SMBLoris Exploit

SMBLoris Exploit


A flaw in the way SMB handles memory allocation, which can be exploited with an attack coined SMBLoris, was disclosed at DefCon this past weekend. SMBLoris is exploitable through the use of a single, low bandwidth machine opening several low cost SMB connections to a server that does not limit the number of connections from a single IP. If exploited, SMBLoris allows this single machine to take down a server through forced memory allocation.

Threat Intelligence

As of this time, we are not aware of this vulnerability being exploited in the wild. However, proof-of-concept code is available and is likely to be used by malicious attackers.

Systems Affected

  • Versions 1, 2, and 3 of the SMB protocol (Both IPv4 and IPv6 are affected)
  • All Windows versions back to Windows 2000.

Patches

Microsoft has said that it has no plans to patch the vulnerability.

Recommendations

We recommend the following actions be taken:

  • Limit the number of active connections from a single IP to SMB connected ports.
  • Ensure SMB is not accessible from the internet if possible.

Technical Summary

SMBLoris is an attack that abuses how memory is allocated to handle NBSS (NetBIOS Session Service) headers used in SMB connections. The first 3 bytes of an SMB connection are used for a NBSS header, since the last 17 bits of the NBSS header are a length field, the attacker can instruct the server to allocate up to 128 kilobytes per connection. By opening multiple simultaneous connections, the attacker can force the server to allocate up to 8GB of memory. If both IPv4 & IPv6 are used simultaneously, this increases to 16GB. Once the available allocations are taken, when new connection requests come in the computer freezes into an unrecoverable state. In the demonstration given by the researchers in their DEFCON presentation, a Windows Server with 8GB of memory became unresponsive within a few seconds of the attack.

References