Results 1 to 2 of 2

Thread: Vulnerability Report for Windows SMB DoS - SMBdie

  1. September 5th, 2002, 03:03 AM #1
    sumdumguy
    sumdumguy is offline
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210

    Vulnerability Report for Windows SMB DoS - SMBdie

    more details found here

    Summary
    SMB stands for "Server Message Block" and is also known as CIFS (Common Internet File System). This protocol is intended to provide an open cross-platform mechanism for client systems to request file services from server system over a network. Current CIFS implementation under Windows runs over port TCP/139 and/or port TCP/445 (Direct Host), depending whether NetBIOS over TCP/IP is enabled or not.
    The SMB_COM_TRANSACTION command allows the client and the server to define functions specific to a particular resource on a particular server. The functions supported are not defined by the protocol itself but by client and server implementations.
    By sending a specially crafted packet requesting the NetServerEnum2, NetServerEnum3 or NetShareEnum transaction, an attacker can mount a denial of service attack on the target machine. It might be possible to abuse this vulnerability to execute arbitrary code, although the research performed so far cannot confirm this possibility (see 'Technical Description' below for information that is more precise).
    In order to exploit the vulnerability a user account is needed for the NetShareEnum transaction and only anonymous access is necessary for NetServerEnum2 and NetServerEnum3.
    Windows operating system ship with anonymous access enabled by default and is therefore vulnerable to a denial of service attack.
    The effect of an attack will trigger an operating system halt (Blue Screen) as shown below (memory addresses may vary):
    *** STOP: 0x0000001E (0xC0000005, 0x804B818B, 0x00000001, 0x00760065)
    KMODE_EXCEPTION_NOT_HANDLED
    *** Address 804B818B base at 80400000, DateStamp 384d9b17 0 ntoskrnl.exe
    The physical memory is dumped and the system restarted (unless configured otherwise).


    Details
    Vulnerable systems:
    The problem was identified and tested on:

    - Windows NT 4.0 Workstation/Server
    - Windows 2000 Professional/Advanced Server
    - Windows XP Professional

    With all service packs and security HotFixes applied.

    Solution/Vendor Information/Workaround:
    Microsoft has released a fix to the problem. Refer to Microsoft Security Bulletin MS02-045 for patches and fixes to vulnerable systems.

    http://www.microsoft.com/technet/tre...n/MS02-045.asp
    fix is found here

    risk assessment low, additional info found here , here, and here
    Reply With Quote Reply With Quote
  2. September 6th, 2002, 08:03 PM #2
    t2k2
    t2k2 is offline
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Yeah, I read some sort of review for this where someone tested the SMBdie.exe, and it crashed all windows machines...pretty wicked. They positioned it as a way to force a reboot to finish the install/configuration of a virus or something...


    I just tried testing the SMBdie.exe and it was removed by my virus scan application as soon as I double-clicked on the icon...how about that! I'm sure it could still work on a machine without the virus scan enabled as long as it was running NetBios. The good thing is that we have our virus client password-protected so the users cannot disable it very easily.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules