Windows 7, Vista exposed to 'teardrop attack'
Summary: Exploit code for a remote reboot flaw in Microsoft's implementation of the SMB2 protocol has been posted on the internet, exposing users of Windows 7 and Windows Vista to teardrop attacks.
[ UPDATE: Microsoft has now confirmed this vulnerability and warns of code execution risk ]
Exploit code for a remote reboot flaw in Microsoft's implementation of the SMB2 protocol has been posted on the internet, exposing users of Windows 7 and Windows Vista to the teardrop attacks that used to be popular on Windows 3.1 and Windows 95.
The demo code, published on the Full Disclosure mailing list, allows an attacker to remotely crash any Windows 7 or Windows Vista machine with SMB enabled. No user action is required.
From the advisory:
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used to identify the SMB dialect that will be used for further communication.
The researcher who discovered the issue said Windows 2000 and Windows XP are not affected because they do not have the vulnerable driver.
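The advisory's point is that the negotiate request is the very first message on the wire, so the server parses it before any authentication, and a header field it trusts without checking is reachable by anyone who can open TCP 445. The following is an added example, not code from the advisory, Metasploit or Microsoft: it builds a NetBIOS-framed SMB_COM_NEGOTIATE request the way a client of that era sends it, and then parses one back with every length field checked against the actual buffer before use. The dialect list and client flag values are constructed sample data, and the field layout follows the published SMB header format (32 bytes after the 4-byte NetBIOS session header).

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_HEADER_LEN = 32
HEADER_FMT = "<4sBIBHH8sHHHHH"  # magic, cmd, status, flags, flags2, pid_high,
                                 # security_features, reserved, tid, pid_low, uid, mid

# Constructed sample dialect list (what a Vista-era client would offer).
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12", b"SMB 2.002"]


def build_negotiate(dialects=DIALECTS, flags=0x18, flags2=0xC853):
    """Build a NetBIOS-framed SMB_COM_NEGOTIATE request as sent over TCP/445.

    flags/flags2 are typical client values (assumption; they do not affect parsing).
    """
    header = struct.pack(HEADER_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0, flags, flags2,
                         0, b"\x00" * 8, 0, 0, 0, 0, 0)
    # Each dialect entry: buffer-format byte 0x02 + ASCII string + NUL terminator.
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    params = struct.pack("<BH", 0, len(body))  # WordCount = 0, ByteCount
    smb = header + params + body
    # NetBIOS session service header: message type 0x00 + 24-bit big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate(frame):
    """Strictly parse a framed NEGOTIATE request; raise ValueError on any malformation.

    Every length and count is validated against the bytes actually present, so no
    header field is used as an index or size before it has been checked.
    """
    if len(frame) < 4:
        raise ValueError("truncated NetBIOS header")
    if frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(frame[1:4], "big")
    if nb_len != len(frame) - 4:
        raise ValueError("NetBIOS length does not match frame length")
    smb = frame[4:]
    if len(smb) < SMB_HEADER_LEN + 3:  # header + WordCount + ByteCount
        raise ValueError("truncated SMB header")
    (magic, command, status, flags, flags2, pid_high, _sec, _reserved,
     tid, pid_low, uid, mid) = struct.unpack(HEADER_FMT, smb[:SMB_HEADER_LEN])
    if magic != SMB_MAGIC:
        raise ValueError("bad SMB signature")
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("first request on a connection must be NEGOTIATE")
    word_count, byte_count = struct.unpack("<BH", smb[32:35])
    if word_count != 0:
        raise ValueError("NEGOTIATE carries no parameter words")
    body = smb[35:]
    if byte_count != len(body):
        raise ValueError("ByteCount does not match payload length")
    dialects, i = [], 0
    while i < len(body):
        if body[i] != 0x02:
            raise ValueError("dialect entry missing buffer-format byte")
        end = body.find(b"\x00", i + 1)
        if end == -1:
            raise ValueError("unterminated dialect string")
        if end == i + 1:
            raise ValueError("empty dialect string")
        dialects.append(body[i + 1:end])
        i = end + 1
    if not dialects:
        raise ValueError("no dialects offered")
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid,
            "dialects": dialects}


def is_well_formed(frame):
    """Convenience wrapper: True if the frame parses, False on any ValueError."""
    try:
        parse_negotiate(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_negotiate()
    print(parse_negotiate(good)["dialects"])
    bad = bytearray(good)
    bad[4 + 33] ^= 0xFF  # corrupt ByteCount so it no longer matches the payload
    print("truncated ok:", is_well_formed(good[:40]), "bad count ok:", is_well_formed(bytes(bad)))
```

The server-side lesson is in `parse_negotiate`: the NetBIOS length, the SMB header length, `WordCount`, `ByteCount` and each dialect string are all checked against the bytes actually received before anything derived from them is used.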
The exploit has been added to the Metasploit point-and-click attack tool. Metasploit's HD Moore believes the bug was introduced with Windows Vista SP1.
The folks at The H Online got the exploit to fire on Windows Vista but could not replicate the issue on Windows 7. In the absence of a patch from Microsoft, they suggest closing the SMB ports (TCP 445 for direct-hosted SMB, and TCP 139 for NetBIOS-over-TCP) by un-ticking the boxes for File and Printer Sharing in the Windows Firewall settings.
Talkback
Never let it be said
Vulnerable by default?
I presume this attack is able to bypass the firewall because if it can't, this isn't an issue for 99.9999% of Windows machines.
so as long as there is a good firewall
What do you mean by "excused"? nt
Perhaps I
I may be reading too much into it, so he can correct me if I'm wrong. If he was simply meaning to inform that we should make sure we keep our FW on until there is a fix and as a result no need for mass hysteria in the meantime, then thanks for the heads up.
You misunderstood.
"The demo code, published on the Full Disclosure mailing list, allows an attacker to remotely crash any Windows 7 or Windows Vista machine with SMB enabled. [b]No user action is required.[/b]"
User action is required because the default configuration is to block access to the port.
I see
Misunderstanding squared...
By default the built in firewall restricts access to the port in question.
In Vista and Windows 7 the firewall blocks access to the port if the "Public" setting has been selected. It restricts access to the port to the local subnet if the "Home" or "Private" network configuration has been selected.
Thus a user would have to take steps to enable access to the port. Furthermore honeymonster is claiming Network Discovery also has to be enabled. I have not been able to verify this but I've found his information to be reliable. Until more details are known about this vulnerability I have to hold off judgement. However it does appear serious enough to warrant an out-of-cycle patch as file serving is not an unreasonable service to make available and those systems needing to do so need to be protected.
I would tend to agree...
@jasonp: We disagree
I believe it does.
Not sure
disabled by default.
But there are a lot of people who will probably
turn it on if they have several machines.
If you have a hardware router or firewall (even the cheap consumer ones), then it should block incoming connections by default.
My experience on "cheap consumable"..
And by "consumable" I mean they end up consuming the users, personal ID and every other cotton picking thing they own, to try and lock it down!
Even your ISP can ruin the default on a lot of these worthless boxes. They aren't any better than most software firewalls on factory settings.
I never used to have these problems, it was better to have a locked down firewall, and help them over the phone(remote desktop), easily configure the services they needed.
"No user action is required." Except disabling the firewall.
Except disabling the firewall AND enabling network discovery
Network discovery is typically only enabled on corporate networks or more advanced home networks where you create shares on multiple computers.
This flaw *can not* be triggered from the Internet. SMB2 packets do *not* pass through even the simplest firewalls, software or hardware.
This flaw *can not* be leveraged to infect a machine. It can not be used to create a mass-infection.
This [b]is[/b] a serious problem for many.
Wrong and wrong
Why would you set up your notebook to be a file and print server? That makes no sense. Your home desktop or server, maybe, but your notebook? Nope, that is unlikely.
[i]When you take that same notebook out to a hotspot, you're on the internet and you're not behind your home NAT router.[/i]
Welcome to 2006, glad to have you. Since Vista, you specify whether a network is a Public network or a Private network and you can open [b]different[/b] sets of ports for each one. So even if you did set up your notebook as a file and print server on your private, home network, when you go to your coffee shop, you simply accept the default of Public network and those ports are closed.
So will this work...
Simple answer please - yes or no.
Thanks! :)
fresh install, no network config changes
In order for this to work, no NAT/Firewall between the vulnerable service and the malicious connection can exist.
So what we're saying is...
Which would mean that Ryan's article is wrong, wouldn't it?