Friday, May 12, 2017 saw what is thought to be the first widespread use of the SMBv1 vulnerability addressed by Microsoft's MS17-010 bulletin. The tooling that exploits it is believed to have been developed and used by the NSA, and was subsequently released in a leak of NSA data by the Shadow Brokers group.
The tools in question are named ‘EternalBlue’ (the SMBv1 exploit) and ‘DoublePulsar’ (the backdoor implant it installs). Further details on the leak can be found in various news articles, and the tools have been analyzed by numerous security researchers.
In this instance a piece of ransomware, WannaCry (also known as WannaCrypt), was released and infected organizations in over 150 countries worldwide, including the United Kingdom’s National Health Service (NHS). As a result, scheduled medical operations throughout the United Kingdom were delayed, potentially putting lives in danger. SureCloud have written an article providing recommendations and advice for preventing and recovering from ransomware attacks.
Within this article SureCloud will provide an overview of how these vulnerabilities are exploited, so that organizations and security professionals can better prepare themselves. Step-by-step instructions are not provided, but the set-up of a proof-of-concept environment and the tools used are described.
What is MS17-010?
The security bulletin ‘MS17-010’ was released by Microsoft in response to the disclosure of these vulnerabilities. It covers a critical vulnerability in Microsoft's implementation of the SMB version 1 (SMBv1) server. Successful exploitation results in remote code execution (RCE) on an affected system without any credentials; because the flaw sits in the kernel-mode SMB server driver (srv.sys), it gives the attacker SYSTEM-level access to the host.
The Microsoft Security Bulletin can be found on Microsoft's site, together with a separate article providing customer guidance for the WannaCrypt attacks.
Replicating the attack
Before delving further it is important to note that SureCloud do not own any rights to the software mentioned within this post, and any use of the exploitation tool detailed below is at your own risk. Only use this exploit within a controlled lab environment; a failed attempt can crash (blue-screen) the target. The lab environment used by SureCloud for this analysis consisted of a fully updated Kali Linux VM and a Microsoft Windows Server 2008 R2 (x64) VM. The Server 2008 R2 system did not have the ‘MS17-010’ update installed for the proof of concept.
Since the Shadow Brokers group published these tools, everything that a penetration tester or attacker would require to exploit this vulnerability is publicly available, and a quick search online reveals numerous repositories on GitHub relating to these vulnerabilities.
For those looking to include these exploit tools in their penetration testing arsenal, this can be accomplished with a custom configuration of Kali Linux and Metasploit. The first requirement is a Metasploit module that acts as a wrapper around the leaked binaries. An example has been written by the GitHub user ElevenPaths; it can be freely cloned and includes the Metasploit module and the required dependencies.
You will also need to install some additional software and add i386 architecture support to your Kali Linux installation, because the leaked EternalBlue and DoublePulsar executables are 32-bit Windows binaries that the wrapper module runs under Wine. This can be achieved by running the following command:
dpkg --add-architecture i386 && apt-get update && apt-get install wine32
The ‘eternalblue_doublepulsar.rb’ script would need to be moved into the Metasploit custom modules folder; this was located within the path ‘~/.msf4/modules/exploits/shadowbrokers/’ (you will have to create the ‘shadowbrokers’ directory).
Once that is done, start the Metasploit console and reload the module tree with ‘reload_all’. You should then be able to search for the new module and use it from the console.
Configuring the module
It is recommended that you set the PROCESSINJECT option to either ‘explorer.exe’ or ‘lsass.exe’, as the module's default injection target does not always work. Select the desired payload (for example ‘windows/x64/meterpreter/reverse_tcp’), set ‘LHOST’ and the target IP (‘RHOST’), and select the target architecture/operating system. Once everything is configured, run the exploit and await the response from the target system.
Note that injecting into ‘explorer.exe’ may fail if nobody is logged on to the remote system, because the process will not exist. The resulting session runs as the logged-on user: if that user is a local administrator you obtain administrative privileges directly, otherwise the usual post-exploitation privilege escalation methods are needed. Injecting into ‘lsass.exe’ yields a session running as SYSTEM, but lsass.exe is a critical process and a failed injection can force the host to reboot.
The following images show the proof of concept in use:
Fig 1: Configured options for eternalblue_doublepulsar Metasploit module
Fig 2: Launched exploit with Meterpreter reverse shell
Discovering vulnerable systems
Nessus and Metasploit both provide detection capabilities for vulnerable systems on the network. Metasploit has the auxiliary scanner module ‘smb_ms17_010’ (auxiliary/scanner/smb/smb_ms17_010), which performs an unauthenticated check over a null session, and Nessus has both authenticated and unauthenticated detections (plugins 97737 and 97833 respectively).
An example of the Metasploit detection module ‘smb_ms17_010’ in use:
Fig 3: Metasploit smb_ms17_010 detection module
SureCloud’s vulnerability scanning platform services are actively detecting where these security updates are missing for clients who are using credentialed scanning with an internal SureCloud Scanning Appliance. External detection of the missing updates is possible, but only where the SMB service (TCP port 445) is exposed, and exposing SMB to the public internet is not recommended.
Mitigation and compensating controls
Microsoft have released security updates for these vulnerabilities, including emergency patches for Windows Server 2003, Windows XP and Windows Vista, despite these no longer receiving feature or security updates. As these operating systems are long out of support it is highly unusual for Microsoft to release patches for them, which demonstrates how critical this vulnerability is in terms of real-world risk.