Windows SMB Exploit Code Released After No Fix From MS


straycat19


Last weekend a security researcher publicly disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft failed to patch it in the past three months.

The zero-day memory corruption flaw resides in the implementation of the SMB (server message block) network file sharing protocol and could allow a remote, unauthenticated attacker to crash systems with a denial-of-service attack, which would then open them to more possible attacks.

According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but this has not been confirmed by Microsoft right now.

Without revealing the actual scope of the vulnerability and the kind of threat the exploit poses, Microsoft has just downplayed the severity of the issue, saying:

"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

However, the proof-of-concept exploit code, Win10.py, has already been released publicly for Windows 10 by security researcher Laurent Gaffie and does not require targets to use a browser.

The memory corruption flaw resides in the manner in which Windows handles SMB traffic and could be exploited by attackers; all they need to do is trick victims into connecting to a malicious SMB server, which could easily be done using clever social engineering tricks.

"In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure," CERT said in the advisory.

"By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys."

Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft, all Windows users are left open to potential attacks at this time.

Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or an out-of-band patch), Windows users can temporarily fix the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN.

Source

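As an added example (not from the article, CERT, or the PoC the post mentions), here is a Python check that a defensive SMB inspection point (an inline proxy or IDS rule backend) could apply to a server's SMB2 TREE_CONNECT Response, flagging the condition CERT describes: bytes present beyond the fixed 16-byte response structure. Field offsets follow the published MS-SMB2 layout; the sample messages are constructed for the check, not captured traffic.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003            # Command value for TREE_CONNECT
SMB2_FLAGS_SERVER_TO_REDIR = 0x01     # header flag set on responses
TREE_CONNECT_RESP_LEN = 16            # StructureSize of a TREE_CONNECT Response


def check_tree_connect_response(packet: bytes) -> dict:
    """Inspect one message as carried over TCP 445 (4-byte NetBIOS session
    header + SMB2 header + body). 'excess' is the number of bytes present
    beyond the 16-byte TREE_CONNECT Response structure; 'suspicious' is set
    whenever the body is not exactly that structure."""
    if len(packet) < 4 or packet[0] != 0:
        raise ValueError("not a NetBIOS session message")
    declared = int.from_bytes(packet[1:4], "big")
    smb = packet[4:]
    if len(smb) != declared:
        raise ValueError(f"NetBIOS length {declared} != payload {len(smb)}")
    if smb[:4] != SMB2_MAGIC or len(smb) < SMB2_HEADER_LEN:
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", smb, 12)[0]
    flags = struct.unpack_from("<I", smb, 16)[0]
    if command != SMB2_TREE_CONNECT or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return {"tree_connect_response": False, "excess": 0, "suspicious": False}
    body = smb[SMB2_HEADER_LEN:]
    structure_size = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else 0
    excess = len(body) - TREE_CONNECT_RESP_LEN
    return {"tree_connect_response": True, "structure_size": structure_size,
            "excess": excess,
            "suspicious": structure_size != TREE_CONNECT_RESP_LEN or excess != 0}


def build_tree_connect_response(trailing: bytes = b"") -> bytes:
    """Constructed sample message (not captured traffic) used to exercise the
    check: a minimal SMB2 TREE_CONNECT Response for a disk share, with
    `trailing` extra bytes appended to model the malformed case CERT describes."""
    header = bytearray(SMB2_HEADER_LEN)
    header[0:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 4, SMB2_HEADER_LEN)               # StructureSize
    struct.pack_into("<H", header, 12, SMB2_TREE_CONNECT)            # Command
    struct.pack_into("<I", header, 16, SMB2_FLAGS_SERVER_TO_REDIR)   # Flags
    # StructureSize, ShareType (1 = disk), Reserved, ShareFlags, Capabilities, MaximalAccess
    body = struct.pack("<HBBIII", TREE_CONNECT_RESP_LEN, 1, 0, 0, 0, 0x001F01FF)
    smb = bytes(header) + body + trailing
    return b"\x00" + len(smb).to_bytes(3, "big") + smb
```

A well-formed response yields excess == 0; anything else is worth alerting on at the perimeter, alongside the port blocking the post recommends.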

Why don't you post the hyperlinks from the source? Where we can see where it's at?

Here is the proof of concept; I had to go to the source to find it.

https://github.com/lgandx/PoC/blob/master/SMBv3%20Tree%20Connect/Win10.py

Anywho, if this is getting through it's due to you using a poor firewall.

Quote:

if you're already inside a network or they have poor firewall allowing SMB to internet, sure. WPAD etc.

https://twitter.com/PythonResponder/status/826926681701113861

They have to be inside your network or have a poor firewall for it to work.



56 minutes ago, player said:

it is not the exploit described in this post, which is as of now unfixed

this one you linked was fixed last November ("08/11/2016 - Vendor release MS16-137.")

I found it by now and posted the right one. It was the OP's fault that they did not post the hyperlinks in their post. I corrected mine. I never would have asked or got confused if he had posted right.

If you look at the source, the links are here: https://github.com/lgandx/PoC/blob/master/SMBv3%20Tree%20Connect/Win10.py

https://twitter.com/PythonResponder/status/826926681701113861

https://www.kb.cert.org/vuls/id/867968

lol, this gives them something to patch on the 14th. This is not the 1st time this has happened with M$ or Google; by law they have 90 days to patch. One time Google was posting them as soon as they found them on Microsoft, and they made a 90 day law to stop Google, and both Microsoft and Google have been caught not patching things past 90 days since.

If there was no law there would be news of this every day.

There's no need to fear the known; it's the 0-day bugs in the wild they never made public, and the ones the hackers may never make public at all that may be out there for years, that you need to worry about. That's why you must do everything you can to protect yourself now, today, and not just depend on patches alone.

Proprietary software vendors most of the time wait 90 days to patch any reported ones; some of them may be years old before a researcher finds them, and by the time they've patched them blackhats have already made new ones. Linux patches stuff that's reported as soon as it's found.

This makes people who say they don't do updates since GWX look even more crazy, and people who use shitty FWs that don't work well are really in trouble. :P
