SANS ISC: InfoSec Handlers Diary Blog



ETERNALBLUE: Windows SMBv1 Exploit (Patched)

Published: 2017-04-14
Last Updated: 2017-04-15 12:17:15 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

Microsoft released a blog post outlining which patches address which of the vulnerabilities exploited by the various "Shadowbroker" exploits. According to the table released by Microsoft, "ETERNALBLUE" was fixed by MS17-010, released in March. Interestingly, MS17-010 listed all of its vulnerabilities as "not used in exploits", and Microsoft's acknowledgement page does not list a source for the vulnerability disclosure.

We decided to keep our "Infocon" at Green in light of the availability of a patch.

To protect yourself from this exploit, you can also disable SMBv1 (see this KB article by Microsoft for details), and make sure you are blocking port 445.
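As an added example (this is not code from the diary or from Microsoft's KB article), the following PowerShell script audits whether the SMBv1 server is enabled on a Windows host and, with the `-Remediate` switch, disables it and adds a Windows Firewall rule blocking inbound TCP/445. It assumes the `Smb*` and `NetFirewall*` cmdlets of Windows 8 / Server 2012 and later; on older systems it falls back to the `LanmanServer\Parameters\SMB1` registry value that Microsoft's KB article describes. The switch name, the firewall rule name and the function names are my own choices.

```powershell
# Added example, not part of the ISC diary: report on SMBv1, optionally disable it and block TCP/445.
# Run from an elevated PowerShell prompt. Without -Remediate the script only reports.
param(
    [switch]$Remediate
)

# Registry location used by the legacy (Windows 7 / Server 2008 R2) method; an absent SMB1 value
# means SMBv1 is enabled, a value of 0 means it is disabled.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # Prefer the SMB cmdlets where they exist (Windows 8 / Server 2012 and newer)
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Fallback for older systems: read the registry value directly
    $val = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Takes effect immediately, no reboot needed
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Legacy method: requires a reboot before the server stops speaking SMBv1
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Where the optional feature exists (Windows 8.1 / Server 2012 R2 and newer), remove it as well
    # so that the SMBv1 client side is gone too
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-Smb445 {
    # Host-level rule; the diary's advice to block 445 applies first and foremost at the perimeter
    $ruleName = 'Block inbound SMB TCP 445 (ETERNALBLUE mitigation)'   # assumed name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$enabled = Get-Smb1Status
if ($enabled) { Write-Host 'SMBv1 server: ENABLED' } else { Write-Host 'SMBv1 server: disabled' }

if ($Remediate) {
    if ($enabled) { Disable-Smb1 }
    Block-Smb445
    Write-Host 'SMBv1 disabled and inbound TCP/445 blocked (reboot required if the registry method was used).'
}
```

Run it once without arguments on a sample of hosts to see how widespread SMBv1 still is before remediating; the host-level 445 block also stops legitimate file sharing to that machine, so for file servers disable SMBv1 but leave 445 open internally and block it at the network edge instead.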

A Snort rule for ETERNALBLUE was released by Cisco as part of the "registered" ruleset. Check for SID 41978.

-----

Shadowbroker, as part of the set of exploits it collected and had offered for auction, today released a number of Windows-related exploits. One that looks particularly interesting, as it promises an exploit via SMB for Windows hosts up to Windows 8 and Windows Server 2012, was published under the name "ETERNALBLUE".

Right now, I haven't been able to make it fully work yet, but I was able to collect some packets to a Windows 7 system. By default, the exploit makes three attempts to attack a system. An XML file accompanying the exploit allows the attacker to configure various parameters.

In general, an SMB exploit *should* not be all that exciting these days, as blocking port 445 is standard best practice. I am attaching a link to a packet capture below to allow you to analyze it further. In the packet capture, the vulnerable host's IP address is 10.128.0.243.

After repeated attempts, the Windows 7 host crashed.

pcap: https://isc.sans.edu/diaryimages/eternalblue.pcap


---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
