Vista SMB 2.0 exploitable hole points to need for new filters
Nearly two years ago, I proclaimed Microsoft's adoption of Server Message Block version 2 the #6 of ten best new features of Windows Server 2008. Essentially, it provides a way for servers utilizing the Common Internet File System to utilize modern filing tools such as symbolic links and transaction batches, to expedite the process of sending large files over the Internet.
It has taken this long for anyone to find what was described earlier today as a glaring hole in Windows SMB 2.0 security, but it's an embarrassing little hole nonetheless: A security researcher discovered that if you get the order of the words in the SMB 2.0 message headers wrong, in such a way that you end up sending an ampersand (&), where a zero should be in the high word of the Process ID field, then you can end up sending a message block that could literally crash the remote recipient. Conceivably, an exploit could be crafted that could remotely crash a Vista-based client.
The "in-security community," which no longer relies upon its own means to develop exploits but instead now waits for real researchers to do the job for them, pounced on the proof of concept after it was independently published by Laurent GaffiƩ, a security consultant for UK-based Byethost Hosting. But although GaffiƩ's comments clearly show the proof-of-concept was tested on Windows Vista SP2, the usual suspects proffered their story of the PoC as a "Windows 7 exploit," or at least, one in the making. At some point, apparently, a "/7" was added to the list of operating systems affected, even though there is no such thing yet as "Windows 7 SP1."
Meanwhile, Germany-based Heise Security tested the PoC, and while its team validated its impact on Vista, "the exploit had no apparent effect on a computer running Windows 7."
Heise's report today suggested that about the only way for Vista-based clients to protect themselves against a possible exploit would be to use their firewalls to close port 445. Veteran security researchers are already familiar with port 445, and have recommended that clients keep that port closed anyway.