Mark Minasi's Windows Networking Tech Page
Issue #81 September 2009

Document copyright 2009 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Join Me At a Seminar
  • Tech Section
    • Killer B's (SMBs, that is) On the Way
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

I never thought I'd be saying this again, but... apparently someone found a bug in Microsoft's new-and-improved version of the file server service, SMB 2.0, and I'm sure that'll lead to a new and nasty worm, so it's time to do a bit of Registry tweaking to batten down the hatches.  But first, a word from our sponsor...

My Three-Day Server 2012/2012R2 Class is Running in California at a Great Price!

MISAC, a nonprofit group of IT pros who work in support roles for cities throughout California, have hired me to do my in-depth three-day Server 2012/2012R2 class in three cities in California. The class normally runs $1600 per student, but they're offering it to their members for $799/student. Now, I've unfortunately been too busy to put together a public seminar calendar for 2014 yet -- apologies -- so I asked them if they'd be interested in opening their enrollment to the public at large, and they kindly agreed. They're offering seats for non-MISAC members for $999, a $601 discount. The first class runs next Tuesday-Thursday (25-27 February 2014) in Petaluma, followed by a session in March at Diamond Bar (25-27 March 2014) and then in April in Encinitas (22-24 April 2014). Anyone's welcome, and you'd register with MISAC on their Web site, not me. Find out more here: http://www.misac.org/

Tech Section: Killer B's (SMBs, that is) On the Way

This week, we got news of a vulnerability that will, I think, sort of take you back nearly a couple of decades to the Ping of Death.  Basically we found out that you can send just one malformed packet to a Vista or Server 2008 system, and that system bluescreens.  Relax, though... again, this seems to only attack Vista and Server 2008 and, yeah, I know, it's just me and five other people who are using Vista.  (Fortunately for me, though,  I'm not using 2008 because I've been waiting for R2 and I moved to Windows 7 a few weeks ago.)

Seriously, though, this points to a serious screwup on Microsoft's part and, if I'm reading the tea leaves right, a downright irresponsible response to it on their part, worsened by an irresponsible hacker who posted information about that screwup and example exploit code without first informing Microsoft.  If you're in a hurry, though, the short version is that Vista and 2008 Server systems are at risk, but the vulnerability lies in the file server service, and because very few folks are brave enough to expose file server service-related TCP ports 139 and 445 to the Internet, the fact is that any widespread attack won't get terribly far.  Furthermore, a simple Reg hack shuts down SMB 2.0 on any Vista or later system.  On to the details...

Last Monday, a security researcher hacker named Laurent Gaffié posted a report on his blog (http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html) revealing that trying to start up an SMB 2.0 session with a malformed packet would bluescreen a Windows system.  (SMB 2.0 is the improved, faster version of the familiar old NET USE-related file server software that we've been using in Microsoft networks since 1985.)  Gaffié's announcement in this manner was a sleazy thing to do, as the fair way to announce a vulnerability in an OS is to tell the OS vendor and give them the time to release a patch before bragging to the world about your wondrous find.  (Imagine if Dan Kaminsky had sold his sure-fire DNS poisoning exploit strategy when he conceived of it in early 2008 instead of first getting all of the DNS vendors on board and only then explaining it at Black Hat last summer.  Heck, Kaminsky could have sold the exploit to the highest bidder and become a rich man -- but didn't.)  Just to ensure his place in the Dirtbags Hall of Fame, Gaffié even posted a bit of sample exploit code in the blog post.  Good work, Laurie; you are a god in the eyes of millions of disaffected wannabe hackers.  Enjoy the adulation, pal; how many jerks can say that they launched a true zero-day attack?

Meanwhile, last Monday was, as we all know, Patch Tuesday Eve, and thus far too late for Microsoft to include Gaffié-exploit-relevant patches with the "in-band" ones that Microsoft releases on the second Tuesday of every month.  (Could that timing have been on purpose?  Naaah.)  How'd Microsoft respond?  By saying that

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation..."

"Possible" gives the response a disquieting large-company-unaccountability feel, as anyone with a Python interpreter could try out the sample code in the blog post in oh, about one minute, provided they had access to a Vista or Server 2008 system with a naked port 135 or 445.  Good heavens, Microsoft, it's time to ring the alarm bells, not say "uh, yeah, we're looking into it!"  But, as I see it, Microsoft looked even worse a couple of days later when people trying out the exploit on Windows 7 and Server 2008 R2 RTM systems (that's the great thing about a zero-day exploit:  everyone gets to be a "security researcher!") found, to their surprise, that those systems were not vulnerable to the Killer SMB.  So read the tea leaves with me and ask, what does that mean?

Well, clearly it means that at least someone at Redmond recognized that SMB 2.0 had a bug, and a serious one, and fixed it in Windows 7/Server 2008 R2... but not in Vista and Server 2008, for some reason.  But what was that reason?  The best possible spin is that the programmer who found the bug simply never put the "if it's a Vista SMB 2.0 bug, it's a Win 7 SMB 2.0 bug" pieces together and moved the information up the chain.  A less friendly spin would note that Microsoft has one of the most iron-clad change command systems around, and that the big players just said, "heck, we can't have another embarrassing Vista story -- let's sweep this one under the rug and hope that Apple never mentions it in the next PC/Mac advertisement." That's an even particularly creepier thought since the Microsoft security bulletin reveals that an attacker exploiting this bug could not only bluescreen a system but in fact could take complete control of that system.   I'm sure we'll never know the whole story.

Anyway, what should you do, assuming you have Vista and/or Server 2008 systems in-house?  Obviously it's never a great idea to expose TCP ports 139 or 445 to the big scary Internet, so if someone's convinced your mother to turn her Vista firewall off, tell her to turn it back on.  On a larger scale, the Microsoft security bulletin reveals a Registry hack to disable SMB 2.0 while leaving the unaffected SMB 1.0 stack running.  Apparently adding a new REG_DWORD entry "smb2" to the HKLM\SYSTEM\CurrentControlSet\ Services\Lanmanserver\ Parameters key and setting that entry to 0, then restarting the Server service kills SMB 2.0 while leaving SMB 1.0 intact.  (Just delete the entry and restart the Server service to undo it.)  Let me clarify that as I write this, there is no Internet-crawling worm based on this exploit... yet.  Nevertheless, I'd hasten to disable SMB 2.0 on any of my Vista or 2008 systems before the "killer SMB" worms appear.

And you thought it was going to be a quiet Monday.

To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2009 Mark Minasi.  I encourage you to quote this material, SO LONG as you include this entire document; thanks.