Saturday, September 12, 2009

Windows Vista / 7 SMB Protocol Reboot Vulnerability

A vulnerability in Microsoft's implementation of the SMB2 protocol can be exploited over the network to crash or reboot Windows Vista and Windows 7 systems. The root of the problem is an error in how the srv2.sys driver handles a client request whose SMB header carries an ampersand ('&', byte 0x26) in the "Process Id High" field. Because srv2.sys runs in the kernel, the crash is a bugcheck; a system configured to restart automatically on failure simply reboots. The attack requires no authentication: TCP port 445 on the target merely has to be reachable, which it usually is in the default Windows local network configuration. SMB2 is an extension of the conventional Server Message Block protocol.

Exploit code is already available online, and it is being integrated into Metasploit, which will make it point, click and reboot for Windows Vista / 7 machines.

The vulnerability exists in SRV2.SYS, which fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.

The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server; it is used to identify the SMB dialect that will be used for further communication. SMB2 negotiation begins with this same SMB1-format request, with an SMB 2 dialect listed among the offered dialects, which is why the SMB1 header is what srv2.sys ends up parsing.
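The following is an added example, not code from the original post or from the exploit it mentions. It shows the layout of the SMB1 header and of the NEGOTIATE PROTOCOL REQUEST body the two paragraphs above describe, and runs a small inspection over constructed sample packets: a parser pulls out the "Process Id High" field and the offered dialects, and a check flags a negotiate request whose PID High bytes contain the ampersand the advisory talks about. The function names, the sample packets, and the "non-zero PID High at negotiate time is unusual" heuristic are assumptions of this example; the field offsets follow the published SMB1 header layout (32 bytes, little-endian, PID High at offset 12).

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
AMPERSAND = 0x26  # '&', the byte the advisory says srv2.sys mishandles in PID High

# SMB1 header, 32 bytes, little-endian:
# Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
# SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
SMB1_HEADER = "<4sBIBHH8sHHHHH"


def build_negotiate_request(dialects, pid_high=0, pid_low=0xFEFF, mid=0):
    """Build a NetBIOS-framed SMB1 NEGOTIATE PROTOCOL REQUEST.

    Used here only to construct sample traffic for the inspector below
    (hypothetical helper, not the exploit's code)."""
    header = struct.pack(
        SMB1_HEADER,
        SMB1_MAGIC,         # Protocol
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        0x18,               # Flags: case-insensitive, canonical paths
        0xC853,             # Flags2: unicode, NT status, extended security, long names
        pid_high,           # PIDHigh: the field the advisory is about
        b"\x00" * 8,        # SecurityFeatures (message signature, unused here)
        0,                  # Reserved
        0,                  # TID
        pid_low,            # PIDLow
        0,                  # UID
        mid,                # MID
    )
    # Body: WordCount=0, ByteCount, then 0x02-prefixed NUL-terminated dialect strings
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data
    smb = header + body
    # NetBIOS session service framing: type 0x00 plus a 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_request(packet):
    """Parse a NetBIOS-framed SMB1 message. Returns a dict with the header
    fields and offered dialects if it is a NEGOTIATE request, else None."""
    if len(packet) < 4 + 32 or packet[0] != 0x00:
        return None
    length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    if len(smb) < 32 or smb[:4] != SMB1_MAGIC:
        return None
    (_, command, status, flags, flags2, pid_high, _sig, _reserved,
     tid, pid_low, uid, mid) = struct.unpack(SMB1_HEADER, smb[:32])
    if command != SMB_COM_NEGOTIATE:
        return None
    word_count = smb[32]
    params_end = 33 + 2 * word_count
    if len(smb) < params_end + 2:
        return None
    byte_count = struct.unpack_from("<H", smb, params_end)[0]
    data = smb[params_end + 2:params_end + 2 + byte_count]
    dialects = [d[1:].decode("ascii", "replace")
                for d in data.split(b"\x00") if d.startswith(b"\x02")]
    return {"pid_high": pid_high, "pid_low": pid_low, "flags2": flags2,
            "tid": tid, "uid": uid, "mid": mid, "dialects": dialects}


def inspect_negotiate(packet):
    """Return (verdict, detail) for one packet.

    'alert' when the PID High bytes carry the ampersand the advisory describes;
    'suspicious' for any other non-zero PID High at negotiate time (heuristic,
    an assumption of this example); 'ok' otherwise; 'ignore' for non-negotiate data."""
    req = parse_negotiate_request(packet)
    if req is None:
        return ("ignore", "not an SMB1 NEGOTIATE request")
    wire = req["pid_high"].to_bytes(2, "little")
    if AMPERSAND in wire:
        return ("alert", "PID High bytes %s contain 0x26 ('&'); dialects %s"
                % (wire.hex(), req["dialects"]))
    if req["pid_high"] != 0:
        return ("suspicious", "non-zero PID High 0x%04x at negotiate" % req["pid_high"])
    return ("ok", "dialects offered: %s" % req["dialects"])


# Constructed sample packets (not captured traffic).
SAMPLE_BENIGN = build_negotiate_request(["NT LM 0.12", "SMB 2.002"])
SAMPLE_MALFORMED = build_negotiate_request(["SMB 2.002"], pid_high=0x2600)

if __name__ == "__main__":
    for name, pkt in (("benign", SAMPLE_BENIGN), ("malformed", SAMPLE_MALFORMED)):
        print(name, *inspect_negotiate(pkt))
```

Feeding the inspector with real packets means stripping the TCP payload from a capture on port 445 and handing each NetBIOS session message to inspect_negotiate; anything other than an SMB1 NEGOTIATE is ignored, so it can sit in front of a mixed SMB1/SMB2 stream.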
