Multiple Platform remote CPU load issue in Samba 1.x and 2.x

J. Robert von Behren jrvb at cs.berkeley.edu
Wed Jun 14 13:42:02 GMT 2000


Hey all - 

I've repeated the test on my box, in addition to tracing through the
code.  Here is what happens:

  1) netcat (or nc) on the attacker machine makes a connection to port
139 on the victim
  2) smbd on the victim forks another process to handle the new
connection
  3) the child smbd process goes into its normal processing loop
  4) the child correctly identifies the all-zeros message as bogus, and
sends back an error message to the "client" program (nc in this case)

The problem is quite simple: smbd allows an infinite number of bogus
requests to be sent to it.  Responding to these bogus requests requires
string manipulation, memory copying, and network reads/writes.  In the
case of "nc localhost 139 < /dev/zero", the server has to push a lot
more bytes and do a lot more computation to generate the errors than the
attacker has to do to generate zeros.  Hence, the server load spirals
out of control, while the attacker is relatively idle.  I think this is
pretty cut and dried.

The open question is what the appropriate fix should be.  My thought is
to simply track the number of bogus requests sent to the server, and
kill the connection when too many of them have been seen.

-Rob


sxdirect at securexpert.com wrote:
> 
> Michael,
> 
>         Here's what I get (on both sides of the connection) on a RH 6.2 attack
> box (my pentium laptop) and an RH 6.2 target running smbd 2.0.6:
> 
> Attacker:
> [orestes at hiro orestes]$ nc 192.168.31.3 139 < /dev/zero
> 
> Target:
>   1:49am  up 17 days, 14:26,  1 user,  load average: 0.34, 0.08, 0.02
> 50 processes: 48 sleeping, 2 running, 0 zombie, 0 stopped
> CPU states: 37.5% user, 62.5% system,  0.0% nice,  0.0% idle
> Mem:    62964K av,   44024K used,   18940K free,   12172K shrd,    3956K buff
> Swap:  530104K av,    9492K used,  520612K free                   26716K cached
> 
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
> 15704 root      19   0   748  696   576 R       0 99.1  1.1   0:24 smbd
> 15703 telnet     1   0   860  860   668 R       0  0.7  1.3   0:00 top
> [with the rest cut out here]
> 
>         What would be causing us to get such different results?
> 
>         Note: We have also seen this on a Samba 1.x on a FreeBSD box; it is
> definitely not a linux-specific issue.
> 
>                 Regards,
> 
>                         Mike Murray
>                         FSCInternet / SecureXpert Labs


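The connection loop described in the message above, together with the proposed fix of counting bogus requests and dropping the connection, as an added C example. This is not Samba's code: the NetBIOS Session Service header layout follows RFC 1002, but the classification rules, the function and struct names, and the MAX_BOGUS_REQUESTS threshold are assumptions made for illustration, and the reply-sending step is left out. The zero-byte input is constructed to mimic what "nc victim 139 < /dev/zero" delivers.

```c
/*
 * Added example (not Samba code): a per-connection handler that parses
 * NetBIOS Session Service frames (RFC 1002), classifies each one, and
 * drops the connection after too many bogus requests.  The threshold,
 * the names and the classification rules are assumptions for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBT_HDR_LEN        4
#define MAX_BOGUS_REQUESTS 10   /* assumed threshold, not a Samba setting */

enum frame_verdict { FRAME_NEED_MORE, FRAME_OK, FRAME_BOGUS };

struct conn_state {
    unsigned bogus_count;  /* bogus frames seen so far on this connection */
    int      dropped;      /* set once the threshold has been reached */
};

/* Payload length is 17 bits: the low bit of the flags byte extends it. */
static size_t nbt_payload_len(const uint8_t *hdr)
{
    return ((size_t)(hdr[1] & 0x01) << 16) | ((size_t)hdr[2] << 8) | hdr[3];
}

/*
 * Classify the frame at the start of buf.  For FRAME_OK and FRAME_BOGUS
 * the number of bytes the frame occupies is written to *consumed (if set).
 */
enum frame_verdict classify_frame(const uint8_t *buf, size_t avail, size_t *consumed)
{
    if (avail < NBT_HDR_LEN)
        return FRAME_NEED_MORE;
    size_t len = nbt_payload_len(buf);
    if (avail < NBT_HDR_LEN + len)
        return FRAME_NEED_MORE;
    if (consumed)
        *consumed = NBT_HDR_LEN + len;

    switch (buf[0]) {
    case 0x85:                      /* session keepalive: legitimate, no payload */
        return len == 0 ? FRAME_OK : FRAME_BOGUS;
    case 0x81:                      /* session request: carries two NetBIOS names */
        return len > 0 ? FRAME_OK : FRAME_BOGUS;
    case 0x00:                      /* session message: must wrap an SMB header */
        if (len < 4 || memcmp(buf + NBT_HDR_LEN, "\xffSMB", 4) != 0)
            return FRAME_BOGUS;     /* /dev/zero yields type 0, length 0: bogus */
        return FRAME_OK;
    default:                        /* 0x82-0x84 are only sent server-to-client */
        return FRAME_BOGUS;
    }
}

/*
 * Process a received byte stream the way the forked smbd child would, one
 * frame at a time.  Returns the number of complete frames handled before the
 * connection was dropped or the data ran out.
 */
size_t handle_stream(struct conn_state *st, const uint8_t *data, size_t n)
{
    size_t off = 0, frames = 0;
    while (!st->dropped && off < n) {
        size_t used = 0;
        enum frame_verdict v = classify_frame(data + off, n - off, &used);
        if (v == FRAME_NEED_MORE)
            break;                  /* wait for the rest of the frame */
        off += used;
        frames++;
        if (v == FRAME_BOGUS) {
            /* smbd would build and send its error reply here (omitted). */
            if (++st->bogus_count >= MAX_BOGUS_REQUESTS)
                st->dropped = 1;    /* kill the connection instead of looping */
        }
    }
    return frames;
}

/* Constructed input: nbytes of zeros, as "nc victim 139 < /dev/zero" sends. */
size_t zero_stream_frames(size_t nbytes, int *dropped)
{
    static const uint8_t zeros[4096];   /* static storage: all zero */
    struct conn_state st = { 0, 0 };
    if (nbytes > sizeof zeros)
        nbytes = sizeof zeros;
    size_t frames = handle_stream(&st, zeros, nbytes);
    if (dropped)
        *dropped = st.dropped;
    return frames;
}

int main(void)
{
    int dropped = 0;
    size_t frames = zero_stream_frames(4096, &dropped);
    printf("zero stream: %zu frames handled, dropped=%d\n", frames, dropped);
    return 0;
}
```

Without the counter, handle_stream would answer every one of the 1024 zero-length frames in that buffer and keep going for as long as the attacker keeps the pipe open; with it, the child answers ten and closes. The counter here never resets, so ten bogus frames anywhere in a session end it; a gentler variant would reset it on each valid request, at the cost of letting an attacker interleave valid frames to stay connected.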