New SMB bug: How to crash Windows system with a 'link of death'

Security researcher publishes exploit code after Microsoft drags feet on fix


US CERT on Thursday issued a security advisory warning that all currently supported versions of Windows are vulnerable to a memory corruption bug that can be exploited to crash computers from afar.

"Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure," the security organization said. "By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys."
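To make the advisory's condition concrete, here is an added example (not from US CERT, the article, or Gaffié's code) of the strict length check a client-side parser for the SMB2 TREE_CONNECT Response can apply before trusting the message; the field layout follows MS-SMB2 section 2.2.10, compounded responses are deliberately out of scope, and the sample message is constructed rather than captured.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_CMD_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
TREE_CONNECT_RESP_LEN = 16      # MS-SMB2 2.2.10: the response body is exactly 16 bytes
VALID_SHARE_TYPES = {1, 2, 3}   # SMB2_SHARE_TYPE_DISK, _PIPE, _PRINT

class MalformedSmb2(ValueError):
    """Raised instead of trusting an out-of-spec server response."""

def parse_tree_connect_response(msg: bytes) -> dict:
    """Strictly parse a 64-byte SMB2 header plus 16-byte TREE_CONNECT Response body.
    Extra bytes after the structure (the advisory's condition) are rejected."""
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        raise MalformedSmb2("missing or short SMB2 header")
    hdr_size, status, command = struct.unpack_from("<HxxIH", msg, 4)
    flags, next_cmd = struct.unpack_from("<II", msg, 16)
    if hdr_size != SMB2_HEADER_LEN or command != SMB2_CMD_TREE_CONNECT:
        raise MalformedSmb2("not a TREE_CONNECT message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise MalformedSmb2("request, not a server response")
    if next_cmd != 0:  # compounded responses are out of scope for this example
        raise MalformedSmb2("compounded response not handled")
    body = msg[SMB2_HEADER_LEN:]
    if len(body) != TREE_CONNECT_RESP_LEN:  # the length check that matters here
        raise MalformedSmb2(f"body is {len(body)} bytes, structure defines 16")
    size, share_type, _rsv, share_flags, caps, max_access = struct.unpack("<HBBIII", body)
    if size != TREE_CONNECT_RESP_LEN or share_type not in VALID_SHARE_TYPES:
        raise MalformedSmb2("bad StructureSize or ShareType")
    return {"status": status, "share_type": share_type, "share_flags": share_flags,
            "capabilities": caps, "maximal_access": max_access}

def check_response(msg: bytes) -> str:
    """Return 'ok' or the reason the response was rejected."""
    try:
        parse_tree_connect_response(msg)
        return "ok"
    except MalformedSmb2 as exc:
        return str(exc)

def build_sample(trailing: bytes = b"") -> bytes:
    """Constructed sample, not captured traffic: a DISK-share response; `trailing`
    appends bytes after the structure to mimic an over-long body."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s", SMB2_HEADER_LEN, 0, 0, SMB2_CMD_TREE_CONNECT, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 5, 0, 1, 0x1234, b"\x00" * 16)
    body = struct.pack("<HBBIII", TREE_CONNECT_RESP_LEN, 1, 0, 0, 0, 0x001F01FF)
    return header + body + trailing
```

The point is that a well-formed response has a fixed size, so any surplus after the 16-byte structure is a reason to drop the connection rather than keep processing.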

The vulnerability was initially rated 10 out of 10 in terms of severity, but has since been downgraded to 7.8. To make use of the vulnerability, an attacker would have to get the Windows system to connect to a malicious SMB share.

This can be done by tricking a victim into clicking on a malicious link to a share in an email in Outlook, or by embedding in a webpage an invisible image with a source URL to an evil file server and getting the mark to visit the site using Internet Explorer, for example. The result is a blue-screen-of-death system crash out of nowhere for the poor user.

Security researcher Laurent Gaffié told The Register in an email that the bug involves a null-pointer dereference. He said that both Microsoft and he consider it a potential means to conduct a remote denial-of-service attack, but not a means to execute code remotely.

He said the bug can be used to force a target to reboot either on the local network, via NetBIOS or LLMNR name-resolution poisoning, or remotely via a UNC link.

"It's important to note that this trivial bug should have been caught immediately by [Microsoft's] SDLC process, but surprisingly it was not," Gaffié said. "This means that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems."

Gaffié said he submitted the bug to Microsoft on September 25, 2016, and that Microsoft had a patch ready for its December patch cycle. The company pushed the fix back to February, he explained, because it made more sense to them to release several SMB fixes at once rather than a single one in December.

As other security researchers have done, Gaffié said he decided to release the bug a week before the patch because this isn't the first time Microsoft has sat on vulnerabilities he's reported, even though he's doing work to help the company for free.

"When they sit on a bug like this one, they're not helping their users but doing marketing damage control, and opportunistic patch release," he said. "This attitude is wrong for their users, and for the security community at large."

Gaffié has released a proof-of-concept exploit through GitHub. ®
