Wednesday, September 9, 2009

Even The Most Secure is not secure.....

"It is not a question of 'if' the software you use will be hacked but a question of 'when'. Secure computer software is an oxymoron."
Windows Vista/Seven have always been touted as the most secure OSes. A 0-day has now been discovered by Laurent Gaffié in their SMB 2.0 implementation: a malformed Negotiate Protocol Request lets a remote attacker crash (BSOD) any system whose OS speaks SMB 2.0, a denial of service against the whole host and not just the file-sharing service.

Vulnerable OS: Windows Vista (including SP2), Windows Server 2008 (including SP2), and the Windows 7 / Server 2008 R2 release candidates
(Windows 7 RTM and Server 2008 R2 RTM are not vulnerable to this exploit; the 7 / 2008 R2 RCs are, as are Vista / 2008.)
Any of these systems with File and Printer Sharing enabled (Network and Sharing Center) listens on TCP 445 (and 139 over NetBIOS) and is exposed. No credentials are needed: the Negotiate Protocol Request is the first message of an SMB session, sent before any authentication.

More info can be found at:
http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

The 0-day was posted to the Full-Disclosure mailing list on 7 September 2009, and a Metasploit auxiliary DoS module followed within a day of the disclosure:
http://trac.metasploit.com/browser/framework3/trunk/modules/auxiliary/dos/windows/smb/smb2_negotiate_pidhigh.rb
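The Metasploit module name gives away the trigger: a Negotiate Protocol Request whose "Process ID High" header field is non-zero, where a well-formed client always sends zero. The following Python is an added example for this post (it is not Laurent Gaffié's PoC, the Metasploit module, or code from the original page) that parses an NBSS-framed SMB1 negotiate request, extracts that field and the offered dialects, and flags the malformed case; that is the check a sensor in front of an unpatched SMB 2.0 host would run on the first client message of each TCP 445 session. The packet builder, the dialect list and the sample values are constructed for the example, and nothing here opens a socket.

```python
import struct

# SMB1 header: 4-byte protocol id, command, status, flags, flags2, PID high,
# 8-byte signature, reserved, TID, PID low, UID, MID (32 bytes, little-endian).
SMB_HDR_FMT = "<4sBIBHH8sHHHHH"
SMB_HDR_LEN = 32
NBSS_HDR_LEN = 4
SMB_COM_NEGOTIATE = 0x72

# Dialect list modelled on what a 2009-era Windows client offers; "SMB 2.002"
# is the dialect that brings SMB 2.0 into the negotiation (constructed for this example).
DEFAULT_DIALECTS = [
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002",
]


def build_negotiate(dialects=DEFAULT_DIALECTS, pid_high=0):
    """Build an NBSS-framed SMB1 Negotiate Protocol Request as test input.

    pid_high is the 'Process ID High' field at header offset 12; well-formed
    clients send 0. Flags/flags2/TID/PID-low values are typical client values.
    """
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    hdr = struct.pack(SMB_HDR_FMT, b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                      pid_high, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    body = struct.pack("<BH", 0, len(data)) + data       # WordCount=0, ByteCount, dialects
    smb = hdr + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NBSS session message + length


def parse_negotiate(pkt):
    """Parse NBSS + SMB1 header; for a Negotiate request also parse the dialect list."""
    if len(pkt) < NBSS_HDR_LEN + SMB_HDR_LEN:
        raise ValueError("too short for NBSS + SMB header")
    if pkt[0] != 0x00:
        raise ValueError("not an NBSS session message")
    nbss_len = int.from_bytes(pkt[1:4], "big")
    smb = pkt[NBSS_HDR_LEN:NBSS_HDR_LEN + nbss_len]
    if len(smb) != nbss_len or len(smb) < SMB_HDR_LEN or smb[:4] != b"\xffSMB":
        raise ValueError("truncated frame or not an SMB1 header")
    (_, command, _status, _flags, _flags2, pid_high, _sig, _res,
     _tid, pid_low, _uid, _mid) = struct.unpack_from(SMB_HDR_FMT, smb, 0)
    info = {"command": command, "pid_high": pid_high, "pid_low": pid_low, "dialects": []}
    if command == SMB_COM_NEGOTIATE:
        if len(smb) < SMB_HDR_LEN + 1:
            raise ValueError("Negotiate without WordCount")
        wct = smb[SMB_HDR_LEN]
        bcc_off = SMB_HDR_LEN + 1 + 2 * wct
        if len(smb) < bcc_off + 2:
            raise ValueError("Negotiate truncated before ByteCount")
        bcc = struct.unpack_from("<H", smb, bcc_off)[0]
        data = smb[bcc_off + 2:bcc_off + 2 + bcc]
        if len(data) != bcc:
            raise ValueError("ByteCount exceeds frame")
        # Dialects are encoded as 0x02 + ASCII name + NUL, back to back.
        for item in data.split(b"\x00"):
            if item.startswith(b"\x02"):
                info["dialects"].append(item[1:].decode("ascii", "replace"))
        info["smb2_offered"] = "SMB 2.002" in info["dialects"]
    return info


def classify_negotiate(pkt):
    """Return (verdict, reason); 'alert' means a Negotiate with non-zero Process ID High."""
    try:
        info = parse_negotiate(pkt)
    except ValueError as exc:
        return "malformed", str(exc)
    if info["command"] != SMB_COM_NEGOTIATE:
        return "ignore", "not a Negotiate Protocol Request"
    if info["pid_high"] != 0:
        return "alert", "Negotiate with Process ID High = 0x%04x (expected 0)" % info["pid_high"]
    return "ok", "Negotiate offering %d dialects, SMB2 offered: %s" % (
        len(info["dialects"]), info["smb2_offered"])


if __name__ == "__main__":
    # Constructed samples: a normal request and one with the field set.
    for label, pkt in (("benign", build_negotiate()),
                       ("malformed", build_negotiate(pid_high=0x0001))):
        print(label, classify_negotiate(pkt))
```

In production the bytes would come from a capture or a TCP 445 tap rather than the builder; the parser is deliberately strict about the NBSS length and ByteCount so that a crafted frame cannot make the sensor itself misbehave, and any "alert" verdict against an unpatched host from the list above is worth an immediate block of the source.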

Defences: As no patch is available at the moment, the only options are either to disable SMB 2.0 altogether or to keep untrusted machines off your network so that they cannot reach the service at all.

a) The first defence comes at the cost of one of the most important and most used network services: with SMB 2.0 disabled the server falls back to SMB 1.0 (sharing keeps working, but without the SMB 2.0 improvements), and the change needs a restart of the Server service to take effect. How to disable SMB 2.0 is described here:
http://blogs.technet.com/askperf/archive/2008/05/30/two-minute-drill-overview-of-smb-2-0.aspx

b) For the second defence, physical security gives some protection on a wired network, but it gets complicated for wireless because of its borderless nature. Consider these scenarios:

DoS against an enterprise network:
An attacker can get onto the enterprise network through a misconfigured AP or a rogue AP. Once on the network, the attacker can launch this DoS and crash every host running a vulnerable OS. Finding those hosts is not difficult: any network scanner with OS fingerprinting will do.

DoS against a wireless client:
Using wifishfinder, the attacker can easily list the SSIDs (with their security settings) that an unassociated client probes for; these are the networks the client is willing to connect to. If any of them is vulnerable to a honeypot attack, the attacker can make the client associate with a honeypot AP without any interaction from the user, then send the malformed negotiate request to the client (which must have file sharing enabled, as noted above), and the client gets a BSOD.

Keep looking for more updates......

1 comment:

  1. Microsoft released an advisory today...
    http://www.microsoft.com/technet/security/advisory/975497.mspx

    And yes...it works like a charm..just crashed a Vista machine :)
