DEF CON Talk Will Expose The Latest SMB Vulnerability SMBLoris

Pierluigi Paganini July 27, 2017

Security researchers at RiskSense have identified a 20-year-old Windows SMB vulnerability they are calling SMBloris, a DEF CON Talk Will Expose it.

Server Message Block (SMB) has been a foundational piece of Microsoft Windows’ networking all the way back to the LAN Manager days, facilitating “shared access to files, printers and serial ports.” It is so common that a free software implementation called Samba was developed long ago to allow UNIX-like systems to share network resources with Windows systems. It is a rare company that doesn’t have SMB packets running on the network.

Over the years SMB has gone through many versions to add features and improve performance. It has also had its share of vulnerabilities on all of the platforms it has been implemented, with many, many patches along the way. No matter how many times it is patched or upgraded, it seems that there is always another vulnerability to be uncovered. Many times a vulnerability that was patched in an earlier version is rediscovered years later. In 2015, security researchers at Cylance discovered a new attack vector for an 18-year-old SMB vulnerability. The new method dubbed Redirect to SMB, “impacted products from Microsoft, Apple, Abode, Symantec, Box, Oracle, and more.” In 2014, the Guardians of Peace used an SMB worm exploit to hack Sony Pictures. And an SMB exploit called ETERNALBLUE was part of the cache of NSA tools released by Shadow Brokers in 2017. This exploit was eventually wrapped up and released on the World as the initial exploit point for WannaCry ransomware. Many of these vulnerabilities existed in the SMB code for many years until they were publicly exploited.
In a seeming case of deja vu, security researchers at RiskSense have identified a 20-year-old Windows SMB vulnerability they are calling SMBloris (a nod to the Slowloris DoS attack.)
SMBLoris Windows RCE vulnerability
 The exploit is a Denial of Service (DoS) attack affecting “every version of the SMB protocol and every Windows version dating back to Windows 2000.” Like most DoS attacks, the target system is overwhelmed by multiple service requests rendering it unavailable. Most modern systems require coordination of a massive number of attacking systems to overwhelm the target, referred to as a Distributed Denial of Service (DDoS) attack. However, the flaws discovered in the Windows SMB service are easily exploited by a single, low-powered computer.
According to researcher Sean Dillon, “While working on EternalBlue, we observed a pattern in the way memory allocations were done on the non-paged pool of the Windows kernel. The non-paged pool is memory that has to be reserved in physical RAM; it can’t be swapped out. That’s the most precious pool of memory on the system. We figured out how to exhaust that pool, even on servers that are very beefy, even 128 GB of memory. We can take that down with a Raspberry Pi.”
Dillon and his research partner Zach Harding followed a responsible disclosure process and privately notified the SMBloris flaw to Microsoft of the vulnerability in early June. Mid June Microsoft replied with their assessment that the vulnerability presented only a “moderate risk”, and would not be moved into the security branch which means it is unlikely to ever be fixed.
Speaking to Threatpost, a Microsoft spokesperson did suggest, “For enterprise customers who may be concerned, we recommend they consider blocking access from the Internet to SMBv1.”
 Given the long history of vulnerabilities in SMB, I hope that everyone is already blocking SMB at their firewalls! Given rumors that a single, low-powered computer is able to exploit the SMB vulnerability for a successful DoS attack, it is not unreasonable to anticipate an attack launched against internal servers from internal clients. Perhaps a properly crafted email attachment that is executed on a desktop?
Dillon and Harding are expected to release full details of the vulnerability at a DEF CON talk on Saturday. With more details, you will be able to assess for yourself whether the risk is “moderate” or something you need to encourage Microsoft to address.
About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.



[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SMBLoris, SMB)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment