Mark Minasi's Windows Networking Tech Page
Issue #81 September 2009
Document copyright 2009 Mark Minasi; please see
below for info on subscribing, unsubscribing or copying portions of
- Tech Section
- Killer B's (SMBs, that is) On the Way
- To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email
Hi all —
I never thought I'd be saying this again, but... apparently someone
found a bug in Microsoft's new-and-improved version of the file server service,
SMB 2.0, and I'm sure that'll lead to a new and nasty worm, so it's time to do a
bit of Registry tweaking to batten down the hatches. But first, a word
from our sponsor...
Killer B's (SMBs, that is) On the Way
This week, we got news of a vulnerability that will, I think,
sort of take you back nearly a couple of decades to the Ping of
Death. Basically we found out that you can send just one
malformed packet to a Vista or Server 2008 system, and that system
bluescreens. Relax, though... again, this seems to only attack
Vista and Server 2008 and, yeah, I know, it's just me and five other
people who are using Vista. (Fortunately for me, though,
I'm not using 2008 because I've been waiting for R2 and I moved to
Windows 7 a few weeks ago.)
Seriously, though, this points to a serious screwup on
Microsoft's part and, if I'm reading the tea leaves right, a
downright irresponsible response to it on their part, worsened by an
irresponsible hacker who posted information about that screwup
and example exploit code without first informing Microsoft.
If you're in a hurry, though, the short version is that Vista and
2008 Server systems are at risk, but the vulnerability lies in the
file server service, and because very few folks are brave enough to
expose file server service-related TCP ports 139 and 445 to the
Internet, the fact is that any widespread attack won't get terribly
far. Furthermore, a simple Reg hack shuts down SMB 2.0 on any
Vista or later system. On to the details...
Last Monday, a
security researcher hacker named
Laurent Gaffié posted a report on his blog (http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html)
revealing that trying to start up an SMB 2.0 session with a
malformed packet would bluescreen a Windows system. (SMB 2.0
is the improved, faster version of the familiar old NET USE-related
file server software that we've been using in Microsoft networks
since 1985.) Gaffié's announcement in this manner was a sleazy
thing to do, as the fair way to announce a vulnerability in an OS is
to tell the OS vendor and give them the time to release a patch
before bragging to the world about your wondrous find.
(Imagine if Dan Kaminsky had sold his sure-fire DNS poisoning
exploit strategy when he conceived of it in early 2008 instead of
first getting all of the DNS vendors on board and only then
explaining it at Black Hat last summer. Heck, Kaminsky could
have sold the exploit to the highest bidder and become a rich man --
but didn't.) Just to ensure his place in the Dirtbags Hall of
Fame, Gaffié even posted a bit of sample exploit code in the blog
post. Good work, Laurie; you are a god in the eyes of millions
of disaffected wannabe hackers. Enjoy the adulation, pal; how
many jerks can say that they launched a true zero-day attack?
Meanwhile, last Monday was, as we all know, Patch Tuesday Eve,
and thus far too late for Microsoft to include Gaffié-exploit-relevant
patches with the "in-band" ones that Microsoft releases on the
second Tuesday of every month. (Could that timing have been on
purpose? Naaah.) How'd Microsoft respond? By
"Microsoft is investigating new public reports of a possible
vulnerability in Microsoft Server Message Block (SMB)
"Possible" gives the response a disquieting
large-company-unaccountability feel, as anyone with a Python
interpreter could try out the sample code in the blog post in oh,
about one minute, provided they had access to a Vista or Server 2008
system with a naked port 139 or 445. Good heavens, Microsoft,
it's time to ring the alarm bells, not say "uh, yeah, we're looking
into it!" But, as I see it, Microsoft looked even worse a
couple of days later when people trying out the exploit on Windows 7
and Server 2008 R2 RTM systems (that's the great thing about a
zero-day exploit: everyone gets to be a "security
researcher!") found, to their surprise, that those systems were
not vulnerable to the Killer SMB. So read the tea leaves
with me and ask, what does that mean?
Well, clearly it means that at least someone at Redmond
recognized that SMB 2.0 had a bug, and a serious one, and fixed it
in Windows 7/Server 2008 R2... but not in Vista and Server
2008, for some reason. But what was that reason? The
best possible spin is that the programmer who found the bug simply
never put the "if it's a Vista SMB 2.0 bug, it's a Win 7 SMB 2.0
bug" pieces together and moved the information up the chain. A
less friendly spin would note that Microsoft has one of the most
iron-clad change command systems around, and that the big players
just said, "heck, we can't have another embarrassing Vista
story -- let's sweep this one under the rug and hope that Apple
never mentions it in the next PC/Mac advertisement." That's an even
creepier thought since the Microsoft security bulletin
reveals that an attacker exploiting this bug could not only
bluescreen a system but in fact could take complete control
of that system. I'm sure we'll never know the whole
Anyway, what should you do, assuming you have Vista and/or Server
2008 systems in-house? Obviously it's never a great idea to
expose TCP ports 139 or 445 to the big scary Internet, so if
someone's convinced your mother to turn her Vista firewall off, tell
her to turn it back on. On a larger scale, the Microsoft
security bulletin reveals a Registry hack to disable SMB 2.0 while
leaving the unaffected SMB 1.0 stack running. Apparently
adding a new REG_DWORD entry "smb2" to the
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters key and setting that entry to 0,
then restarting the Server service kills SMB 2.0 while leaving SMB
1.0 intact. (Just delete the entry and restart the Server
service to undo it.) Let me clarify that as I write this,
there is no Internet-crawling worm based on this exploit... yet.
Nevertheless, I'd hasten to disable SMB 2.0 on any of my Vista or
2008 systems before the "killer SMB" worms appear.
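Here is the Registry workaround above written out as a PowerShell script, an added example rather than anything from the newsletter or the Microsoft bulletin. It assumes an elevated prompt on a Vista or Server 2008 box; the function names are my own, and the registry path and value name are the ones the bulletin gives.

```powershell
# Added example (not from the newsletter): turn SMB 2.0 off, check the result, and undo it,
# using the smb2 REG_DWORD under LanmanServer\Parameters. Run elevated. Restarting the
# Server service drops open file-share sessions, so do it in a maintenance window.

$Smb2KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Smb2Value   = 'smb2'

function Get-Smb2State {
    # No value at all means the default: SMB 2.0 is enabled.
    $item = Get-ItemProperty -Path $Smb2KeyPath -Name $Smb2Value -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'Enabled (smb2 value absent, default)' }
    if ($item.$Smb2Value -eq 0) { return 'Disabled (smb2 = 0)' }
    return "Enabled (smb2 = $($item.$Smb2Value))"
}

function Disable-Smb2 {
    # Set-ItemProperty creates the REG_DWORD if it is missing, otherwise overwrites it.
    Set-ItemProperty -Path $Smb2KeyPath -Name $Smb2Value -Value 0 -Type DWord
    # SMB 1.0 stays up; only the Server service needs a bounce for the change to take.
    Restart-Service -Name LanmanServer -Force
}

function Enable-Smb2 {
    # Undo the way the bulletin describes: delete the value rather than setting it to 1.
    Remove-ItemProperty -Path $Smb2KeyPath -Name $Smb2Value -ErrorAction SilentlyContinue
    Restart-Service -Name LanmanServer -Force
}

# Sanity check: Vista and Server 2008 are NT 6.0; Windows 7 and 2008 R2 (6.1) were found
# not to be affected, so warn instead of silently degrading them to SMB 1.0.
$ver = [Environment]::OSVersion.Version
if ($ver.Major -ne 6 -or $ver.Minor -ne 0) {
    Write-Warning "This host is NT $($ver.Major).$($ver.Minor), not Vista/Server 2008; the workaround targets 6.0."
}

"Before: $(Get-Smb2State)"
Disable-Smb2
"After:  $(Get-Smb2State)"
# To roll back later: Enable-Smb2
```

Clients still connect after this, just over SMB 1.0, so expect the throughput gain of SMB 2.0 to disappear until you roll the value back.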
And you thought it was going to be a quiet Monday.
To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2009 Mark Minasi. I encourage you to quote
this material, SO LONG as you include this entire document;