Full Version: BSOD 0-day Exploit Vista/2008/Windows
Chachazz
BSOD Zero-Day Exploit: Vista/2008/Windows 7
SANS Handlers Diary
Published: 2009-09-08
Last Updated: 2009-09-08 13:09:06 UTC
by Guy Bruneau (Version: 1)


We have received a report from Tyler that Microsoft SMB2 is affected by a vulnerability and can be remotely crashed with proof-of-concept code that was published yesterday, and a Metasploit module is out.

We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled, with one packet to create a BSOD. We recommend filtering access to TCP port 445 with a firewall.

Windows 2000/XP are NOT affected by this exploit.

We will update this diary with more information as we get it.
http://isc.sans.org/diary.html?storyid=7093
Chachazz
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.
  • Release date: September 7th, 2009
  • Discovered by: Laurent Gaffié - http://g-laurent.blogspot.com/
  • Severity: Medium/High

I. VULNERABILITY
Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.

Windows Vista and newer Windows come with a new SMB version named SMB2. See:
http://en.wikipedia.org/wiki/Windows_Vista...ssage_Block_2.0 for more details.

IMPACT
An attacker can remotely crash, without any user interaction, any Vista/Windows 7 machine with SMB enabled.
Windows XP, 2k are NOT affected as they don't have this driver.

SYSTEMS AFFECTED
Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly Win Server 2008
as it uses the same SMB2.0 driver (not tested).

SOLUTION
Vendor contacted, but no patch available for the moment.
Close SMB feature and ports, until a patch is provided.

Insecure.org Full Disclosure