Multiple Platform remote CPU load issue in Samba 1.x and 2.x

sxdirect at sxdirect at
Tue Jun 13 21:16:12 GMT 2000

        There appears to be an issue in the Linux implementation of the
Samba protocol that allows remote network users to drive the CPU utilization to
100% in an extremely short amount of time, at little cost to the attacker's
machine.  While this does NOT cause an immediate lockup of the machine, it does
cause excessive CPU resource utilization on the target machine.  It does not,
however, cause an increase in the amount of RAM utilized by the machine.
        By connecting to port 139 on the machine and sending it binary zeros
(i.e. netcat target.machine 25 < /dev/zero), the machine will remain in a
resource-consuming loop, and drive the CPU load to somewhere between 90-100%
(while keeping the load on the target machine relatively low). This was
performed on a LAN, in our tests.  Over a port-forwarded SSH loop between DSL
machines (getting a maximum performance of about 100 kbps), the machine was
driven to a utilisation of 49% consistently, with negligible load on the
attacking machine.   This suggests that a distributed attack is quite possible with
a relatively small number of connections; a large number of connections could
allow one to keep the remote machine's load extremely high for arbitrarily long
periods of time.

        Please note that no further disclosure of this information will be made
until we have had a chance to discuss future action with a representative from
the Samba team.


                        The SecureXpert Team

        Richard Reiner
        Max Degtyar
        Mike Murray
                at FSCInternet / SecureXpert Labs               
