## Background
While there is extensive research on remote code execution vulnerabilities, remote memory exhaustion vulnerabilities in critical infrastructure services remain dangerously understudied—posing hidden internet-scale threats. These flaws allow unauthenticated attackers to remotely deplete system memory, crashing essential services with minimal effort. This systemic blind spot threatens the resilience of the internet at scale.
In this blog, we examine a denial-of-service (DoS) vulnerability pattern in UDP-based remote services, using Windows Deployment Service (WDS) as a case study. WDS, widely adopted in enterprise environments, demonstrates how such flaws can be exploited to devastating effect. We will demonstrate an remote DoS in WDS, which attacker can crash your WDS network without anthentication (preauth) or user interaction (0-click).
## Windows Deployment Service
Windows Deployment Services (WDS) is a Microsoft server role that enables network-based deployment of Windows operating systems (e.g., Windows 10/11, Windows Server) across multiple computers without physical media. Here’s a overview of it:
PXE Boot: Client machines boot via Preboot Execution Environment (PXE) to request an OS image from the WDS server over the network.
Image Transfer: The server delivers boot images (Windows PE-based) and install images (WIM format) using TFTP and multicast protocols for efficient distribution.
Automated Setup: Supports unattended installations via answer files, reducing manual intervention
WDS is critical for IT administrators managing corporate networks, data centers, or educational institutions requiring streamlined, secure OS deployments
For more about the Windows Deployment Service, you can visit: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)
## The UDP Trick - Remote DoS on Windows Deployment Service
Windows Deployment Service exposes a simple FTP service for remote user to download some resource.
Every time a user sends a packet to the FTP service through port 69, the service will create a `CTftpSession` object to manage the session.
As you can see in the following code snippet from the function in wdstftp.dll `wdstftp!CClientContext::OnConnectionRequest`
```
[...]
status = CClientContext::FindSession(...);
if (status) { // not found
/*
create a new session
insert the session into the EndpointSessionMapEntry
*/
}else{ // find a session
CTftpSession::AdditionalConnectionRequest(...);
}
```
when the `CTftpSession` has been created, it will be inserted into the `EndpointSessionMapEntry` .
The `CClientContext::FindSession` function determines whether a session exists based on the client's IP address and client port number.
The core issue is that `EndpointSessionMapEntry` imposes no limit on the number of sessions. Consequently, an attacker can forge fake client IP addresses and port numbers, repeatedly creating new sessions until system resources are exhausted.
In our test environment—a Windows machine with 8GB of RAM—we triggered this vulnerability by continuously sending malicious UDP packets. Once memory usage reached 15GB, the system crashed, resulting in a denial-of-service (DoS). This process took 7 minutes, though multithreading could significantly accelerate the attack.
The underlying vulnerability Pattern: Since UDP servers cannot verify packet sources, attackers can spoof UDP packets with randomized IPs and ports, forcing the server to allocate excessive session objects in memory. By enumerating possible source IPs and ports, an attacker can exhaust system resources, leading to a DoS of the target OS system.
## Pseudocode of POC
To prevent abuse, there is just pseudocode of the POC, it cannot be compiled or run to do the real attack. But it will show the idea that how simple the attack is.
、、、
int fake_send(const char *dst_ip, int dst_port, char *data, int data_len){
char* src_ip = malloc(0x100);
for (unsigned int i=0x4000000;i<0xffffffff;i++){
memset(src_ip,0,0x10);
int_to_ip(i,src_ip);
printf("src_ip:%s\n",src_ip);
for (int port=0x4000;port<0xe000;port++){
udp_send(src_ip, port, dst_ip, dst_port, data, data_len);
}
}
}
、、、
Attacker Machine : Ubuntu 22.04
Victim Machine : Latest Windows Server Insider Preview
* Download Latest Windows Server Insider Preview: https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver
* Configure Windows Deployment Service
* Official Guide: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj648426(v=ws.11)
* Video: https://www.youtube.com/watch?v=I3bVdO9dHhE&ab_channel=TechStory
* If you find that the WDS service is listening on port 69, it means the configuration is successful.
* compile `poc.c` : `gcc -o poc poc.c`
* `sudo ./poc {dst_ip}`
* Use System Informer to check the memory usage of Windows Deployment Service and you will find that it keeps increasing and the victim machine becomes unresponsive after about 7 minutes.
## Timeline
Feb 08, 2025 Reported this case to Microsoft (case: 94963)
Mar 04, 2025 Bug confirmed by Microsoft
Mar 08, 2025 Microsoft modified the bounty rule on Preauth DOS
April 23, 2025 Microsoft considerd this bug is moderate and doesn't meet the bar for security service
April 23, 2025 Tell Microsoft we consider this is an important DoS bug without anthentication (preauth) or user interaction (0-click)
May 02, 2025 No reponse from Microsoft, blog published
## Discuss
In this blog, we highlight that remote memory exhaustion-based DoS attacks are severely understudied—yet they pose a significant threat to internet infrastructure. We examine a vulnerability pattern in UDP-based services, where attackers can trigger remote DoS by exhausting system memory.
We demonstrate this issue with a real-world example in Windows Deployment Service (WDS), where an unauthenticated attacker can crash the system remotely—without any user interaction. Exploiting this flaw allows for rapid system disruption, as the system collapses under memory exhaustion. We will share more remote preauth DoS cases on some conference latter this years.
Although Microsoft now classifies this bug doesnot meet their bar under its updated bounty rules in Mar 08 2025. We consider it remains a important DoS vulnerability in their SDL bar and we feel really bad when communicate with Microsft on this case. In fact, Attacker can easily crash an entire PXE network in your cooperation, paralyzing enterprise deployment systems remotely, without anthentication (preauth) or user interaction (0-click).
And there is currently no good way to mitigate this issue unless Microsoft takes their responsibility and releases a patch. To save your PXE network from this threat, do not use Windows Deployment Service.