Windows SMB Zero Day to Be Disclosed During DEF CON

Microsoft has said it will not patch a two-decade-old Windows SMB vulnerability, called SMBloris because it behaves comparably to the Slowloris attacks. The flaw will be disclosed and demonstrated during DEF CON.

LAS VEGAS—A 20-year-old Windows SMB vulnerability is expected to be disclosed Saturday during a talk at DEF CON.

Microsoft has said it will not patch the vulnerability, which allows an attacker to remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi.

The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. It was likely introduced into the operating system much earlier, said Sean Dillon, senior security researcher at RiskSense. Dillon, who conducted his research with colleague Zach Harding, called the attack SMBloris because it is comparable to Slowloris, a 2009 attack developed by Robert Hansen. Both attacks can use a single machine to crash or freeze a much more powerful server, but Slowloris, unlike SMBloris, targets webservers.

“Similar to Slowloris, it requires opening many connections to the server, but these are low-cost connections for the attacker, so a single machine is able to perform the attack,” Dillon said.

Dillon was among the first researchers to analyze EternalBlue, the leaked NSA SMB exploit that was used to spread the WannaCry ransomware attack and ExPetr wiper malware. It was during that analysis that Dillon uncovered this issue.

“While working on EternalBlue, we observed a pattern in the way memory allocations were done on the non-paged pool of the Windows kernel. The non-paged pool is memory that has to be reserved in physical RAM; it can’t be swapped out,” Dillon explained. “That’s the most precious pool of memory on the system. We figured out how to exhaust that pool, even on servers that are very beefy, even 128 GB of memory. We can take that down with a Raspberry Pi.”

The issue was privately reported to Microsoft in early June as the EternalBlue analysis was completed, Dillon said. Microsoft told the researchers that two internal security teams concluded the vulnerability was a moderate issue and would not be moved into the security branch, and likely never fixed. Saturday’s DEF CON talk will be 60 days after the initial report was sent to Microsoft and 45 days after Microsoft’s response was relayed.

“The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”

“The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server,” Dillon said.

The vulnerability lies in the way SMB packets are processed and memory is allocated. Dillon and Harding said they found a way to take advantage of that allocation system to crash a server.

“It will amplify already existing attacks like DDoS attacks,” Dillon said. “Why DDoS when you can DoS from a single machine. You don’t need a botnet to take down a Windows server.”

The attack is able to allocate all memory a server has available, to the point where it won’t even blue screen, Dillon said. The operating system crashes as it looks through long memory lists looking for unallocated memory, causing the CPU to spike.

“You get critical services to crash and you can completely freeze the system,” Dillon said. “There are also lots of integrity issues because when you have all the non-paged pool memory allocated already, certain disk rights, even logging can’t take place because there’s no memory. One of the problems we’ve run into is that we’ve completely exhausted the system and cause it to freeze; one of the reasons it doesn’t blue-screen is because it doesn’t have enough resources needed to blue-screen. It will freeze and never come back.”

Dillon said he and Harding will share some additional technical details during their talk and will demo the attack.

“It’s such a simple attack really; I think a lot of the people there will be able to catch on to what’s happening,” Dillon said.

As for a fix, Dillon believes it wouldn’t be a simple task for Microsoft.

“I think that’s the problem is that it’s not the easiest fix; it’s the way they’ve done SMB memory allocation for over 20 years. So everything relies on the fact the client says ‘I have a buffer that I’m sending that’s this big.’ The server reserves that much memory so it can handle it,” Dillon said. “What we did we say I have a huge buffer and never send the buffer. There’s still a lot of components that rely on the fact that buffer is already allocated and the size is already known.”

Dillon said a mitigation can be applied through inline devices including firewalls by limiting the number of active connections from a single IP address to SMB ports.

Ironically, the only reason Dillon and Harding found the bug was because this critical information used in the pool grooming for EternalBlue.

“You have to have those allocations happen,” Dillon said. “So actually, if this behavior was not the way it was, the pool grooming in EternalBlue would not be the same and the exploit might not work at all.”

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.