Vista/2008/Windows 7 SMB2 BSOD 0Day
We have received a report from Tyler that systems running Microsoft SMB2 can be remotely crashed through a vulnerability, using proof-of-concept code that was published yesterday; a Metasploit module is also out.
We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled, and a single packet is enough to create a BSOD. We recommend filtering access to port TCP 445 with a firewall.
Windows 2000/XP are NOT affected by this exploit.
We will update this diary with more information as we get it.
Update 1: Theodore, an ISC contributor, has sent us a couple of links on how to disable SMB version 2.0 on Vista or Server 2008. The first post is by Hameed on AskPerf here and the second post is by Daniel Petri here.
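One way to confirm that the SMB2 workaround from Update 1 took effect, as an added example (not part of the original diary or the linked posts): the parser below classifies a server's negotiate reply, taken from a packet capture on TCP 445, as SMB1 or SMB2. It assumes the client offered an SMB2 dialect in its request; the function name and the sample bytes are constructed for illustration.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB2_HEADER_LEN = 64      # fixed size of the SMB2 header
SMB2_CMD_NEGOTIATE = 0    # command code of an SMB2 negotiate


def classify_negotiate_reply(frame: bytes) -> dict:
    """Classify a server's reply to a negotiate request seen on TCP 445.

    `frame` is the TCP payload: a 4-byte transport header (zero byte plus
    24-bit big-endian length) followed by the SMB message.
    """
    if len(frame) < 8 or frame[0] != 0:
        raise ValueError("not a direct-TCP SMB frame")
    length = int.from_bytes(frame[1:4], "big")
    msg = frame[4:4 + length]
    if len(msg) < length:
        raise ValueError("truncated capture")
    if msg[:4] == SMB1_MAGIC:
        # Server answered in SMB1 only: SMB2 is disabled or unsupported.
        return {"protocol": "SMB1", "dialect": None, "smb2_enabled": False}
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("unknown protocol id")
    if len(msg) < SMB2_HEADER_LEN + 6:
        raise ValueError("SMB2 reply too short for a negotiate response")
    (command,) = struct.unpack_from("<H", msg, 12)
    if command != SMB2_CMD_NEGOTIATE:
        raise ValueError("SMB2 message is not a negotiate response")
    # Response body: StructureSize(2), SecurityMode(2), DialectRevision(2)
    (dialect,) = struct.unpack_from("<H", msg, SMB2_HEADER_LEN + 4)
    return {"protocol": "SMB2", "dialect": dialect, "smb2_enabled": True}


def _frame(msg: bytes) -> bytes:
    """Prefix an SMB message with the direct-TCP transport header."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed sample replies (not captured from a real host).
SAMPLE_SMB2 = _frame(
    SMB2_MAGIC + struct.pack("<HHIHH", 64, 0, 0, SMB2_CMD_NEGOTIATE, 1)
    + bytes(48) + struct.pack("<HHH", 65, 1, 0x0202))
SAMPLE_SMB1 = _frame(SMB1_MAGIC + b"\x72" + bytes(27))

if __name__ == "__main__":
    for name, sample in (("smb2", SAMPLE_SMB2), ("smb1", SAMPLE_SMB1)):
        print(name, classify_negotiate_reply(sample))
```

A host that still returns `smb2_enabled: True` after the change has not picked up the workaround and should stay behind the TCP 445 filter.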
Update 2: Microsoft released a new advisory here that shows only the following OSes are affected:
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Comments
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15
gptd
Sep 8th 2009
1 decade ago
-Al
Al Thiel of YourDataCenter.com
Sep 8th 2009
1 decade ago
TheLightCosine
Sep 8th 2009
1 decade ago
Freudi
Sep 9th 2009
1 decade ago
woohoo! @stephenfewer figured out a reliable remote EIP on Vista SP1, looks portable to SP2 and other platforms #SMB2
bugbear
Sep 16th 2009
1 decade ago