New SMB bug: How to crash Windows system with a 'link of death'

US CERT on Thursday issued a security advisory warning that all currently supported versions of Windows are vulnerable to a memory corruption bug that can be exploited to crash computers from afar.

"Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure," the security organization said. "By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys."

The vulnerability was initially rated 10 out of 10 in terms of severity, but has since been downgraded to 7.8. To make use of the vulnerability, an attacker would have to get the Windows system to connect to a malicious SMB share.

This can be done by tricking a victim into clicking on a malicious link to a share in an email in Outlook, or by embedding in a webpage an invisible image with a source URL to an evil file server and getting the mark to visit the site using Internet Explorer, for example. The result is a blue-screen-of-death system crash out of nowhere for the poor user.

Security researcher Laurent Gaffié in an email told The Register that the bug involves a null-pointer dereference. He said that both Microsoft and he consider it a potential means to conduct a remote denial of service attack, but not a means to execute code remotely.

He said the bug can be used to make a target reboot either locally, via Netbios or LLMNR poisoning, or remotely via a UNC link.

"It's important to note that this trivial bug should have been caught immediately by [Microsoft's] SDLC process, but surprisingly it was not," Gaffié said. "This mean that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems."

Gaffié said he submitted the bug to Microsoft on September 25, 2016, and that Microsoft had a patch ready for its December patch cycle. The company pushed the fix back to February, he explained, because it made more sense to them to released several SMB fixes at once rather than a single one in December.

As other security researchers have done, Gaffié said he decided to release the bug a week before the patch because this isn't the first time Microsoft has sat on vulnerabilities he's reported, enough though he's doing work to help the company for free.

"When they sit on a bug like this one, they're not helping their users but doing marketing damage control, and opportunistic patch release," he said. "This attitude is wrong for their users, and for the security community at large."

Gaffié has released a proof-of-concept exploit through GitHub. ®