DETECTION OVERVIEW
Risk Factors
The SMBLost exploit is publicly available and well known. An attacker must obtain authentication credentials or bypass authentication with a secondary exploit, then deliver a specially-designed packet for this attack. A successful exploit can result in a system crash or possibly remote code execution (RCE), which could ultimately give the remote attacker complete control of a device.
Risk Score
88
SMBLost is an integer underflow vulnerability in Microsoft Server Message Block 1.0 (SMBv1). After obtaining user credentials, or bypassing authentication altogether with a secondary exploit, the attacker sends a specially designed request that includes the NT_TRANSACT_IOCTL command (function number 0xa0) and the FSCTL_SIS_COPYFILE sub-command (FSCTL/IOCTL function number 0x90100). The FSCTL_SIS_COPYFILE command contains parameters for copying a file through a single-instance-store (SIS) link, including the name and the length of the destination file name. To exploit the vulnerability, the attacker sets DestinationFileName to a single byte and sets the DestinationFileNameLength parameter to a value of 1. The SMB protocol does not reject the invalid DestinationFileNameLength; instead it incorrectly computes the destination file name length as MAXINT and attempts to copy MAXINT bytes of the destination file name into the destination buffer. The most likely result of this exploit is a system crash, but a skilled attacker can manipulate the destination file name to enable RCE.
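The following C model illustrates the length-handling failure described above and the input check that prevents it. It is an added example written for this overview, not code from Microsoft's SMBv1 implementation: the structure layout, the field names (dest_name_len, dest_name) and the assumption that the server strips a 2-byte wide-character terminator from DestinationFileNameLength before copying are all hypothetical, chosen only to show how a length of 1 can wrap to a MAXINT-sized value in unsigned arithmetic and how a bounds check refuses the request.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the two FSCTL_SIS_COPYFILE fields the text names.
   The real request layout differs; only the arithmetic matters here. */
typedef struct {
    uint32_t dest_name_len;   /* DestinationFileNameLength, in bytes */
    const uint8_t *dest_name; /* DestinationFileName bytes as received */
} copyfile_req_t;

/* Assumed naive computation: strip a 2-byte terminator from the declared
   length without checking it first. For dest_name_len == 1 the unsigned
   subtraction wraps to 0xFFFFFFFF, the MAXINT-style value that is then
   used as a copy size. */
uint32_t naive_payload_len(uint32_t dest_name_len) {
    return dest_name_len - 2u;
}

/* Hardened computation: the declared length must be even (wide chars),
   at least one terminator long, and no larger than the bytes actually
   present in the request. Returns false when the request is malformed. */
bool checked_payload_len(const copyfile_req_t *req, size_t bytes_available,
                         uint32_t *out_len) {
    if (req->dest_name_len < 2u || (req->dest_name_len % 2u) != 0u)
        return false;
    if (req->dest_name_len > bytes_available)
        return false;
    *out_len = req->dest_name_len - 2u;
    return true;
}

/* Copy the validated name into a fixed destination buffer.
   Returns the number of bytes copied, or -1 if the request is refused. */
int copy_dest_name(const copyfile_req_t *req, size_t bytes_available,
                   uint8_t *dst, size_t dst_size) {
    uint32_t n;
    if (!checked_payload_len(req, bytes_available, &n))
        return -1;
    if (n > dst_size)
        return -1;
    memcpy(dst, req->dest_name, n);
    return (int)n;
}

/* Constructed malformed request: one name byte, declared length 1,
   the shape the overview describes. */
int demo_malformed(void) {
    static const uint8_t one_byte[] = { 0x41 };
    copyfile_req_t req = { 1u, one_byte };
    uint8_t buf[64];
    return copy_dest_name(&req, sizeof one_byte, buf, sizeof buf);
}

/* Constructed well-formed request: "ab" in UTF-16LE plus terminator. */
int demo_wellformed(void) {
    static const uint8_t name[] = { 'a', 0, 'b', 0, 0, 0 };
    copyfile_req_t req = { (uint32_t)sizeof name, name };
    uint8_t buf[64];
    return copy_dest_name(&req, sizeof name, buf, sizeof buf);
}

int main(void) {
    printf("naive length for declared length 1: 0x%08x\n", naive_payload_len(1u));
    printf("malformed request result: %d\n", demo_malformed());
    printf("well-formed request result: %d\n", demo_wellformed());
    return 0;
}
```

The validated path rejects the length-1 request before any copy size is derived from it, which is the property a detection or a patch should be verified against: the server must never compute a copy length from an unchecked client-supplied field.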