal; how
many jerks can say that they launched a true zero-day attack?
Meanwhile, last Monday was, as we all know, Patch Tuesday Eve,
and thus far too late for Microsoft to include Gaffié-exploit-relevant
patches with the "in-band" ones that Microsoft releases on the
second Tuesday of every month. (Could that timing have been on
purpose? Naaah.) How'd Microsoft respond? By
"Microsoft is investigating new public reports of a possible
vulnerability in Microsoft Server Message Block (SMB)
"Possible" gives the response a disquieting
large-company-unaccountability feel, as anyone with a Python
interpreter could try out the sample code in the blog post in oh,
about one minute, provided they had access to a Vista or Server 2008
system with a naked port 135 or 445. Good heavens, Microsoft,
it's time to ring the alarm bells, not say "uh, yeah, we're looking
into it!" But, as I see it, Microsoft looked even worse a
couple of days later when people trying out the exploit on Windows 7
and Server 2008 R2 RTM systems (that's the great thing about a
zero-day exploit: everyone gets to be a "security
researcher!") found, to their surprise, that those systems were
not vulnerable to the Killer SMB. So read the tea leaves
with me and ask, what does that mean?
Well, clearly it means that at least someone at Redmond
recognized that SMB 2.0 had a bug, and a serious one, and fixed it
in Windows 7/Server 2008 R2... but not in Vista and Server
2008, for some reason. But what was that reason? The
best possible spin is that the programmer who found the bug simply
never put the "if it's a Vista SMB 2.0 bug, it's a Win 7 SMB 2.0
bug" pieces together and moved the information up the chain. A
less friendly spin would note that Microsoft has one of the most
iron-clad change command systems around, and that the big players
just said, "heck, we can't have another embarrassing Vista
story -- let's sweep this one under the rug and hope that Apple
never mentions it in the next PC/Mac advertisement." That's an even
creepier thought since the Microsoft security bulletin
reveals that an attacker exploiting this bug could not only
bluescreen a system but in fact could take complete control
of that system. I'm sure we'll never know the whole
Anyway, what should you do, assuming you have Vista and/or Server
2008 systems in-house? Obviously it's never a great idea to
expose TCP ports 139 or 445 to the big scary Internet, so if
someone's convinced your mother to turn her Vista firewall off, tell
her to turn it back on. On a larger scale, the Microsoft
security bulletin reveals a Registry hack to disable SMB 2.0 while
leaving the unaffected SMB 1.0 stack running. Apparently
adding a new REG_DWORD entry "smb2" to the
HKLM\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters key and setting that entry to 0,
then restarting the Server service kills SMB 2.0 while leaving SMB
1.0 intact. (Just delete the entry and restart the Server
service to undo it.) Let me clarify that as I write this,
there is no Internet-crawling worm based on this exploit... yet.
Nevertheless, I'd hasten to disable SMB 2.0 on any of my Vista or
2008 systems before the "killer SMB" worms appear.
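Here's the Registry tweak above as a PowerShell script, an example I've added for this newsletter rather than anything taken from the Microsoft bulletin or from Gaffié's post. It assumes you run it from an elevated PowerShell prompt on the Vista or Server 2008 box in question; the function names (Get-Smb2State, Disable-Smb2, Enable-Smb2, Restart-ServerService) are my own, and the only facts it relies on are the ones stated above: a REG_DWORD named smb2 under the Lanmanserver\Parameters key, set to 0, followed by a restart of the Server service, with deletion of the value as the rollback.

```powershell
# Added example (not from the newsletter, the bulletin, or the blog post):
# disable or re-enable SMB 2.0 on a Vista / Server 2008 system by way of the
# "smb2" REG_DWORD under the Server service's Parameters key, then restart
# the Server (LanmanServer) service so the change takes effect.
# Run from an elevated PowerShell prompt. Function names are my own.

$Smb2KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Smb2ValueName = 'smb2'

function Restart-ServerService {
    # -Force also restarts services that depend on Server (Computer Browser,
    # for one); without it Restart-Service refuses and SMB keeps its old settings.
    Restart-Service -Name LanmanServer -Force
}

function Get-Smb2State {
    # Reports what the Registry currently says. No value at all means the OS
    # default, i.e. SMB 2.0 is enabled; 0 means disabled; anything else, enabled.
    $item = Get-ItemProperty -Path $Smb2KeyPath -Name $Smb2ValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'Enabled (smb2 value not present, OS default)' }
    if ($item.$Smb2ValueName -eq 0) { return 'Disabled (smb2 = 0)' }
    return "Enabled (smb2 = $($item.$Smb2ValueName))"
}

function Disable-Smb2 {
    # Create the REG_DWORD smb2 = 0, overwriting it if it already exists
    # (-Force is what lets New-ItemProperty replace an existing value).
    New-ItemProperty -Path $Smb2KeyPath -Name $Smb2ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-ServerService
}

function Enable-Smb2 {
    # The undo described above: delete the value and restart the Server service.
    Remove-ItemProperty -Path $Smb2KeyPath -Name $Smb2ValueName -ErrorAction SilentlyContinue
    Restart-ServerService
}

# Usage: show the state, turn SMB 2.0 off, show the state again.
"Before: $(Get-Smb2State)"
Disable-Smb2
"After:  $(Get-Smb2State)"
# To put things back once a patch is installed, run Enable-Smb2 instead.
```

Two things worth knowing before you run it across a fleet: Restart-Service -Force will briefly drop every open file share on the box, so schedule it, and the state check reads the Registry rather than the live SMB negotiation, so it tells you what the Server service will do on its next start, not necessarily what it is doing right now if someone edited the value without restarting.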
And you thought it was going to be a quiet Monday.
To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2009 Mark Minasi. I encourage you to quote
this material, SO LONG as you include this entire document;