Computer/Windows/Office/ Discussion Blog

July 14, 2017

Windows blue screen reasons

Filed under: computer knowledge — admin @ 6:27 pm
Windows Server 2008 is widely used as a server operating system for mail servers, web servers, data servers, domain name servers and so on. When such a server blue screens, the administrator will often not notice right away, because many servers have no dedicated monitor, and the server will stop providing its service for some time.

If a web server goes down, none of the sites hosted on it can be reached; if a mail server goes down, mail can no longer be sent or relayed; if a data server goes down, the systems that depend on it for data, such as online games or online banking, may crash; and if a domain name server goes down, another "Broken Network Door" incident becomes possible.

Security Encyclopedia

SMB (Server Message Block, also known as the Common Internet File System, CIFS) is a network protocol developed by Microsoft whose main purpose is to let machines on a network share files, printers, serial ports and other resources. It also provides authenticated inter-process communication. It is used mainly on machines running Microsoft Windows; such machines form a Microsoft Windows Network. SMB v2 is the latest revision of the SMB protocol.

In 2007, Microsoft released Windows Server 2008, the new-generation server operating system that replaces Windows Server 2003. It supports multiple processors, 64-bit technology, virtualization and improved power management, and has attracted many enterprise users to replace their existing server operating system with it.

According to data from the market research firm Gartner, the Windows share of global server shipments rose to 66.8% in 2007, with Windows Server 2008 accounting for the mainstream of that figure. In 2008 to 2009, Windows Server 2008 became one of Microsoft's flagship products and its share kept rising. Based on these figures, about 1/5 of the servers in the world run Windows Server 2008.

Principle: SMB overflow

The blue screen vulnerability is caused by a driver file, SRV2.SYS, that does not correctly handle malformed data-structure requests. If an attacker sends a specially crafted malformed message to a server running Windows Server 2008, it triggers an out-of-bounds memory reference, and malicious code can let the attacker execute arbitrary code (Figure 1).

By analogy, it is like a checkpoint at a bridge where the inspectors decide whether a truck may cross solely from the tonnage written on its label. An attacker can drive an overloaded truck through the checkpoint carrying a label that states a permitted tonnage. Because nothing is actually weighed and the inspectors rely only on the label, the overloaded truck endangers the bridge and eventually destroys it.

Simulation: testing the blue screen vulnerability

Step 1: prepare the blue screen test program (a program specially written by Antiy Labs; because of the damage it can cause, it is not available for download). Then search the Internet for a port scanner; for this test we chose the L-ScanPort port scanner (download address: http://www.shudoo.com/bzsoft).

Step 2: open L-ScanPort (Figure 2) and enter the network segment to scan in the IP address fields, for example "192.168.1.1" as the start address and "192.168.255.255" as the end address. Then find the port list in the software interface, tick port "445" and click the "GO" button to scan.

If a Windows Server 2008 host with port 445 open is found, an attacker can launch a blue screen attack against it. For the test we prepared a server running Windows Server 2008 with the SMB sharing protocol enabled. Once the scan had found the server's IP address, we were ready to launch the attack test.

Step 3: on the attacking computer, open a command prompt with the test program placed in the root directory of drive C, and at the C:\> prompt enter the command: SMBv2.exe attack attack [server IP address] (Figure 3). We then went over to the test server and saw the result shown in Figure 4.

Precaution: there is no patch

Because there is no patch for the vulnerability, we offer a temporary workaround: the administrator must manually block ports 139 and 445 in the firewall. This shields the server from all unsolicited inbound traffic from the Internet, but stopping the protocol also means users can no longer share files and printers over the network as usual.
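One way to apply the firewall workaround described above on a Windows Server 2008 host, using the built-in netsh advfirewall tool. This is an added example, not part of the original post or of any tool it names; the rule name is an assumption, and the commands must be run from an elevated prompt.

```powershell
# Added example (not from the original post): temporary workaround for the
# SRV2.SYS blue screen issue on Windows Server 2008, blocking unsolicited
# inbound SMB at the host firewall until a vendor patch is available.
# The rule name below is an assumption; run from an elevated PowerShell.

$ruleName = "Block inbound SMB TCP 139,445 - SRV2.SYS workaround"

# Block both ports the post names: 445 (direct-hosted SMB) and 139
# (NetBIOS session service, over which SMB can also be reached).
netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
    protocol=TCP localport=139,445 enable=yes `
    description="Temporary block until the SRV2.SYS fix is installed"

# Check 1: the rule exists and is enabled.
netsh advfirewall firewall show rule name="$ruleName"

# Check 2: the firewall is actually on for every profile. A block rule in a
# disabled firewall protects nothing.
netsh advfirewall show allprofiles state

# Check 3: the service still listens locally (expected: the block is at the
# firewall, so the listener stays up but is unreachable from outside). From
# another host, a TCP connect to port 445 should now time out.
netstat -ano | findstr ":445 "

# Caveat from the post: this also stops legitimate file and printer sharing
# on this host. If internal clients must keep access, add remoteip= to the
# rule so the block covers only the address ranges that should be cut off;
# block rules take precedence over allow rules, so adding an allow rule for
# the LAN would not undo a blanket block. Remove the workaround once patched:
# netsh advfirewall firewall delete rule name="$ruleName"
```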
In-depth analysis

Most researchers do not believe the vulnerability can only cause a blue screen. As far as we know, Microsoft initially considered other attacks impossible, but the flaw has since turned into a high-risk vulnerability that allows remote code execution. Security researchers have found new ways to use it to run malicious code such as backdoors and Trojans on the server and ultimately take control of the entire machine.

If an attacker can take control of a file-sharing server, stealing the enterprise data stored on that Windows Server 2008 machine becomes trivial. The scale of the incident is beyond what many security organizations imagined, and attackers around the world are probably analyzing the vulnerability frantically; a server worm that exploits it is likely to appear.
