SMBDie: Crashing Windows Servers with Ease
In this article, we will look at Windows based Security tools, and in this article, we will look at how to easily crash a Windows server in about 5 seconds. What is SMBDie? SMBDie is a tool (proof of concept) that was created to exploit a problem with the Windows operating system and when activated, will crash and Blue Screen the server immediately. We will get into all the details, but for the most part, this article will explain the following:
- What is SMB
- What is the attack (and why it works)
- How to use the tool
- How to protect your systems
So, lets look at all the specifics now. The operating systems that are vulnerable are:
- Microsoft Windows XP Professional
- Microsoft Windows XP 64-Bit Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server4.0, Terminal Server Edition
- Microsoft Windows NT Workstation 4.0
Also, the tests I ran were on both .NET server beta and RC1. They also crashed. .NET server must have NetBIOS enabled to be affected as well. All the above systems went down like paper houses when the tool ran. This article is a more informative version of the MS02-045: Unchecked Buffer in Network Share Provider May Lead to Denial-of-Service security bulletin. This article also looks at using the tool.
SMB: Server Message Block
SMB (Server Message Block) is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources and servers make SMB responses in what described as a client server, request-response protocol. The problem is that is it a massive attack... this is a denial of service attack. If system administrators have turned off anonymous access, it would not be possible for a non-authenticated user to exploit this vulnerability. However, turning off anonymous access does not prevent authenticated users from this attack. In addition, an administrator can block access to SMB on TCP ports 445 and 139 at the network perimeter. This would block access from un-trusted networks. However, legitimate users could be blocked in a 'file and print' networking environment. Administrators could also shut down the lanman server service. However, in a 'file and print' networking environment this may not be a viable solution because it would block legitimate users from using file and print services on a particular server where the lanman service had been stopped.
By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system. The attacker could use both a user account and anonymous access to accomplish this. Though not confirmed, it may be possible to execute arbitrary code.
To run the attack you can do the following:
1. Download the tool from a 'trusted' site. Remember, downloading these tools may cause you serious heartburn if you install a Trojan! Be careful. You can download the SMBDie tool here: http://packetstorm.linuxsecurity.com/filedesc/SMBdie.zip.html
2. Next, you need to run it so you can run the attack. Be careful, if you are running AntiVirus software (and actually update it), then the tool will be quarantined immediately. Make sure you run this (like I do) on test systems so you can learn to use them and protect against them. If you run it on your main machine, disable AntiVirus Auto protect.
3. Open the tool as seen below. Enter the IP address / NetBIOS name and run the KILL button. Look over at your server (mine was a .NET test server although it flagged it as XP) and blammo - its toast.
4. If you fix the problem, you wont be able to connect:
As mentioned earlier, there are services you can turn off, but if don't want to, and then you can apply a patch. The patch eliminates the vulnerability by checking for correct inputs before responding to SMB requests, thereby eliminating the vulnerability.
Download locations for this patch:
Microsoft Windows NT 4.0:
Microsoft Windows NT 4.0 Terminal Server Edition:
Microsoft Windows 2000:
Microsoft Windows XP:
Microsoft Windows XP 64 bit Edition:
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"