Microsoft Windows SMB Response Denial of Service Clarifications

By Alin Rad Pop

A PoC was published recently on Full-Disclosure, completely hanging an up-to-date Windows 7 or Windows Server 2008 R2 system when an SMB connection is established to a malicious server.

At first glance, and if trusting the reported cause of the vulnerability, the PoC seems to send a full SMB packet in which the size is four bytes smaller than expected.

Upon a more careful inspection, seemingly due to an error in the Python script, it was noticed to send only four bytes to an affected system, containing only the NetBIOS header, which defines the size of the following SMB packet.

The vulnerability is actually triggered when insufficient SMB data is received in an outgoing SMB connection. If the connection is terminated by the remote side before all expected data is received, the kernel continuously attempts to receive the remainder of the SMB packet via asynchronous TCP receive requests, which return immediately, leading to an infinite loop in kernel space. This consumes all available CPU resources and effectively hangs the system.

Another unexpected behaviour is that even if the Python code used in the PoC is corrected to send the full SMB response as intended, the system still hangs. This is caused by the presence of non-zero bytes at the end of the specially crafted packet, which are interpreted as the size of a following SMB packet. Multiple SMB packets are detected to be present because the size of the initial packet is four bytes smaller than the whole packet length.

Other parties have incorrectly titled this vulnerability as being related to the "KeAccumulateTicks()" function, being mislead by an assertion failure thrown only if the system is running under a kernel debugger.

Full vulnerability details are included in our recently performed Binary Analysis for this vulnerability, now freely available on the BA samples page.

It's surprising that a vulnerability, which can be triggered by only four bytes of almost random data, has slipped into the Windows 7 SMB parsing functionality. Fortunately, the impact is only a Denial of Service.

Stay secure,

Alin Rad Pop,
Security Specialist