New SMB bug: How to crash Windows system with a 'link of death'

US CERT on Thursday issued a security advisory warning that all currently supported versions of Windows are vulnerable to a memory corruption bug that can be exploited to crash computers from afar. "Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined …

  1. silent_count
    Facepalm

    If it compiles, ship it

    "This mean that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems."

    Honestly now, is anyone surprised?

    1. Mikel

      Re: If it compiles, ship it

      Surprised? Not really. Nobody at Microsoft really knows how SMB file sharing actually works any more. They had to have the Samba team come in and prepare the documentation for them.

      1. tr1ck5t3r

        Re: If it compiles, ship it

        > Nobody at Microsoft really knows how SMB file sharing actually works any more

        MS like all typical big businesses with a corporate mindset got rid of the staff that originally worked on most of windows core anyway. Even the dude who wrote the core of MS Word is long gone now.

        MS made redundant their expertise in return for short term profit, and if you really understand capitalism, the everlasting light bulb and the Phoebus Cartel, you'll know these are nothing more than deliberate actions on the part of MS, but your EULA means you can't sue them.

        It would be illogical to draw any other conclusion.

        https://en.wikipedia.org/wiki/Phoebus_cartel

        They are the corporate heroin dealers of software, you want to leave and use another operating system, but you can't as the software you need doesn't exist elsewhere.

        You want an alternative but they just don't exist, the same conformity that ushered in the Nazis is now being used against you, people are lazy, they have been told you can't go wrong with MS, it used to be you can't go wrong with IBM, tomorrow it will be some other company you have yet to hear of.

        Face it, we are all corporate clones with just enough intelligence to recognise some problems but not enough intelligence to come up with a solution.

        1. Doctor Syntax Silver badge

          Re: If it compiles, ship it

          "your EULA means you cant sue them"

          Except where it fails on the ground of statute law.

          1. Anonymous Coward
            Anonymous Coward

            Re: If it compiles, ship it

            you cant sue them"....Except where it fails on the ground of statute law

            You could in theory sue them, yes. But under UK rules that lawyers have to abide by, they'll want proof that you can pay your own and Microsoft's costs if you lose. In the putative case of Syntax vs Microsoft, no lawyer would be allowed to take the case unless you're a billionaire. Nobody would even take the case on through a no-win, no-fee basis, because you or they would still be exposed to Microsoft's costs if you lost. The only way that statute law can be used in civil cases against Microsoft are:

            a) Small claims they can't be arsed to defend, for perhaps a couple of hundred notes

            b) Where the state takes a civil case against Microsoft

            c) Where a third party litigation funder will finance the case (and take most of any settlement)

            And there are companies that exist solely as litigation funders. But they are an extension of the patent trolling industry. You only go to these people when you've got a bullet proof, high value case yet nobody else will touch it. And even then, you still need to find a law firm with the competence to take on the legal A-listers that big companies will happily pay for. Sadly, you and I have little or no redress against big companies if they want to take a stand.

            Note for US readers: In the UK, in a civil law case, the losing party usually has to pay the winning party's legal costs. That normally works much better than the US "each to pay their own" system, in that it discourages risky or frivolous cases, but it does mean that your lawyer has to believe (or in high value cases, have proof) you can cover the costs of both sides before a lawyer will take the case.

            1. a_yank_lurker

              Re: If it compiles, ship it

              @Ledswinger - The EULA may be void in many jurisdictions and depending on the jurisdiction a nasty civil suit may be much easier to get started. Also, there may be criminal statutes that could come into play for various jurisdictions. All it really takes is for someone to file the nuclear lawsuit on the Slurp in a legally unfriendly jurisdiction to have the hammer drop very hard. US is probably friendlier for certain types of cases but check local product liability laws particularly the criminal ones.

              Lose a couple of major lawsuits and watch the legal beagles salivate worldwide because much of the work has already been done in another jurisdiction. Think VW in the US, if anyone wishes to come after VW most of the legal work has been done for you by the ferals free of charge. Slurp's primary defences seem to be inertia and FUD - too lazy to make the change away and too scared to sue when you have a strong case under local laws. It only takes a few in both areas to break the logjam and the whole rotten edifice to crash.

          2. Anonymous Coward
            Anonymous Coward

            Re: If it compiles, ship it

            Surely they have an obligation to provide things with reasonable care / skill / fitness for purpose - which becomes debatable if the supplier knows of a flaw, can rectify it, yet chooses not to? For services, the UK wording is

            "where the supplier is acting in the course of a business, there is an implied term that the supplier will carry out the service with reasonable care and skill"

            If the EULA tries to get out of those duties, it will fail the statute law test, surely?

      2. Anonymous Coward
        Anonymous Coward

        'Nobody at Microsoft really knows how SMB file sharing actually works any more'

        Probably because the original design is from IBM, not MS. While Samba benefitted greatly when the EU ruling forced MS to disclose its protocols specs for interoperability.

    2. a_yank_lurker

      Re: If it compiles, ship it

      No, with Slurp I am sometimes surprised if they got a clean compile. </snark>

    3. Doctor Syntax Silver badge

      Re: If it compiles, ship it

      Except the fix appears to have compiled and they didn't ship it.

    4. Howard Hanek
      Terminator

      Re: If it compiles, ship it

      I imagine over the years that MSs code auditors simply atrophied into complete immobility and sustained for a while by life support systems that were later eliminated through budget cuts. Their naturally mummified remains were uncovered by cleaning staff recently but their identities remain a mystery as all records concerning them were expunged.

    5. Anonymous Coward
      Anonymous Coward

      Re: If it compiles, ship it

      I have little sympathy for anyone still using Windows at this point. At one point, people had to use Windows. Now there are plenty of options on the server side and Mac/Chrome OS/Linux (not to mention Android and iOS) on the end user side. You don't have to go get some Linux distro from a small company or no company if that concerns you. You can buy an OS with enterprise support from Apple or Google, the number one and two most valuable companies in the world (pretty enterprise legit). People who use Windows anyway should just expect this sort of thing.

      1. Anonymous Coward
        Anonymous Coward

        Re: If it compiles, ship it

        Did you notice Apple switched to SMB as its default network file system? And even in many Linux setups Samba is preferred to NFS due to the known NFS issues, especially in NFS 3?

        1. hmv

          Re: If it compiles, ship it

          Just because Linux and Apple can do SMB or CIFS doesn't mean they're vulnerable to this. Of course being appropriately paranoid means assuming they are vulnerable until demonstrated otherwise.

      2. ArrZarr Silver badge

        Re: If it compiles, ship it

        At work, I use excel all day, often with large amounts of data so that even excel for windows creaks under the strain. What is your replacement?

        At home, I game. What is your replacement?

        It's all very well saying that your use case is supportable under mint flavoured gnome sized penguins but computers are used for a lot of things[citation needed]

        1. Anonymous Coward
          Anonymous Coward

          Re: If it compiles, ship it

          "At work, I use excel all day, often with large amounts of data so that even excel for windows creaks under the strain. What is your replacement?"

          Answer - Google Apps (G Suite). It runs on a cluster of servers. If you are working with large amounts of data on a PC, you are doing it wrong. Data belongs on servers.

          "At home, I game. What is your replacement?"

          Answer - PS4.

  2. Mr Flibble
    FAIL

    Interesting… the bug was submitted to Microsoft, they ‘fixed’ it then released it anyway before applying the fix. Why not merely revert the bug or just not apply it to their code in the first place?

    Or was it a bug report which was submitted and later released…

  3. Bronek Kozicki

    Just a quick check

    Blocking following ports for outbound traffic on the firewall should mitigate the problem, right?

    TCP ports 137 139 445

    UDP ports 137 138

    Did I miss something?

    1. Doctor Syntax Silver badge

      Re: Just a quick check

      "Did I miss something?"

      Malicious server inside the firewall.

      The ports having to be open for reasons which apply in a potential victim's use case but not in yours.

      Maybe others.

      1. Roland6 Silver badge

        Re: Just a quick check

        >Malicious server inside the firewall.

        I thought he was referring to the Windows (client) firewall, given SMB was (is?) a local LAN service. But thinking about it you are probably correct, although I'm not sure why I would want to run a malicious server as a vm inside the Windows firewall.

        1. Doctor Syntax Silver badge

          Re: Just a quick check

          "SMB was (is?) a local LAN service"

          Generally but it relies on IP addressing, unlike the old Netware protocol which wasn't routeable. This extract from TFA doesn't mention any such restrictions:

          "This can be done by tricking a victim into clicking on a malicious link to a share in an email in Outlook, or by embedding in a webpage an invisible image with a source URL to an evil file server and getting the mark to visit the site using Internet Explorer, for example."

          1. Anonymous Coward
            Anonymous Coward

            Re: Just a quick check

            You CAN route IPX, although I feel sorry for the poor sod still using it!

            1. P. Lee

              Re: Just a quick check

              >You CAN route IPX, although I feel sorry for the poor sod still using it!

              Remember when Netware was slated for having no memory protection between processes?

            2. Anonymous Coward
              Anonymous Coward

              Re: Just a quick check

              "You CAN route IPX"

              Yes. Your IPX address(es) are generally the MAC address of the interfaces and they are associated with a subnet address of the form aabbccdd ie 32 bit. See https://en.wikipedia.org/wiki/Internetwork_Packet_Exchange for details.

              I get flashbacks nowadays when setting up IPv6 (mmm RIPnSAP vs SLAAC) 8)

            3. Anonymous Coward
              Anonymous Coward

              Re: Just a quick check

              Nothing wrong with IPX/SPX, just lack of central control limited extension; it does pretty much everything TCP/IP does with lower overhead.

              Not really surprising as the former was inspired by the latter but for PCs, when they weren't powerful enough for full fat Unix.

              1. Roland6 Silver badge

                Re: Just a quick check

                Not really surprising as the former was inspired by the latter but for PCs, when they weren't powerful enough for full fat Unix

                Netware, like many networking systems targeted at workstations, was based on Xerox Network System (XNS), which was designed for use on LANs, i.e. over high-speed low-error media such as Ethernet (another Xerox invention that was inspired by ALOHAnet), unlike TCP/IP. Additionally

                As for PCs not being powerful enough for full fat Unix, that's an interesting take on the computing scene in the 1970's and early 1980's when these protocol suites were being developed...

          2. Roland6 Silver badge

            Re: Just a quick check

            re: "This can be done by tricking a victim into clicking on a malicious link to a share in an email in Outlook, or by embedding in a webpage an invisible image with a source URL to an evil file server "

            Yes I read that and did scratch my head, I admit I did dismiss it as hype (ie. making the danger seem greater than it really is). But then the only times I've used SMB and other local network services over the Internet has been via VPN and hence effectively still on the same subnet.

            But then given the pressure to enhance the Apple Bonjour discovery service to support multiple subnets, it is hardly surprising that such local subnet services will deliver unexpected surprises when enhanced to support wider access.

        2. Kiwi
          Trollface

          Re: Just a quick check

          although I'm not sure why I would want to run a malicious server as a vm inside the Windows firewall.

          Why not? With all the other malicious/slurpy code running inside a Windows box these days, who'd notice a little extra?

        3. Anonymous Coward
          Stop

          Re: Just a quick check

          Who said that "you" are the one to setup and run a VM, or configure a server for SMB, on your local network? Makes a nice APT for the unwary.

          1. Anonymous Coward
            Anonymous Coward

            Re: Just a quick check

            "Not really surprising as the former was inspired by the latter but for PCs, when they weren't powerful enough for full fat Unix"

            Isn't it more that people couldn't afford UNIX?

            Also indeed - who allows SMB through the perimeter firewalls, and if it needs to be a local malicious SMB share you need another vulnerability to get that going.

        4. Bronek Kozicki
          Facepalm

          Re: Just a quick check

          I was referring to a firewall at the network boundary, blocking outgoing SMB traffic. If I have a malicious server inside the firewall I'm f*d anyway, no matter whether or not my SMB client layer is buggy (e.g. because such a server could hijack DHCP and then apply MitM rather than exploit SMB, to list one of many possible attack scenarios). To protect against that threat, a half-solution could be to set up IPsec + DNSSEC on the internal network, but really? Do I have to go there in the context of the vulnerability discussed here? I am not even a full-time network administrator for f* sake! If I was I wouldn't be asking stupid questions, like the one above.
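The same port list, applied on the Windows host itself rather than at the network boundary, as an added example that is not part of the thread. It uses the built-in Windows Firewall cmdlets to block outbound SMB/NetBIOS to addresses outside the local subnet; the rule and group names are arbitrary choices made here. As Doctor Syntax pointed out above, a malicious server on the local subnet is not covered by this.

```powershell
# Added example, not from the thread. Host-level version of the port list
# Bronek gave: TCP 137/139/445 and UDP 137/138, outbound, blocked when the
# destination is outside the local network. Run in an elevated PowerShell.
# Rule names and the group name are arbitrary choices made here.
$group = 'Block outbound SMB (example)'

$rules = @(
    @{ Proto = 'TCP'; Ports = @(137, 139, 445) },
    @{ Proto = 'UDP'; Ports = @(137, 138) }
)

foreach ($r in $rules) {
    $name = "$group - $($r.Proto)"
    # Remove a stale copy first so the script can be re-run safely
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    # 'Internet' is the firewall's keyword for any address that is not on a
    # local subnet; traffic to shares on the LAN is left alone
    New-NetFirewallRule -DisplayName $name -Group $group `
        -Direction Outbound -Protocol $r.Proto -RemotePort $r.Ports `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Verify: print each rule with its protocol, ports, address scope and action
Get-NetFirewallRule -Group $group | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    '{0}: {1} {2} -> {3} ({4})' -f $_.DisplayName, $pf.Protocol,
        ($pf.RemotePort -join ','), $af.RemoteAddress, $_.Action
}
```

Remove the rules again with `Remove-NetFirewallRule -Group 'Block outbound SMB (example)'`.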

        5. Tom 7

          Re: Just a quick check

          Not sure why I would want to run a malicious server....

          I have a feeling that my Android phone can serve files to windows machines. And iphones too?

    2. phuzz Silver badge

      Re: Just a quick check

      SMB will indeed work via the internet, although the only time I've ever seen it used is: \\live.sysinternals.com\tools

      which is a share containing the up to date versions of the sysinternal toolkit (it's not that speedy though).

  4. Anonymous Coward
    Terminator

    Yet more Microsoft Innovation ®

    "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible"

    "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection" ref

    1. Kiwi
      Linux

      Re: Yet more Microsoft Innovation ®

      "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible"

      That must be that AC we used to see here so often, who no matter how bad MS was would always defend them and would say stuff like ".DOC virus infecting millions of users in 2016 isn't at all bad, Unix is worse coz in the 1970's Unix had some pretty nasty bugs too!" or somesuch..

      "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection" ref

      Ah, good ol Dan Goodin. Haven't seen his byline around here in a while and was kinda wondering where he was :) As to using Edge/IE-any-version or Win-any for protection? When a nasty .DOC can still compromise the OS? I got your security right there -->

    2. Anonymous Coward
      Anonymous Coward

      Re: Yet more Microsoft Innovation ®

      "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible"

      Sounds like a Microsoft contraction... they are going to proactively update impacted devices, just as soon as someone tells them about it.

  5. Kiwi
    Linux

    Win 10, a complete re-write from scratch!

    Including a full rewrite of the Win95 shutdown bug!

    Ok, I've spent some time googling and cannot find a reference to it (surprisingly "windows 95 ie shutdown bug" brings up a ton of links!). But from what I recall, there was a bug that a specific code in a web page would cause 95 to either shutdown or reboot (or maybe bluescreen?) if the page was visited using IE.

    Which somehow made today's story sound kinda familiar...

    1. Tom 7

      Re: Win 10, a complete re-write from scratch!

      If Win10 is a complete rewrite from scratch can we expect things like .NET to fully run on ARM? I have a hunch not!

    2. patrickstar

      Re: Win 10, a complete re-write from scratch!

      The bug that comes to mind is the "file:///con/con" one. And that was very 9x specific as it had to do with DOS pseudo-device handling, probably somewhere deep inside VMM32.VXD or DOS itself.

      By the way, Win10 isn't a complete rewrite and no one at MS has ever claimed it is... No idea what the origin of this myth is, but it pops up on Reg forums (and nowhere else!) from time to time. Usually about Win7 though.

      1. Kiwi
        Linux

        Re: Win 10, a complete re-write from scratch!

        By the way, Win10 isn't a complete rewrite and no one at MS has ever claimed it is... No idea what the origin of this myth is, but it pops up on Reg forums (and nowhere else!) from time to time. Usually about Win7 though.

        I would swear that I had seen some madvertising or other text from MS themselves claiming this (or at least someone from MS quoted as such in an interview or something), but I cannot find it so could be quite wrong on that. It would make more sense that 8 was supposed to be a rewrite.

        I stand corrected, and will not spread the myth that Win10 was claimed to be a rewrite until I see something from MS claiming as such.

        I personally don't think any OS should be "rewritten from scratch", but rather that code should be improved, new features maybe added (even if you save a pile of them up as a "new release"). As code gets re-visited it (generally) gets tightened, improved in speed, size and security. Re-writing from scratch opens up all sorts of avenues for new bugs to be generated.

        Win7 continued and improved, with a couple of new UI options (could've then given them 8x/10 as bolt-on UIs, though maybe the UI is too tied into the core OS in Windows for that?), some tighter code, improved libraries where needed while keeping the base APIs the same... I wouldn't be singing MS's praises, but I'd certainly have a lot less hatespeak directed at them! :)

        (Would still love the functionality, speed, security and flexibility that Linux gives me, but another 10 years of development on 7 and maybe it would've nearly gotten there :) )

    3. Anonymous Coward
      Anonymous Coward

      Re: Win 10, a complete re-write from scratch!

      @Kiwi: "I've spent some time googling and cannot find a reference to it"

      'On Aug. 27, 2004 .. Mr. Allchin had announced .. that they would "reset" Longhorn using a clean base of code that had been developed for a version of Windows on corporate server computers.'

      The problem with Windows is that it has been deliberately written in spaghetti style to prevent others easily cloning it. In the process Microsoft created the Frankenstein of Operating Systems.

      1. patrickstar

        Re: Win 10, a complete re-write from scratch!

        The quote might be referring to MinWin (a refactoring effort, basically) or something similar originally, before going through various journalist filters... I have never seen any official communication claiming a rewrite - quite the opposite in fact: https://channel9.msdn.com/shows/Going+Deep/Arun-Kishan-Farewell-to-the-Windows-Kernel-Dispatcher-Lock/

        The server versions basically just differ in what software ships with it, by the way. The kernel is identical and the userland fundamentals are the same, though with Server Core release you don't get a GUI by default.

        As to supposed intentional spaghetti style - I have read quite a bit of Windows source code and certainly never seen any sign of that. It's overall pretty darn decent and well-organized, with peaks and lows. The kernel for example is veeery well-organized and neat, to the point where it's almost uncomfortable to read.

  6. Anonymous Coward
    Anonymous Coward

    Excuses here, please

    Just a template for the inevitable "but <any other OS> has far more vulnerabilities than Windows because I'm trying to con you with alternative statistics" posts.

    Because someone will try.

    1. Anonymous Coward
      Anonymous Coward

      Re: Excuses here, please

      No need, we all agreed the number of vulnerabilities wasn't important. It was when the count came out last year and Linux won with loads more than any other OS, remember?

  7. Anonymous Coward
    Anonymous Coward

    BSOD

    "The result is a blue-screen-of-death system crash out of nowhere for the poor user."

    So how will users differentiate this from normal Windows performance?

    "Windows NT crashed.

    I am the Blue Screen of Death.

    No one hears your screams."

  8. JeffyPoooh
    Pint

    "...an invisible image..."

    "...embedding in a webpage an invisible image with a source URL to an evil file server..."

    Why would it have to invisible?

    I'm about to click on a Submit button, which is visible...

  9. Anonymous Coward
    Childcatcher

    It works

    $ sudo python2 Win10.py

    From: ('10.200.14.130', 52057)

    [*]Negotiating SMBv2.

    [*]Negotiate Protocol SMBv2 packet sent.

    [*]Session challenge SMBv2 packet sent.

    From: ('10.200.14.130', 52058)

    [*]Negotiate Protocol SMBv2 packet sent.

    [*]Session challenge SMBv2 packet sent.

    [*]Triggering Bug; Tree Connect SMBv2 packet sent.

    Disconnected from ('10.200.14.130', 52058)

    BSOD on Windows 2012 R2 server VM in my attic. Worked across a routed pair of subnets. I simply started the little python app and typed \\my_laptop_ip into Explorer.

    1. Anonymous Coward
      Anonymous Coward

      Re: It works

      All cool, but how would you exploit it on a remote target that has at least bothered with outbound/inbound firewalls and automated windows updates?

      1. Anonymous Coward
        Pirate

        Re: It works

        "All cool, but how would you exploit it "

        That was a fully patched machine that died. I gather the fix is due this patch Tuesday.

        I predict life for sysadmins in places like schools and colleges will get interesting for a while. Not to mention what a disgruntled employee might get up to. I hope your kids are on a separate VLAN as well ...

        Now how many here, let alone "out there", have proper egress default deny rules on their WAN links.

  10. John Smith 19 Gold badge
    IT Angle

    Shouldn't most protocols be implemented by state machines?

    IOW most of the code gets written by a tool.

    So a missing option would appear as an item not ticked off the list of states.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shouldn't most protocols be implemented by state machines?

      Err ... when you say "most of the code gets written by a tool" .....

  11. Anonymous Coward
    Anonymous Coward

    It can't steal data, it won't work over the internet (for most people). Why isn't this just a security researcher blowing his own horn? Oh right, because it's Microsoft, any excuse will do, got it.

    1. Anonymous Coward
      Anonymous Coward

      It's been a while for the rabble to have something to sling mud at, let them have their hour.

      I've not had a Windows machine crash on me for a long old time, not including dying hardware components or nvidia drivers. Or an odd problem with one of my motherboards where the SSD vanishes.

      1. Hans 1
        Joke

        >I've not had a windows machine crash on me for a long old time not including dying hardware components or nvidia drivers. Or an odd problem with one of my mother boards where the ssd vanishes.

        Why AC ? With so many miracles you must be a prophet, if you have proof, that is ...

        1. hplasm
          Windows

          Why..?

          "Why AC ? With so many miracles you must be a prophet, if you have proof, that is ..."

          It's slurprshill-copypasta. What a sad life, being so.

    2. Anonymous Coward
      Anonymous Coward

      "it won't work over the internet "

      It can work over the internet for most people. Very few people bother with a default deny egress rule, well they probably do have one implied but it will have an allow all outbound in front of it *sigh*

      \\w.x.y.z and \\host.example.co.uk will all find the other end across routers.

  12. Erlang Lacod

    And the level of damage this will cause is ... ? Sounds more like a practical joke than an exploit really.

  13. Anonymous Coward
    Anonymous Coward

    It's just another BSOD among many on Windows 10...

  14. doomicle

    3 years later, and this just started happening on my Win10 PC

    This is still not fixed? Recently I've been accessing samba shares from my Unraid NAS, and blam... Windows screen goes blank, and computer instantly goes to bios boot screen...
