The blue screen vulnerability threatens the Windows Server 2008 server operating system: once a Windows Server 2008 machine blue-screens, the server stops serving. At present the exploit code for this vulnerability circulates only within a small circle, but an attack tool has already been developed, and here we reveal for everyone how the blue screen vulnerability is used.
Problem: Windows Server 2008 Blue Screen Vulnerability
Hazard: A Blue Screen Stops the Server from Serving
Crisis: A Server Blue Screen Goes Unnoticed
I am from Antiy Labs, and what I am going to tell you about is the blue screen vulnerability. Its official name is the SMB v2 vulnerability, and as of the writing deadline it has not been patched (a patch is expected in the second week of October). How great is the harm of the blue screen vulnerability? Does it affect ordinary netizens? The main target of the blue screen vulnerability is servers running Windows Server 2008; it also has some impact on Vista systems, but hackers have become pragmatic and are not interested in Vista's market share.
Windows Server 2008 is used as the operating system of mail servers, web servers, data servers, domain name servers and the like. Once such a server blue-screens, the administrator will probably not know right away, because many servers are not equipped with a dedicated monitor, so the server will be out of service for a while.
If a web server is out of service, none of the websites hosted on it can be accessed; if a mail server is out of service, mail in transit cannot be delivered; if a data server is out of service, the systems that depend on its data, such as online games and online banking, may crash; if a domain name server is out of service, a "network outage gate" incident may be staged again.
In 2007 Microsoft released Windows Server 2008, the next-generation server operating system replacing Windows Server 2003. It supports multi-core processors with 64-bit technology, virtualization, and optimized power management, and many enterprise users have switched their server operating system to it.
According to data from the market research firm Gartner, the share of Windows servers rose to 66.8% of servers shipped globally in 2007, with Windows Server 2008 becoming the mainstream. From 2008 to 2009 Windows Server 2008 was one of Microsoft's flagship products, and its share keeps rising. Based on the above data, about one-fifth of the world's servers use Windows Server 2008.
Principle: SMB Overflow
The cause of this blue screen vulnerability is that the driver file SRV2.SYS does not correctly handle requests whose data structures are malformed. If a hacker deliberately constructs a malformed data packet and sends it to a server running Windows Server 2008, an out-of-bounds memory reference is triggered, which allows the hacker to execute arbitrary malicious code (Figure 1).
Note: SMB (Server Message Block, also known as Common Internet File System) is an application-level network transmission protocol developed by Microsoft. Its main function is to share resources among machines on a network, such as files, printers, serial ports and communication channels. It also provides authenticated inter-process communication. It is mainly used on machines running Microsoft Windows, where it is known as the Microsoft Windows Network. SMB v2 is the latest upgrade of the SMB protocol.
To use a vivid metaphor, this is like a checkpoint at a bridge. The inspectors only judge whether a truck may cross from the tonnage painted on it, so a hacker can send an overloaded truck through the checkpoint with an acceptable tonnage painted on its side. Since the truck is never actually weighed and the inspectors go only by the marking, the overloaded truck endangers the bridge and finally brings it down.
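The bridge-checkpoint metaphor in C, as an added illustration that is not code from the original article and not the SRV2.SYS implementation: the message layout, field names and parser functions are constructed for this demo. The "trusting" parser uses an index taken from the request header without comparing it with how many bytes were actually received; the hardened parser weighs the truck first.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed message layout for this illustration (NOT the real SMBv2 wire format):
 * bytes 0-1 declared body length (LE), bytes 2-3 index of the field to read (LE), bytes 4.. body. */
#define HDR_LEN  4
#define RECV_CAP 256   /* receive buffer the driver fills; larger than any single request here */

enum { PARSE_OK = 0, PARSE_BAD_LENGTH = -1, PARSE_BAD_INDEX = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The inspector who only reads the tonnage painted on the truck: the index from the
 * header is used directly; recv_len (the real weight) is never consulted. */
static int parse_trusting(const uint8_t *buf, size_t recv_len, uint8_t *field) {
    (void)recv_len;
    uint16_t idx = rd16(buf + 2);
    *field = buf[HDR_LEN + idx];      /* out-of-bounds read whenever idx is past the real body */
    return PARSE_OK;
}

/* Hardened: weigh the truck. Declared values are checked against what was actually received. */
static int parse_checked(const uint8_t *buf, size_t recv_len, uint8_t *field) {
    if (recv_len < HDR_LEN) return PARSE_BAD_LENGTH;
    uint16_t body_len = rd16(buf), idx = rd16(buf + 2);
    if ((size_t)body_len != recv_len - HDR_LEN) return PARSE_BAD_LENGTH;  /* label must match weight */
    if (idx >= body_len) return PARSE_BAD_INDEX;                          /* index must stay in body */
    *field = buf[HDR_LEN + idx];
    return PARSE_OK;
}

static uint8_t recv_buf[RECV_CAP];

/* Builds a constructed request (body_len=2, body "AB") with the given index and runs a parser on it.
 * The buffer is pre-filled with 0xAA to stand for leftover data from an earlier request; it is
 * oversized so the trusting parser's stray read stays inside allocated memory in this demo. */
static int run(int (*parser)(const uint8_t *, size_t, uint8_t *), uint16_t idx, uint8_t *field) {
    uint8_t pkt[6] = {0x02, 0x00, (uint8_t)idx, (uint8_t)(idx >> 8), 0x41, 0x42};
    memset(recv_buf, 0xAA, sizeof recv_buf);
    memcpy(recv_buf, pkt, sizeof pkt);
    *field = 0;
    return parser(recv_buf, sizeof pkt, field);
}

int demo_trusting_reads_stale(void) { uint8_t f; run(parse_trusting, 16, &f); return f; }   /* 0xAA: not part of the message */
int demo_checked_rejects(void)     { uint8_t f; return run(parse_checked, 16, &f); }        /* PARSE_BAD_INDEX */
int demo_checked_accepts(void)     { uint8_t f; return run(parse_checked, 1, &f) == PARSE_OK ? f : -1; } /* 0x42 ('B') */
```

In a kernel driver the same unchecked index lands on whatever memory follows the packet, which is why the real bug ends in a blue screen rather than a wrong answer.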
Simulation: Measured Blue Screen Vulnerabilities
Step 1: Prepare the blue screen vulnerability test program (this program was specially written by Antiy Labs, but because it is too harmful it is not available for download), then search for and download a port scanner on the Internet. The L-ScanPort port scanner was chosen for this test.
Step 2: Open the L-ScanPort port scanner (Figure 2), enter the network segment to scan in the IP address field, for example "192.168.1.1" as the start of the range and "192.168.255.255" as the end. Then find the "Port List" in the software interface, tick port "445", and click the "GO" button to scan.
If a Windows Server 2008 machine with port 445 open is found, a hacker can launch a blue screen attack against it. For the test we prepared a server running Windows Server 2008 with SMB sharing enabled. After scanning the IP address of the server, we were ready to launch the attack test.
Step 3: On the computer playing the attacker, open the "Command Prompt", place the test program in the root directory of drive C, and in the C:\> root directory enter the attack command: SMBv2.exe [IP address of the attacked server] (Figure 3).
We then ran to the attacked test server as fast as we could and saw the following scene (Figure 4).
Prevention: No Patch Available Yet
Because there is currently no patch for this vulnerability, we offer a temporary workaround: administrators must manually block ports 139 and 445 on the firewall. This blocks all unsolicited inbound traffic from the Internet, but stopping the protocol means users will no longer be able to use the files and printers shared within the network.
In-Depth Analysis
Most security researchers do not believe that this vulnerability can only produce a blue screen. As far as we know, Microsoft itself initially thought that no other attack was possible, yet it has turned out that this high-risk vulnerability can be used for remote code execution. Some security researchers have found that the new method can be used to run malicious code written by hackers, such as backdoors and Trojans, and ultimately take control of the entire server.
If hackers can control a file-sharing server, stealing the corporate data stored on Windows Server 2008 servers becomes easy. The severity of the incident is beyond what many security organizations imagined. Right now, hackers around the world may be frantically analysing the vulnerability, and a storm of server worm attacks may follow.