Slashdot Mirror


Exploit Derived From EternalSynergy Upgraded To Target Newer Windows Versions (bleepingcomputer.com)

An anonymous reader writes: "Thai security researcher Worawit Wang has put together an exploit based on ETERNALSYNERGY that can also target newer versions of the Windows operating system," reports Bleeping Computer. "ETERNALSYNERGY is one of the NSA exploits leaked by the Shadow Brokers hacking group in April this year. According to a Microsoft technical analysis, the exploit can allow an attacker to execute code on Windows machines with SMB services exposed to external connections. The exploit works up to Windows 8. According to Microsoft, the techniques used in the original ETERNALSYNERGY exploit do not work on newer platforms due to several kernel security improvements. Wang says his exploit targets the same vulnerability but uses a different exploitation technique. His method 'should never crash a target,' the expert says. 'Chance should be nearly 0%,' Wang adds." Combining his exploit with the original ETERNALSYNERGY exploit would allow a hacker to target all Windows versions except Windows 10. This is about 75% of all Windows PCs. The exploit code is available for download from Wang's GitHub or ExploitDB. Sheila A. Berta, a security researcher for Telefonica's Eleven Paths security unit, has published a step-by-step guide on how to use Wang's exploit.

61 comments

  1. Conspiracy Theory by Topwiz · · Score: 0

    I wonder if Microsoft is actually behind all these leaks in order to push people towards Windows 10.

    1. Re: Conspiracy Theory by guruevi · · Score: 4, Insightful

      Don't attribute to malice what can be attributed to incompetence.

      Windows is and has always been a pile of excrement especially when it comes to security.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Conspiracy Theory by Anonymous Coward · · Score: 0

      Yeah it makes sense. Have a vulnerability that can exploit Server 2016 but not Windows 10. That should move those pesky server guys to Windows 10!

    3. Re:Conspiracy Theory by Neuronwelder · · Score: 0

      You are right. They probably don't care. Too bad they can't come out with a good version so people WANT to go to the newer version voluntarily. :(

    4. Re: Conspiracy Theory by Anonymous Coward · · Score: 1

      No more so than linux. But no one has cared about exploiting it because there's just not many consumers running it.

    5. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      Considering every device and OS has been shredded without exception, you can be the first to write an OS that has 0 vulnerabilities.

      Go on, we'll wait.

      (Remembering that any device that has been jailbroken could have had malware using that same exploit)

    6. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      Don't attribute to malice what can be attributed to incompetence.

      Don't attribute to malice what can be attributed to even more malice.

      There, FTFY.

    7. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      > No more so than linux.

      This just shows your utter ignorance. Next you'll be telling us that evolution is "just an hypothesis" or that pi equals 3.

    8. Re: Conspiracy Theory by Zero__Kelvin · · Score: 2

      Yes. Once most of the Internet runs on Linux there is going to be real trouble!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re: Conspiracy Theory by bluefoxlucid · · Score: 4, Insightful

      Yeah, the main line of thinking would be, "WOW! Microsoft pushed Windows 10 so hard to get people protected from all this shit!"

      Then you realize Microsoft didn't have patches and didn't know about this shit until the storm came.

      Never attribute to brilliance what can be attributed to dumb luck.

    10. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      Linux web servers are locked down and hardened such that only the applications prove vulnerable (i.e. WordPress, etc.). The same is true of Windows Server and frankly with Windows 10 in general for user desktops. I think GP was talking in reference to the latter.

    11. Re:Conspiracy Theory by thegreatbob · · Score: 1

      I feel like they could've won over a fairly large handful of people by increasing the flexibility of the UI configuration... e.g. win10 internals with win7 GUI. I'd be nearer the threshold of 'deal with it' if their start menu/taskbar menus were actually responsive. When I right-click on a taskbar item, I want a damned menu, not 2-10 seconds of waiting, followed by a flyout transition, just after having right-clicked again because I thought it wasn't working, followed by more of the same...

      --
      There is no XUL, only WebExtensions...
    12. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      Your theory sounds okay until you stop and think for a moment. Linux is run on big hardware by some of the largest companies in the world. The data on some of those machines is priceless, making them juicy targets for exploitation. Well worth the effort to develop hacks for. But Linux is strong. Not perfect but certainly stronger than Windows.

    13. Re: Conspiracy Theory by EndlessNameless · · Score: 1

      Microsoft has been compartmentalizing and hardening Windows for over a decade now. This is the result of hard work rather than blind luck.

      I have complaints about their direction sometimes, but they do have some excellent developers who do amazing work---when they're not under orders to build user-hostile functionality.

      --
      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    14. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      Microsoft has been compartmentalizing and hardening Windows for over a decade now. This is the result of hard work rather than blind luck.

      A broken clock is right once a day. No doubt there's been a lot of hard work put in to try to protect against such attacks, but given that there's over 50 Windows 10 bugs with a CVE score of 9.3, the fact that this vulnerability doesn't work yet* is blind luck.

      * I say yet precisely because most of the various mitigations have turned into fully-bypassable with high, if not 100%, probability for most vulnerabilities. So, maybe Windows 10 will be lucky on this one.

    15. Re: Conspiracy Theory by bluefoxlucid · · Score: 1

      They weren't specifically-aware of these exploits though. That's the point: that these don't work on Windows 10 isn't the storm from which Microsoft tried to save us; it's just another storm nobody predicted, and nobody predicted one this bad. "We told you to switch to Windows 10! You should have listened! Look what happened!" isn't much of a valid argument because Microsoft's decision to push for Windows 10 wasn't based on "what happened", or any prediction thereof.

      Attribution to incompetence doesn't fit here, because the outcome is sheer brilliance. It's not that MS was brilliant in driving people onto Windows 10 by every means expedient; it's that they did, and, by some happenings of coincidence, this happened. Attribution goes to blind luck.

      As for exploit mitigation, yeah, they've actually been doing a good job of that. In this case, it doesn't help; SMB1 is disabled by default on Windows 10, else it would be vulnerable still.

    16. Re: Conspiracy Theory by bluefoxlucid · · Score: 1

      Kernel bugs generally don't get exploit protection; and CVE scores don't account for exploit mitigation prevention. If your little proxy server is vulnerable to a buffer overflow from a long domain name, then it's RCE. Never mind that RCE is physically-impossible because, once you guess your way past ASLR and perform a return-to-libc to change memory protections, it turns out the OS won't allow memory that's ever been writable to become executable, thus preventing a bit from being set which is plugged into a physical AND gate that controls the write pin for the ITLB and ICache; your program is vulnerable, end of story. Your OS can catch it and stop the exploit, but your program is still broken in that way.

    17. Re: Conspiracy Theory by eneville · · Score: 2

      A broken clock is right once a day.

      *twice.*

    18. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      "Microsoft has been compartmentalizing and hardening Windows for over a decade now." Yeah, and it took a similar amount of time to design and build the Titanic, but that only had a few major flaws by comparison to Windows' hundreds and thousands.

    19. Re: Conspiracy Theory by Hognoxious · · Score: 1

      A stopped clock.

      And it might be right only once or three times when daylight saving starts or ends.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    20. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      Linux, like Windows, is only as strong as the people who install, config, and admin the servers.
      "Not perfect but certainly stronger than Windows"
      Quantify "stronger". And compare "apples to apples" while you are quantifying. And if you want to be honest please do a quick search on Linux vulnerabilities and see how many kernel exploits the search returns. Most of the serious exploits are in code that is up to 9 years old which sort of puts a dink in the "many eyes" theory.

      And hackers have a fertile hunting ground on the Android ecosystem. People are using their smart phones to do things they used to do from their PCs. It's an ecosystem where people mindlessly download any app that catches their eye and gladly give the downloaded app every permission it says it needs to install. Desktop exploits will look like a mild flu compared to the Android black plague. The mobile phone and accompanying computing industry have made the same mistake that was made at the beginning of the PC age. They have prioritized getting their hardware and software wares to market and pushed security to a distant second place. But billions of people didn't walk around with a PC in their pocket with an open network connection at all times and transmitting all the data packets over an easily hijacked RF signal. Plus every time you turn on your location, for those that do not share their location all the time, you can be tracked everywhere you go.

    21. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      No more so than linux. But noone has cared about exploiting it because theres just not many consumers running it.

      The above statement demonstrates the fundamental ignorance about security, because the goal is never to have a 100% secure system (it would be impractical), but to have adequate security to deter attackers. For example, a bank has to spend much more on security than a regular individual to secure her/his property. A bank cannot say that it has good security if it is up to the level what an average Joe has. Similarly, if you have a larger market share, you have to invest a proportionally larger sum of money in security. Microsoft did a poor job in this respect, especially in the past. Now there are plenty of Linux servers working online 24/7 and they are rarely hacked. It means that Linux systems have adequate security for their mission and Windows systems don't.

    22. Re: Conspiracy Theory by Zero__Kelvin · · Score: 1

      You don't seem to understand. That router your Windows box is talking to the internet through ... Linux. The systems hosting your Azure instances? Linux. The wireless APs everyone is using? Linux. The list goes on, and on, and on. If attractiveness of target was the issue then Linux exploits would FAR outweigh Windows ones.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    23. Re: Conspiracy Theory by Anonymous Coward · · Score: 0

      these "bugs" are known from around march/april 2016, microsoft have "knowledge" dated from september same year, patches are from february/march this year
      you have no idea what you are talking about

  2. So he updated it to work with Windows 8.1? by devjoe · · Score: 3, Interesting

    The original exploit worked up to Windows 8. The "security researcher" updated it to work with newer Windows versions, but not Windows 10, apparently. So he updated it to work against Windows 8.1, and maybe Windows Server 2016 if it somehow works there but not on Windows 10.

  3. External SMB by Anonymous Coward · · Score: 0

    Maybe I missed something, but who still publishes SMB externally? When I read 'externally' I see it as meaning publicly accessible; not as external from the machine to the internal network; etc.

    Meh

    1. Re:External SMB by Anonymous Coward · · Score: 2

      More than just that. You should never trust your internal network either. All these companies that got hit by this TURNED OFF THE WINDOWS FIREWALL (or, at a minimum opened the ports for SMB). This means they trusted their internal network and some stupid admin at the company wanted to be able to use the c$ or admin$ share to access the machines. For this, they enabled SMB on the computers to get through the firewall. A default, out of box install has this blocked. We have it blocked at the enterprise where I work too - because we didn't want to get an exploit that came through and cost us tons of money and then have to tell management that it wouldn't have happened if we left the damn out of box security settings alone. That type of thing gets people fired. I'm sure the WannaCry and the like (which also use SMB exploits) were banging on our machines like crazy but the firewall just drops the packets. If people purposely configured Linux insecurely it would get remotely attacked too - and people here would call the admins idiots. These admins were idiots too.

    2. Re:External SMB by Anonymous Coward · · Score: 0

      Where have you been for the past 2 months? Haven't you heard of WannaCry or NotPetya? Lots of dumbasses expose SMB services online.

    3. Re:External SMB by Anonymous Coward · · Score: 0

      What you said, plus people have laptops that they bring to work. And those laptops are also their children's plaything after supper.
      Plus, work-at-home through a VPN places workers' home computers on the internal network, and by worker's computer I mean the home worker and his children.
      There is no difference between external and internal networks in these days.

  4. "security researcher".. by Fly+Swatter · · Score: 4, Insightful

    My ass, posting it to the open public makes you nothing more than a script kiddie.

    1. Re:"security researcher".. by Junta · · Score: 2

      While you may feel the guy acted irresponsibly and deserves some sort of insulting moniker, script kiddie isn't a good fit.

      A script kiddie can't write exploits or generally understand the things they are using. They don't post exploits because they aren't that capable, they just know where to go to download and then clumsily apply the work of others.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:"security researcher".. by Fly+Swatter · · Score: 1

      It was intended as an insult. But thanks for explaining it for the younger crowd, I guess.

    3. Re: "security researcher".. by Zero__Kelvin · · Score: 1

      So you are telling us you are part of "the younger crowd"?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:"security researcher".. by bluefoxlucid · · Score: 2

      Security by obscurity is not security. We can now use his published exploit to prime our IDS and IPS. There's no way he could get this to every IDS vendor in the world; he'd have to identify them all, and even I can't do that.

    5. Re: "security researcher".. by Anonymous Coward · · Score: 0

      The Russian bot crowd needs some cultural context for the next wave of bizarre anti-American posts! Those whiny conspiracies aren't going to write themselves!

  5. Just disable SMBv1 by JourneymanMereel · · Score: 1

    Makes me glad I took the somewhat drastic step of disabling SMBv1 on my network. As an added bonus, this makes it so Windows XP and Server 2003 are useless :).

    --
    Life has many choices. Eternity has two. What's yours?
    1. Re:Just disable SMBv1 by mspohr · · Score: 1, Informative

      Your patch is a temporary fix.
      The real fix would be to dump Windows.

      --
      I don't read your sig. Why are you reading mine?
    2. Re:Just disable SMBv1 by EndlessNameless · · Score: 1

      The Windows bashing is just stupid. It oversimplifies the problem and whitewashes Linux security issues.

      Samba has a recent arbitrary code vulnerability.

      NFS had some arbitrary remote code vulnerabilities too (although not recently).

      The real fix is: layers of security, intrusion detection, and auditing---with trained, vigilant personnel to monitor it all. There is no single solution for security.

      --
      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re:Just disable SMBv1 by mspohr · · Score: 1

      I can understand why those who still use Windows are defensive but any objective view of the issue of security would have to conclude that Windows continues to be a security nightmare with new vulnerabilities being developed and exploited every month.
      "Stupidity is doing the same thing over and over and expecting a different result."

      --
      I don't read your sig. Why are you reading mine?
    4. Re:Just disable SMBv1 by Anonymous Coward · · Score: 0

      When it comes to security and free vs. proprietary software, here's the most important thing to remember:

      It is ILLEGAL to fix bugs in proprietary software, no matter how much active exploits are hurting you.

    5. Re: Just disable SMBv1 by F.Ultra · · Score: 1

      True, but to be honest that Samba exploit required the user to already have write access to the share. Still bad, but not as bad as this SMBv1 exploit.

    6. Re:Just disable SMBv1 by EndlessNameless · · Score: 1

      continues to be a security nightmare with new vulnerabilities being developed and exploited every month.

      This is true of every piece of software. Making this out to be a Windows-specific problem is just ignorant. It applies to applications like IIS and Apache, too, not just operating systems.

      Now, is Windows worse than the average Linux distro when considering both vulnerability count and severity? I would answer yes, but the gap is much smaller than the Win 9x/XP days.

      Are the requirements to secure and monitor the infrastructure drastically different for Windows vs Linux hosts? No, not really.

      In either case, you should have a secured master image which is customized as needed during deployment. No one should be running SMBv1 anymore, but it is enabled by default, so Microsoft owns that problem.

      --
      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    7. Re:Just disable SMBv1 by EndlessNameless · · Score: 1

      It is ILLEGAL to fix bugs in proprietary software, no matter how much active exploits are hurting you.

      This is largely irrelevant at the enterprise level.

      Very few enterprises have the expertise in-house to fix kernel bugs or contribute to Apache/Samba/etc. In both cases, they are beholden to their vendors. The same applies to home users.

      There is only really a very small niche of people who can introduce custom fixes for zero-day exploits.

      The vast majority of internet hosts will see better security from having dedicated firewall, IDS, and auditing personnel vs retaining a kernel hacker. Even having a competent sysadmin would be enough in most cases, as most of the Windows malware is the result of poor configuration. Granted, these are default settings so Microsoft shares some of the blame---but a decent admin should understand what he is building/deploying.

      --
      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  6. can someone explain why? by Anonymous Coward · · Score: 0

    Why do these researchers publish these exploits so anyone can view and use the code? You would think these researchers wouldn't want people using this code to create viruses/exploits etc... but what do I know. Why would they do this?

    1. Re:can someone explain why? by UnknowingFool · · Score: 1

      Well in some cases, the researchers contacted the companies themselves about the exploits. And the companies didn't do anything about them and sometimes didn't even acknowledge them. So the researcher can wait but the exploit might be found by someone else. Or they can publish the exploit. In this case, this researcher is talking about modifying an already leaked exploit, ETERNALSYNERGY.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  7. Lesson here is? by Anonymous Coward · · Score: 0

    Disable Windows www smb and never give a client admin/root over a system unless it is on an intranet, not the friggin' internet. How the hell Microsoft managed to screw up client communication kernel security for so many years and still manage to essentially control the PC industry is beyond belief. Also it is a bullshit exercise to think that the people who exploit holes in Windows are any smarter than the people who write software; the reason why Microsoft managed to write a POS kernel with an obvious hole for so many years is that almost certainly the smb security hole was placed there deliberately.

    I just wonder what wonderful extra orifice they have put in 10 for the NSA to drive a truck through. Either way, when it comes to security the consumer gets it up the end when you cannot see the code that you are using without reversing it first the way the "security experts" did to create Samba. This so-called "hole" has been known almost as long as Windows has existed; anyone with half a brain shuts off smb on Windows. If there is a similar hole in the new kernel then it will take some serious cracking and fracking to find the same way we managed to create Samba in the first place. The hunt begins anew!

  8. Re:You know what else has been upgraded? by Anonymous Coward · · Score: 0
  9. linux IS the prime target by Anonymous Coward · · Score: 1

    WHY WHY WHY would anyone target Windows when all of the INTERESTING data is on LINUX servers?

    WHO CARES about your recipes and your photos and your music.

    ALL of the data worth stealing is on LINUX, on SERVERS at places like Amazon and ebay and YOUR BANK. The info on MILLIONS of people can be had if you can break into ONE server!

    So WHY do they go after Windows, even though the pickings are slim? Because it's EASY.

  10. Re:Protect vs. SMB1 attacks easily by Anonymous Coward · · Score: 0

    services you don't NEED as a single PC user only

    why not just get a commodore 64 or even pencil and paper!

    windows turns your computer into a not-computer, with no networking

    get a REAL operating system and you can actually USE the network hardware

  11. Re: Protect vs. SMB1 attacks easily by Anonymous Coward · · Score: 0

    Doesn't my hosts file protect me from these vulnerabilities? I was told those fix everything and make my computer invincible!

  12. how is this usefull by Anonymous Coward · · Score: 0

    so, can this be used to jailbreak windows so that it can send a copy of itself over the network onto a new virgin os-less computer?
    (i can see m$ engineers with hair on fire scrambling for sure and the boss getting a big nose of nitroglycerin via inhaler).

  13. Re:Ah, Hillary Clinton's mentor's FAIL tactics! by Anonymous Coward · · Score: 0

    No, we've always laughed at you.

  14. Unidentifiable "ne'er-do-wells" may, but... by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    APK is kinda right. I've tried his hosts file generating software. It works by bmo

    APK your posts on this and the hosts file posts, and more, have never been in error and/or bad advice by BlueStrat

    * My code's recommended & hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> See subject: Registered users quoted above don't (I've dozens more - want to see 'em? Ask & "ye shall receive" to you public dismay) & neither does highly esteemed Malwarebytes (you've done better?)... apk

  15. Protect vs. SMB1 issues easily by Anonymous Coward · · Score: 0

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

    (THIS HAS BEEN PATCHED but you can protect this way too & it works...)

    Not sure if this works in a "mixed-mode" network though (check MS link) using older Windows (e.g. XP/2000 etc.).

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk... apk
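The registry value and sc.exe commands quoted in the post above, gathered into one audit-and-remediate script. This is an added example and is not code from the post, from APK, or from Microsoft's support article; it uses only the SMB1 registry entry under LanmanServer\Parameters and the mrxsmb10/lanmanworkstation services the post names. The `-Remediate` switch, the `Get-Smb1State` and `Disable-Smb1` function names, and treating a missing SMB1 value as the default of 1 (enabled, as the post states) are this example's own assumptions. Run it from an elevated PowerShell prompt; a reboot is needed before the client-side change fully applies.

```powershell
# Added example: audit, and optionally disable, SMBv1 on the server and client side,
# using the same registry value and services named in the post above.
# -Remediate is a parameter of this script, not a Microsoft switch.
param([switch]$Remediate)

# Same subkey as the post, written in PowerShell's HKLM: drive notation
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Server side: the SMB1 DWORD; when absent, the post's stated default (1 = Enabled) applies
    $value = (Get-ItemProperty -Path $serverKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { $value = 1 }

    # Client side: the mrxsmb10 driver; a start type of Disabled means the client cannot speak SMBv1
    $client = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServerSmb1Value   = $value
        ServerSmb1Enabled = ($value -ne 0)
        ClientStartType   = if ($client) { $client.StartType } else { 'NotPresent' }
        ClientSmb1Enabled = [bool]($client -and $client.StartType -ne 'Disabled')
    }
}

function Disable-Smb1 {
    # Server: set the same registry entry the post describes to 0 = Disabled (creates it if missing)
    New-ItemProperty -Path $serverKey -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null

    # Client: the two sc.exe commands from the post, unchanged:
    # drop mrxsmb10 from the workstation service's dependency list, then disable the driver
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$before = Get-Smb1State
Write-Output "Before: $($before | ConvertTo-Json -Compress)"

if ($Remediate) {
    Disable-Smb1
    $after = Get-Smb1State
    Write-Output "After:  $($after | ConvertTo-Json -Compress)"
    Write-Output 'Reboot for the client-side change to take full effect.'
} else {
    Write-Output 'Audit only; rerun with -Remediate to disable SMBv1.'
}
```

Without `-Remediate` the script only reports, which is the safer first step on a network that still has XP/2000-era hosts, the mixed-mode case the post is unsure about: those machines can only talk SMBv1, so disabling it on a server they depend on cuts them off. The server-side value takes effect only after the LanmanServer service restarts or the machine reboots, so the "After" line reflects the registry and service configuration, not what is currently listening on 445.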