Sep 30, 2009

What You May Not Know about the SMB2 0Day

What you may already have heard or known today about the SMBv2 0day:



Here's a list of follow-ups that you may not know about yet:

  • More than 10 versions of the exploit are available here (C, Perl, Python, Ruby, Win32).
  • A port of the BSOD code to Metasploit (instead of RCE).
  • A Winsock edition is here.
  • An SMBv2 vulnerability scanner (class B, C) in Python.


In addition, rumor says:

"We found this issue independently through our fuzzing processes and implemented the fix into Windows 7 RTM (release to manufacturer) and Windows Server 2008 R2," the spokesperson says. "We're working to develop a security update for Windows Vista, Windows Server 2008 and Windows 7 RC."

Sep 28, 2009

Windows Media Player Network Sharing Service

In Windows 7, there is a service called "Windows Media Player Network Sharing Service" (WMPNetworkSvc or "C:\Program Files\Windows Media Player\wmpnetwk.exe").

This process starts even if you set it to Manual. The service opens TCP port 10243. If you scan it with Nmap, you will get "Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)".

I recommend setting it to "Disabled" to reduce the attack surface on any Windows 7 platform.

Excellent Guide on AES

An excellent guide on Advanced Encryption Standard (AES) from Jeff Moser.

You can download a copy of the excellent article in PDF or PPT format if you like it as much as I do!

Sep 27, 2009

Enhancement to Split-Tunnel VPN

Remember the Split-Tunnel VPN?

In case you need a script to manually add some static routes to your corporate network, here's one:

@echo off
rem Take the gateway column of the route for the VPN login subnet (10.0.0.0/8)
for /f "tokens=3" %%x in ('route print ^| find "10.0.0.0"') do @set INPUT=%%x

rem 172.16.0.0/12 is mask 255.240.0.0; 192.168.0.0/16 is mask 255.255.0.0
route add 172.16.0.0 mask 255.240.0.0 %INPUT% metric 1
route add 192.168.0.0 mask 255.255.0.0 %INPUT% metric 1

Have fun!

This assumes your VPN login subnet is 10.0.0.0/8 and you wish to add two static routes: 172.16.0.0/12 and 192.168.0.0/16.
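As an added example (not part of the original post), here is a Python equivalent of the batch script above that matches the login subnet as a network instead of a substring and derives each netmask from the CIDR prefix, so the /12 route gets its correct mask. The route table is a constructed sample, and treating an `On-link` gateway column as "use the interface address" is an assumption.

```python
import ipaddress
import re

# Constructed sample of `route print` output (IPv4 section only), not
# captured from a real host; the VPN adapter was assigned 10.20.30.40.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     20
         10.0.0.0        255.0.0.0      10.20.30.1     10.20.30.40     21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
===========================================================================
"""

# The five active-route columns: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def find_vpn_gateway(route_print_output, login_subnet="10.0.0.0/8"):
    """Return the next hop to use for routes that should cross the VPN.

    Compares destination/netmask as a network rather than as a substring,
    so a row for 110.0.0.0 or a persistent-route entry is never picked up.
    Assumption: a gateway of 'On-link' (PPP adapters on Vista/7) means the
    interface address is the value to give `route add`.
    """
    wanted = ipaddress.ip_network(login_subnet)
    for line in route_print_output.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, _metric = m.groups()
        try:
            if ipaddress.ip_network(f"{dest}/{mask}") != wanted:
                continue
        except ValueError:  # malformed row
            continue
        return iface if gateway.lower() == "on-link" else gateway
    return None


def route_add_commands(next_hop, prefixes, metric=1):
    """Build `route add` lines with each netmask derived from its CIDR
    prefix (172.16.0.0/12 -> 255.240.0.0) rather than typed by hand."""
    cmds = []
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        cmds.append(f"route add {net.network_address} mask {net.netmask} "
                    f"{next_hop} metric {metric}")
    return cmds
```

Run `route print` on the VPN-connected host, feed its output to `find_vpn_gateway`, and pass the result to `route_add_commands` to get the lines to execute.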

Sep 26, 2009

Is Weakness a Vulnerability?

No, according to Microsoft.

BitLocker Drive Encryption is a full disk encryption solution introduced by Microsoft in Vista (Ultimate and Enterprise editions) and enhanced in Windows 7. Many people do notice that full disk encryption isn't a panacea for data loss prevention.

Thus, in Windows 7, Microsoft takes it to the next level to protect your data, even on removable drives.

BitLocker-to-Go is a new feature available in Windows 7 (Ultimate and Enterprise edition only). It extends BitLocker data protection to USB storage devices, enabling them to be restricted with a passphrase. In addition to having control over passphrase length and complexity, IT administrators can set a policy that requires users to apply BitLocker protection to all removable drives before being able to write to them.

Does BitLocker in Windows 7 seem perfect? No, not yet.

Based on testing, you first need a TPM before you can use BitLocker. In Windows 7, BitLocker allows you to protect the hard disk and removable drives (USB connection). But it still misses out the floppy drive and CD-R/CD-RW/DVD-R/DVD-RW.

This isn't a vulnerability. It is by design.