Windows 7, Vista exposed to 'teardrop attack'

Summary: Exploit code for a remote reboot flaw in Microsoft's implementation of the SMB2 protocol has been posted on the internet, exposing users of Windows 7 and Windows Vista to teardrop attacks.

[ UPDATE: Microsoft has now confirmed this vulnerability and warns of code execution risk ]

Exploit code for a remote reboot flaw in Microsoft's implementation of the SMB2 protocol has been posted on the internet, exposing users of Windows 7 and Windows Vista to the teardrop attacks that used to be popular on Windows 3.1 and Windows 95.

The demo code, published on the Full Disclosure mailing list, allows an attacker to remotely crash any Windows 7 or Windows Vista machine with SMB enabled. No user action is required.

From the advisory:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it's used to identify the SMB dialect that will be used for further communication.
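The advisory names malformed headers on the NEGOTIATE request as the trigger but does not describe the defect itself, so the following is a generic structural check rather than a signature for this bug. It is an added example, not code from the advisory, Metasploit or Microsoft: a small validator that parses an SMB2 NEGOTIATE request (64-byte header plus 36-byte fixed body, field layout taken from the public MS-SMB2 specification) and reports every way a packet departs from what a well-formed first request looks like. The sample packets are constructed inline; the dialect list and the zero-value rules for MessageId, TreeId and SessionId on a first request are the spec's, everything else is this example's choice.

```python
"""Structural sanity checks for an SMB2 NEGOTIATE request (added example).

Field offsets follow MS-SMB2 2.2.1.2 (header) and 2.2.3 (NEGOTIATE request).
The packets in SAMPLES are constructed here; none is captured traffic.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"                  # ProtocolId: 0xFE 'S' 'M' 'B'
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses, never on requests
NEGOTIATE_FIXED_LEN = 36                 # body before the Dialects array
KNOWN_DIALECTS = {0x0202, 0x0210, 0x0300, 0x0302, 0x0311}
HEADER_FMT = "<4sHHIHHIIQIIQ16s"         # 64 bytes, little-endian
BODY_FMT = "<HHHHI16sQ"                  # 36 bytes, little-endian
CONSTRUCTED_GUID = b"\x11" * 16          # placeholder ClientGuid for samples


def check_negotiate_request(pkt):
    """Return the list of structural problems found; [] means it looks sane."""
    problems = []
    if len(pkt) < SMB2_HEADER_LEN:
        return ["header truncated: %d of %d bytes" % (len(pkt), SMB2_HEADER_LEN)]
    (magic, hdr_size, _credit_charge, _status, command, _credits, flags,
     next_cmd, msg_id, _reserved, tree_id, session_id,
     _signature) = struct.unpack_from(HEADER_FMT, pkt, 0)
    if magic != SMB2_MAGIC:
        problems.append("not an SMB2 header (ProtocolId %r)" % magic)
    if hdr_size != SMB2_HEADER_LEN:
        problems.append("header StructureSize %d, expected %d" % (hdr_size, SMB2_HEADER_LEN))
    if command != SMB2_NEGOTIATE:
        problems.append("Command 0x%04x is not NEGOTIATE" % command)
    if flags & SMB2_FLAGS_SERVER_TO_REDIR:
        problems.append("response flag set on a request")
    if next_cmd != 0:
        problems.append("NEGOTIATE must not be compounded (NextCommand=%d)" % next_cmd)
    if msg_id != 0 or tree_id != 0 or session_id != 0:
        problems.append("MessageId/TreeId/SessionId must be 0 before a session exists")

    body = pkt[SMB2_HEADER_LEN:]
    if len(body) < NEGOTIATE_FIXED_LEN:
        problems.append("body truncated: %d of %d bytes" % (len(body), NEGOTIATE_FIXED_LEN))
        return problems
    (body_size, dialect_count, _sec_mode, _rsvd, _caps, _guid,
     _start_time) = struct.unpack_from(BODY_FMT, body, 0)
    if body_size != NEGOTIATE_FIXED_LEN:
        problems.append("body StructureSize %d, expected %d" % (body_size, NEGOTIATE_FIXED_LEN))
    if dialect_count == 0:
        problems.append("DialectCount is 0")
    needed = NEGOTIATE_FIXED_LEN + 2 * dialect_count
    if len(body) < needed:
        # A count that outruns the payload is the classic length-field lie.
        problems.append("DialectCount %d needs %d body bytes, have %d"
                        % (dialect_count, needed, len(body)))
        return problems
    dialects = struct.unpack_from("<%dH" % dialect_count, body, NEGOTIATE_FIXED_LEN)
    unknown = [d for d in dialects if d not in KNOWN_DIALECTS]
    if unknown:
        problems.append("unknown dialect(s): %s" % ", ".join("0x%04x" % d for d in unknown))
    return problems


def build_negotiate_request(dialects=(0x0202, 0x0210), header_struct_size=64,
                            session_id=0, dialect_count=None):
    """Construct a NEGOTIATE request; the keyword arguments exist only so the
    samples below can deliberately break one field at a time."""
    if dialect_count is None:
        dialect_count = len(dialects)
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, header_struct_size, 0, 0,
                         SMB2_NEGOTIATE, 0, 0, 0, 0, 0, 0, session_id, b"\0" * 16)
    body = struct.pack(BODY_FMT, NEGOTIATE_FIXED_LEN, dialect_count, 1, 0, 0,
                       CONSTRUCTED_GUID, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return header + body


# Constructed samples: one clean request and several single-field deviations.
SAMPLES = {
    "well-formed": build_negotiate_request(),
    "truncated header": build_negotiate_request()[:20],
    "bad header size": build_negotiate_request(header_struct_size=62),
    "dialect count exceeds payload": build_negotiate_request(dialect_count=200),
    "session id before session": build_negotiate_request(session_id=0x1234),
}


def triage_samples():
    """Run every sample through the validator; returns {name: [problems]}."""
    return {name: check_negotiate_request(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in triage_samples().items():
        print("%-30s %s" % (name, "ok" if not found else "; ".join(found)))
```

The point of the "dialect count exceeds payload" sample is the general lesson behind "malformed header" bugs: a length or count field is attacker-controlled data and has to be bounded against the bytes actually received before anything indexes with it. Run as a script, the block prints one line per sample; the same function can be pointed at a raw SMB2 payload pulled from a capture.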

The researcher who discovered the issue said Windows 2000 and Windows XP are not affected because they do not have the vulnerable driver.

The exploit has been added to the Metasploit point-and-click attack tool. Metasploit's HD Moore believes the bug was introduced with Windows Vista SP1.

The folks at The H Online got the exploit to fire on Windows Vista but could not replicate the issue on Windows 7. In the absence of a patch from Microsoft, they suggest closing the SMB ports by un-ticking the boxes for file and printer access in the firewall settings.

Talkback

66 comments
  • Never let it be said

    that Microsoft has no respect for tradition.
    Yagotta B. Kidding
  • Vulnerable by default?

    [i]Exploit code for a remote reboot flaw in Microsoft's implementation of the SMB2 protocol has been posted on the internet, exposing users of Windows 7 and Windows Vista to the teardrop attacks that used to be popular on Windows 3.1 and Windows 95.[/i]

    I presume this attack is able to bypass the firewall because if it can't, this isn't an issue for 99.9999% of Windows machines.
    NonZealot
    • so as long as there is a good firewall

      any blocked vulnerability is excused?
      Viva la crank dodo
      • What do you mean by "excused"? nt

        .
        ye
        • Perhaps I

          misunderstood but NonZealot's remark seems to indicate that as long as a firewall effectively protects the OS, that the vulnerability is as good as not there and reporting on it is simply nitpicking.

          I may be reading too much into it so he can correct me if I'm wrong. If he was simply meaning to inform that we should make sure we keep our FW on until there is a fix and as a result no need for mass hysteria in the meantime, then thanks for the heads up.

          Viva la crank dodo
          • You misunderstood.

            He appears to have a problem with the following:

            "The demo code, published on the Full Disclosure mailing list, allows an attacker to remotely crash any Windows 7 or Windows Vista machine with SMB enabled. [b]No user action is required.[/b]"

            User action is required because the default configuration is to block access to the port.
            ye
          • I see

            fair enough
            Viva la crank dodo
          • Misunderstanding squared...

            The way I read that sentence, it tells me that there is no user action required for the exploit to affect them, ie they don't have to click on a malformed URL or open an email or do anything for the machine with SMB enabled to be affected by this particular problem. What it doesn't tell me is that no user action is required to keep the exploit from affecting them. Not exactly sure how you came to that conclusion.
            jasonp@...
          • By default the built in firewall restricts access to the port in question.

            In Windows XP SP2 and higher the firewall blocks access to the port by default. One would have to specifically take steps to permit access.

            In Vista and Windows 7 the firewall blocks access to the port if the "Public" setting has been selected. It restricts access to the port to the local subnet if the "Home" or "Private" network configuration has been selected.

            Thus a user would have to take steps to enable access to the port. Furthermore honeymonster is claiming Network Discovery also has to be enabled. I have not been able to verify this but I've found his information to be reliable. Until more details are known about this vulnerability I have to hold off judgement. However it does appear serious enough to warrant an out-of-cycle patch as file serving is not an unreasonable service to make available and those systems needing to do so need to be protected.
            ye
          • I would tend to agree...

            that this doesn't rise to a high enough threat level to need an out of cycle patch. That's why I didn't mention that. I only mentioned that your explanation of the verbiage "no user action is required" appeared to be incorrect. I'll stand by that assessment. You'll note there isn't (and wasn't in my original posting) any commentary on this being a major problem. Glad we got that squared away.
            jasonp@...
          • @jasonp: We disagree

            [i]I would tend to agree that this doesn't rise to a high enough threat level to need an out of cycle patch.[/i]

            I believe it does.
            ye
    • Not sure

      Not sure - I think file sharing is actually disabled by default.

      But there are a lot of people who will probably turn it on if they have several machines.

      If you have a hardware router or firewall (even the cheap consumer ones), then it should block incoming connections by default.
      CobraA1
      • My experience on "cheap consumable"..

        firewalls. The "smart firewalls" of today have everything from P2P to ICMP port listening enabled. I can poke holes through them by just having the wrong service enabled at firewall setup time.

        And by "consumable" I mean they end up consuming the users, personal ID and every other cotton picking thing they own, to try and lock it down!

        Even your ISP can ruin the default on a lot of these worthless boxes. They aren't any better than most software firewalls on factory settings.

        I never used to have these problems, it was better to have a locked down firewall, and help them over the phone (remote desktop), easily configure the services they needed.
        JCitizen
  • "No user action is required." Except disabling the firewall.

    And this one doesn't count. According to the official ZDNet talkback rules PoC code doesn't count nor does any code that does not run with administrative privileges. The PoC code appears to be DoS only.
    ye
    • Except disabling the firewall AND enabling network discovery

      which is disabled by default in Vista and W7.

      Network discovery is typically only enabled on corporate networks or more advanced home networks where you create shares on multiple computers.

      This flaw *can not* be triggered from the Internet. SMB2 packages do *not* pass through even the simplest firewalls, software or hardware.

      This flaw *can not* be leveraged to infect a machine. It can not be used to create a mass-infection.
      honeymonster
      • This [b]is[/b] a serious problem for many.

        If you have a notebook at home, you're going to have file sharing and print sharing switched on. When you take that same notebook out to a hotspot, you're on the internet and you're not behind your home NAT router. You're behind somebody else's, and you have no flippin' idea how it's set up.
        sporkfighter
        • Wrong and wrong

          [i]you're going to have file sharing and print sharing switched on.[/i]

          Why would you set up your notebook to be a file and print server? That makes no sense. Your home desktop or server, maybe, but your notebook? Nope, that is unlikely.

          [i]When you take that same notebook out to a hotspot, you're on the internet and you're not behind your home NAT router.[/i]

          Welcome to 2006, glad to have you. Since Vista, you specify whether a network is a Public network or a Private network and you can open [b]different[/b] sets of ports for each one. So even if you did set up your notebook as a file and print server on your private, home network, when you go to your coffee shop, you simply accept the default of Public network and those ports are closed.
          NonZealot
  • So will this work...

    ...if Windows Firewall - which is switched on by default in Vista and W7 - is active?

    Simple answer please - yes or no.

    Thanks! :)
    Sleeper Service
    • fresh install, no network config changes

      if that's the case, no it will not work.

      In order for this to work, no NAT/Firewall between the vulnerable service and the malicious connection can exist.
      JoeMama_z
      • So what we're saying is...

        ...that without user intervention - which includes changing the default security settings - this can't work?

        Which would mean that Ryan's article is wrong, wouldn't it?
        Sleeper Service