EternalBlue: A Security Reference Code for MS17-010

Added on  2019-09-20


Contents
Executive Summary
Technical Description
    Vulnerability Description
    Attack Vector
    Exploitation Scenario
Mitigation
Remediation
References

Executive Summary

EternalBlue is the name given to an exploit for a vulnerability in the SMBv1 server of Microsoft Windows operating systems (CVE-2017-0144). Microsoft tracks the vulnerability under the security bulletin reference MS17-010 and issued a security update for it on March 14, 2017. The patch was therefore available before the WannaCry ransomware, which was built on the same vulnerability, appeared in May 2017 and spread across the world. Systems on which the update had been applied were protected; systems that had not been patched were exposed. Microsoft rates the vulnerability Critical.

Technical Description

Vulnerability Description

On April 14, 2017, a group calling itself the Shadow Brokers released FUZZBUNCH, an exploitation framework for Windows. The toolkit was written by the Equation Group, regarded as one of the most sophisticated attackers known and tied to the United States National Security Agency (NSA). The exploit in that framework for this vulnerability is ETERNALBLUE. EternalBlue is a remote kernel exploit against the Server Message Block (SMB) version 1 service. It was originally written against Windows 7, Windows XP and other versions preceding Windows 8, but the underlying bug is present in every Windows version that ships the SMBv1 server, and MS17-010 covers all versions that were supported at the time, from Windows Vista to Windows 10 and Windows Server 2016.

These versions of Windows expose the interprocess communication share, IPC$, which accepts a null session: by default a connection to it can be made anonymously, without any credentials. A null session still lets the client send a wide range of SMB commands to the server, so the vulnerable code can be reached without authentication. The flaw itself is a buffer overflow in the kernel-mode SMBv1 server driver (srv.sys), which miscalculates the size of a buffer while converting a list of OS/2-style extended file attributes into the NT format; the null session matters because it puts that code path within reach of an unauthenticated attacker on the network.

Attack Vector

All of the cases analysed for this vulnerability show the same behaviour. Malicious code is first executed on the target computer through a remote session, using the EternalBlue exploit combined with a modified DoublePulsar backdoor. With this, WannaCry injects its code into the LSASS process (lsass.exe) of the operating system. As noted above, EternalBlue takes advantage of the SMB vulnerability that Microsoft had already addressed in security bulletin MS17-010, and it spreads across the internal network by connecting to TCP port 445 on systems that have not yet been patched.

Exploitation Scenario

After the SMB negotiation and session setup, the ransomware connects to the IPC$ share on the target host. It then sends an NT Trans request announcing a very large payload size, with the data consisting of a sequence of NOPs. The server allocates a transaction buffer for the announced size, which is what makes the SMB server exploitable. Because the announced size is larger than a Trans2 request can express, the NT Trans request is followed by a series of secondary Trans2 requests that carry the remaining data; srv.sys accepts this continuation because both transaction types share the same internal structure. The data these requests deliver is the encrypted payload and the shellcode that make the full attack on the remote system possible.

Once the vulnerability has been triggered, a payload containing a stager for the malware is delivered to the remote system. This payload launches the mssecsvc service from the lsass process, and the service scans the entire local network looking for further machines with SMB exposed. The service then uses the same vulnerability to gain access to those remote machines and deliver the payload, completing the cycle.
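The request sequence described above, an oversized NT Trans continued by Trans2 Secondary requests, is the signal that network detection for MS17-010 traffic keys on. The following is an added example, not code from the original paper or from any exploit kit: a minimal SMBv1 transaction parser, with field layouts taken from MS-CIFS, and a stateful heuristic that raises an alert when an NT Trans request (command 0xA0) announcing more data than a 16-bit Trans2 count can express is continued by Trans2 Secondary requests (command 0x33) rather than NT Trans Secondary (0xA1). The sample messages are constructed inside the block, and the 64 KiB threshold and the names EternalBlueDetector, parse_smb1 and scan_session are the example's own choices.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NT_TRANSACT = 0xA0
SMB_COM_NT_TRANSACT_SECONDARY = 0xA1
# 32-byte SMBv1 header (MS-CIFS), little-endian: magic, command, status, flags, flags2,
# PIDHigh, signature, reserved, TID, PIDLow, UID, MID.
HEADER_FMT = "<4sBIBHH8sHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
LARGE_TRANSACTION = 0x10000  # assumption: larger than any 16-bit Trans2 count can express

@dataclass
class SmbMessage:
    command: int
    tid: int
    uid: int
    mid: int
    total_data_count: Optional[int] = None  # set only for the two transaction types parsed
    data_count: Optional[int] = None

def parse_smb1(packet: bytes) -> SmbMessage:
    """Parse one SMBv1 message; the 4-byte NetBIOS session header must already be stripped."""
    if len(packet) < HEADER_LEN + 1 or packet[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 message")
    _, cmd, _, _, _, _, _, _, tid, _, uid, mid = struct.unpack_from(HEADER_FMT, packet)
    word_count = packet[HEADER_LEN]
    words = packet[HEADER_LEN + 1:HEADER_LEN + 1 + 2 * word_count]
    if len(words) != 2 * word_count:
        raise ValueError("truncated parameter block")
    msg = SmbMessage(cmd, tid, uid, mid)
    if cmd == SMB_COM_NT_TRANSACT and word_count >= 19:
        # MaxSetupCount(1) Reserved(2) TotalParameterCount(4) TotalDataCount(4) MaxParameterCount(4)
        # MaxDataCount(4) ParameterCount(4) ParameterOffset(4) DataCount(4) DataOffset(4) ...
        msg.total_data_count = struct.unpack_from("<I", words, 7)[0]
        msg.data_count = struct.unpack_from("<I", words, 27)[0]
    elif cmd == SMB_COM_TRANSACTION2_SECONDARY and word_count == 9:
        # TotalParameterCount(2) TotalDataCount(2) ParameterCount(2) ParameterOffset(2)
        # ParameterDisplacement(2) DataCount(2) DataOffset(2) DataDisplacement(2) FID(2)
        msg.total_data_count = struct.unpack_from("<H", words, 2)[0]
        msg.data_count = struct.unpack_from("<H", words, 10)[0]
    return msg

class EternalBlueDetector:
    """Per (TID, UID) session, remember an oversized NT Trans until it is continued or replaced."""
    def __init__(self, threshold: int = LARGE_TRANSACTION):
        self.threshold = threshold
        self.pending = {}
        self.alerts: List[str] = []

    def feed(self, packet: bytes) -> Optional[str]:
        msg = parse_smb1(packet)
        key = (msg.tid, msg.uid)
        if msg.command == SMB_COM_NT_TRANSACT:
            if msg.total_data_count is not None and msg.total_data_count >= self.threshold:
                self.pending[key] = msg.total_data_count
            else:
                self.pending.pop(key, None)
        elif msg.command == SMB_COM_TRANSACTION2_SECONDARY and key in self.pending:
            # NT Trans Secondary (0xA1) is the legitimate continuation of an NT Trans; this is not.
            total = self.pending.pop(key)
            self.alerts.append(f"tid={msg.tid} uid={msg.uid}: NT Trans announcing {total} bytes "
                               f"continued by Trans2 Secondary (MS17-010 / EternalBlue pattern)")
            return self.alerts[-1]
        return None

def scan_session(packets: List[bytes], threshold: int = LARGE_TRANSACTION) -> List[str]:
    detector = EternalBlueDetector(threshold)
    for packet in packets:
        detector.feed(packet)
    return detector.alerts

# Constructed sample messages for the demonstration (not captured traffic).
def _build(command: int, words: bytes, data: bytes = b"", tid=1, uid=0x800, mid=1) -> bytes:
    hdr = struct.pack(HEADER_FMT, SMB1_MAGIC, command, 0, 0x18, 0xC007, 0, b"\0" * 8, 0, tid, 0xFEFF, uid, mid)
    return hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data

def build_nt_trans(total: int, data: bytes = b"", **ids) -> bytes:
    words = struct.pack("<BHIIIIIIIIBH", 1, 0, 0, total, 0, 0, 0, 0, len(data), 0, 0, 0)
    return _build(SMB_COM_NT_TRANSACT, words, data, **ids)

def build_nt_trans_secondary(data: bytes = b"", **ids) -> bytes:
    return _build(SMB_COM_NT_TRANSACT_SECONDARY, b"\0" * 36, data, **ids)  # 18 zero words

def build_trans2_secondary(total: int, data: bytes = b"", **ids) -> bytes:
    words = struct.pack("<9H", 0, total & 0xFFFF, 0, 0, 0, len(data), 0, 0, 0)  # 16-bit counts
    return _build(SMB_COM_TRANSACTION2_SECONDARY, words, data, **ids)

def exploit_like_session() -> List[bytes]:
    """NT Trans announcing ~66 KB (NOP filler here), then the data pushed via Trans2 Secondary."""
    return [build_nt_trans(66512, b"\x90" * 64)] + [
        build_trans2_secondary(66512, b"\x90" * 64, mid=m) for m in (2, 3, 4)]

def benign_session() -> List[bytes]:
    return [build_nt_trans(512, b"\0" * 16), build_nt_trans_secondary(b"\0" * 16, mid=2),
            build_trans2_secondary(512, b"\0" * 16, tid=2, uid=0x801)]
```

The heuristic deliberately ignores the NOP sled: filler bytes are trivial for an attacker to change, whereas the NT Trans/Trans2 mismatch is structural to the exploit. A production sensor would additionally reassemble the TCP stream and strip the 4-byte NetBIOS session header that prefixes every message on port 445, correlate MIDs across requests, and pair the network signal with a host check that the MS17-010 update is actually installed.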