Windows 7, Vista exposed to 'teardrop attack'

Exploit code for a remote reboot flaw in Microsoft's implementation of the SMB2 protocol has been posted on the internet, exposing users of Windows 7 and Windows Vista to teardrop attacks.

[ UPDATE: Microsoft has now confirmed this vulnerability and warns of code execution risk ]

Exploit code for a remote reboot flaw in Microsoft's implementation of the SMB2 protocol has been posted on the internet, exposing users of Windows 7 and Windows Vista to the teardrop attacks that used to be popular on Windows 3.1 and Windows 95.

The demo code, published on the Full Disclosure mailing list, allows an attacker to remotely crash any Windows 7 or Windows Vista machine with SMB enabled.  No user action is required.

From the advisory:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB server, and it's used to identify the SMB dialect that will be used for further communication.

The researcher who discovered the issue said Windows 2000 and Windows XP are not affected because they do not have the vulnerable driver.

The exploit has been added to the Metasploit point-and-click attack tool. Metasploit's HD Moore believes the bug was introduced with Windows Vista SP1.

The folks at The H Online got the exploit to fire on Windows Vista but could not replicate the issue on Windows 7.  In the absence of a patch from Microsoft, they suggest closing the SMB ports by un-ticking the boxes for file and printer access in the firewall settings.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All