nCircle VERT Blog

Vista/Windows 7 SMB Blue Screen of Death

It would appear as though this has been a bad month for Microsoft. We started the month with the IIS FTP DoS and now, less than 24 hours before Patch Tuesday officially kicks off, we have an SMB BSOD (reportedly affecting Vista, Windows 7 and possibly Server 2008). I have confirmed that it works against Windows Vista. The report, along with source code, was released on the vulnerability discoverer's blog.

Microsoft's !exploitable Crash Analyzer reports the following:


1: kd> !exploitable
Warning: Unable to read from the TEB in the current thread.
Warning: Unable to read from the TEB in the current thread.
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at srv2!Smb2ValidateProviderCallback+0x00000000000004ec (Hash=0x4f46440f.0x7c4b5e55)

In other words, the data read from the faulting address is later used to decide whether or not a branch is taken in srv2!Smb2ValidateProviderCallback, which is why the tool does not classify the crash as a plain DoS and reports UNKNOWN instead.

The standard advice of blocking TCP ports 139 and 445 at the firewall is pretty solid here, and another option for people (a standard step I take before attending any conferences) is to disable the Server service.
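As an added example (not from the original post), here is what those two mitigations look like when typed into an elevated PowerShell session on Vista or Server 2008, plus a check that they took. The firewall rule names are my own choice; both steps also break file and printer sharing from this host, so they suit a laptop headed to a conference rather than a file server.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on Vista / Server 2008. Rule names below are arbitrary (my own choice).

# 1. Stop and disable the Server service (LanmanServer), which is what the
#    srv/srv2 drivers serve.
Stop-Service -Name LanmanServer -Force
Set-Service  -Name LanmanServer -StartupType Disabled

# 2. Belt and braces: block inbound NetBIOS session (139) and direct-hosted
#    SMB (445) in the Windows Firewall, in case the service is re-enabled later.
netsh advfirewall firewall add rule name="VERT block SMB 139" dir=in action=block protocol=TCP localport=139
netsh advfirewall firewall add rule name="VERT block SMB 445" dir=in action=block protocol=TCP localport=445

# 3. Verify. Expect State=Stopped and StartMode=Disabled; the netstat line lists
#    anything still bound to 445 (PID 4 is the kernel) so you can see whether the
#    firewall rules are now doing the work.
Get-WmiObject Win32_Service -Filter "Name='LanmanServer'" | Select-Object Name, State, StartMode
netsh advfirewall firewall show rule name="VERT block SMB 445"
netstat -ano | Select-String ':445 '

# To undo once the patch is installed:
# netsh advfirewall firewall delete rule name="VERT block SMB 139"
# netsh advfirewall firewall delete rule name="VERT block SMB 445"
# Set-Service -Name LanmanServer -StartupType Automatic; Start-Service -Name LanmanServer
```

Blocking the ports on the host firewall alone does nothing for a machine that is moved onto a network where the perimeter rules don't apply, which is why the service disable is the step worth doing before travelling.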

nCircle customers can use the following Focus query to find vulnerable systems:
(os:"Windows Vista" or os:"Windows Server 2008" or os:"Windows 7") AND app:"Direct SMB"



Comments (1)

Brent West:

We have been able to confirm that Vista is vulnerable, as well as Server 2008. It appears that Server 2008 R2 and Windows 7 are not vulnerable to this particular attack.



About

This page contains a single entry from the blog posted on September 7, 2009 11:11 PM.

The previous post in this blog was The Browser Landscape is a Scary Place These Days.

The next post in this blog is SMB2 Vulnerability -- Affected Platforms.




Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vulnerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.
