Vulnerability Report of Windows Operating Systems

Added on - 20 Sep 2019

Contents
Executive Summary
Technical Description
  Vulnerability Description
  Attack Vector
  Exploitation Scenario
Mitigation
Remediation
References

Executive Summary

EternalBlue is the name given to a vulnerability in Microsoft Windows operating systems. Microsoft tracks it under the security bulletin MS17-010 (the SMBv1 flaw is also catalogued as CVE-2017-0144) and issued a security update for it on March 14, 2017. The patch therefore predates the WannaCry ransomware, which exploited the same vulnerability when it spread across the world on May 12, 2017. Systems that had the update installed were protected; systems that had not were exposed. Microsoft rates the vulnerability as Critical.

Technical Description

Vulnerability Description

On April 14, 2017, a group calling itself the Shadow Brokers published FUZZBUNCH, an exploitation framework for Windows. The toolkit was written by the Equation Group, regarded as one of the most sophisticated attackers in existence and widely attributed to the United States National Security Agency (NSA). One of the exploits bundled with the framework is ETERNALBLUE, a remote kernel exploit against the Server Message Block version 1 (SMBv1) service, whose server side runs in the Windows kernel driver srv.sys. The leaked exploit was built for versions older than Windows 8, such as Windows 7 and Windows XP and their server counterparts; the underlying flaw, however, was present in every Windows version then supported, which is why MS17-010 covers all of them, and Microsoft later issued out-of-band updates for the unsupported Windows XP and Server 2003 after WannaCry.

These systems expose the interprocess communication share, IPC$, which by default accepts a null session: a connection established anonymously, with an empty user name and password. The null session is not the flaw itself, but it is what lets an unauthenticated remote attacker reach the SMBv1 transaction-handling code that contains the memory-corruption bug, and it is why the exploit needs no credentials on the target.

Attack Vector

All of the cases analysed for this vulnerability show the same behaviour. Malicious code is first executed on the target over a remote SMB session through the EternalBlue exploit, combined with a modified version of the DoublePulsar kernel backdoor. Using this backdoor, WannaCry injects its code into the LSASS process (lsass.exe). As noted above, EternalBlue abuses the SMBv1 vulnerability that Microsoft had already addressed in security bulletin MS17-010; the malware spreads across the internal network by connecting to TCP port 445 on systems that have not yet been patched.

Exploitation Scenario

1. After the SMB negotiation and session setup, the ransomware connects to the IPC$ share on the target host.
2. It then sends an NT Trans request declaring a very large total data size, with the data area filled with a long sequence of NOP bytes. This sets up the oversized transaction buffer that the vulnerability depends on.
3. Because the declared size exceeds what a single request can carry, the rest of the transaction is delivered in a series of Trans2 Secondary requests. These carry the encrypted payload and the shellcode that give the attacker control of the remote system. (A legitimate client would continue an NT Trans with NT Trans Secondary requests, not Trans2 Secondary ones; the mismatch is a useful detection signature.)
4. Once the vulnerability has been triggered, the payload, a stager for the malware, is delivered to the remote system.
5. The payload launches the 'mssecsvc' service from the lsass process, and this service scans the entire local network for further machines with SMB port 445 exposed.
6. The service then uses the same vulnerability to gain access to those machines and deliver the payload, completing the cycle.
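The exchange in the exploitation scenario, seen from the defender's side, as an added example that is not part of the original report: a small Python detector that hand-builds the SMBv1 requests in the order above (anonymous session setup, tree connect to IPC$, NT Trans with an oversized TotalDataCount, Trans2 Secondary continuations), parses them as a sensor on TCP/445 would, and flags the sequence. Field layouts follow MS-CIFS; every message, the address 10.0.0.5, the user name and the sizes are constructed for illustration, not taken from a capture.

```python
"""Stateful detector for the SMBv1 exchange described above (added example,
not the report's code). It hand-builds a few SMBv1 requests, parses them as a
server on TCP/445 would see them, and flags the sequence
null session -> IPC$ tree connect -> oversized NT Trans -> Trans2 Secondary.
Field layouts follow MS-CIFS; message contents are constructed, not captured."""
import struct

SESSION_SETUP_ANDX, TREE_CONNECT_ANDX = 0x73, 0x75
TRANSACTION2_SECONDARY, NT_TRANSACT = 0x33, 0xA0
ALERT = "NT Trans continued by Trans2 Secondary: MS17-010 / EternalBlue pattern"

# 32-byte SMB header: protocol, command, status, flags, flags2, pid_high,
# signature, reserved, tid, pid, uid, mid
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def build_smb(command, body, tid=0, uid=0, mid=1):
    """Frame an SMBv1 request: NetBIOS session header + SMB header + body."""
    hdr = SMB_HEADER.pack(b"\xffSMB", command, 0, 0x18, 0xC807, 0, b"\x00" * 8,
                          0, tid, 0xFEFF, uid, mid)  # flag values are typical, not inspected
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body


def session_setup_body(account=b"", password=b""):
    """SESSION_SETUP_ANDX (NT LM 0.12 form); empty account and password = null session."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 50, 0, 0, len(password), 0, 0, 0)
    data = password + account + b"\x00" + b"\x00" + b"Unix\x00" + b"Samba\x00"
    return bytes([13]) + words + struct.pack("<H", len(data)) + data


def tree_connect_body(path, password=b"\x00"):
    """TREE_CONNECT_ANDX to a share path such as \\\\host\\IPC$."""
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, len(password))
    data = password + path + b"\x00" + b"?????\x00"
    return bytes([4]) + words + struct.pack("<H", len(data)) + data


def nt_trans_body(total_data_count, data):
    """NT_TRANSACT with a 32-bit TotalDataCount (a size Trans2 fields cannot express)."""
    words = struct.pack("<BHIIIIIIIIBH", 0, 0, 30, total_data_count, 0, 0, 30, 0,
                        len(data), 0, 0, 0)
    return bytes([19]) + words + struct.pack("<H", len(data)) + data


def trans2_secondary_body(data, displacement):
    """TRANSACTION2_SECONDARY carrying the next chunk of a transaction's data."""
    words = struct.pack("<9H", 0, 0, 0, 0, 0, len(data), 0, displacement, 0)
    return bytes([9]) + words + struct.pack("<H", len(data)) + data


def parse_stream(stream):
    """Yield (command, tid, uid, body) for each NetBIOS-framed SMBv1 message."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        msg = stream[pos + 4:pos + 4 + length]
        pos += 4 + length
        if len(msg) < SMB_HEADER.size or msg[:4] != b"\xffSMB":
            continue
        _p, cmd, _s, _f, _f2, _ph, _sig, _r, tid, _pid, uid, _mid = SMB_HEADER.unpack_from(msg)
        yield cmd, tid, uid, msg[SMB_HEADER.size:]


def is_null_session(body):
    """True when both password fields are empty (or a lone NUL) and the account name is empty."""
    oem_len, uni_len = struct.unpack_from("<HH", body, 15)
    account = body[29 + oem_len:].split(b"\x00", 1)[0]
    return oem_len <= 1 and uni_len == 0 and account == b""


def analyze(stream):
    """Return the indicators seen on one client->server TCP/445 stream, in order."""
    seen, pending_nt_trans = [], False
    for cmd, _tid, _uid, body in parse_stream(stream):
        if cmd == SESSION_SETUP_ANDX and is_null_session(body):
            seen.append("anonymous (null) session")
        elif cmd == TREE_CONNECT_ANDX and (b"IPC$" in body or b"I\x00P\x00C\x00$\x00" in body):
            seen.append("tree connect to IPC$")
        elif cmd == NT_TRANSACT:
            total = struct.unpack_from("<I", body, 8)[0]
            if total > 0xFFFF:  # larger than any 16-bit Trans2 count field can hold
                pending_nt_trans = True
                seen.append(f"NT Trans with TotalDataCount {total:#x}")
        elif cmd == TRANSACTION2_SECONDARY and pending_nt_trans:
            seen.append(ALERT)  # a normal client continues an NT Trans with 0xA1, not 0x33
            break
    return seen


# Constructed exploit-style exchange: the message sequence from the report, not a real capture.
EXPLOIT_STREAM = b"".join([
    build_smb(SESSION_SETUP_ANDX, session_setup_body()),
    build_smb(TREE_CONNECT_ANDX, tree_connect_body(b"\\\\10.0.0.5\\IPC$"), uid=0x800),
    build_smb(NT_TRANSACT, nt_trans_body(0x11000, b"\x90" * 4096), tid=0x800, uid=0x800),
] + [build_smb(TRANSACTION2_SECONDARY, trans2_secondary_body(b"A" * 4096, 4096 * i),
               tid=0x800, uid=0x800) for i in range(1, 4)])

# Constructed benign exchange: authenticated user, a file share, a stray Trans2 Secondary.
BENIGN_STREAM = b"".join([
    build_smb(SESSION_SETUP_ANDX, session_setup_body(b"alice", b"x")),
    build_smb(TREE_CONNECT_ANDX, tree_connect_body(b"\\\\10.0.0.5\\docs"), uid=0x801),
    build_smb(TRANSACTION2_SECONDARY, trans2_secondary_body(b"B" * 64, 0), tid=0x801, uid=0x801),
])

if __name__ == "__main__":
    print(analyze(EXPLOIT_STREAM))
    print(analyze(BENIGN_STREAM))
```

The null session and the IPC$ connect are recorded as context only, since ordinary clients use both for named pipes; the alert is raised on the transaction-type mismatch, which is what distinguishes this traffic from legitimate SMBv1.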