My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

ETERNALBLUE: Windows SMBv1 Exploit (Patched)

Published: 2017-04-14. Last Updated: 2017-04-15 12:17:15 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

Microsoft released a blog post outlining which patches address which vulnerability exploited by various "Shadowbroker" exploits. According to the table released by Microsoft, "ETERNALBLUE" was fixed by MS17-010 released in March. Interestingly, MS17-010 listed all vulnerabilities as "not used in exploits". Microsofts acknowledgement page does not list a source for the vulnerability disclosure. 

We decided to keep our "Infocon" at Green in light fo the availability of a patch.

To protect yourself from this exploit, you can also disable SMBv1 (see this KB article by Microsoft about details), and make sure you are blocking port 445. 

A snort rule for ETERNALBLUE was released by Cisco as part of the "registered" rules set. Check for SID 41978.

-----

Shadowbroker, as part of the set of exploits it collected and had offered for auction, today released a number of Windows-related exploits. One that looks in particular interesting as it promises an exploit via SMB for Windows hosts up to Windows 8 and Windows Server 2012, was published under the name "ETERNALBLUE". 

Right now, I haven't been able to make it fully work yet, but I was able to collect some packets to a Windows 7 system. The exploit makes by default three attempts to attack a system. An XML file accompanying the exploit allows the attacker to configure various parameters. 

In general, an SMB exploit *should* not be all that exciting these days, as blocking port 445 is standard best practice. I am attaching a link to a packet capture below to allow you to analyze it further. In the packet capture, the vulnerable hosts IP address is 10.128.0.243.

After repeated attempts, the Windows 7 host crashed.

pcap: https://isc.sans.edu/diaryimages/eternalblue.pcap

 

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|

Keywords:
9 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Will the ISC be increasing the Threat Level due to all of the released zero-days? This is really big.
We are considering raising the threat level tomorrow morning. Just discussing this internally.
fyi it is front-page news today:

The Register
https://www.theregister.co.uk/2017/04/14/latest_shadow_brokers_data_dump/

Slashdot
https://it.slashdot.org/story/17/04/14/2017200/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet

Ars:
https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/


Eternalblue and Eternalchampion are in the data dumps too.. and they are forked like crazy
hxxps://github.com/misterch0c/shadowbroker/tree/master/windows/specials

current fork count is at 350+ copies and multiplying by the minute.

edit: and that's without counting the forks of the secondary forks.
/edit
edit2: or forks of separate uploads of the same file tree
/edit2
you think maybe all these (possibly known to MS) exploits are the reason they dumped windows 10 for free on everyone?
if they really wanted to dump it free MS would have included existing Windows XP/Vista (OEM/VL) licenses into the allowed free upgrade path. As it is now... *shrug*

Because of the 2007-2015 (-ish) economic crisis a lot of public IT systems are still stuck in the XP era and the beancounters see no reason to dump funds into license upgrades since the systems can still be powered on and sort-of run.
Im just saying, I resisted the upgrade until the very last minute, and even still i bought a hard copy of windows 8 pro so i could always go back if i wanted after the deadline day, and let me tell you. almost every day and every update i did i had to stop microsoft from automatically downloading the windows x install or i was reminded all the time about it. it was forced on everyone for a reason. i am beginning to think (as i was then) that there was serious hole in the security of the software, and instead of just coming out and admitting that to the world and fixing it (guessing the couldnt fix it) they decide to give a free upgrade. it made sense to me then and it is making more sense to me now.
[quote=comment#39318]you think maybe all these (possibly known to MS) exploits are the reason they dumped windows 10 for free on everyone?[/quote]

No, otherwise they would have fixed it before last month. They may have been getting paid by the feds to not patch certain things, though. Wouldn't it get interesting if a Snowden or ShadowBrokers dump reveals that to be true and that a material amount of some tech company's profits are in fact coming from the feds to implement and not patch vulnerabilities? In effect the taxpayers who are the investors in the tech industry are paying twice, once to buy the stock and once to create their profits through their tax payments.

I think it was Cryptome that had a doc a few years ago that was a court filing that accidentally revealed that a federal government agency was paying a company for certain activities and the filing revealed that the company was supposed to report the income a certain way and that the IRS was not to audit it to keep from revealing the true source of the income. It's really not much different than the feds telling police agencies that they were not to reveal the true source of intelligence about criminal activities, such as Stingrays, and that they had to develop parallel evidence in order to hide the true source.
Related to this, for "EternalChampion", MSRC's page points to CVE-2017-0146 & CVE-2017-0147 as solution. However, when you browse to the links (MS Security Center pages) it says: Microsoft has not identified any mitigating factors for this vulnerability. Microsoft has not identified any workarounds for this vulnerability? But those CVE's are listed under MS17-010. If they're covered, why isn't MS17-010 listed there?!
SMB is also accessible over 139/tcp. Can an attacker exploit a server that is open on 139/tcp to the internet even if 445/tcp is closed ?

Diary Archives