The duo presented their findings, which include four new Windows DoS vulnerabilities and one zero-click distributed denial-of-service (DDoS) flaw.
The discovered flaws, all of which are categorized as “uncontrolled resource consumption,” include:
The research demonstrates how attackers can crash any Windows endpoint or server, including critical Domain Controllers (DCs), and even weaponize public DCs to create a massive DDoS botnet.
“We present ‘Win-DoS Epidemic’ – DoS tools exploiting four new Win-DoS and one Win-DDoS zero-click vulns! Crash any Windows endpoint/server, including DCs, or launch a botnet using public DCs for DDoS. The epidemic has begun,” the researchers said.
Domain Controllers are the backbone of most organizational networks, handling authentication and centralizing user and resource management.
A successful DoS attack against a DC can paralyze an entire organization, making it impossible for users to log in, access resources, or perform daily operations.
The researchers’ work builds on their previous discovery, the LdapNightmare vulnerability (CVE-2024-49113), which was the first public DoS exploit for a Windows DC. The new findings expand this threat significantly, moving beyond just LDAP to abuse other core Windows services.
The most alarming discovery is a novel DDoS technique, which the researchers have named Win-DDoS. This attack leverages a flaw in the Windows LDAP client’s referral process.
In normal operation, an LDAP referral directs a client to a different server to fulfill a request. Yair and Morag discovered that by manipulating this process they could redirect DCs to a victim server and, crucially, they found a way to make the DCs repeat this redirection relentlessly.
This behavior allows an attacker to harness the immense power of tens of thousands of public DCs worldwide, turning them into a massive, free, and untraceable DDoS botnet.
The attack requires no special infrastructure and leaves no forensic trail, as the malicious activity originates from the compromised DCs, not the attacker’s machine.
This technique represents a significant shift in DDoS attacks, as it allows for high-bandwidth, high-volume attacks without the typical costs or risks associated with setting up and maintaining a botnet.
In addition to the DDoS botnet, the researchers focused on the Remote Procedure Call (RPC) protocol, which is a fundamental component of Windows for inter-process communication.
RPC servers are ubiquitous in the Windows environment and often have wide attack surfaces, especially those that don’t require authentication.
The SafeBreach team found that by abusing security gaps in RPC bindings, they could repeatedly hit the same RPC server from a single system, effectively bypassing standard concurrency limits.
This method allowed them to discover three new zero-click, unauthenticated DoS vulnerabilities that can crash any Windows system—servers and endpoints alike.
They also found another DoS flaw that can be exploited by any authenticated user on the network.
These vulnerabilities break common assumptions that internal systems are safe from abuse without a full compromise, demonstrating that even a minimal presence on a network can be used to cause widespread operational failure.
The researchers have released a set of tools, collectively called “Win-DoS Epidemic,” that exploit these five new vulnerabilities. The tools can be used to crash any unpatched Windows endpoint or server remotely, or to orchestrate a Win-DDoS botnet using public DCs.
These findings underscore the critical need for organizations to reassess their threat models and security postures, particularly regarding internal systems and services like DCs.
Microsoft has since released patches for the LdapNightmare vulnerability, but the new discoveries highlight the ongoing need for vigilance and continuous security validation.
The post New ‘Win-DoS’ Zero-Click Vulnerabilities Turns Windows Server/Endpoint, Domain Controllers Into DDoS Botnet appeared first on Cyber Security News.