Windows SMB2 exploit now public; Expect in-the-wild attacks soon
Summary: Fully functional exploit code for the (still unpatched) Windows SMB v2 vulnerability has been released to the public domain via the freely available Metasploit point-and-click attack tool
Fully functional exploit code for the (still unpatched) Windows SMB v2 vulnerability has been released to the public domain via the freely available Metasploit point-and-click attack tool, raising the likelihood for remote in-the-wild code execution attacks.
The exploit, created and released by Harmony Security's Stephen Fewer, provides a clear roadmap for hackers to plant malware or open backdoors on Windows Vista Service Pack 1 and 2 as well as Windows 2008 SP1 server.
The release of the public exploit puts Microsoft under serious pressure to complete its patch-testing process and release a fix to head off in-the-wild attacks.
According to Microsoft's Johnathan Ness, the company's security response team has already completed more than 10,000 separate test cases in its regression testing and is currently doing "stress testing, 3rd-party application testing, and fuzzing."
Microsoft's next scheduled Patch Day is more than two weeks away -- on October 13, 2009 -- which means the company is now under pressure to issue an emergency, out-of-cycle fix for vulnerable Windows users.
The flaw, which was originally disclosed on September 8 as a simple denial-of-service issue, does not affect the RTM version of Windows 7.
On September 17, a team of exploit writers from Immunity created a remote exploit that’s been fitted into Immunity’s Canvas pen-testing platform. The exploit hits all versions of Windows Vista and Windows Server 2008 SP2.
Until Microsoft issues a patch, vulnerable Windows users should immediately implement the one-click "fix-it" workaround that's available. The fix-it package, which was added to Redmond’s pre-patch advisory, effectively disables SMBv2 and then stops and starts the Server service. It provides temporary mitigation from remote code execution attacks targeting the known — and still unpatched — vulnerability.
Here are direct links:
To revert the workaround, and re-enable SMBv2, you can:
Mitigation guidance for enterprises is available in this blog post and in the Microsoft security advisory.
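As an added example (not the fix-it package itself and not code from the article), the following PowerShell script applies the same workaround the article describes, disabling SMBv2 and then restarting the Server service, and can revert it with a switch. The registry path and the Smb2 value name are assumed to be the ones documented in Microsoft's advisory; verify them against the advisory before running this, and run it from an elevated prompt.

```powershell
# Added example: apply or revert the "disable SMBv2, restart Server service" workaround.
# Assumption: the Smb2 DWORD under LanmanServer\Parameters is the switch Microsoft's
# advisory documents (0 = disabled, 1 or absent = enabled). Check the advisory first.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # An absent value means the default, i.e. SMBv2 is enabled.
    $v = (Get-ItemProperty -Path $paramKey -Name Smb2 -ErrorAction SilentlyContinue).Smb2
    if ($null -eq $v -or $v -ne 0) { 'Enabled' } else { 'Disabled' }
}

function Set-Smb2Workaround {
    param([switch]$Revert)   # -Revert re-enables SMBv2 once the patch is installed
    $value = if ($Revert) { 1 } else { 0 }
    New-ItemProperty -Path $paramKey -Name Smb2 -PropertyType DWord -Value $value -Force | Out-Null
    # The change only takes effect after the Server (LanmanServer) service is restarted;
    # -Force also restarts services that depend on it, as the fix-it's stop/start does.
    Restart-Service -Name LanmanServer -Force
    Get-Smb2State
}

Write-Host "SMBv2 before: $(Get-Smb2State)"
$after = Set-Smb2Workaround          # use: Set-Smb2Workaround -Revert   to undo
Write-Host "SMBv2 after:  $after"
```

Restarting the Server service briefly drops existing file-share sessions, so schedule it accordingly on servers.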

Talkback
Another "researcher" makes a name for himself.
Of course this is one of those stories that is going to devolve into a Linux Vs Windows Vs Mac flame war within the next ten seconds or so; so within that time everyone will forget the original issue and the irresponsible behavior of these "security" companies.
Technically, it was a team of Bozos
The only thing that can accelerate the patching process in this case is for more people to volunteer to test the beta patches, though I am not sure if MS is taking volunteers.
You two are funny.
ANY EXPLOIT SHOULD BE FIXED IMMEDIATELY UPON DISCOVERY. PERIOD.
An exploit is an exploit, just because someone releases code to a specific site doesn't mean the code didn't exist wayyy prior to the initial public discovery process. The important word here... PRIOR. Yes 0 DAY flaws. Hackers/crackers and script kiddies love 0 dayz.
Just like the drug trade, you know it's probably going on, you don't see it right away, but when it happens and the police go after them, you still have the people the drugs were already distributed to. In this case.. a 0 day.
I agree.
Here is an explanation from a man who is much more qualified to discuss this than I am, quoted directly from Bill Vass' blog:
Imagine you enter the security line at the airport and there is a proprietary vendor in front of you with his locked suitcase telling the TSA official not to worry, and to trust him, stating he has checked everything in his suitcase and it is safe. How would this make you feel? Pretty vulnerable...right? Wouldn't it be better if the person in front of you is a true open source advocate and welcomes the TSA official to check anything he wants...because he has nothing to hide?
Who are you going to feel safe about getting on the plane with? It's a no-brainer...so why would you trust a vendor to put stuff on your server with life critical or mission critical systems, where no one can see what is on the server except for that one company, or that one group of people. I have sometimes heard some proprietary vendors say about open source code "but everyone can see how the security works." They are making the point for me! That is why open source code has to be made stronger on open source than on proprietary software products.
*sighs*
So no, this isn't irresponsible. Yes, they could have waited a little longer, but they forced the issue so now there's a quick fix for anyone not using SMBv2. Which happens to be most of the consumer world. Anyone not a business anyways. Unlikely that would have come out if this was still hacker only knowledge.
RE: Windows SMB2 exploit now public; Expect in-the-wild attacks soon
Never thought this would happen...
Jeremy.
RE: Windows SMB2 exploit now public; Expect in-the-wild attacks soon
Now for the part that you wanted to come, if the SMB components were opensource this issue could have been found and corrected a long time ago rather than leaving the customers open since the implementation of the affected platforms.
Rushing is not a good idea sometimes.
And even with all that testing, there's a chance that a new vulnerability or weird effect happens because of the complex nature of the OS.
This applies on Macs and Linux also.
And this will get around my firewall and antivirus how
Re: And this will get around my firewall and antivirus how
It is possible for the firewall companies to issue an advisory to update the block list to include the structure of the malformed packets but it may also increase false positives and negatively affect your network resources. This is a network based attack and per my understanding it cannot be detected by a traditional antivirus program, since they search files on the system not packets coming through the network adapter.
If you have a hardware firewall
Hardware firewall and NATs
and you could block relevant ports on a software level until the patch arrives.
Firewalls should be able to filter smb2 traffic
I can set my software firewalls to block smb2 traffic from anywhere but computers/ip addresses on a whitelist in its settings. Most decent firewalls should have this capability. Even GNU/Linux (Firestarter) can do that. If FOSS can do it, anybody else providing firewall protection should be able to do it as well. If you can't, upgrade your soft firewalls on your LAN computers.
Blocking NetBIOS/smb2 (ports 138 and 139) at the hardware level firewall in your router will prevent WAN access.
My only vulnerable machine (Vista SP2) is my laptop that purposely dual boots Linux. Only time I could have a problem is away from home. But then I suggest you should always disable/block NetBIOS/smb2 on public LANs anyway.
You're kidding, right?
tl:dr, tms:du
Antivirus does jack all. Firewall generally won't stop exploits b/c it can't tell the difference between exploit and normal activity.
But in all cases other than exploits like these, releasing the virus code or attack path to the internet means that there'll be virus definitions, patches, updates, etc within hours in most cases.
This is only a problem for...
We should require individual licensing before allowing people onto the information super highway. Too many internet users, no matter their current citizenship, are like sheep blocking the road in a third world country. They're accidents waiting to happen. Licensing could at least hold them accountable for facilitating DDOS attacks and other mischief.
NAC for the whole Internet? That'll be the day
If there were a way to disallow endpoints from communicating on the Internet unless they met some basic level of security patching it would mitigate all of these types of problems. This could be accomplished through some sort of large scale Network Admission Control type solution. In a pie-in-the-sky world this would be the answer. The reality though is that it would be an ideal way for nefarious regimes to enforce censorship or to limit free speech.
This is quite a conundrum...
We can dream, can't we? (nt)
That didn't take long!
BTW, are those Dell laptops I see for over $1600 advertised on ZDNet?
And I thought APPLE was expensive!!!