Exploit for Windows DoS zero-day published, patch out on Tuesday?

A zero-day bug affecting Windows 10, 8.1, Windows Server 2012 and 2016 can be exploited to crash a vulnerable system and possibly even to compromise it.

The bug

It is a memory corruption bug in the handling of SMB traffic that could be easily exploited by forcing a Windows system to connect to a malicious SMB share. Tricking a user to connect to such a server should be an easy feat if clever social engineering is employed.

The vulnerability was discovered by a researcher that goes by PythonResponder on Twitter, and who published proof-of-exploit code for it on GitHub on Wednesday.

The researcher says that he shared knowledge of the flaw with Microsoft, and claims that “they had a patch ready 3 months ago but decided to push it back.” Supposedly, the patch will be released next Tuesday.

The exploit works

The PoC exploit has been tested by SANS ISC CTO Johannes Ullrich, and works on a fully patched Windows 10.

“To be vulnerable, a client needs to support SMBv3, which was introduced in Windows 8 for clients and Windows 2012 on servers,” he noted, and added that “it isn’t clear if this is exploitable beyond a denial of service.”

Until a patch is released, administrators can prevent it from being exploited by blocking outbound SMB connections (TCP ports 139 and 445, UDP ports 137 and 138) from the local network to the WAN, as advised by CERT/CC.

They should be aware, though, that this step will also prevent users from accessing shared files, data, or devices.