Latest Windows SMB flaw (SMBLoris) compromises all versions of Windows from Windows 2000 to Windows 10. A big week for phishing: Copyfish Chrome extension compromised by phishing, White House execs phished by “prankster”, Germany reports sophisticated spearphishing, and an expired Nissan domain allows attackers to collect live telemetry data from cars.
1. SMBLoris – latest SMB (internet protocol) flaw in Windows remains unpatched
SMBLoris affects all versions of the SMB protocol going back to Windows 2000. The attack opens an SMB connection and requests a buffer of 128 KB (the maximum size allowed). Alone, 128 KB isn’t much, but since a single attacking address can request 65,535 connections (one for each source port), it can tie up 8 GB of memory. Multiply this by a few source addresses and memory fills quite quickly. These requests allocate memory in physical RAM without allowing it to be paged out to swap space. This puts the CPU in a loop where it scans for additional free memory and has no cycles left to do anything else. The system freezes completely without blue screening, as it doesn’t even have the time to produce one.
The flaw was privately reported to Microsoft in early June, but the company considered it to be of moderate impact and does not consider it to be a security breach. In addition, it will probably not even be fixed. Instead, Microsoft recommends blocking access from the internet to SMBv1.
Two researchers, Sean Dillon and Zach Harding, discovered the exploit while researching EternalBlue. The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. The research team demonstrated how they could take down a 128 GB server using only a Raspberry Pi in under 30 seconds.
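A defender-side check for the pattern described above, as an added example that is not part of the original article: it counts established connections to the SMB port per remote address in `netstat -an` output and estimates the memory those connections could pin, using the article's 128 KB per-connection figure. The sample data, the use of TCP port 445 (the standard SMB port, not named in the article), the alert threshold and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

BUFFER_BYTES = 128 * 1024   # per-connection buffer figure quoted in the article
SMB_PORT = 445              # standard SMB-over-TCP port (not stated in the article)
ALERT_CONNECTIONS = 1000    # assumed threshold; tune to your environment

# Constructed sample in Windows `netstat -an` layout (documentation-range addresses).
SAMPLE_NETSTAT = "\n".join(
    ["  TCP    192.0.2.10:445     198.51.100.7:%d    ESTABLISHED" % p for p in range(40000, 42000)]
    + ["  TCP    192.0.2.10:445     203.0.113.20:51514    ESTABLISHED",
       "  TCP    192.0.2.10:3389    203.0.113.20:51600    ESTABLISHED",
       "  TCP    0.0.0.0:445        0.0.0.0:0             LISTENING"]
)

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def smb_connections_by_source(netstat_text, port=SMB_PORT):
    """Count ESTABLISHED connections to the local SMB port, keyed by remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, UDP rows, blank lines
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if int(local_port) == port and state == "ESTABLISHED":
            counts[remote_ip] += 1
    return counts

def worst_case_bytes(connections):
    """Upper bound on memory reserved if every connection requested the full buffer."""
    return connections * BUFFER_BYTES

def flag_sources(netstat_text, threshold=ALERT_CONNECTIONS):
    """Return [(remote_ip, connections, worst_case_bytes)] for sources at or over threshold."""
    counts = smb_connections_by_source(netstat_text)
    return [(ip, n, worst_case_bytes(n)) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n, reserved in flag_sources(SAMPLE_NETSTAT):
        print(f"{ip}: {n} SMB connections, up to {reserved / 2**20:.0f} MiB reserved")
    print(f"one source, all ports: {worst_case_bytes(65535) / 2**30:.2f} GiB")
```

A legitimate client rarely holds more than a handful of SMB sessions to one server, so a single remote address with thousands of them is a strong signal to rate-limit or block that source at the firewall.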
Attackers were able to connect to the IoT device, compromise one of these sensors and move to other vulnerable areas of the casino’s network and send out data.
SMBLoris Attack Demonstration:
SMBLoris Denial of Service Code (in C):