DoS vulnerability in the SMB client of Windows 7 and Server 2008 R2
A flaw in the implementation of the SMB clients in Windows 7 and Windows Server 2008 R2 can be exploited to crash entire systems remotely. Clients can fall victim to an attack simply by contacting a specially crafted SMB server. Flawed server responses containing insufficient NetBIOS headers can trigger an infinite loop in the SMB client and result in Windows becoming unresponsive. So far, however, the flaw has not been found capable of compromising a system.
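The article does not say which part of the NetBIOS header is malformed, so the following added example (not from the article or from Gaffié's exploit) shows the general framing checks a robust SMB client performs on a server's declared length before acting on it: every frame either validates against the bytes actually received or is rejected, so the receive loop always makes progress. The sample byte strings are constructed.

```python
import struct
from typing import List, Tuple

# NetBIOS Session Service header (RFC 1002): 1 byte type, 1 byte flags,
# 2 bytes length; bit 0 of flags extends the length to 17 bits.
NBSS_HEADER_LEN = 4
NBSS_SESSION_MESSAGE = 0x00
SMB_MAGICS = (b"\xffSMB", b"\xfeSMB")  # SMB1 and SMB2 protocol identifiers


def parse_nbss_frame(buf: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Return (smb_payload, next_offset) for the frame at buf[offset:].

    Raises ValueError whenever the header disagrees with the bytes present,
    instead of trusting the server's declared length.
    """
    if len(buf) - offset < NBSS_HEADER_LEN:
        raise ValueError("truncated NetBIOS header")
    msg_type, flags, length16 = struct.unpack_from(">BBH", buf, offset)
    if msg_type != NBSS_SESSION_MESSAGE:
        raise ValueError("unexpected NetBIOS message type 0x%02x" % msg_type)
    length = ((flags & 0x01) << 16) | length16
    start = offset + NBSS_HEADER_LEN
    end = start + length
    # A payload too short to hold the SMB protocol identifier is not SMB.
    if length < 4:
        raise ValueError("declared payload length %d too short for SMB" % length)
    if end > len(buf):
        raise ValueError("declared length exceeds bytes received")
    payload = buf[start:end]
    if payload[:4] not in SMB_MAGICS:
        raise ValueError("payload does not start with an SMB protocol id")
    return payload, end


def split_session_messages(buf: bytes) -> List[bytes]:
    """Split a received stream into SMB payloads.

    Each iteration consumes at least the 4-byte header or raises, so a
    malformed stream can never keep the parser spinning in place.
    """
    payloads, offset = [], 0
    while offset < len(buf):
        payload, offset = parse_nbss_frame(buf, offset)
        payloads.append(payload)
    return payloads


def is_well_formed(buf: bytes) -> bool:
    """True if the whole stream parses cleanly, False if any frame is rejected."""
    try:
        split_session_messages(buf)
        return True
    except ValueError:
        return False
```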
To fall victim to a successful DoS attack, users don't necessarily need to contact a malicious server manually. A connection can, for instance, be initiated when Internet Explorer processes an HTML page containing a suitable link. Attacks are not confined to LANs if a firewall or packet filter allows SMB packets to pass.
Laurent Gaffié, who discovered the DoS vulnerability, has written a Python server exploit to demonstrate the problem. When tested by The H's associates at heise Security, a Windows 7 machine froze abruptly after contacting the server and could only be restarted by pulling its mains plug.
Laurent Gaffié said that Microsoft's Security Development Lifecycle should have exposed the flaw. No patch has yet been made available; however, Gaffié only informed Microsoft on the 8th of November, and Microsoft has confirmed the hole. Gaffié has not offered a workaround to protect systems from such DoS attacks. A partial workaround, which at least prevents response packets from specially crafted SMB servers arriving via the internet, is to instruct the firewall to block the SMB ports, 139 and 445.
Incidentally, the problem's revision history contains a strange entry. According to the blog post, Microsoft's Security Response Center tried to convince Gaffié that a "multi-vendor IPv6 bug" shouldn't appear in a security bulletin. Whether this means that other products could also be affected remains unclear. We have asked Gaffié about this, but have not had a reply.
As recently as October, Microsoft had to close a critical hole in the SMBv2 protocol implementation of Windows Vista and Server 2008 R2. It later turned out that the vendor had already known about this flaw for quite some time and (secretly) managed to fix it in the final version of Windows 7.
- Windows 7/Server 2008R2 Remote Kernel Crash, blog post by Laurent Gaffié.
- Microsoft has known of the SMB2 hole for some time, a report from The H.