Batu69 Posted August 1, 2017

'SlowLoris' vuln could see a mouse of a machine take down an elephant of a server

Updated A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway.

The 20-year-old Windows bug was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the ones exploited by the NSA's leaked EternalBlue tool. After the talk was given, infosec researcher Jenna Magius described the SMB cockup in detail on Twitter: it's essentially a remote denial-of-service. Bear in mind it only works from afar if the target machine has SMB exposed to the internet, and for that reason, Microsoft doesn't see it as demanding an immediate patch.

The security weakness, dubbed SMBLoris, is a memory-handling bug: it can be exploited to force a vulnerable server on the internet or local network to allocate 128KiB of non-paged physical memory, which can't be swapped out, for every connection to the service. You do this by sending three bytes to the SMB service with the 17-bit NBSS length field set to the max. The kernel keeps the connection open for 30 seconds and then gives up. So for 30 seconds, 128KiB of memory is tied up for every connection attempted.

You then fire off a connection request for every TCP port possible – up to 65,535 – and thus potentially chew through up to 8GiB of non-paged RAM for half a minute. This will hamper the performance of the machine as the kernel is forced to scour the system for any free memory as more allocations arrive. If a miscreant launches this attack on IPv4 and IPv6, that memory burden rises to 16GiB, and if an attack comes from just two IPs, they can fill 32GiB, and so on.

Eventually, the target can't allocate memory, and needs a manual reboot if it becomes unresponsive. The name SMBLoris is a reference to the 2009 Slowloris bug.

In response to Microsoft saying it didn't intend to issue a security fix for the problem, Dillon said: "The reason they say it's a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server". ®

Updated to add According to Microsoft's SMB supremo Ned Pyle, SMBLoris affects all versions of SMB – not v1 as first thought – because it all happens so early on in the connection. Best thing to do is firewall off ports 445 and 139 from the public, and rate limit access to the service locally if you're paranoid about internal attacks.

Article source
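The article describes two things a defender can actually look for: a NetBIOS Session Service (NBSS) header whose 17-bit length field promises a large body that never arrives, and a single source holding many simultaneous sessions on TCP 445/139. The following Python is an added example written for this thread, not code from The Register, RiskSense or Microsoft. It parses the 4-byte NBSS header as laid out in RFC 1002 (assumed here: TYPE, FLAGS with the length-extension bit in bit 0, then a 16-bit LENGTH), flags "loris-shaped" sessions, and counts SMB peers from constructed netstat-style lines; the addresses, thresholds and the 64-byte body cutoff are all assumptions chosen for illustration.

```python
"""Defender-side checks for SMBLoris-style NBSS connection floods (added example).

  1. An NBSS (NetBIOS Session Service, RFC 1002) header that advertises a large
     17-bit length while delivering (almost) no body.
  2. Many simultaneous ESTABLISHED connections to TCP 445/139 from one source.
The connection-table lines below are constructed sample data, not real logs.
"""
from collections import Counter
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

NBSS_MAX_LENGTH = 0x1FFFF   # all 17 length bits set (~128 KiB), as in the article
LARGE_LENGTH = 0x10000      # extension bit set: peer claims a body of >= 64 KiB
SMB_PORTS = {445, 139}      # the ports the article says to firewall off


class NbssHeader(NamedTuple):
    msg_type: int   # 0x00 = session message, 0x81 = session request, ...
    length: int     # 17-bit body length the peer promises to send


def parse_nbss_header(data: bytes) -> Optional[NbssHeader]:
    """Parse the 4-byte NBSS header: TYPE(8) | FLAGS(8) | LENGTH(16).

    Bit 0 of FLAGS is the length-extension bit, so the length is 17 bits wide.
    Returns None when fewer than 4 bytes have arrived."""
    if len(data) < 4:
        return None
    length = ((data[1] & 0x01) << 16) | (data[2] << 8) | data[3]
    return NbssHeader(msg_type=data[0], length=length)


def is_loris_shaped(data: bytes, body_bytes_received: int) -> bool:
    """True when the header claims a large body but almost none of it arrived.

    That is the per-connection shape the article describes: the length field
    drives a non-paged allocation, then the sender simply goes quiet."""
    hdr = parse_nbss_header(data)
    if hdr is None:
        return False
    return hdr.length >= LARGE_LENGTH and body_bytes_received < 64  # 64: assumed cutoff


def parse_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'ip:port' or '[ipv6]:port' into (normalised ip, port)."""
    host, port = endpoint.rsplit(":", 1)
    return str(ipaddress.ip_address(host.strip("[]"))), int(port)


def count_smb_peers(netstat_lines: List[str]) -> Dict[str, int]:
    """Count ESTABLISHED connections to local SMB ports per remote address.

    Accepts netstat-style lines: Proto  Local Address  Foreign Address  State."""
    peers: Counter = Counter()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # header line, UDP, or a malformed row
        _, local_port = parse_endpoint(parts[1])
        remote_ip, _ = parse_endpoint(parts[2])
        if local_port in SMB_PORTS and parts[3] == "ESTABLISHED":
            peers[remote_ip] += 1
    return dict(peers)


def flag_floods(netstat_lines: List[str], threshold: int) -> Dict[str, int]:
    """Remote addresses holding more than `threshold` SMB sessions at once."""
    return {ip: n for ip, n in count_smb_peers(netstat_lines).items() if n > threshold}


# Constructed sample connection table using documentation addresses only.
SAMPLE_NETSTAT = [
    "Proto  Local Address      Foreign Address         State",
    "TCP    10.0.0.5:445       198.51.100.7:40001      ESTABLISHED",
    "TCP    10.0.0.5:445       198.51.100.7:40002      ESTABLISHED",
    "TCP    10.0.0.5:445       198.51.100.7:40003      ESTABLISHED",
    "TCP    10.0.0.5:445       198.51.100.7:40004      ESTABLISHED",
    "TCP    10.0.0.5:139       198.51.100.7:40005      ESTABLISHED",
    "TCP    10.0.0.5:445       203.0.113.9:51000       ESTABLISHED",
    "TCP    [fd00::5]:445      [2001:db8::77]:60001    ESTABLISHED",
    "TCP    10.0.0.5:3389      203.0.113.9:51001       ESTABLISHED",
]

if __name__ == "__main__":
    loris = bytes([0x00, 0x01, 0xFF, 0xFF])   # length 0x1FFFF, nothing follows
    normal = bytes([0x00, 0x00, 0x00, 0x48])  # 72-byte body, e.g. a negotiate
    print("loris-shaped:", is_loris_shaped(loris, 0), is_loris_shaped(normal, 72))
    print("sources over threshold:", flag_floods(SAMPLE_NETSTAT, threshold=3))
```

On a real host the input to `count_smb_peers` would be the output of `netstat -n` (or the equivalent connection table), and the threshold should sit well above the number of sessions a legitimate client opens; the header check belongs at a capture point in front of the server, since the kernel has already made the allocation by the time the session shows up in the table. Neither check replaces the article's actual advice, which is to keep 445 and 139 off the public internet.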
steven36 Posted August 1, 2017

LOL, Microsoft and their excuses not to fix leaks. I never leave these ports open, no way. I don't even port forward using my VPN; never had to yet.
Bausch Posted August 1, 2017

Maybe, true, on the consumer's part, the service should be firewalled "anyway" as MS puts it. And the problem should also be fixed on their part, first and foremost. Maybe if they have done their job, as they should have, this would not have become an exploit in the first place. Way to go MS, blame your users, for your own mistakes.
steven36 Posted August 1, 2017

1 hour ago, Bausch said: Way to go MS, blame your users, for your own mistakes.

They always do, just like when they removed the start menu from Windows 8.1. They blamed it on the users; they said they collected telemetry and saw most everyone was pinning shortcuts to the task bar, so they removed it, and still they haven't figured out how to put it back right in over 4 years. It's just like them blacklisting hardware: that's not their fault, it's your fault for not buying new hardware, or it's the vendor's fault for not supporting their flagship OS, lol. And if you do buy new hardware and try to use a legacy OS, it's still your fault you're blacklisted, because you should use their flagship OS, which is the only one supported with new hardware.
brain_death Posted August 1, 2017

Only a dumbass has these ports open anyhow...
steven36 Posted August 1, 2017

1 hour ago, brain_death said: Only a dumbass has these ports open anyhow...

Petya ransomware utilized ports 137, 138, 139 and 445, and WannaCry utilized ports 445, 135, 138, 139... It's more common for Windows Server to have these ports open than home users with just Windows, and once the virus gets through the ports it infects every PC on the network with ransomware. Most 3rd-party firewalls and NAT router firewalls block these ports anyway by default. http://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for
DKT27 (Administrator) Posted August 2, 2017

I wonder if UPnP being enabled causes any risk for this particular vulnerability. I know, I know, UPnP should not be enabled, but many routers have it enabled by default and I wonder if SMB uses it when required to do so.
MIKLO Posted August 2, 2017

You know, I get it that geeks know the ways of computers, but I take exception to calling someone an idiot because they don't have a certain port closed. The fact is many computer users just don't know any better, or that it's necessary to open or close a port or any of the other things that must be done to have a "safe" computer. Over the years I have met many very smart people that just don't know anything about computer security, or for that matter even how to get the best from their machine. I think back to the days of the VHS recorders that everyone had, but a simple thing like setting the correct time evaded them; that's why the majority of VHS machines had 12:00 blinking forever. Now to call these people idiots is just not fair or correct. I am very comfortable with computers due to the fact I used them for so many years at work, starting with DOS, 3.1 and so forth. I am the only one in my family that is comfortable with them; all the men except me have very good mechanical abilities, from aircraft mechanics to building homes. Sadly I can't even hammer a nail, but I know computers pretty well. The thing is, nobody knows everything, but most know at least one thing very well. Think the next time before you call an unknown person an idiot, and remember when your car breaks, or so many other things, it's necessary for you to take the product to some so-called idiot because you cannot fix it.

MIKLO
This topic is now archived and is closed to further replies.