Fully functional exploit code for the (still unpatched) Windows SMB v2 vulnerability has been released to the public domain via the freely available Metasploit point-and-click attack tool, raising the likelihood for remote in-the-wild code execution attacks.
The exploit, created and released by Harmony Security’s Stephen Fewer, provides a clear roadmap for hackers to plant malware or open backdoors on Windows Vista Service Pack 1 and 2 as well as Windows 2008 SP1 server.
The release of the public exploit puts Microsoft under serious pressure to complete its patch-testing process and release a fix to head off in-the-wild attacks.
According to Microsoft’s Johnathan Ness, the company’s security response team has already completed more than 10,000 separate test cases in their regression testing and are currently doing “stress testing, 3rd-party application testing, and fuzzing.”
Microsoft’s next scheduled Patch Day is more than two weeks away — on October 13, 2009 — which means the company is now under pressure to issue an emergency, out-of-cycle fix for vulnerable Windows users.
The flaw, which was originally released on September 8 as a simple denial-of-service issue, does not affect the RTM version of Windows 7
On September 17, a team of exploit writers from Immunity created a remote exploit that’s been fitted into Immunity’s Canvas pen-testing platform. The exploit hits all versions of Windows Vista and Windows Server 2008 SP2.
Until Microsoft issues a patch, vulnerable Windows users should immediately implement the one-click “fix-it” workaround that’s available. The fix-it package, which was added to Redmond’s pre-patch advisory, effectively disables SMBv2 and then stops and starts the Server service. It provides temporary mitigation from remote code execution attacks targeting the known — and still unpatched — vulnerability.
Here are direct links:
To revert the workaround, and re-enable SMBv2, you can:
Mitigation guidance for enterprises are available in this blog post and in the Microsoft security advisory.
MORE ON THIS STORY FROM THREATPOST: