Win7 remote DoS publicly disclosed

by David Maciejak
November 13, 2009 at 6:53 am

Laurent Gaffié disclosed on Nov. 11 on his blog a proof of concept written in Python. This occurred the day after Black Tuesday, and it seems the author did not follow responsible disclosure: he decided to publicly disclose the code because he disagreed with Microsoft's answer (they wanted to ship the fix in a service pack rather than as a Black Tuesday patch).

This piece of code (see Figure 1) has been verified to successfully crash Microsoft Windows 7 and Windows 2008-R2 remotely. It is caused by sending a specially crafted NetBIOS header that wrongly specifies the SMB (Server Message Block) packet size. No error dialog box appears and no evidence of the bug is recorded in the event logs; the computer just freezes.

Figure 1: code extract

Moreover, the issue occurs in the pre-authentication stage, so no credentials are needed.

To trigger this issue, the victim must be tricked into opening a Windows share, so a link of the form file://ip/something on an HTML page could do the trick. As of writing, no CVE number has been associated with this issue; however, thanks to our IPS decoder signature, Fortinet customers are proactively protected with the "NBSS.Invalid.Fragment" detection.
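The inconsistency an IPS decoder looks for here is simple to state: the length field in the 4-byte NetBIOS session header must agree with the SMB bytes that actually follow it. The Python below is an added example written for this post; it is neither Fortinet's decoder nor the disclosed proof of concept. It assumes direct-TCP SMB framing (a zero type byte followed by a 3-byte big-endian length) and uses RFC 1002's 17-bit session-message length as an assumed sanity bound. The sample frames are constructed for the example: their "SMB data" is only the 4-byte magic plus filler, not a real negotiate packet.

```python
# Assumed sanity bound: RFC 1002 session messages carry a 17-bit length
# field, so a larger declared length can never be a well-formed frame.
MAX_NBSS_LEN = 0x1FFFF
SMB_MAGIC = b"\xffSMB"


def build_frame(declared_len, smb_payload):
    """Build a session-message frame: type 0x00, 3-byte big-endian length,
    then payload. declared_len is taken as given so the sample data can
    contain frames whose header disagrees with the payload; a correct
    sender always passes len(smb_payload)."""
    return b"\x00" + declared_len.to_bytes(3, "big") + smb_payload


def check_nbss_frame(frame):
    """Validate one complete frame and return (verdict, detail).
    Only 'ok' frames should ever be handed to the SMB layer."""
    if len(frame) < 4:
        return ("short-header", "fewer than 4 header bytes")
    msg_type = frame[0]
    declared = int.from_bytes(frame[1:4], "big")
    actual = len(frame) - 4
    if msg_type != 0x00:
        return ("not-session-message", "type 0x%02x" % msg_type)
    if declared != actual:
        return ("invalid-fragment",
                "header declares %d bytes, frame carries %d" % (declared, actual))
    if frame[4:8] != SMB_MAGIC:
        return ("not-smb", "payload does not start with \\xffSMB")
    return ("ok", "%d bytes of SMB data" % actual)


def scan_stream(stream, max_len=MAX_NBSS_LEN):
    """Walk a reassembled TCP byte stream frame by frame, as a decoder
    would, and return one verdict per frame. Parsing stops at the first
    frame whose declared length cannot be satisfied, because everything
    after it is unframed bytes, not SMB messages."""
    verdicts = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            verdicts.append(("short-header", "stream ends inside a header"))
            break
        declared = int.from_bytes(stream[pos + 1:pos + 4], "big")
        if declared > max_len:
            verdicts.append(("invalid-fragment",
                             "declared length %d exceeds %d" % (declared, max_len)))
            break
        end = pos + 4 + declared
        if end > len(stream):
            verdicts.append(("invalid-fragment",
                             "declared %d bytes, only %d available"
                             % (declared, len(stream) - pos - 4)))
            break
        verdicts.append(check_nbss_frame(stream[pos:end]))
        pos = end
    return verdicts


# Constructed sample data (not from the original post): a 12-byte stand-in
# for an SMB message, the magic plus filler.
SAMPLE_SMB = SMB_MAGIC + b"\x72" + bytes(7)

GOOD_FRAME = build_frame(len(SAMPLE_SMB), SAMPLE_SMB)   # header matches payload
OVERSIZED_FRAME = build_frame(0xFFFFFF, SAMPLE_SMB)     # claims far more than is present
UNDERSIZED_FRAME = build_frame(2, SAMPLE_SMB)           # claims fewer bytes than the SMB data spans


if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME),
                        ("oversized", OVERSIZED_FRAME),
                        ("undersized", UNDERSIZED_FRAME)]:
        print(name, check_nbss_frame(frame))
    # An undersized header desynchronises the stream: the bytes after the
    # declared end are parsed as a new header and fail every check.
    print("stream:", scan_stream(GOOD_FRAME + UNDERSIZED_FRAME + GOOD_FRAME))
```

The two functions cover the two places a decoder can catch this: `check_nbss_frame` on a frame that has already been delimited, and `scan_stream` on raw reassembled bytes, where an oversized length shows up as a frame that never completes and an undersized one as a desynchronised stream whose next "header" is garbage.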

Author bio: David Maciejak works as a security researcher for Fortinet. His primary role is to follow vulnerability trends and provide preventative protection to customers.
