Win2008 Blue Screen Leak _ server Other

At the beginning of September, a Windows operating system blue screen vulnerability was reported on the major security sites. It landed like a stone thrown into still water, breaking nearly half a year of silence in which no major Windows vulnerability had appeared.

The blue screen vulnerability threatens the server operating system Windows Server 2008, which means that a blue screen on a Windows Server 2008 machine will cause the server to stop serving. At present the exploit code has circulated only within a small circle, but an attack tool has already been developed. Below we walk through how the blue screen vulnerability is used.

Problem: Windows Server 2008 Blue Screen Vulnerability

Hazard: Server appears blue screen stop service

  Crisis: the dull pain of the server's blue screen

I am from the Antian laboratory, and what I describe below is the blue screen vulnerability. The official name of the blue screen vulnerability is the SMB v2 vulnerability, which had not been patched as of the deadline (a patch is expected in the second week of October). What is the harm of the blue screen vulnerability? Is it harmful to ordinary netizens? The blue screen vulnerability is a major threat to servers running Windows Server 2008, and the Vista system is also affected to some extent. But hackers have become pragmatic and will not take much interest in the Vista system, given its embarrassing market share.

Windows Server 2008 is used as the server operating system of mail servers, web servers, database servers, domain name servers and so on. Once such a server blue-screens, the administrator will probably not find out immediately, because many servers have no dedicated monitor, so the server will stop serving for a period of time.

If a web server stops serving, all websites on that server become inaccessible; if a mail server stops serving, mail can no longer be delivered to it; if a database server stops serving, the systems that depend on its data, such as online games and online banking, may crash; and if a domain name server stops serving, the "Broken Net Door" incident may be staged again.

In 2007, Microsoft released a new generation of server operating system, Windows Server 2008, as the replacement for Windows Server 2003. Its support for multi-core processors, 64-bit technology, virtualization and optimized power management attracted many enterprise users to switch their server operating system to it.

According to data from the market research firm Gartner, the share of Windows servers grew to 66.8% of servers shipped globally in 2007, with Windows Server 2008 accounting for the mainstream. In 2008 to 2009, Windows Server 2008 was one of Microsoft's flagship products and its share kept rising. From the data above, roughly one-fifth of the world's servers are running Windows Server 2008.

  Rationale: SMB Overflow

The cause of the blue screen vulnerability is that a driver file named Srv2.sys does not correctly handle requests with malformed data structures. If a hacker sends a maliciously constructed, malformed data message to a server running Windows Server 2008, it triggers an out-of-bounds memory reference, which allows the hacker to execute arbitrary malicious code (Figure 1).

Note: SMB (Server Message Block, also known as the Common Internet File System) is an application-level network protocol developed by Microsoft whose main purpose is to let machines on a network share resources such as files, printers, serial ports and communication channels. It also provides authenticated inter-process communication. It is used mainly on machines running Microsoft Windows, and such machines are collectively called a Microsoft Windows Network. SMB v2 is the latest upgraded version of the SMB protocol.

To use an analogy: at a bridge checkpoint, inspectors decide whether a truck may cross based on its declared tonnage, and a hacker can get an overloaded truck through the checkpoint by giving it the same marking as a truck of permitted tonnage. Because no real weighing is done and the inspectors go only by the marking, the overloaded truck ends up endangering the bridge and wrecking the bridge together with the vehicle.

  Simulation: testing the blue screen vulnerability

Step 1: Prepare the test program for the blue screen vulnerability (this program was written by the Antian lab, but it is too harmful to provide for download), then search the network for a port scanner and download one; for this test we chose the L-scanport port scanner.

Step 2: Open the L-scanport port scanner (Figure 2) and enter the network segment you want to scan in the IP address fields, for example "192.168.1.1" as the starting address and "192.168.255.255" as the ending address. Then find the "port list" item in the software interface, check port "445", and click the "Go" button to scan.


If a Windows Server 2008 machine is listening on port 445, it means a hacker can launch a blue screen attack against it. For the test, we prepared a server running Windows Server 2008 with the SMB sharing protocol enabled, scanned for the server's IP address, and prepared to launch the attack test.

Step 3: On the attacker's computer, open the "command prompt", place the test program in the root directory of drive C, and then, at the C:\> prompt, enter the attack command: SMBv2.exe [attacked server IP address] (Figure 3).


We rushed over to the attacked test server as fast as we could and saw the following scene (Figure 4).


  Precautions: prevention with no patch available

Since there is no patch for this vulnerability, there is only a temporary workaround: the administrator must manually block ports 139 and 445 on the firewall, which blocks all unsolicited inbound traffic from the Internet. But once the protocol is blocked, users will no longer be able to use the documents and printers shared within the network.
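The workaround above, expressed as Windows Firewall rules for Windows Server 2008 using netsh advfirewall. This is an added example, not from the original article; the rule names are arbitrary choices made here.

```batch
@echo off
REM Added example (not from the original article): block unsolicited inbound
REM SMB traffic as a temporary workaround until the patch is installed.
REM Run from an elevated command prompt on the Windows Server 2008 machine.

REM TCP/445 is SMB direct hosting; TCP/139 is the NetBIOS session service that
REM also carries SMB. Both are blocked for all firewall profiles.
netsh advfirewall firewall add rule name="Block inbound SMB 445" dir=in action=block protocol=TCP localport=445 profile=any
netsh advfirewall firewall add rule name="Block inbound NetBIOS 139" dir=in action=block protocol=TCP localport=139 profile=any

REM Confirm the rules exist and are enabled.
netsh advfirewall firewall show rule name="Block inbound SMB 445"
netsh advfirewall firewall show rule name="Block inbound NetBIOS 139"

REM The Server service keeps listening; the firewall now drops the inbound
REM connections. netstat shows the listeners are still there, which is expected.
netstat -an | findstr /R /C:":445 " /C:":139 "

REM Rollback after the patch is applied, to restore file and printer sharing:
REM netsh advfirewall firewall delete rule name="Block inbound SMB 445"
REM netsh advfirewall firewall delete rule name="Block inbound NetBIOS 139"
```

As the article notes, these rules also stop internal clients from reaching shares on this server, so remove them as soon as the patch is installed.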

  In-depth analysis

Most security researchers do not believe that the vulnerability can only cause a blue screen. As far as we know, Microsoft officially believed at one point that no other attack could be carried out through this vulnerability, yet it has become a high-risk remote code execution vulnerability. Security researchers have found new ways to use it to execute malicious code developed by hackers, such as backdoors and Trojans, and ultimately to take control of the entire server.

If a hacker can take control of a file-sharing server, stealing the enterprise data stored on that Windows Server 2008 machine becomes trivial. The severity of this event is beyond what many security organizations imagined, and at this moment hackers around the world are probably analyzing the vulnerability frantically, likely to be followed by a storm of server worm attacks built on it...
