A 20-year-old SMB vulnerability: a Raspberry Pi can DoS a large server, and Microsoft will not fix it - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201788330
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-08-03T00:00:00


Most DoS attacks work by having the target system receive a large volume of service requests until it can no longer serve anyone. As technology has advanced, forcing a modern system into a "denial of service" state requires a massive volume of requests, the so-called flooding attack, which in turn requires a distributed denial of service, that is, a DDoS attack. Shortly before the end of the recent DEF CON conference, however, security researchers found a vulnerability in the Windows SMB service that lets even an ordinary computer launch a DoS attack against a server with massive computing resources.

RiskSense security researchers recently discovered this 20-year-old Windows SMB vulnerability, which they call SMBloris, and presented their findings at the DEF CON hacker conference. The vulnerability lets an attacker crash a remote Windows server with about 20 lines of Python code and a Raspberry Pi.

Microsoft, however, says it will not fix the vulnerability, because all you need to do is block a single port from the Internet. Only machines whose SMBv1 port is reachable from the Internet can be hit by SMBloris, which is why Microsoft considers this merely a configuration problem.

The vulnerability affects every version of the SMB protocol and every Windows version since Windows 2000. RiskSense senior security researcher Sean Dillon said it may be even older than that operating system. Dillon, who researched it together with his colleague Zach Harding, calls the attack SMBloris because it is related to Slowloris, developed by Robert Hansen in 2009. Both attacks can crash or freeze a powerful server, but Slowloris's target, unlike that of SMBloris, is a web server.
"Like Slowloris, it needs to open many connections to the server, but those connections cost the attacker very little, so a single machine can carry out the attack," Dillon said.

Dillon was the first researcher to analyse EternalBlue, the NSA SMB exploit used by malware such as WannaCry and the ExPetr wiper, and it was during that EternalBlue analysis that he found this SMBv1 vulnerability.

Dillon explained: "While studying EternalBlue we observed the way the Windows kernel allocates non-paged pool memory. Non-paged pool must stay in physical RAM and cannot be swapped out; it is the most valuable memory pool in the system. Still, we worked out how to exhaust that pool, and even a server with a hefty 128 GB of memory can be taken down with a Raspberry Pi."

Dillon said: "This issue was reported to Microsoft in early June, once the EternalBlue analysis was complete. Microsoft told us that two internal security panels found the vulnerability to be a moderate issue that would not be passed to the security team and may never be fixed. We submitted the report to Microsoft 60 days before Saturday's DEF CON talk, and we received Microsoft's response 45 days before the talk."

A Microsoft spokesperson said: "This case does not rise to a serious impact, and we do not intend to address it with a security update. Enterprise users who are concerned are advised not to expose the SMBv1 port to the Internet."

"They call it a moderate issue because, although it requires establishing many connections to the server, one machine can do all of that, and a Raspberry Pi can paralyse the most powerful server," Dillon said.

The vulnerability lies in how SMB packets are handled and how memory is allocated.
Dillon and Harding said they found a way to use the system's allocation behaviour to bring down the server. The effect is amplified in the same way a DDoS attack is. As Dillon explained, if one machine can complete a DoS attack that paralyses a Windows server, why bother with DDoS? You no longer need a botnet of compromised machines.

Dillon said the attack can consume all of the server's available memory without even producing a blue screen. The Windows operating system then walks a long memory list searching for unallocated memory; this makes the OS crawl and pushes CPU usage to its peak.

"A server crash is very serious when you can freeze the system completely," Dillon said. "But when all of the non-paged pool memory has been allocated, many integrity problems appear, such as disk permission issues, and even logging fails because the memory is exhausted. What we encountered was that we depleted system memory completely and froze the system; no blue screen appears because there are not enough resources left to display one. The system freezes and never recovers."

Dillon said that shortly before the Black Hat conference, he and Harding shared more of the technical details of the attack and demonstrated it. "The attack is still very simple; I believe most people can work out what happened," Dillon said.

NBSS is the NetBIOS session service protocol. Each connection is allocated 128 KB of memory, which is released when the connection is closed. When no activity occurs, a connection is closed after 30 seconds.
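The two facts the article gives about NBSS, 128 KB of non-paged pool per connection and a 30-second idle timeout, are enough for a defender to recognise this kind of connection flood on a server that still has 445 or 139 reachable. The following Python script is an added example, not code from the article or from RiskSense: it parses a `netstat -ano`-style connection table, counts concurrent ESTABLISHED sessions to the SMB ports per remote address, estimates the non-paged pool those sessions pin down at 128 KB each, and flags any source above a threshold. The snapshot it runs on is constructed (documentation-range addresses), and the alert threshold of 50 sessions per source is an assumption, not a figure from the article.

```python
"""Spot SMBloris-style session hoarding in a netstat-style connection table.

Per the article, each NBSS connection costs the Windows kernel 128 KB of
non-paged pool until it closes, and idle connections are reaped only after
30 seconds. One remote address holding hundreds of concurrent sessions to
port 445/139 is therefore the signal to watch for. Added example; the
sample data and the threshold are constructed/assumed, not from the article.
"""
from collections import Counter, namedtuple

NBSS_CONNECTION_COST_BYTES = 128 * 1024   # 128 KB per NBSS connection (article)
SMB_PORTS = {445, 139}                    # direct-hosted SMB and NetBIOS session
PER_SOURCE_THRESHOLD = 50                 # assumed alert threshold per remote IP

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")


def _split_endpoint(endpoint):
    """'10.0.0.5:445' -> ('10.0.0.5', 445); also handles '[fe80::1%12]:445'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Parse TCP rows from `netstat -ano` output; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local_ip, local_port = _split_endpoint(parts[1])
        remote_ip, remote_port = _split_endpoint(parts[2])
        rows.append(Conn("TCP", local_ip, local_port, remote_ip, remote_port, parts[3]))
    return rows


def smb_sessions_per_source(rows):
    """Count ESTABLISHED sessions to the SMB ports, keyed by remote address."""
    return Counter(r.remote_ip for r in rows
                   if r.local_port in SMB_PORTS and r.state == "ESTABLISHED")


def estimate_nonpaged_pool(session_count):
    """Non-paged pool pinned by that many NBSS sessions, using the 128 KB figure."""
    return session_count * NBSS_CONNECTION_COST_BYTES


def find_flooding_sources(rows, threshold=PER_SOURCE_THRESHOLD):
    """Return {remote_ip: (session_count, estimated_bytes)} for sources over threshold."""
    return {ip: (n, estimate_nonpaged_pool(n))
            for ip, n in smb_sessions_per_source(rows).items() if n >= threshold}


def build_sample_snapshot(flood_ip="203.0.113.77", flood_count=300):
    """Constructed netstat-style snapshot: a few legitimate clients plus one
    remote address holding flood_count concurrent SMB sessions. Addresses are
    from documentation ranges, not real hosts."""
    lines = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    10.0.0.5:445           10.0.0.23:51234        ESTABLISHED     4",
        "  TCP    10.0.0.5:445           10.0.0.24:51300        ESTABLISHED     4",
        "  TCP    10.0.0.5:3389          10.0.0.23:51240        ESTABLISHED     1234",
        "  UDP    0.0.0.0:137            *:*                                    4",
    ]
    for i in range(flood_count):
        lines.append(f"  TCP    10.0.0.5:445           {flood_ip}:{40000 + i}"
                     f"        ESTABLISHED     4")
    return "\n".join(lines)


def report(text, threshold=PER_SOURCE_THRESHOLD):
    """Print one line per flagged source and return the findings."""
    hits = find_flooding_sources(parse_netstat(text), threshold)
    for ip, (n, nbytes) in sorted(hits.items(), key=lambda kv: -kv[1][0]):
        print(f"{ip}: {n} concurrent SMB sessions, "
              f"~{nbytes / 2**20:.1f} MiB non-paged pool pinned")
    return hits


if __name__ == "__main__":
    report(build_sample_snapshot())
```

On a real host, feed the script the output of `netstat -ano` (or a perimeter flow export reshaped into the same columns) instead of the constructed snapshot. The 128 KB-per-session figure is taken from the article; the lasting fix the article itself points to is not exposing the SMB ports to the Internet at all, with this check serving as a stopgap for hosts where that is not yet done.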
