Adv net sec 1 Assignment 1

The document discusses the EternalBlue exploit developed by the NSA, which targets a vulnerability in the SMBv1 protocol, specifically CVE-2017-0144. It outlines the risks associated with this vulnerability, its exploitation methods, and the impact of ransomware attacks like WannaCry and NotPetya. Recommendations for mitigation and prevention strategies are also provided, including patch management and disabling SMBv1.

Uploaded by

Mohsin Raja

ABSTRACT

EternalBlue is an exploit developed by the U.S. National Security Agency (NSA). This exploit uses a security vulnerability present in the first version of the SMB protocol (SMBv1

MOHSEN ALI
Assignment 1
ITNET302A_118
Student id: 800698715

Table of Contents
Introduction, p. 3
Vulnerability, p. 3
CVE-2017-0144, p. 3
Recommendations, p. 4
Modules related to CVE-2017-0144, p. 4
Vulnerability Types, p. 4
EternalBlue, p. 5
SMB Protocols, p. 5
EternalBlue Bugs, p. 5
Wrong Casting Bug, p. 5
Wrong Parsing Function Bug, p. 6
Non-paged Pool Allocation Bug, p. 6
EternalBlue Mechanism, p. 8
EternalBlue Exploit Chain, p. 8
EternalBlue Exploitation, p. 9
Risk Assessment, p. 13
Mitigation Steps, p. 13
Impacts of compromise, p. 15
EternalBlue remediation and prevention, p. 15
Prevention, p. 15
Immediate Remediation, p. 15
Future Prevention Policies, p. 15
References, p. 17


Introduction
EternalBlue was leaked by the "The Shadow Brokers" group on April 14, 2017, in their fifth release, "Lost in Translation." The release included numerous exploitation tools, EternalBlue among them, that rely on different vulnerabilities in the Windows implementation of the SMB protocol.
EternalBlue works on all Windows versions prior to Windows 8. These versions contain an interprocess communication share (IPC$) that permits a null session. This means the connection is established through an anonymous login, and null sessions are allowed by default. A null session lets the client send various commands to the server.
The NSA built a framework (much like Metasploit) named FuzzBunch. The purpose of this framework is to configure the exploit, for instance to set the victim IP, and to execute commands on the server.
Microsoft released patches for the vulnerabilities in the leak under the MS17-010 Microsoft Security Bulletin.
CVE-2017-0144 is the CVE ID in MS17-010 that is associated with EternalBlue.

Vulnerability
CVE-2017-0144
This is a Windows remote code execution vulnerability, also known as the Windows SMB Remote Code Execution Vulnerability. It exists in the way the Microsoft Server Message Block (SMB) server handles certain requests; an attacker who exploits it successfully can gain access and execute code on the victim machine. This vulnerability is exploited through EternalBlue, which was used in the WannaCry/WannaCrypt/WNCRY and NotPetya ransomware.
CVE-2017-0144 is a high-risk vulnerability compared to others. Exploitation can cause serious security damage, so immediate action should be taken to stop it and prevent further damage. All of the following Windows versions were affected:

• Microsoft Windows Vista x64 Edition Service Pack 2
• Microsoft Windows Vista Service Pack 2
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2008 R2 for x64-based Systems SP1
• Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
• Microsoft Windows Server 2008 for x64-based Systems SP2
• Microsoft Windows Server 2008 for Itanium-based Systems SP2
• Microsoft Windows Server 2008 for 32-bit Systems SP2
• Microsoft Windows RT 8.1
• Microsoft Windows 8.1 for x64-based Systems
• Microsoft Windows 8.1 for 32-bit Systems
• Microsoft Windows 7 for x64-based Systems SP1
• Microsoft Windows 7 for 32-bit Systems SP1
• Microsoft Windows 10 Version 1607 for x64-based Systems
• Microsoft Windows 10 Version 1607 for 32-bit Systems
• Microsoft Windows 10 Version 1511 for x64-based Systems
• Microsoft Windows 10 Version 1511 for 32-bit Systems
• Microsoft Windows 10 for x64-based Systems
• Microsoft Windows 10 for 32-bit Systems

Recommendations
• Always run non-administrative software as an unprivileged user with minimal rights.
• Deploy a NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker takes after successfully exploiting vulnerabilities in applications. Review all relevant logs regularly.
• Avoid using client applications.
• Use a memory-protecting scheme.

Modules related to CVE-2017-0144
• MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
• MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
• MS17-010 SMB RCE Detection

Vulnerability Types
CVSS Score: 9.3
Confidentiality Impact: Complete (total information disclosure, resulting in all system files being revealed)
Integrity Impact: Complete (system integrity is compromised; there is a total loss of system protection, resulting in the entire system being compromised)
Availability Impact: Complete (total shutdown of the affected resource; the attacker can render the resource completely unavailable)
Access Complexity: Medium (some preconditions must be satisfied to exploit; some conditions are specialized)
Authentication: Not required to exploit
Gained Access: None
Vulnerability Type(s): Executable Code
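The table above lists a CVSS score of 9.3 together with the impact, access-complexity and authentication metrics behind it. The following is an added example, not part of the original assignment, that reproduces that 9.3 from those metrics with the CVSS v2 base-score formula. The metric weights are the published CVSS v2 constants; the Access Vector value (Network) is not in the table and is assumed here from the NVD entry the assignment cites.

```python
"""CVSS v2 base score derived from the metrics in the Vulnerability Types table.

Added example. Weights are the published CVSS v2 constants. Access Vector is
not given in the table; Network is assumed from the NVD entry for CVE-2017-0144.
"""

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Map the wording used in the table to CVSS v2 metric letters.
WORDS = {
    "None": "N", "Partial": "P", "Complete": "C",
    "Low": "L", "Medium": "M", "High": "H",
    "Not required": "N", "Single": "S", "Multiple": "M",
    "Local": "L", "Adjacent": "A", "Network": "N",
}


def vector_from_table(access_complexity: str, authentication: str,
                      confidentiality: str, integrity: str, availability: str,
                      access_vector: str = "Network") -> str:
    """Build a CVSS v2 vector string from the table's wording."""
    return "/".join([
        f"AV:{WORDS[access_vector]}",
        f"AC:{WORDS[access_complexity]}",
        f"Au:{WORDS[authentication]}",
        f"C:{WORDS[confidentiality]}",
        f"I:{WORDS[integrity]}",
        f"A:{WORDS[availability]}",
    ])


def cvss2_breakdown(vector: str) -> dict:
    """Impact, exploitability and base sub-scores per the CVSS v2 equations."""
    m = dict(part.split(":") for part in vector.split("/"))
    # Impact = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A))
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    # Exploitability = 20 * AV * AC * Au
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176
    f_impact = 0.0 if impact == 0 else 1.176
    base = round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)
    return {"impact": round(impact, 2), "exploitability": round(exploitability, 2), "base": base}


def cvss2_base(vector: str) -> float:
    return cvss2_breakdown(vector)["base"]


def severity(score: float) -> str:
    """NVD's qualitative rating for CVSS v2 base scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    vec = vector_from_table("Medium", "Not required", "Complete", "Complete", "Complete")
    print(vec, cvss2_breakdown(vec), severity(cvss2_base(vec)))
    # With Access Complexity Low instead of Medium the score would be the maximum 10.0
    print(cvss2_base("AV:N/AC:L/Au:N/C:C/I:C/A:C"))
```

The "Medium" access complexity is what keeps this vulnerability at 9.3 rather than 10.0; with AC:L and everything else unchanged the same formula yields the maximum score.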


EternalBlue

The EternalBlue exploit targets a vulnerability via port 445 of the SMB protocol. Attackers search for open SMB ports; if they find any, they launch the exploit straight away, and once the host is found vulnerable they try to run a payload. This was a highly effective distribution vector for the WannaCryptor.D ransomware (also known as WannaCry) across networks.

Security experts say that implementing these five essential WannaCry mitigations will help minimize the threat:
1. Installing MS17-010
2. Installing the emergency Windows patch
3. Updating your antivirus/anti-malware software
4. Disabling SMBv1
5. Blocking SMBv1
6. Shutting down

SMB Protocols
SMB, also known as CIFS (Common Internet File System), is an application-layer protocol used for sharing and accessing files and printers. It also provides authentication for inter-process communication.

EternalBlue Bugs

Wrong Casting Bug

The Windows SMB implementation converts File Extended Attributes (FEA) from the OS/2 structure; an error in this conversion leads to a buffer overflow in the non-paged kernel pool.

Figure: Os2 structure

Figure: after converting to FEA

Wrong Parsing Function Bug

Files are transmitted over the SMB protocol with:
• SMB_COM_TRANSACTION2
• SMB_COM_TRANSACT
If the data sent by either of these exceeds the maximum buffer size negotiated during session setup, or the total data to be sent is larger than the data transmitted in the first request, the transaction continues using the SECONDARY sub-command.

Non-paged Pool Allocation Bug

This bug allows a chunk of a specified size to be allocated in the kernel's non-paged pool. SMB_COM_SESSION_SETUP_ANDX is used to set up the SMB session.

Figure: LM

Figure: NTLMv2

In both scenarios the request is split into two sections:
• SMB_PARAMETERS
• SMB_DATA
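The Wrong Parsing Function and Non-paged Pool Allocation passages above describe how an SMBv1 request is framed: a fixed header, the SMB_PARAMETERS block (WordCount followed by the words), the SMB_DATA block (ByteCount followed by the bytes), the maximum buffer size set during session setup, and the transaction commands whose continuation uses a SECONDARY sub-command. The following added example, not part of the original assignment, parses that framing in Python and runs a simple NIDS-style check of the kind the Recommendations section calls for over a constructed session: it records the MaxBufferSize the client advertises in SMB_COM_SESSION_SETUP_ANDX, flags any request whose SMB_DATA is larger than that, and counts SECONDARY requests. The command codes and field offsets follow the MS-CIFS specification; the sample packets and the two checks themselves are constructed for illustration and are not the detection logic of any product.

```python
"""Split SMBv1 requests into header / SMB_PARAMETERS / SMB_DATA and audit a session.

Added example. Layouts and command codes follow MS-CIFS; SAMPLE_SESSION below
is constructed for illustration, not captured traffic.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

SMB1_MAGIC = b"\xffSMB"
HEADER_LEN = 32

# SMBv1 command codes (MS-CIFS 2.2.2.1) relevant to the bugs discussed above
COMMANDS = {
    0x25: "SMB_COM_TRANSACTION", 0x26: "SMB_COM_TRANSACTION_SECONDARY",
    0x32: "SMB_COM_TRANSACTION2", 0x33: "SMB_COM_TRANSACTION2_SECONDARY",
    0x72: "SMB_COM_NEGOTIATE", 0x73: "SMB_COM_SESSION_SETUP_ANDX",
    0xA0: "SMB_COM_NT_TRANSACT", 0xA1: "SMB_COM_NT_TRANSACT_SECONDARY",
}
SECONDARY_COMMANDS = {0x26, 0x33, 0xA1}


@dataclass
class Smb1Request:
    command: int
    tid: int
    uid: int
    mid: int
    words: bytes  # SMB_PARAMETERS payload: WordCount * 2 bytes
    data: bytes   # SMB_DATA payload: ByteCount bytes

    @property
    def name(self) -> str:
        return COMMANDS.get(self.command, f"SMB_COM_0x{self.command:02X}")


def parse_smb1(buf: bytes) -> Smb1Request:
    """Parse one SMBv1 request, optionally wrapped in a NetBIOS session header."""
    if len(buf) >= 4 and buf[0] == 0x00:          # NBSS: type 0x00 + 24-bit length
        buf = buf[4:4 + int.from_bytes(buf[1:4], "big")]
    if len(buf) < HEADER_LEN or buf[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 message")
    command = buf[4]
    # Header: Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
    #         SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
    tid, _pid_low, uid, mid = struct.unpack_from("<HHHH", buf, 24)
    pos = HEADER_LEN
    word_count = buf[pos]                          # SMB_PARAMETERS.WordCount
    pos += 1
    words = buf[pos:pos + 2 * word_count]
    if len(words) != 2 * word_count:
        raise ValueError("truncated SMB_PARAMETERS")
    pos += 2 * word_count
    if pos + 2 > len(buf):
        raise ValueError("missing ByteCount")
    byte_count = struct.unpack_from("<H", buf, pos)[0]   # SMB_DATA.ByteCount
    data = buf[pos + 2:pos + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated SMB_DATA")
    return Smb1Request(command, tid, uid, mid, words, data)


def client_max_buffer(req: Smb1Request) -> Optional[int]:
    """MaxBufferSize from SMB_COM_SESSION_SETUP_ANDX: the USHORT at offset 4 of the
    Words, after AndXCommand(1), AndXReserved(1) and AndXOffset(2)."""
    if req.command != 0x73 or len(req.words) < 6:
        return None
    return struct.unpack_from("<H", req.words, 4)[0]


def audit_session(packets: List[bytes]) -> List[str]:
    """Illustrative NIDS-style checks over the requests of one TCP session."""
    findings: List[str] = []
    max_buf: Optional[int] = None
    secondary = 0
    for raw in packets:
        req = parse_smb1(raw)
        advertised = client_max_buffer(req)
        if advertised is not None:
            max_buf = advertised
        if req.command in SECONDARY_COMMANDS:
            secondary += 1
        if max_buf is not None and len(req.data) > max_buf:
            findings.append(f"{req.name}: SMB_DATA is {len(req.data)} bytes, "
                            f"over the advertised MaxBufferSize of {max_buf}")
    if secondary:
        findings.append(f"{secondary} SECONDARY transaction request(s): "
                        "multi-part transaction on this session")
    return findings


def build_smb1(command: int, words: bytes = b"", data: bytes = b"",
               tid: int = 0, uid: int = 0, mid: int = 0) -> bytes:
    """Construct an NBSS-wrapped SMBv1 request for exercising the parser."""
    header = (SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + b"\x18" + b"\x00" * 4
              + b"\x00" * 8 + b"\x00\x00" + struct.pack("<HHHH", tid, 0xFEFF, uid, mid))
    body = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed session: the client advertises MaxBufferSize 64 (13 words of
# SESSION_SETUP_ANDX), then a TRANSACTION2 carries 100 data bytes and two
# SECONDARY requests follow. All parameter words other than MaxBufferSize are zero.
SESSION_SETUP_WORDS = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 64, 1, 0, 0, 0, 0, 0, 0)
SAMPLE_SESSION = [
    build_smb1(0x72, data=b"\x02NT LM 0.12\x00"),
    build_smb1(0x73, words=SESSION_SETUP_WORDS, data=b"\x00"),
    build_smb1(0x32, words=b"\x00" * 30, data=b"A" * 100, tid=2049, uid=2048, mid=64),
    build_smb1(0x33, words=b"\x00" * 18, data=b"B" * 20, tid=2049, uid=2048, mid=65),
    build_smb1(0xA1, words=b"\x00" * 36, data=b"C" * 20, tid=2049, uid=2048, mid=66),
]

if __name__ == "__main__":
    for raw in SAMPLE_SESSION:
        r = parse_smb1(raw)
        print(f"{r.name:32s} words={len(r.words):3d} data={len(r.data):3d}")
    for finding in audit_session(SAMPLE_SESSION):
        print("FINDING:", finding)
```

Splitting each request into SMB_PARAMETERS and SMB_DATA first is what makes the two checks possible: the advertised MaxBufferSize lives in the parameter words of the session setup, while the size that matters for the "exceeds the max buffer size" condition is the ByteCount of later requests.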

EternalBlue Mechanism

EternalBlue Exploit Chain

EternalBlue Exploitation

Risk Assessment
Mitigation Steps
• Patch management
• Network segmentation
• Run only supported operating systems
• Maintain backups
• Apply host-level firewalls

Impacts of compromise

EternalBlue remediation and prevention

Prevention
The MS17-010 vulnerability can be exploited in different ways, as both Petya and WannaCry showed. WannaCry usually spread by email, but it may also spread through software updates. Installing the Microsoft patch is known as the best way to prevent the EternalBlue exploit, because it stops exploitation of the SMB protocol if someone attempts it. Where the source is doubtful, avoid opening attachments and avoid clicking on messages from unknown email senders.

Immediate Remediation
Block port 445 immediately and install security update 4013389 for the Windows SMB server as the patch. We must also block outbound RDP from the DMZ to protect our environment. We must use secure remote access software such as Cisco WebEx for SSL connections, Kaseya for TLS connections, and Remote Desktop Gateway, which uses HTTP connections; the reason for using this software is that it cannot be compromised easily by phishing and brute-force attacks.

Future Prevention Policies
• Disabling SMBv1 protocols
• Backup of data
• Controlling access
• Controlling applications
• Guidance for users
• Applying ACLs
• Blocking RDP sessions
• Limiting administrator RDP accounts
• Updated anti-virus signatures
• Securing all files
• Filtering port 445

References
Check Point Research. (2018). EternalBlue - Everything There Is To Know - Check Point Research. [online] Available at: https://research.checkpoint.com/eternalblue-everything-know/ [Accessed 6 Sep. 2018].

Symantec.com. (2018). OS Attack: Microsoft Windows SMB RCE CVE-2017-0144: Attack Signature - Symantec Corp. [online] Available at: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30010 [Accessed 6 Sep. 2018].

Symantec.com. (2018). Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability | Symantec. [online] Available at: https://www.symantec.com/security-center/vulnerabilities/writeup/96704 [Accessed 9 Sep. 2018].

Nvd.nist.gov. (2018). NVD - CVE-2017-0144. [online] Available at: https://nvd.nist.gov/vuln/detail/CVE-2017-0144 [Accessed 8 Sep. 2018].

Rapid7.com. (2018). CVE-2017-0144 Microsoft CVE-2017-0144: Windows SMB Remote Code Execution Vulnerability | Rapid7. [online] Available at: https://www.rapid7.com/db/vulnerabilities/msft-cve-2017-0144 [Accessed 9 Sep. 2018].

Cvedetails.com. (2018). CVE-2017-0144 : The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows. [online] Available at: https://www.cvedetails.com/cve/cve-2017-0144#metasploit [Accessed 11 Sep. 2018].

Staff, T. (2018). The WannaCry Ransomware Pandemic: Implications for the Vulnerability Equities Process. [online] The CyberWire. Available at: https://thecyberwire.com/articles/the-wannacry-ransomware-pandemic-implications-for-vulnerability-equities-process.html [Accessed 11 Sep. 2018].

Kubovič, O. (2018). EternalBlue exploit still a major threat since WannaCryptor outbreak. [online] WeLiveSecurity. Available at: https://www.welivesecurity.com/2018/05/10/one-year-later-eternalblue-exploit-wannacryptor/ [Accessed 12 Sep. 2018].

Research), W. (2018). MS17-010: EternalBlue's Large Non-Paged Pool Overflow in SRV Driver - TrendLabs Security Intelligence Blog. [online] Blog.trendmicro.com. Available at: https://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/ [Accessed 12 Sep. 2018].

ComputerWeekly.com. (2018). WannaCry's EternalBlue exploit still a threat. [online] Available at: https://www.computerweekly.com/news/252440964/WannaCrys-EternalBlue-exploit-still-a-threat [Accessed 18 Sep. 2018].

Research, W. (2018). Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security. [online] Cloudblogs.microsoft.com. Available at: https://cloudblogs.microsoft.com/microsoftsecure/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/ [Accessed 17 Sep. 2018].

White, C. (2018). Wannacry Ransomware & Mitigation Steps. [online] risk3sixty LLC. Available at: https://www.risk3sixty.com/2017/05/13/alert-wannacry-ransomware/ [Accessed 18 Sep. 2018].

Burgess, M. (2018). Everything you need to know about EternalBlue – the NSA exploit linked to Petya. [online] Wired.co.uk. Available at: https://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch [Accessed 19 Sep. 2018].
