Windows SMB Zero Day to Be Disclosed During DEF CON

Microsoft has said it will not patch a two-decade-old Windows SMB vulnerability, called SMBloris because it behaves comparably to the Slowloris attacks. The flaw will be disclosed and demonstrated during DEF CON.

LAS VEGAS—A 20-year-old Windows SMB vulnerability is expected to be disclosed Saturday during a talk at DEF CON.

Microsoft has said it will not patch the vulnerability, which allows an attacker to remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi.

The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. It was likely introduced into the operating system much earlier, said Sean Dillon, senior security researcher at RiskSense. Dillon, who conducted his research with colleague Zach Harding, called the attack SMBloris because it is comparable to Slowloris, a 2009 attack developed by Robert Hansen. Both attacks can use a single machine to crash or freeze a much more powerful server, but Slowloris, unlike SMBloris, targets webservers.

“Similar to Slowloris, it requires opening many connections to the server, but these are low-cost connections for the attacker, so a single machine is able to perform the attack,” Dillon said.

Dillon was among the first researchers to analyze EternalBlue, the leaked NSA SMB exploit that was used to spread the WannaCry ransomware attack and ExPetr wiper malware. It was during that analysis that Dillon uncovered this issue.

“While working on EternalBlue, we observed a pattern in the way memory allocations were done on the non-paged pool of the Windows kernel. The non-paged pool is memory that has to be reserved in physical RAM; it can’t be swapped out,” Dillon explained. “That’s the most precious pool of memory on the system. We figured out how to exhaust that pool, even on servers that are very beefy, even 128 GB of memory. We can take that down with a Raspberry Pi.”

The issue was privately reported to Microsoft in early June as the EternalBlue analysis was completed, Dillon said. Microsoft told the researchers that two internal security teams concluded the vulnerability was a moderate issue and would not be moved into the security branch, and likely never fixed. Saturday’s DEF CON talk will be 60 days after the initial report was sent to Microsoft and 45 days after Microsoft’s response was relayed.

“The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”

“The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server,” Dillon said.

The vulnerability lies in the way SMB packets are processed and memory is allocated. Dillon and Harding said they found a way to take advantage of that allocation system to crash a server.

“It will amplify already existing attacks like DDoS attacks,” Dillon said. “Why DDoS when you can DoS from a single machine. You don’t need a botnet to take down a Windows server.”

The attack is able to allocate all the memory a server has available, to the point where it won’t even blue screen, Dillon said. The operating system crashes as it searches long memory lists for unallocated memory, causing the CPU to spike.

“You get critical services to crash and you can completely freeze the system,” Dillon said. “There are also lots of integrity issues because when you have all the non-paged pool memory allocated already, certain disk writes, even logging can’t take place because there’s no memory. One of the problems we’ve run into is that we’ve completely exhausted the system and caused it to freeze; one of the reasons it doesn’t blue-screen is because it doesn’t have enough resources needed to blue-screen. It will freeze and never come back.”

Dillon said he and Harding will share some additional technical details during their talk and will demo the attack.

“It’s such a simple attack really; I think a lot of the people there will be able to catch on to what’s happening,” Dillon said.

As for a fix, Dillon believes it wouldn’t be a simple task for Microsoft.

“I think that’s the problem is that it’s not the easiest fix; it’s the way they’ve done SMB memory allocation for over 20 years. So everything relies on the fact the client says ‘I have a buffer that I’m sending that’s this big.’ The server reserves that much memory so it can handle it,” Dillon said. “What we did is we say ‘I have a huge buffer’ and never send the buffer. There’s still a lot of components that rely on the fact that buffer is already allocated and the size is already known.”

Dillon said a mitigation can be applied through inline devices including firewalls by limiting the number of active connections from a single IP address to SMB ports.
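The per-source connection limit described above can also be used as a detection rule. The following is an added example, not code from the researchers or from the article: it computes the peak number of simultaneous SMB connections each source holds to a server and flags sources above a limit. The flow-record layout, the sample records, and both thresholds (`max_conns`, `min_bytes`) are assumptions to be tuned per environment.

```python
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP


def make_sample_flows():
    """Constructed flow records: (src, dst, dport, start_s, end_s, client_bytes)."""
    flows = []
    # Ordinary workstation: a few short sessions that carry real payload.
    flows += [("10.0.0.21", "10.0.0.5", 445, t, t + 30, 48_000) for t in (0, 40, 90)]
    # One source holding hundreds of nearly silent connections open at once.
    flows += [("10.0.0.66", "10.0.0.5", 445, 100 + i * 0.01, 700, 4) for i in range(500)]
    # Non-SMB traffic from the same source must not count toward the limit.
    flows += [("10.0.0.66", "10.0.0.5", 443, 0, 5, 2_000)]
    return flows


def peak_concurrency(flows):
    """Return {(src, dst): peak simultaneous SMB connections} via an open/close sweep."""
    events = defaultdict(list)
    for src, dst, dport, start, end, _ in flows:
        if dport in SMB_PORTS:
            events[(src, dst)].append((start, 1))   # connection opened
            events[(src, dst)].append((end, -1))    # connection closed
    peaks = {}
    for pair, evs in events.items():
        evs.sort()  # at equal timestamps, closes (-1) sort before opens (+1)
        current = peak = 0
        for _, delta in evs:
            current += delta
            peak = max(peak, current)
        peaks[pair] = peak
    return peaks


def flag_sources(flows, max_conns=20, min_bytes=64):
    """Flag (src, dst) pairs whose peak exceeds max_conns (assumed threshold).

    'idle' counts that pair's SMB connections that sent fewer than min_bytes,
    i.e. the low-cost connections the article describes.
    """
    idle = defaultdict(int)
    for src, dst, dport, _, _, nbytes in flows:
        if dport in SMB_PORTS and nbytes < min_bytes:
            idle[(src, dst)] += 1
    return {pair: {"peak": peak, "idle": idle[pair]}
            for pair, peak in peak_concurrency(flows).items() if peak > max_conns}


if __name__ == "__main__":
    for pair, stats in flag_sources(make_sample_flows()).items():
        print(pair, stats)
```

The same threshold is what an inline firewall's per-source connection limit would enforce; running the check against flow logs first shows which legitimate clients would be affected before the limit is applied.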

Ironically, the only reason Dillon and Harding found the bug was because this critical information is used in the pool grooming for EternalBlue.

“You have to have those allocations happen,” Dillon said. “So actually, if this behavior was not the way it was, the pool grooming in EternalBlue would not be the same and the exploit might not work at all.”


Discussion

  • Pete

    Besides anomaly/spike in traffic to SMB port 445, what else would we see during an SMBloris attack? Any other indicators, etc.?
  • Russ

    Does this affect only SMBv1 (which is deprecated) or are SMBv2 and SMBv3 also vulnerable? To disable SMBv1, see Microsoft Knowledge Base article 2696547. Odd that Microsoft would recommend blocking SMBv1 from the Internet (which should already be done), but not disabling SMBv1 on your internal networks.
    • Carsten

      Reason probably being that a lot more fun happens when you disable SMBv1 on your local network than you expected. Like printer, scanner or NAS devices not working as expected anymore, up to domain authentication failing.
    • Jon Fox

      Not MSFT's fault on the internal side - blame all the folks here (that so many businesses depend on, some of which "for security"): https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/
  • Charlie

    Where is the code? I want to try this against a few Linux servers running Samba.
    • John

      This was my question as well. Are samba shares on Linux machines vulnerable as well? My understanding is that this is a fundamental issue with the protocol, but perhaps the kernel memory allocation would behave differently.
      • Jon Fox

        You can set a process limit in the smb.conf: max smbd processes = 1000
