Remotely triggering a bluescreen on Vista / Windows 7 / 2008

  • 08-09-2009 9:37pm
    #1
    Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭


    Using an SMB2.0 vulnerability

    Based on information from: http://seclists.org/fulldisclosure/2009/Sep/0039.html via an article on slashdot, so it's pretty public.

    I did this: http://www.youtube.com/watch?v=fRStGwdWBeg

    I didn't write the python script, and I don't personally understand exactly how it works, but it's worrying how easy it is to do.

    I mean *I* can do it. I'm a ****ing moron and I can make it work.

    Supposedly works with vista and windows 7, including the RTM Windows 7. Patch available in....


Comments

  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    I'm impressed. How long before they patch it, service pack 3?


  • Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭Dartz


    PogMoThoin wrote: »
    I'm impressed. How long before they patch it, service pack 3?

    Probably... It's pretty widely public now, half the intertubes is probably buzzing about it now that it was on /.


  • Closed Accounts Posts: 1,377 ✭✭✭An Fear Aniar


    I get the impression that you can't do it over the internet? You need to be inside a network. Is that right?

    .


  • Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭Dartz


    It seems to be...

    I tried it over the web to someone who was watching, and it didn't work. But they were behind a NAT router. If it was a PC with a direct connection it might work, but I don't know anyone who has.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Dartz wrote: »
    It seems to be...

    I tried it over the web to someone who was watching, and it didn't work. But they were behind a NAT router. If it was a PC with a direct connection it might work, but I don't know anyone who has.

    Dartz, great video, nicely done. I was working on PoC code in Perl myself for this vulnerability, but something else came up, and I had to shelve it. I'll PM you it when it's done if you want.

    When it comes to the question of whether it works over the internet, if you have a firewall which blocks SMB (ports 137, 138, 139, and 335) then this will not work. Likewise if you're behind a NAT'ing router it will not work. However, if you're on a broadband modem, and have no firewall or the firewall does not block SMB, you are still vulnerable.
    So if you have a SpeedTouch 330 or a Netopia modem, you may be vulnerable if you do not have a firewall. Also, please note if you connect to the internet using any kind of 3G or wireless "modem" you may be vulnerable, as these do not do any filtering of their own, they just give you a public IP address.

    Again, great vid, and well done for bringing it to more public attention.


  • Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭Dartz


    syklops wrote: »
    Dartz, great video, nicely done. I was working on PoC code in Perl myself for this vulnerability, but something else came up, and I had to shelve it. I'll PM you it when it's done if you want.

    When it comes to the question of whether it works over the internet, if you have a firewall which blocks SMB (ports 137, 138, 139, and 335) then this will not work. Likewise if you're behind a NAT'ing router it will not work. However, if you're on a broadband modem, and have no firewall or the firewall does not block SMB, you are still vulnerable.
    So if you have a SpeedTouch 330 or a Netopia modem, you may be vulnerable if you do not have a firewall. Also, please note if you connect to the internet using any kind of 3G or wireless "modem" you may be vulnerable, as these do not do any filtering of their own, they just give you a public IP address.

    Again, great vid, and well done for bringing it to more public attention.

    Thanks, but it has plenty of public attention already.... I found it via Slashdot. The unsettling thing is really how easy it is to do, rather than its reach. Poke and die horribly, like some cheesy martial arts film...

    The 2 PCs I killed with it were both running their own firewalls (it was a home network, mind).


  • Moderators, Arts Moderators, Regional Abroad Moderators Posts: 11,106 Mod ✭✭✭✭Fysh


    After reading this article on it yesterday, I was curious and tried it at work.

    We've proven that it works when you completely unload F-Secure and allow all network traffic. (F-Secure Client Security being our sitewide security tool).

    I haven't tried it on a clean Vista install running only the native firewall, but that's going to be the real factor in deciding how big an issue this becomes. Given the stats on how long it takes on average for an unprotected XP box to get infected if connected directly to the internet, this is just the latest in a long list of reasons to not let a Windows computer on the internet without taking security precautions...


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭Capt'n Midnight


    Moved to Security.

    Ping of death all over again


  • Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭Dartz


    Fysh wrote: »
    After reading this article on it yesterday, I was curious and tried it at work.

    We've proven that it works when you completely unload F-Secure and allow all network traffic. (F-Secure Client Security being our sitewide security tool).

    I haven't tried it on a clean Vista install running only the native firewall, but that's going to be the real factor in deciding how big an issue this becomes. Given the stats on how long it takes on average for an unprotected XP box to get infected if connected directly to the internet, this is just the latest in a long list of reasons to not let a Windows computer on the internet without taking security precautions...

    I did it on a home machine running Kaspersky Internet Security 2010.... and it had been configured to use a network share, so I think the port was open.

    It was the same on the other PC I tried it on.


  • Closed Accounts Posts: 4,564 ✭✭✭Naikon


    And people wonder why I only use Unix-based operating systems :)

    Plenty of nasty shellcode out there, including some for Unix, but security is much more proactive on that front because marketing isn't a concern.

    Honestly, is anyone surprised about this? Let's not get started on their RPC implementation.

    Windows 7 will be as secure as an open air market. The snake oil merchants will profit though : (



  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭Capt'n Midnight


    TBH, there is no need for the SMB service to be on by default on most home users' PCs.

    Any half-decent hardware firewall would block this by default, but some software ones might not.

    And any Windows machine where sharing is enabled should be behind a hardware firewall, even if it's just NAT.
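Both syklops's post (SMB blocked at the firewall or hidden behind NAT versus exposed on a bare modem or 3G dongle) and the point above (SMB listening by default, software firewalls not always blocking it) come down to one question a home or small-office admin can actually check: is anything outside the LAN reaching the NetBIOS/SMB ports (137-139 and 445), and is the firewall allowing or dropping it? The script below is an added example written for this thread, not the PoC from the video or anything posted by the thread's participants. It reads Windows Firewall log lines in the pfirewall.log column layout (an assumption on my part; the five sample records are constructed, using documentation address ranges), treats only RFC 1918, loopback and link-local sources as "inside", and reports which external sources were allowed in to an SMB port (the exposed case) versus dropped (the firewall did its job).

```python
"""Added example for this thread: assess inbound SMB exposure from Windows
Firewall log lines.  Not the thread's PoC and not Microsoft's code.

Assumptions: the log uses the pfirewall.log field order
(date time action protocol src-ip dst-ip src-port dst-port size tcpflags
tcpsyn tcpack tcpwin icmptype icmpcode info path), and any source outside
RFC 1918 / loopback / link-local space counts as "the internet".
"""
import ipaddress
from collections import Counter

# NetBIOS name/datagram/session ports plus direct-hosted SMB.
SMB_PORTS = {137, 138, 139, 445}

# What we treat as "inside the LAN" (not using ipaddress.is_private, which
# also classifies the documentation ranges used in the sample as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log (not a real capture); 203.0.113.0/24 and
# 198.51.100.0/24 stand in for arbitrary internet hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-09-08 21:37:01 ALLOW TCP 192.168.1.20 192.168.1.10 49152 445 52 S 1 0 8192 - - - RECEIVE
2009-09-08 21:37:05 DROP TCP 203.0.113.7 192.168.1.10 51234 445 52 S 1 0 8192 - - - RECEIVE
2009-09-08 21:37:09 ALLOW TCP 198.51.100.9 192.168.1.10 40001 139 52 S 1 0 8192 - - - RECEIVE
2009-09-08 21:37:12 ALLOW TCP 192.168.1.10 198.51.100.50 49153 80 52 S 1 0 8192 - - - SEND
2009-09-08 21:37:15 DROP UDP 203.0.113.8 192.168.1.10 137 137 78 - - - - - - - RECEIVE
"""


def parse_line(line):
    """Return a record dict for one log line, or None for header/blank/short lines."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 17:
        return None
    return {
        "time": f[0] + " " + f[1],
        "action": f[2],
        "proto": f[3],
        "src": f[4],
        "dst": f[5],
        "sport": int(f[6]) if f[6].isdigit() else None,
        "dport": int(f[7]) if f[7].isdigit() else None,
        "path": f[16],          # RECEIVE = inbound, SEND = outbound
    }


def is_external(ip_text):
    """True when the address is outside the LAN ranges defined above."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False            # garbage in the log; don't count it as internet
    return not any(ip in net for net in INTERNAL_NETS)


def inbound_smb(records):
    """Only inbound records whose destination port is an SMB/NetBIOS port."""
    return [r for r in records if r["path"] == "RECEIVE" and r["dport"] in SMB_PORTS]


def assess(log_text):
    """Summarise inbound SMB: external sources allowed in (exposure) vs dropped."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    hits = inbound_smb(records)
    exposed = {(r["src"], r["dport"]) for r in hits
               if r["action"] == "ALLOW" and is_external(r["src"])}
    blocked = {(r["src"], r["dport"]) for r in hits
               if r["action"] == "DROP" and is_external(r["src"])}
    return {
        "inbound_smb": len(hits),
        "exposed_from_internet": sorted(exposed),
        "blocked_from_internet": sorted(blocked),
        "lan_only": sum(1 for r in hits if not is_external(r["src"])),
        "ports_seen": Counter(r["dport"] for r in hits),
    }


if __name__ == "__main__":
    summary = assess(SAMPLE_LOG)
    print("inbound SMB records:", summary["inbound_smb"])
    print("ports hit:", dict(summary["ports_seen"]))
    print("EXPOSED (allowed from internet):", summary["exposed_from_internet"])
    print("blocked from internet:", summary["blocked_from_internet"])
    print("LAN-only inbound SMB:", summary["lan_only"])
```

On the sample, the 139/tcp connection from 198.51.100.9 is allowed through, which is the "on a bare modem with SMB open" situation syklops describes; the two DROP lines are what a working host firewall should show, and the 445/tcp hit from 192.168.1.20 is ordinary LAN file sharing. A host that is behind NAT will simply never see external sources in this log, which is the other half of the thread's point.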


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭Capt'n Midnight


    Fysh wrote: »
    the stats on how long it takes on average for an unprotected XP box to get infected if connected directly to the internet,
    8 seconds


  • Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭Dartz


    I always run a firewall.... even on Linux (which actually is just a GUI for configuring iptables, as I recall).

    And I've seen enough odd things poking at it to make me even more paranoid. Most of my computers are actually behind a NAT router anyway, which blocks most of the crap on the internet.

    And I still get the odd prod against it from the PC downstairs whenever it manages to get infected.

