Source: myhack58 | Author: Anonymous (佚名) | ID: MYHACK58:62201783987
Published: Mar 06, 2017 - 12:00 a.m.

Use of the SMB denial-of-service vulnerability in web applications - Vulnerability warning - myhack58

www.myhack58.com

CVE-2017-0016, an SMB 0-day vulnerability, can cause a denial of service on Windows systems. This article mainly explains how the vulnerability can be used through web applications.
On February 2, 2017, security researchers announced a 0-day vulnerability in Microsoft Windows SMB, CVE-2017-0016. The affected versions are Windows 8.1, Windows 10, Windows Server 2012 R2 and Windows Server 2016. When a client connects to a malicious SMB server, the attacker can cause a denial of service (DoS). The researchers also released a PoC that exploits this issue.
To exploit this vulnerability, the affected endpoint must access a malicious SMB server, which makes the bar for exploitation fairly high. However, SecureWorks researchers confirmed that the “redirect to SMB” attack published in 2015 can be used to exploit this SMB 0-day successfully.
Chaining attacks to exploit the SMB zero-day
The following describes how the SMB redirection vulnerability and the SMB 0-day can be combined to attack a Windows system.
1. The attacker runs the PoC on a system under their control. As shown in Figure 1, the attacker-controlled system in this example runs the PoC (Win10.py) and listens on TCP port 445.
![](/Article/UploadPic/2017-3/201736185324810.png?www.myhack58.com)
Figure 1: The attacker-controlled system running the SMB 0-day exploit code (source: SecureWorks)
2. The attacker sets up and runs a web server on another system.
3. The attacker places the PHP file “redirect-smb.php”, listed in Figure 2, in the public directory. This PHP file uses the SMB redirection vulnerability.
![](/Article/UploadPic/2017-3/201736185324370.png?www.myhack58.com)
Figure 2: The PHP file placed in the public directory (source: SecureWorks)
4. The victim uses Internet Explorer on a Windows 10 system to visit the attacker’s web server and clicks the link corresponding to the “redirect-smb.php” file (see Figure 3).
![](/Article/UploadPic/2017-3/201736185324650.png?www.myhack58.com)
Figure 3: The victim clicks the malicious PHP link (source: SecureWorks)
5. Clicking this link redirects the victim’s system to the attacker’s SMB server, which launches the DoS attack (see Figure 4).
![](/Article/UploadPic/2017-3/201736185324330.png?www.myhack58.com)
Figure 4: The SMB DoS exploit code being sent to the victim system (source: SecureWorks)
6. After a period of time, the victim’s Windows 10 system crashes with a blue screen (BSOD), as shown in Figure 5, and restarts automatically.
![](/Article/UploadPic/2017-3/201736185324809.png?www.myhack58.com)
Figure 5: The victim system shows a blue screen after the SMB exploit code runs (source: SecureWorks)
Related attack methods
SecureWorks researchers found other methods that can be combined effectively with the “redirect to SMB” vulnerability. Figure 6 shows HTML code that introduces the SMB DoS exploit code through a hyperlink, and Figure 7 shows HTML code that introduces it through an image link.
![](/Article/UploadPic/2017-3/201736185325350.png?www.myhack58.com)
Figure 6: A hyperlink to the SMB DoS exploit code (source: SecureWorks)
![](/Article/UploadPic/2017-3/201736185325702.png?www.myhack58.com)
Figure 7: An image link to the SMB DoS exploit code (source: SecureWorks)
SecureWorks researchers tested these attack methods in mainstream web browsers; Table 1 lists the results. Internet Explorer and Edge can be used for the attack. Firefox and Google Chrome cannot, because they disable UNC paths by default.
![](/Article/UploadPic/2017-3/201736185325150.png?www.myhack58.com)
Table 1: Web browser versions and whether they are affected
Attacks through web applications
SecureWorks researchers also found that these attack methods can be combined with web application vulnerabilities.
For example, Figure 8 shows PHP code with an unvalidated redirect vulnerability that can be used to deliver the DoS exploit code, and Figure 9 shows the attack link.
![](/Article/UploadPic/2017-3/201736185325498.png?www.myhack58.com)
Figure 8: PHP example used to deliver the DoS exploit (source: SecureWorks)
![](/Article/UploadPic/2017-3/201736185325828.png?www.myhack58.com)
Figure 9: Example attack link (source: SecureWorks)
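On the application side, the unvalidated redirect is closed by checking the target before it is sent to the browser. The following is an added example, not code from the original article or from SecureWorks; it shows the check in Python rather than the article's PHP, and the allowlisted host names, the fallback path and the sample inputs are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of external hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}
FALLBACK = "/"  # where the user is sent when the requested target is rejected


def safe_redirect_target(param):
    """Return param if it is a same-site path or an allowlisted https URL."""
    # Backslashes and control characters are never needed in a redirect
    # target; rejecting them removes UNC paths and header injection.
    if not param or any(c in param for c in "\\\r\n\t"):
        return FALLBACK
    try:
        parts = urlsplit(param)
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative target: accept "/path" only, never "//host" or "///host".
        ok = param.startswith("/") and not param.startswith("//")
        return param if ok else FALLBACK
    # Absolute target: https to a known host only, so file: URLs and
    # scheme-relative //host forms fall through to the fallback.
    if parts.scheme == "https" and host in ALLOWED_HOSTS:
        return param
    return FALLBACK


# Constructed sample inputs (203.0.113.10 is a documentation address).
SAMPLES = [
    "/account/home?tab=1",
    "https://login.example.com/sso",
    "file://203.0.113.10/share/a.png",
    "\\\\203.0.113.10\\share\\a.png",
    "//203.0.113.10/share",
    "https://www.example.com@203.0.113.10/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {safe_redirect_target(s)!r}")
```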
When the link is accessed, the SMB redirection is performed, as shown in Figure 10.
![](/Article/UploadPic/2017-3/201736185325551.png?www.myhack58.com)
Figure 10: The victim clicks the link (source: SecureWorks)
Figure 11 shows the HTTP request issued by the browser, and Figure 12 shows the HTTP response returned by the server; the response contains a redirect to SMB.
![](/Article/UploadPic/2017-3/201736185325707.png?www.myhack58.com)
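A proxy or response-inspection rule can flag both the redirect response described here and the hyperlink and image-link variants from the earlier section. The following is an added detection example, not code from the original article; it assumes the SMB target appears as a file:// URL with a remote host or as a UNC path, and the sample responses are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes a browser will fetch or follow


def is_smb_target(value):
    """True if a URL-like value names a remote file share (SMB on Windows)."""
    v = value.strip()
    if v.startswith("\\\\"):  # UNC path: \\host\share
        return True
    parts = urlsplit(v.replace("\\", "/"))
    if parts.scheme != "file":
        return False
    # file://host/share and file:////host/share are remote; file:///C:/x is local.
    return parts.netloc not in ("", "localhost") or parts.path.startswith("//")


class _AttrScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_smb_target(value):
                self.hits.append(f"<{tag} {name}> -> {value}")


def scan_response(raw):
    """Return findings for one raw HTTP response (headers and body as text)."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location" and is_smb_target(value):
            findings.append(f"Location -> {value.strip()}")
    scanner = _AttrScanner()
    scanner.feed(body)
    scanner.close()
    return findings + scanner.hits


# Constructed samples (203.0.113.10 is a documentation address).
REDIRECT = ("HTTP/1.1 302 Found\r\n"
            "Location: file://203.0.113.10/share/a.png\r\n\r\n")
PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<a href="file://203.0.113.10/x">doc</a>'
        '<img src="\\\\203.0.113.10\\share\\p.png">'
        '<img src="//cdn.example/logo.png"><a href="file:///C:/n.txt">n</a>')

if __name__ == "__main__":
    for sample in (REDIRECT, PAGE):
        print(scan_response(sample))
```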
