Exploit Derived From EternalSynergy Upgraded To Target Newer Windows Versions (bleepingcomputer.com)
An anonymous reader writes: "Thai security researcher Worawit Wang has put together an exploit based on ETERNALSYNERGY that can also target newer versions of the Windows operating system," reports Bleeping Computer. "ETERNALSYNERGY is one of the NSA exploits leaked by the Shadow Brokers hacking group in April this year. According to a Microsoft technical analysis, the exploit can allow an attacker to execute code on Windows machines with SMB services exposed to external connections. The exploit works up to Windows 8. According to Microsoft, the techniques used in the original ETERNALSYNERGY exploit do not work on newer platforms due to several kernel security improvements. Wang says his exploit targets the same vulnerability but uses a different exploitation technique. His method 'should never crash a target,' the expert says. 'Chance should be nearly 0%,' Wang adds." Combining his exploit with the original ETERNALSYNERGY exploit would allow a hacker to target all Windows versions except Windows 10. This is about 75% of all Windows PCs. The exploit code is available for download from Wang's GitHub or ExploitDB. Sheila A. Berta, a security researcher for Telefonica's Eleven Paths security unit, has published a step-by-step guide on how to use Wang's exploit.
Don't attribute to malice what can be attributed to incompetence.
Windows is and has always been a pile of excrement especially when it comes to security.
Custom electronics and digital signage for your business: www.evcircuits.com
The original exploit worked up to Windows 8. The "security researcher" updated it to work with newer Windows versions, but not Windows 10, apparently. So he updated it to work against Windows 8.1, and maybe Windows Server 2016 if it somehow works there but not on Windows 10.
My ass, posting it to the open public makes you nothing more than a script kiddie.
No more so than linux. But no one has cared about exploiting it because there's just not many consumers running it.
Makes me glad I took the somewhat drastic step of disabling SMBv1 on my network. As an added bonus, this makes it so Windows XP and Server 2003 are useless :).
Life has many choices. Eternity has two. What's yours?
Yes. Once most of the Internet runs on Linux there is going to be real trouble!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
More than just that. You should never trust your internal network either. All these companies that got hit by this TURNED OFF THE WINDOWS FIREWALL (or, at a minimum opened the ports for SMB). This means they trusted their internal network and some stupid admin at the company wanted to be able to use the c$ or admin$ share to access the machines. For this, they enabled SMB on the computers to get through the firewall. A default, out of box install has this blocked. We have it blocked at the enterprise where I work too - because we didn't want to get an exploit that came through and cost us tons of money and then have to tell management that it wouldn't have happened if we left the damn out of box security settings alone. That type of thing gets people fired. I'm sure the WannaCry and the like (which also use SMB exploits) were banging on our machines like crazy but the firewall just drops the packets. If people purposely configured Linux insecurely it would get remotely attacked too - and people here would call the admins idiots. These admins were idiots too.
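The two defensive points raised in the comments above (disabling SMBv1 outright, and keeping the out-of-box firewall block on the SMB ports rather than opening them for admin shares) can be audited and enforced from an elevated PowerShell session. The script below is an added example for this thread, not code from the article, from Wang's repository or from any poster here; it assumes Windows 8.1 / Server 2012 R2 or later so that the SmbShare and NetSecurity modules are present, and the firewall rule group name 'File and Printer Sharing' is the stock English name on those builds.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 and inbound SMB firewall exposure, then remediate.
# Assumes Windows 8.1 / Server 2012 R2+ (SmbShare and NetSecurity modules available).

# 1. Is the SMB1 server protocol switched on for this host?
$smb = Get-SmbServerConfiguration
"SMB1 server protocol enabled: $($smb.EnableSMB1Protocol)"

# 2. Is the SMB1 optional feature (client and server binaries) installed at all?
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 3. Which enabled inbound Allow rules expose TCP/445 (SMB) or TCP/139 (NetBIOS session)?
#    An empty list here is the out-of-box state the comment above describes.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' -or $_.LocalPort -contains '139' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile, Enabled

# 4. Remediate: turn the SMB1 dialect off (takes effect immediately) and remove the
#    feature so it cannot be re-enabled by accident; the feature removal needs a reboot.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 5. Put the inbound SMB rules back to the default (blocked) state. This also closes the
#    C$ / ADMIN$ remote-admin path the comment mentions, which is the intended trade-off.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound

# 6. Re-check so the change is visible in the transcript / change ticket.
(Get-SmbServerConfiguration).EnableSMB1Protocol
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Select-Object DisplayName, Enabled
```

Steps 1 to 3 are read-only and safe to run fleet-wide for an inventory; steps 4 and 5 change state and should be pushed through the usual change process (Group Policy or a configuration-management tool rather than interactive sessions) so that the settings do not drift back as the comment describes.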
Yeah, the main line of thinking would be, "WOW! Microsoft pushed Windows 10 so hard to get people protected from all this shit!"
Then you realize Microsoft didn't have patches and didn't know about this shit until the storm came.
Never attribute to brilliance what can be attributed to dumb luck.
Support my political activism on Patreon.
I feel like they could've won over a fairly large handful of people by increasing the flexibility of the UI configuration... e.g. win10 internals with win7 GUI. I'd be nearer the threshold of 'deal with it' if their start menu/taskbar menus were actually responsive. When I right-click on a taskbar item, I want a damned menu, not 2-10 seconds of waiting, followed by a flyout transition, just after having right-clicked again because I thought it wasn't working, followed by more of the same...
There is no XUL, only WebExtensions...
WHY WHY WHY would anyone target Windows when all of the INTERESTING data is on LINUX servers?
WHO CARES about your recipes and your photos and your music.
ALL of the data worth stealing is on LINUX, on SERVERS at places like Amazon and ebay and YOUR BANK. The info on MILLIONS of people can be had if you can break into ONE server!
So WHY do they go after Windows, even though the pickings are slim? Because it's EASY.
Well in some cases, the researchers contacted the companies themselves about the exploits. And the companies didn't do anything about them and sometimes didn't even acknowledge them. So the researcher can wait but the exploit might be found by someone else. Or they can publish the exploit. In this case, this researcher is talking about modifying an already leaked exploit, ETERNALSYNERGY.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Microsoft has been compartmentalizing and hardening Windows for over a decade now. This is the result of hard work rather than blind luck.
I have complaints about their direction sometimes, but they do have some excellent developers who do amazing work---when they're not under orders to build user-hostile functionality.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
They weren't specifically aware of these exploits though. That's the point: that these don't work on Windows 10 isn't the storm from which Microsoft tried to save us; it's just another storm nobody predicted, and nobody predicted one this bad. "We told you to switch to Windows 10! You should have listened! Look what happened!" isn't much of a valid argument because Microsoft's decision to push for Windows 10 wasn't based on "what happened", or any prediction thereof.
Attribution to incompetence doesn't fit here, because the outcome is sheer brilliance. It's not that MS was brilliant in driving people onto Windows 10 by every means expedient; it's that they did, and, by some happenings of coincidence, this happened. Attribution goes to blind luck.
As for exploit mitigation, yeah, they've actually been doing a good job of that. In this case, it doesn't help; SMB1 is disabled by default on Windows 10, else it would be vulnerable still.
Kernel bugs generally don't get exploit protection; and CVE scores don't account for exploit mitigation prevention. If your little proxy server is vulnerable to a buffer overflow from a long domain name, then it's RCE. Never mind that RCE is physically-impossible because, once you guess your way past ASLR and perform a return-to-libc to change memory protections, it turns out the OS won't allow memory that's ever been writable to become executable, thus preventing a bit from being set which is plugged into a physical AND gate that controls the write pin for the ITLB and ICache; your program is vulnerable, end of story. Your OS can catch it and stop the exploit, but your program is still broken in that way.
A broken clock is right once a day.
*twice.*
Why UNIX?
A stopped clock.
And it might be right only once or three times when daylight saving starts or ends.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
You don't seem to understand. That router your Windows box is talking to the internet through ... Linux. The systems hosting your Azure instances? Linux. The wireless APs everyone is using? Linux. The list goes on, and on, and on. If attractiveness of target was the issue then Linux exploits would FAR outweigh Windows ones.