SMBloris – Zero-Day SMB Vulnerability
There has been a new Zero-Day vulnerability found during research into the EternalBlue exploit released by the Shadow Brokers Team. It was discovered that SMBv1 handles allocation of the non-paged pool memory in a way that could be exploited. SMB allocation works by allowing the client to tell the server the size of the buffer it plans to send, the server will then reserve this size buffer within the memory.
The SMBloris exploit works by sending a request for a large buffer size but never sending the content, leaving the memory reserved. With enough of these connections being made, the memory pool will quickly fill up denying memory to other resources until a stage is reached where the memory is totally exhausted. At this point, the server will crash to the point that the device is not even capable of displaying a blue screen of death (BSoD) error. This is because there aren’t enough resources left to generate the error page so the server will simply freeze and be unable to recover.
Affected Platforms:
Microsoft Windows SMBv1
Recomended Actions:
Restrict access to TCP/445 from untrusted networks.
Disable SMBv1.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.