It's a new year, and we're still finding Windows systems missing the MS17-010 patch in virtually every client network we perform an attack surface validation (i.e., penetration test).
Unfortunately, malware authors have been able to exploit these systems using high-profile worms such as WannaCry and NotPetya. Many security teams and penetration testing firms have had their hands tied, unwilling to use potentially unsafe versions of the exploits on client networks. Without substantive proof of potential damage to an organization, many management and IT teams have dangerously ignored applying the patches for these vulnerabilities.
This post will discuss RiskSense's research on MS17-010 last year, a new exploit module we added to Metasploit this week (including our reasoning behind doing so), and additional mitigations and systems hardening that can be implemented outside of just applying the MS17-010 patch.
MS17-010 Background Information
MS17-010 is a Microsoft Security Bulletin from March 2017, describing several remote code execution vulnerabilities present on virtually every version of Windows. An unknown entity called the Shadow Brokers released a treasure trove of exploits a month later, in April 2017, allegedly stolen from the Equation Group (Office of Tailored Access Operations), an elite hacking unit at the National Security Agency (NSA).
You may have heard of some of these exploits, such as EternalBlue, which was used in the infamous WannaCry ransomware campaign last May. Dozens of malware worms using these exploits have been seen in the wild and are still extremely active, such as Adylkuzz, EternalRocks, NotPetya, Bad Rabbit, and WannaMine.
Several weeks before WannaCry, RiskSense warned that it was only a matter of time before these exploits became weaponized, which was reported in leading news outlets such as ThreatPost and Bloomberg. Unfortunately, many organizations were still caught unaware.
MS17-010 Missing Patch Scanner
Shortly after the MS17-010 patch was issued (and before the exploits were dumped and the severity of the vulnerabilities was fully known), RiskSense released a Metasploit module for system administrators to audit systems missing the patch.
MS17-010 DoublePulsar Backdoor
All of the Eternal exploits in the Shadow Brokers dumps install a multi-architecture Windows kernel backdoor called DoublePulsar.
One week after the dumps, Zach Harding, Dylan Davis, and I had fully reverse engineered DoublePulsar, detailing the operations of the initial SMB backdoor so that antivirus companies and IDS rule authors could create detection and mitigation measures.
Unfortunately, most antivirus vendors did not write detection or prevention routines for DoublePulsar before the first round of worms hit a few weeks later.
MS17-010 EternalBlue Exploit
EternalBlue is possibly the most potent exploit, as it only requires anonymous access to a share, such as the commonly used IPC$. Other exploits require a share as well as a named pipe.
RiskSense analysts immediately began reverse engineering EternalBlue, as we considered it the most potent exploit. A Metasploit module trimming the exploit down to its barebones parts was released two days after WannaCry. It evaded IDS signatures, so that better ones could be built.
The Metasploit module can be found at exploit/windows/smb/ms17_010_eternalblue.
The original EternalBlue module from the Shadow Brokers dumps was only designed to target older Windows systems such as Windows XP and Windows 7. Dylan Davis and I wrote an EternalBlue white paper demonstrating it was possible to port the exploit to Windows 10. This was lab code that was later destroyed and never released, although many antivirus companies did inquire about the proof-of-concept.
MS17-010 Metasploit PSExec Port of ZZZ_Exploit
In order to aid white-hats and penetration testers in demonstrating the risks associated with MS17-010 to their customers, RiskSense recently added an exploit module to Metasploit that can target every version of Windows, from Server 2000 through Server 2016, and all the home/workstation versions of Windows in between.
A few months after the original dumps, a researcher from Thailand named Worawit Wang released zzz_exploit, which uses the same vulnerabilities exploited in the EternalRomance, EternalSynergy, and EternalChampion exploits.
However, the ultimate payload of his exploit is slightly different. Whereas the original exploits cause an anonymous SMB login to begin executing arbitrary code via convoluted buffer overwrite mechanisms, Worawit used the overwrites to instead cause the SMB session to become an Administrator session.
RiskSense essentially ported this publicly known exploit almost 1:1 to Metasploit, and the Rapid7 Metasploit maintainers tested it against every major version of Windows.
The Metasploit modules can be found at exploit/windows/smb/ms17_010_psexec and auxiliary/admin/smb/ms17_010_command.
A crash was discovered when the original exploit targets Windows XP SP0 and SP1, as Windows TOKEN structures were changed in Windows XP SP2, which is what the original exploit was tested against.
RiskSense fixed the TOKEN offsets for the Metasploit module and pushed a fix to Worawit Wang's repository. In addition, RiskSense slightly trimmed the network traffic and inserted randomness to the exploit, which could aid IDS writers in writing tighter rules.
Once an attacker has an Administrator session over SMB, they can bind DCERPC over the SMB transport and execute commands via the Service Manager, a technique called PSExec, originally developed many years ago by Mark Russinovich for the SysInternals Suite.
MS17-010 Additional Mitigations
The most proper fix for MS17-010 is, of course, applying the necessary updates to Windows. After WannaCry, Microsoft backported patches to Windows XP; however, Windows 2000 will remain eternally vulnerable.
In addition, it is also recommended to completely disable SMBv1, a legacy protocol. Most enterprise networks will continue to operate without a hiccup using SMBv2 and SMBv3. Home users and machines not joined to a domain should enable the Windows Firewall to block SMB ports entirely.
Finally, system administrators should review settings for the following Group Policies, to restrict permissions for anonymous logins: