SMBLoris

Windows Denial of Service Vulnerability


Disclaimer: This advisory is not affiliated with Microsoft Corporation.

What is SMBLoris?

SMBLoris is a remote and uncredentialed denial of service attack against Microsoft® Windows® operating systems, caused by a 20+ year old vulnerability in the Server Message Block (SMB) network protocol implementation.

What versions of Windows are affected?

The vulnerability is in all modern versions of Windows, at least from Windows 2000 through Windows 10. Disabling SMB does not help: systems are still vulnerable even if all versions of SMB (1, 2, and 3) are turned off, because the flaw is in the NetBIOS session-layer handling that runs before any SMB dialect is negotiated.

What is the threat?

It is computationally inexpensive for an attacker to cause large memory allocations and enormous amounts of wasted CPU cycles, rendering vulnerable machines completely unusable, making business-critical services (such as web and mail servers) unavailable, and even causing the entire operating system to crash.

Scenario            Sockets    Attack Cost    Memory Impact
Baseline                  1        4 bytes          128 KiB
Single IPv4          65,535        256 KiB            8 GiB
Single IPv6          65,535        256 KiB            8 GiB
Dual IPv4 / IPv6    131,070        512 KiB           16 GiB
10 IPs              655,350        2.5 MiB           80 GiB

Attack cost is the data the attacker must send (one 4-byte header per socket); memory impact is the non-paged pool the target commits (128 KiB per socket). A single source address is limited to 65,535 sockets by the 16-bit source-port space, so each additional IP adds another 65,535.

Is there a CVE?

SMBLoris has not (yet?) been assigned a CVE. Some similar vulnerabilities include:

Is there a patch?

Not at this time.

What ports are affected?

SMB over TCP normally runs on port 445. The NetBIOS Session Service on port 139 carries the same NBSS header and is probably also exploitable.

Is Samba affected?

Samba, the open-source SMB server used on non-Windows operating systems, is also vulnerable in a default install but has a workaround.

Set the following in smb.conf (usually found in /etc/samba):

    max smbd processes = 1000

Thanks to @marcan42 for testing and fix information.

Can this lead to remote code execution?

No.

What is the CVSS score?

CVSS v2 Vector
(AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:W/RC:C)

CVSS v3 Vector
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:F/RL:W/RC:C)

How easy is it to exploit?

A proof-of-concept requires rudimentary network programming knowledge to create, and even a basic implementation could take down the majority of Windows machines in the wild.

Highly effective exploits with better sustainability can be crafted by more advanced attackers.

What are the mitigations?

Either block the SMB ports (TCP 445 and 139) with the Windows firewall or an inline device, or limit the number of connections a single IP may hold open to the service at any one time.
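The second mitigation, a per-IP connection limit, needs a way to see how many SMB sessions each remote address is currently holding. The following is an added example, not code from this advisory or from its authors: it counts non-listening TCP connections to ports 445 and 139 per remote host from the column layout of Windows `netstat -ano` output and flags hosts above a threshold. The sample output is constructed, not a real capture, and the threshold of 3 is a hypothetical policy value.

```python
from collections import Counter

SMB_PORTS = {445, 139}

# Constructed sample in the column layout of `netstat -ano` on Windows; it is
# not a real capture. 198.51.100.7 is holding four SMB sessions at once.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:445         198.51.100.7:49152     ESTABLISHED     4
  TCP    192.0.2.10:445         198.51.100.7:49153     ESTABLISHED     4
  TCP    192.0.2.10:445         198.51.100.7:49154     ESTABLISHED     4
  TCP    192.0.2.10:139         198.51.100.7:49155     ESTABLISHED     4
  TCP    192.0.2.10:445         203.0.113.5:51000      ESTABLISHED     4
  TCP    192.0.2.10:3389        203.0.113.5:51001      ESTABLISHED     1234
  TCP    [2001:db8::10]:445     [2001:db8:1::7]:40001  ESTABLISHED     4
  TCP    [2001:db8::10]:445     [2001:db8:1::7]:40002  ESTABLISHED     4
"""


def split_host_port(addr):
    """'192.0.2.10:445' -> ('192.0.2.10', 445); '[2001:db8::10]:445' -> ('2001:db8::10', 445)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def smb_connections_by_source(netstat_text):
    """Count non-listening TCP connections to the SMB ports, keyed by remote host."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue                      # header, blank, or non-TCP line
        _, local_port = split_host_port(fields[1])
        remote_host, _ = split_host_port(fields[2])
        if local_port in SMB_PORTS and fields[3] != "LISTENING":
            counts[remote_host] += 1
    return counts


def offenders(counts, threshold):
    """Remote hosts holding more than `threshold` SMB connections, busiest first."""
    return sorted(((h, n) for h, n in counts.items() if n > threshold),
                  key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    counts = smb_connections_by_source(SAMPLE_NETSTAT)
    # threshold=3 is a hypothetical policy value, not a figure from the advisory
    for host, n in offenders(counts, threshold=3):
        print(f"{host} holds {n} SMB connections; consider blocking or rate-limiting it")
```

Because a loris-style attacker holds connections open rather than completing SMB negotiation, the count per source is the signal to watch; every state other than LISTENING is counted so that half-open connections are included. On Windows the same per-remote-address counts can be produced from Get-NetTCPConnection in PowerShell, and the chosen threshold becomes the limit to enforce at the firewall or inline device.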

Why the name SMBLoris?

The attack has similarities to Slowloris denial of service attacks that target web servers. Loris attacks occur when a single machine is able to open many connections to a server, maliciously using up extensive resources with minimal attack cost.

While Slowloris temporarily takes down a web server, SMBLoris can completely take down the entire operating system.

What are the technical details?

The NetBIOS Session Service (NBSS) header is the first TCP data sent to start an SMB session, and it is processed before any authentication takes place. It is 4 bytes long:

struct NBSS_HEADER
{
    char  MessageType  : 8;   /* 0x00 = session message, 0x81 = session request */
    char  Flags        : 7;   /* reserved bits of wire byte 1 (bits 7..1) */
    int   Length       : 17;  /* attacker-controlled; its top bit is bit 0 of wire byte 1 */
};
/* Logical layout only: on the wire the header is big-endian, one byte of type,
   one byte of flags (bit 0 = length extension) and a 16-bit length. */

Windows immediately commits a buffer of the size given in the attacker-controlled Length field. The field is 17 bits wide, so a single 4-byte header can request up to 2^17 bytes (131,072 bytes, or 128 KiB). The allocation comes from the "non-paged pool" (physical RAM that cannot be swapped out to disk), which makes the denial of service even more effective. The memory, and the CPU time spent servicing the connection, stays lost for as long as the connection is held open.

SMBLoris works over IPv4 and IPv6, and an attacker who acquires several IP addresses on a LAN can multiply the effect, since the 65,535 source-port limit applies per source address. The number of machines needed for a distributed denial of service (DDoS) attack against more powerful servers is correspondingly reduced.
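To make the header layout and the figures in the table above concrete, here is an added example (not code from this advisory or from its authors) that packs and parses the 4-byte NBSS header with its 17-bit Length, and reproduces the attack-cost and memory-impact arithmetic for each scenario using the per-connection figures the advisory gives (4 bytes sent, 128 KiB committed). The scenario names and socket counts are taken from the table; everything else is an assumption of the example.

```python
import struct

# NetBIOS Session Service header (RFC 1002, section 4.3.1), network byte order:
#   byte 0    message type: 0x00 session message, 0x81 session request, ...
#   byte 1    flags: bits 7..1 reserved, bit 0 = length extension (bit 16 of Length)
#   bytes 2-3 low 16 bits of Length
# The extension bit makes Length 17 bits wide, so one header can ask for
# up to 2**17 - 1 bytes before a single SMB byte has been parsed.
NBSS_HEADER_LEN = 4
NBSS_LENGTH_BITS = 17
NBSS_MAX_LENGTH = (1 << NBSS_LENGTH_BITS) - 1      # 131,071
NBSS_SESSION_MESSAGE = 0x00
NBSS_SESSION_REQUEST = 0x81

# Per-connection figures the advisory uses: the attacker sends one 4-byte
# header; the target commits up to 128 KiB of non-paged pool for it.
ATTACK_COST_PER_CONN = NBSS_HEADER_LEN
COMMIT_PER_CONN = 128 * 1024

# One source IP can hold at most 65,535 connections to a single (ip, port)
# because each needs a distinct 16-bit source port (port 0 excluded).
PORTS_PER_SOURCE_IP = 65_535


def pack_nbss_header(msg_type, length):
    """Encode a 4-byte NBSS header; Length may use the full 17 bits."""
    if not 0 <= msg_type <= 0xFF:
        raise ValueError("message type must fit in one byte")
    if not 0 <= length <= NBSS_MAX_LENGTH:
        raise ValueError(f"length must be 0..{NBSS_MAX_LENGTH}")
    flags = (length >> 16) & 0x01        # bit 16 of Length travels in flags bit 0
    return struct.pack("!BBH", msg_type, flags, length & 0xFFFF)


def parse_nbss_header(data):
    """Decode the first 4 bytes of a session stream into (msg_type, flags, length)."""
    if len(data) < NBSS_HEADER_LEN:
        raise ValueError("short read: NBSS header is 4 bytes")
    msg_type, flags, low16 = struct.unpack("!BBH", data[:NBSS_HEADER_LEN])
    length = ((flags & 0x01) << 16) | low16
    return msg_type, flags, length


def attack_cost_bytes(sockets):
    """Bytes the attacker must send to open `sockets` connections."""
    return sockets * ATTACK_COST_PER_CONN


def memory_impact_bytes(sockets):
    """Non-paged pool the target commits while `sockets` connections are held open."""
    return sockets * COMMIT_PER_CONN


def human(n):
    """Render a byte count in binary units, e.g. 131072 -> '128 KiB'."""
    units = ("B", "KiB", "MiB", "GiB", "TiB")
    i = 0
    while n >= 1024 and i < len(units) - 1:
        n /= 1024
        i += 1
    return f"{n:.3g} {units[i]}"


SCENARIOS = (
    ("Baseline", 1),
    ("Single IPv4", PORTS_PER_SOURCE_IP),
    ("Single IPv6", PORTS_PER_SOURCE_IP),
    ("Dual IPv4 / IPv6", 2 * PORTS_PER_SOURCE_IP),
    ("10 IPs", 10 * PORTS_PER_SOURCE_IP),
)


def scenario_table():
    """Rows of (name, sockets, attack cost in bytes, memory impact in bytes)."""
    return [(name, n, attack_cost_bytes(n), memory_impact_bytes(n))
            for name, n in SCENARIOS]


if __name__ == "__main__":
    hdr = pack_nbss_header(NBSS_SESSION_MESSAGE, NBSS_MAX_LENGTH)
    print("max-length header:", hdr.hex(), parse_nbss_header(hdr))
    for name, n, cost, impact in scenario_table():
        print(f"{name:<18}{n:>9,}{human(cost):>12}{human(impact):>12}")
```

The worst-case header is just 00 01 ff ff: message type 0, length-extension bit set, low 16 bits all ones. Note that a C bitfield struct like the one above describes the logical fields, not the byte order; the `!BBH` pack format here is what actually goes on the wire.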

What is the disclosure timeline?

Who discovered SMBLoris?

SMBLoris was discovered by @zerosum0x0 and @JennaMagius. The attack vector was conceived during analysis of the EternalBlue exploit.

 


Microsoft and Windows are registered trademarks of Microsoft Corporation.

Page updated 2017-11-14 05:21 UTC.