
Microsoft Windows SMB Response Denial of Service Clarifications

A PoC was published recently on Full-Disclosure, completely hanging an up-to-date Windows 7 or Windows Server 2008 R2 system when an SMB connection is established to a malicious server.
13:00 CET on the 18th November 2009
Entry written by Alin Rad Pop.

At first glance, and taking the reported cause of the vulnerability at face value, the PoC appears to send a complete SMB packet whose NetBIOS header announces a size four bytes smaller than the data that actually follows.

On closer inspection, however, the Python script (seemingly because of a bug in it) sends only four bytes to the affected system: the NetBIOS session header alone, which defines the size of the SMB packet that is supposed to follow but never does.

The vulnerability is actually triggered when an outgoing SMB connection receives less data than the NetBIOS header announced. If the remote side closes the connection before all expected data has arrived, the kernel keeps issuing asynchronous TCP receive requests for the remainder of the SMB packet. Each request completes immediately without data, so the kernel loops indefinitely. Since the loop runs in kernel space, it consumes all available CPU time and effectively hangs the system.

Another unexpected behaviour is that even if the Python code in the PoC is corrected to send the full SMB response as intended, the system still hangs. Because the declared size is four bytes smaller than the data actually sent, the parser concludes that a second SMB packet follows the first, and the trailing bytes of the crafted packet are read as that packet's NetBIOS header, i.e. as the size of a following SMB packet. If those bytes are non-zero, the kernel waits for data that never arrives and the system hangs as before.
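As an added illustration (not part of the original post, and not the published PoC), the following Python models the three observations above: a 4-byte NetBIOS session header whose 3-byte length field announces data that never arrives, a receive loop that never treats an empty read as the peer having closed (the flawed behaviour described) next to the correct loop, and a "corrected" PoC whose trailing bytes get picked up as the next packet's header. The fake SMB payload, the length value 0x9A for the header-only case, and the 1000-receive cap that stands in for the hang are all constructed for the demonstration; the real kernel code is not reproduced, and the model simply takes the low three bytes of the trailing garbage as the next length.

```python
import struct
from io import BytesIO

NBSS_SESSION_MESSAGE = 0x00


def nbss_header(length, msg_type=NBSS_SESSION_MESSAGE):
    """NetBIOS Session Service header: one type byte, then a 3-byte big-endian length."""
    return struct.pack(">I", (msg_type << 24) | (length & 0xFFFFFF))


def parse_nbss_header(hdr):
    (word,) = struct.unpack(">I", hdr)
    return word >> 24, word & 0xFFFFFF


def fake_smb_response(trailer):
    # Constructed stand-in for an SMB response: 0xFF 'SMB' magic, a command byte, filler.
    # Only the byte count matters here; this is not a real server response.
    return b"\xffSMB\x72" + b"\x00" * 27 + trailer


def build_stream(trailer, short_by):
    """Bytes the malicious server sends: an NBSS header under-reporting the payload by short_by."""
    payload = fake_smb_response(trailer)
    return nbss_header(len(payload) - short_by) + payload


class ClosedPeer:
    """Stand-in for the malicious server's socket: serves what it has, then returns b'' forever."""

    def __init__(self, data):
        self._buf = BytesIO(data)
        self.recv_calls = 0

    def recv(self, n):
        self.recv_calls += 1
        return self._buf.read(n)


def read_exact_vulnerable(peer, n, max_calls=1000):
    """Models the flawed loop: re-issues receives until n bytes arrive and never treats an empty
    read as 'connection closed'. Uncapped this spins forever; max_calls stands in for the hang."""
    buf = b""
    while len(buf) < n:
        buf += peer.recv(n - len(buf))
        if peer.recv_calls >= max_calls:
            raise TimeoutError(f"still waiting for {n - len(buf)} bytes after {peer.recv_calls} receives")
    return buf


def read_exact_fixed(peer, n):
    """Correct framing: an empty read means the peer closed, so a short message is an error."""
    buf = b""
    while len(buf) < n:
        chunk = peer.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} expected bytes")
        buf += chunk
    return buf


def read_smb_messages(peer, read_exact):
    """Frame NBSS-wrapped SMB messages until the peer closes at a message boundary."""
    msgs = []
    while True:
        hdr = peer.recv(4)
        if hdr == b"":
            return msgs  # clean close between messages
        if len(hdr) < 4:
            hdr += read_exact(peer, 4 - len(hdr))
        _type, length = parse_nbss_header(hdr)
        msgs.append(read_exact(peer, length))


def outcome(stream, read_exact):
    """Returns ('ok', n_messages) | ('closed', None) | ('spin', None), plus the receive call count."""
    peer = ClosedPeer(stream)
    try:
        return "ok", len(read_smb_messages(peer, read_exact)), peer.recv_calls
    except ConnectionError:
        return "closed", None, peer.recv_calls
    except TimeoutError:
        return "spin", None, peer.recv_calls


# The cases discussed in the post (all constructed)
HEADER_ONLY = nbss_header(0x9A)                            # what the PoC script really sent
CORRECTED_NONZERO = build_stream(b"\x41\x41\x41\x41", 4)   # full response, non-zero trailing bytes
CORRECTED_ZERO = build_stream(b"\x00" * 4, 4)              # same, but the trailer is all zeros
WELL_FORMED = build_stream(b"\x00" * 4, 0)                 # honest length field

if __name__ == "__main__":
    for name, stream in [("header only", HEADER_ONLY), ("corrected, non-zero tail", CORRECTED_NONZERO),
                         ("corrected, zero tail", CORRECTED_ZERO), ("well formed", WELL_FORMED)]:
        print(f"{name:26s} vulnerable={outcome(stream, read_exact_vulnerable)[0]:6s} "
              f"fixed={outcome(stream, read_exact_fixed)[0]}")
```

Run it and the header-only stream and the "corrected" stream with a non-zero tail both drive the vulnerable reader into the capped spin, while the fixed reader rejects them after a single empty read; with a zero tail the trailing bytes parse as an empty second message and both readers finish cleanly, which is why the trailer's contents decide whether the hang occurs.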

Other parties have incorrectly attributed this vulnerability to the "KeAccumulateTicks()" function, misled by an assertion failure that is raised only when the system is running under a kernel debugger.

Full vulnerability details are included in our recently performed Binary Analysis for this vulnerability, now freely available on the BA samples page.

It's surprising that a vulnerability which can be triggered by only four bytes of almost arbitrary data has slipped into the Windows 7 SMB parsing functionality. Fortunately, the impact is limited to a denial of service.

Stay secure,

Alin Rad Pop,
Security Specialist
