Eternal blue Vulnerability

kandelrc 1,098 views 22 slides Nov 05, 2019

About This Presentation

This is the presentation prepared by Post Grad students, Macquarie University.


Slide Content

ETERNAL BLUE
Romance Kandel, Suresh Lamichhane, Dhiraj Gajurel, Pratikar Uprety

ETERNAL BLUE

Variations
- Eternal Romance
- Eternal Champion
- Eternal Rocks
- Eternal Synergy

Impact
- WannaCry
- NotPetya
- Bad Rabbit
- Olympic Destroyer
- Baltimore ransomware

SMB (Server Message Block)
- 1983: invented by Barry Feigenbaum (IBM)
- Used by Windows as its file sharing protocol
- Extensible protocol, e.g. psexec
- The vulnerability was in the SMBv1 srv.sys driver

SMBv1 Internals

Context

The Bugs

Bug A

Extended Attributes
- Metadata attached to files: name/value key pairs
- OS/2 v1.2 (joint Microsoft/IBM OS): the EA concept was introduced, together with HPFS
- Windows NT (OS for server and workstation): NTFS, which makes little use of extended attributes; it has alternate data streams instead
- WSL: EAs are used for permissions and case sensitivity

FEALIST structure

    SMB_FEA_LIST {
        ULONG SizeOfListInBytes;
        UCHAR FEAList[];
    }

Exploitation
- Set SizeOfListInBytes to 0x10000.
- Craft 607 SMB_FEA structures appended one after another such that: 605 empty packets occupy 5 bytes each, the 606th packet occupies (0xf383 + 5) bytes and the 607th packet is (0xa8 + 5) bytes.
- While converting the OS/2 FEA list to NT format, the SrvOs2FeaListSizeToNt function stores the total byte count with an incorrect cast, from ULONG to USHORT.
- Instead of shrinking SizeOfListInBytes to the correct size, this bug enlarges it, causing an out-of-bounds write.
- A response with status 0xC000000D signifies that the overwrite was successful.

Bug B

SMB TRANSACTION
Transaction messages of interest:
- SMB_COM_TRANSACTION (or Trans)
- SMB_COM_TRANSACTION2 (or Trans2)
- SMB_COM_NT_TRANSACT (or NT Trans)
Each sub-command has a corresponding _SECONDARY sub-command, used when the data is too big for a single packet.

Exploitation
- The maximum amount of data differs between Trans2 and NT Trans.
- Parsing is done according to the last transaction type; there is no validation of which function started the transaction.
- It is therefore possible to send an NT Trans followed by a Trans2_SECONDARY, which leads to bug A by treating a DWORD as a WORD, since the data of the two different transaction types is parsed incorrectly.

Bug C

Session Setup Allocation Error
- Two ways to log in to SMB: NT Security and Extended Security (13 words vs 12 words)
- Certain flag values can confuse it, so it reads the SMB_DATA_BLOCK size at the wrong offset
- Can reserve large memory
- Freed on demand: close the client socket

Exploitation
The heap is sprayed, but this time with srvnet!SRVBUFFER objects using the SMBv2 protocol:
- Send primary grooms with the FEAList in them, except for the last one.
- Send naked SMB as grooms for new pool allocations.
- Send the session setup allocation buffer.
- Send a session setup hole buffer.
- Close the allocation connection.
- Send secondary grooms.
- Send the final FEAList exploit fragments, calculated to fit in the hole but overflow into the adjacent groom.

Final Exploit
- SRVBUFFER contains an MDL and a srvnet!SRVNET_CONNECTION object.
- Both pointers are overwritten so that they point to fixed addresses in the HAL region.
- Because of the corrupted MDL pointer, the next packet payload gets written to the HAL region, which contains the shell code.
- The HAL region is marked as readable, writable and executable.

Mitigation
Install the MS17-010 security update. MS17-010 only changed the type from short to long in SrvOs2FeaListSizeToNt():

    SmbPutUshort(&FeaList->cbList, PTR_DIFF_SHORT(fea, FeaList));

became

    SmbPutUlong(&FeaList->cbList, PTR_DIFF_LONG(fea, FeaList));
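The cast fix described above, as an added example that is not from the slides or from srv.sys: a simplified C model of the list-size fix-up (the function name, the fea_sizes array and the patched flag are assumptions) applied to the FEA layout from the Bug A slide, showing why the 16-bit store enlarges the count and the 32-bit store shrinks it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the SizeOfListInBytes fix-up (not srv.sys code):
 * walk the FEAs, stop at the first one that does not fit in cb_list, and
 * write the number of bytes actually consumed back into the 32-bit field.
 * patched=false mimics SmbPutUshort/PTR_DIFF_SHORT: a 16-bit store that
 * leaves the high word of cb_list untouched.
 * patched=true mimics SmbPutUlong/PTR_DIFF_LONG from MS17-010. */
static uint32_t os2_fea_list_size_to_nt(uint32_t cb_list, const uint16_t *fea_sizes,
                                        size_t n_fea, bool patched)
{
    uint32_t consumed = 0;
    for (size_t i = 0; i < n_fea; i++) {
        if (consumed + fea_sizes[i] > cb_list)
            break;                       /* this FEA would overrun the list */
        consumed += fea_sizes[i];
    }
    if (patched)
        return consumed;                                   /* whole 32 bits */
    return (cb_list & 0xFFFF0000u) | (consumed & 0xFFFFu); /* low 16 bits only */
}

/* The list layout from the slide: 605 empty FEAs of 5 bytes, one of
 * 0xf383 + 5 bytes and one of 0xa8 + 5 bytes, with cb_list = 0x10000. */
static uint32_t slide_list_size(bool patched)
{
    static uint16_t sizes[607];
    for (size_t i = 0; i < 605; i++)
        sizes[i] = 5;
    sizes[605] = 0xf383 + 5;
    sizes[606] = 0xa8 + 5;
    return os2_fea_list_size_to_nt(0x10000u, sizes, 607, patched);
}

/* Defender's check: the corrected count must never exceed the bytes received. */
static bool count_is_safe(uint32_t corrected, uint32_t bytes_received)
{
    return corrected <= bytes_received;
}

int main(void)
{
    uint32_t before = slide_list_size(false), after = slide_list_size(true);
    printf("unpatched cbList = 0x%x (%s)\n", before,
           count_is_safe(before, 0x10000u) ? "within data" : "exceeds data");
    printf("patched   cbList = 0x%x (%s)\n", after,
           count_is_safe(after, 0x10000u) ? "within data" : "exceeds data");
    return 0;
}
```

With the unpatched store the high word 0x0001 survives and the count becomes 0x1ff59, larger than the 0x10000 bytes that exist; the patched store yields 0xff59, the bytes actually consumed.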

References
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/201806-EternalBlue.pdf
- https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/
- https://research.checkpoint.com/eternalblue-everything-know/#bugb