SMBloris is in the town and Microsoft won’t provide a patch for it!

SMBLorisSMB is having a very hard time lately. NSA’s exploit under codename Eternalblue/Double pulsar, Wannacry Ransomware, Uiwix Ransomware, Adylkuzz and others were all taking advantage of the SMB exploit. The new exploit for SMB was released at this DEFCON25 by security researchers zerosum0x0 and JennaMagius as a zero day. This security vulnerability is named as SMBLoris which is named after the Apache Web server bug exploited by Slowloris in 2009. Both SMBloris and Slowloris attacks can use a single machine to crash or freeze a much more powerful server, however Slowloris unlike SMBloris targets webservers. As of now, Microsoft has refused to update any patch for this specific vulnerability saying that it was just a moderate issue and also would likely never be fixed. This bug allows an attacker to remotely crash Windows server with only about 20 lines of Python code and a portable system such as Raspberry Pi.

What exactly is the bug?

The vulnerability exists in the way SMB packets are processed and system allocates the memory for the process. SMBloris is basically a memory-handling bug which if exploited forces a server hosted on the Internet or on the local network to remotely allocate 128KiB of non-paged physical memory that has to be reserved and can’t be swapped out for every connection to the service. An attacker executes this attack by sending three bytes to the SMB service with the 17-bit NetBIOS Session Service (NBSS) length field set to the maximum. The kernel keeps the connection open for 30 seconds and then gives up. So for every 30 seconds, 128KiB of memory is tied up for every connection attempted.

Although, the well known TCP port for NBSS traffic is 139 an attacker now execute a connection request for every single TCP port which are possible i.e. up to 65,535 ports and thus potentially consume up to 8GiB of non-paged RAM for half a minute which would then directly hamper the performance of the machine since the kernel is forced to clean the system for any free memory as more allocations arrive. Now, if an attacker launches this attack on IPv4 and IPv6, the memory burden rises to 16GiB, and if an attack then comes from just two IP addresses, it can fill up to 32GiB and so on. Eventually, the target system/server would not be able to allocate memory and hence would freeze and would need a manual reboot. It would not even crash or show up the blue screen of death (BSOD) since it would have no resource left to show up the blue screen, therefore it will freeze and would never return back from the frozen state until rebooted forcefully.

Which versions of Windows are affected?

The vulnerability exists in all modern versions of Windows. It exists in at least from Windows 2000 through Windows 10. No matter if all versions of SMB are disabled, all systems are still vulnerable.

Is Samba affected?

Samba is a free software which is re-implementation and an alternative to SMB for other operating systems. It is also vulnerable in a default installation however, it has a workaround.

Workaround: Setup ‘max smbd processes = 1000’ in smb.conf (normally found under /etc/samba).

What could go wrong?

Cyber criminals in the black market working to provide DDOSaaS (Distributed Denial of Service-as-a-Service) could benefit from this zero-day. Since they would not even need a botnet or any such large scale resources. All they would require is about 20 lines of python code and a portable system to execute the code. However, no such devastating incident has been recorded or discovered yet.

Recommendation: For now, we highly recommend you to disable ports 445 and 139 in the Internet facing systems. If you are having a thought about using it on your internal LAN, make sure that your business critical systems have these two ports disabled.

The video below is a small working Proof of Concept (POC) for the exploit showing high memory usage in the windows system after successful exploitation.


Leave a Reply

Your email address will not be published. Required fields are marked *