What You May Not Know about the SMB2 0Day

What you may already heard/known today about the SMBv2 0day:

• Remote code execution is released.
• The workaround from Microsoft.
• Why only Windows Vista, 2003, 2008 are vulnerable (including Window 7 RC), but not XP/2000.

Here's a list of follow up that you may not know yet:

• More than 10 version of the exploit is available here (C, PERL, Python, Ruby, win32)
• Port of the BSOD code to Metasploit (instead of RCE).
• Winsock edition is here.
• SMBv2 vulnerability scanner (class B, C) in Python.

In additional, rumor says:

• Could be the same old vulnerability back in 2007.
• Why Windows 7 RTM is not vulnerable:

"We found this issue independently through our fuzzing processes and implemented the fix into Windows 7 RTM (release to manufacturer) and Windows Server 2008 R2," the spokesperson says. "We're working to develop a security update for Windows Vista, Windows Server 2008 and Windows 7 RC."

Windows Media Player Network Sharing Service

In Windows 7, there is a service called "Windows Media Player Network Sharing Service" (WMPNetworkSvc or "C:\Program Files\Windows Media Player\wmpnetwk.exe").

This process starts even you set it to manual. This service opens up TCP port 10243. If you scan it with NMAP, you will get "Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)".

I recommend to set it as "Disabled" to reduce the attack surface on any Windows 7 platform.

Excellent Guide on AES

An excellent guide on Advanced Encryption Standard (AES) from Jeff Moser.

You can download a copy of the excellent article in PDF or PPT format if you like it so much (like me)!

Enhancement to Split-Tunnel VPN

Remember the Split-Tunnel VPN?

In case you need a script to manually add some static routes to your corporate network. Here's one:

@echo off

for /f "tokens=3" %%x in ('route print ^| find "10.0.0.0"') do @set INPUT=%%x

route add 172.16.0.0 mask 255.128.0.0 %INPUT% metric 1

route add 192.168.0.0 mask 255.255.0.0 %INPUT% metric 1

Have fun!

This is assuming your VPN login subnet is 10.0.0.0/8 and you wish to add 2 static routes: 172.16.0.0/12 and 192.168.0.0/16.

Is Weakness a Vulnerability?

No, according to Microsoft.

BitLocker Drive Encryption is full disk encryption solution introduced by Microsoft since Vista (Ultimate and Enterprise edition) and with the enhancement in Windows 7. A lot of people do notice that full disk encryption isn't the panacea for data loss prevention.

Thus, in Windows 7, Microsoft takes it to the next level to protect your data - even on removable drive.

BitLocker-to-Go is a new feature available in Windows 7 (Ultimate and Enterprise edition only). It extends BitLocker data protection to USB storage devices, enabling them to be restricted with a passphrase. In addition to having control over passphrase length and complexity, IT administrators can set a policy that requires users to apply BitLocker protection to all removable drives before being able to write to them.

Does BitLocker in Windows 7 seems perfect? No, not yet.

Based on testing, first you need to have TPM before you can use BitLocker. In Windows 7, BitLocker allows you to protect the hard disk and removable drive (USB connection). But it still miss out the floppy drive and CD-R/CD-RW/DVD-R/DVD-RW.

This isn't a vulnerability. It is a design.

"The requested operation requires elevation."

Ever since Vista introduces UAC (User Account Control), it becomes an issue whenever you need to execute command and script at command prompt.

Here's the message you get and it means you hit UAC when you execute command.

"The requested operation requires elevation."

You have 3 options:

• Turn off UAC (bad idea).
• From "Start" menu, follow "All Programs", "Accessories"; right-click "Command Prompt", select "Run as administrator".
• Use the shortcut below:

Goto “Start” and enter “cmd” into the search field.

Do not just hit enter. Hold CTRL + Shift and hit Enter!

This works on Windows 7 too!

Split-Tunnel VPN

A lot of time, we work-from-home (WFH). To work, we need to setup a VPN tunnel back to office network, to read email for instance. Once the VPN connected, you loss all the direct connections to Internet: to download torrent, skype, IM, etc.

This technique is called "split-tunneling VPN". It allows you to connect to office network via VPN and Internet directly. Split-tunneling configures the VPN connection so that only traffic headed to computers on the office network is sent through the VPN connection; other traffic goes out through your home router.

Follow these steps to set up a VPN connection in Windows XP/Vista/7 that uses split tunneling:

• Setup your VPN connection using the instruction from your corporate standard.
• Right-click the VPN connection and select "Properties."
• Select the "Networking" tab.
• Highlight "Internet Protocol Version 4 (TCP/IP v4)."
• Click "Properties"
• Click "Advanced"
• Uncheck the "Use default gateway on remote network" box. (This is turned on by default)
• Click "OK" few times to close the windows you opened.

From that point forward, only traffic destined for your corporate network will be sent through the VPN. All other traffic will use the local network.

Note: If your corporate network contain other internal subnets, you will need to add static routes for that manually.

Update: see the enhancement example.

IBM ThinkPad BIOS Password Recovery

This is a short article to show you how to recover your old password at IBM ThinkPad supervisor password. IBM claimed their TP BIOS passwords are impossible to break. Here is an easy and cheap way to break it. The stuff you need costs about $5 and a spare PC with a serial port.

>>>> Hacking IBM Thinkpad Bios Password

Mastering The Metasploit Framework

Offensive Security launches a free online Metasploit Framework training. It definitely worth checking it out. Enjoy!

SMB2 BSOD 0Day

The vulnerability was discovered by Laurent Gaffié. Here's the short description about the vulnerability:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionnality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client send to a SMB server, and it’s used to identify the SMB dialect that will be used for futher communication.

Based on testing, Vista/2003/2008/Windows 7 (RC) are vulnerable to this exploit. However, Windows 2000/XP/Windows 7 (RTM) are NOT affected by this exploit.

References:

• SMB2 Negotiate Protocol Request Remote BSOD (python exploit code)
• SANS: SMB2 BSOD 0Day
• SANS:SMB2 Remote Exploit released.

Windows 7 RTM

Today, I upgrade my laptop from Windows XP to Windows 7 RTM (Ultimate x64 bit). This is my logon screen.