security researchers at RiskSense have identified a 20-year-old Windows SMB vulnerability they called SMBloris , they presented their findings at the recent DEF CON hacker conference.
It can remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi.
The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000.
Like most DoS attacks, the target system is overwhelmed by multiple service requests rendering it unavailable. Most modern systems require coordination of a massive number of attacking systems to overwhelm the target, referred to as a Distributed Denial of Service (DDoS) attack.
It is called the attack SMBloris because it is comparable to Slowloris, a 2009 attack developed by Robert Hansen. Both attacks can use a single machine to crash or freeze a much more powerful server, but Slowloris, unlike SMBloris, targets webservers.
“Similar to Slowloris, it requires opening many connections to the server, but these are low-cost connections for the attacker, so a single machine is able to perform the attack,” Dillon,senior security researcher at RiskSense said.
Microsoft has announced that the SMBv1 bug described at DEF CON won’t be patched because it could be fixed simply blocking connections coming from the Internet.
“The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server”. explained RiskSense researchers Sean Dillon.
Attackers can trigger the SMBloris only if the target machine has SMBv1 exposed to the Internet, that’s why Microsoft argued that it is just a configuration issue.
NBSS is the NetBIOS Session Service protocol, every connection to it allocates 128 KB of memory that is freed when the connection is closed. The connection is closed after 30 seconds if no activity is performed.
With 65535 TCP ports available the attackers can fill up more than 8 GB, powering DDoS attack on both IPv4 and IPv6 it is possible to reach 16 GB. The volume could be doubled (32 GB) using two IPs, they can fill 32 GB.
The attack triggers the memory saturation for NBSS and it is necessary to reboot the server in order to restore a normal operation.