Exploit Derived From EternalSynergy Upgraded To Target Newer Windows Versions (bleepingcomputer.com)
An anonymous reader writes: "Thai security researcher Worawit Wang has put together an exploit based on ETERNALSYNERGY that can also target newer versions of the Windows operating system," reports Bleeping Computer. "ETERNALSYNERGY is one of the NSA exploits leaked by the Shadow Brokers hacking group in April this year. According to a Microsoft technical analysis, the exploit can allow an attacker to execute code on Windows machines with SMB services exposed to external connections. The exploit works up to Windows 8. According to Microsoft, the techniques used in the original ETERNALSYNERGY exploit do not work on newer platforms due to several kernel security improvements. Wang says his exploit targets the same vulnerability but uses a different exploitation technique. His method 'should never crash a target,' the expert says. 'Chance should be nearly 0%,' Wang adds." Combining his exploit with the original ETERNALSYNERGY exploit would allow a hacker to target all Windows versions except Windows 10. This is about 75% of all Windows PCs. The exploit code is available for download from Wang's GitHub or ExploitDB. Sheila A. Berta, a security researcher for Telefonica's Eleven Paths security unit, has published a step-by-step guide on how to use Wang's exploit.
Conspiracy Theory (Score:1)
I wonder if Microsoft is actually behind all these leaks in order to push people towards Windows 10.
Re: Conspiracy Theory (Score:5, Insightful)
Don't attribute to malice what can be attributed to incompetence.
Windows is and has always been a pile of excrement especially when it comes to security.
Re: (Score:1)
No more so than Linux. But no one has cared about exploiting it because there's just not many consumers running it.
Re: Conspiracy Theory (Score:5, Insightful)
Yeah, the main line of thinking would be, "WOW! Microsoft pushed Windows 10 so hard to get people protected from all this shit!"
Then you realize Microsoft didn't have patches and didn't know about this shit until the storm came.
Never attribute to brilliance what can be attributed to dumb luck.
Re: (Score:2)
Microsoft has been compartmentalizing and hardening Windows for over a decade now. This is the result of hard work rather than blind luck.
I have complaints about their direction sometimes, but they do have some excellent developers who do amazing work---when they're not under orders to build user-hostile functionality.
Re: (Score:2)
Kernel bugs generally don't get exploit protection; and CVE scores don't account for exploit mitigation prevention. If your little proxy server is vulnerable to a buffer overflow from a long domain name, then it's RCE. Never mind that RCE is physically-impossible because, once you guess your way past ASLR and perform a return-to-libc to change memory protections, it turns out the OS won't allow memory that's ever been writable to become executable, thus preventing a bit from being set which is plugged in
Re: (Score:3)
A broken clock is right once a day.
*twice.*
Re: (Score:2)
A stopped clock.
And it might be right only once or three times when daylight saving starts or ends.
Re: (Score:2)
They weren't specifically-aware of these exploits though. That's the point: that these don't work on Windows 10 isn't the storm from which Microsoft tried to save us; it's just another storm nobody predicted, and nobody predicted one this bad. "We told you to switch to Windows 10! You should have listened! Look what happened!" isn't much of a valid argument because Microsoft's decision to push for Windows 10 wasn't based on "what happened", or any prediction thereof.
Attribution to incompetence doesn
So he updated it to work with Windows 8.1? (Score:4, Interesting)
"security researcher".. (Score:5, Insightful)
Re: (Score:3)
While you may feel the guy acted irresponsibly and deserves some sort of insulting moniker, script kiddie isn't a good fit.
A script kiddie can't write exploits or generally understand the things they are using. They don't post exploits because they aren't that capable, they just know where to go to download and then clumsily apply the work of others.
Re: (Score:3)
Security by obscurity is not security. We can now use his published exploit to prime our IDS and IPS. There's no way he could get this to every IDS vendor in the world; he'd have to identify them all, and even I can't do that.
Just disable SMBv1 (Score:2)
Makes me glad I took the somewhat drastic step of disabling SMBv1 on my network. As an added bonus, this makes it so Windows XP and Server 2003 are useless :).
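An added example, not part of the article summary or of any comment above: the summary says the exploit reaches Windows hosts with SMB exposed, and the comment above recommends disabling SMBv1 outright. The script below audits whether a Windows host still offers SMBv1 (server flag, optional-feature package, client redirector driver) and whether anything is listening on TCP 445, then turns SMBv1 off. The cmdlets and the `sc.exe` dependency edits are Microsoft's documented ones for Windows 8.1/Server 2012 R2 and later; the function names and the `$env:COMPUTERNAME` report layout are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or from the commenter above).
# Audit and disable SMBv1 on the local Windows host. Requires elevation.
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # Three independent places SMBv1 can be switched on:
    #   1. the LanmanServer protocol flag (what a remote attacker negotiates),
    #   2. the SMB1Protocol optional-feature package,
    #   3. the mrxsmb10 client redirector driver.
    # Also report whether anything is listening on TCP 445 at all.
    $server   = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    $client   = (Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue).StartType
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME   # example's own report field
        ServerSmb1Enabled = $server
        Smb1FeatureState  = $feature
        ClientDriverStart = $client
        Port445Listening  = [bool]$listener
    }
}

function Disable-Smb1 {
    # Server side: stop LanmanServer negotiating SMBv1 (takes effect immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the SMB1 package so it cannot be re-enabled by accident
    # (Windows 8.1 / Server 2012 R2 and later; on Server editions
    # Remove-WindowsFeature FS-SMB1 is the equivalent).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Client side: make the workstation service depend only on the SMB2+
    # redirector and disable the SMB1 redirector driver (per Microsoft KB 2696547).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

Write-Host "Before:"
Get-Smb1Status | Format-List

Disable-Smb1

Write-Host "After (client-side change completes on reboot):"
Get-Smb1Status | Format-List
```

Two caveats a practitioner will want: on Windows 7 / Server 2008 R2 the `*-SmbServerConfiguration` cmdlets do not exist, and the server flag is instead the `SMB1` DWORD under `HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` (set to 0); and disabling SMBv1 only removes the transport this exploit rides on, so a host that still exposes TCP 445 to untrusted networks should also be firewalled, since the same dialect-negotiation surface carries SMBv2/v3.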
Re: (Score:2, Informative)
Your patch is a temporary fix.
The real fix would be to dump Windows.
Re: (Score:2)
The Windows bashing is just stupid. It oversimplifies the problem and whitewashes Linux security issues.
Samba has a recent arbitrary code vulnerability.
NFS had some arbitrary remote code vulnerabilities too (although not recently).
The real fix is: layers of security, intrusion detection, and auditing---with trained, vigilant personnel to monitor it all. There is no single solution for security.
Re: (Score:2)
I can understand why those who still use Windows are defensive but any objective view of the issue of security would have to conclude that Windows continues to be a security nightmare with new vulnerabilities being developed and exploited every month.
"Stupidity is doing the same thing over and over and expecting a different result."
Re: (Score:2)
continues to be a security nightmare with new vulnerabilities being developed and exploited every month.
This is true of every piece of software. Making this out to be a Windows-specific problem is just ignorant. It applies to applications like IIS and Apache, too, not just operating systems.
Now, is Windows worse than the average Linux distro when considering both vulnerability count and severity? I would answer yes, but the gap is much smaller than the Win 9x/XP days.
Are the requirements to secure and monitor the infrastructure drastically different for Windows vs Linux hosts? No, not really.
In either case, y
Re: (Score:2)
It is ILLEGAL to fix bugs in proprietary software, no matter how much active exploits are hurting you.
This is largely irrelevant at the enterprise level.
Very few enterprises have the expertise in-house to fix kernel bugs or contribute to Apache/Samba/etc. In both cases, they are beholden to their vendors. The same applies to home users.
There is only really a very small niche of people who can introduce custom fixes for zero-day exploits.
The vast majority of internet hosts will see better security from having dedicated firewall, IDS, and auditing personnel vs retaining a kernel hacker. Even having a competen
linux IS the prime target (Score:1)
WHY WHY WHY would anyone target Windows when all of the INTERESTING data is on LINUX servers?
WHO CARES about your recipes and your photos and your music.
ALL of the data worth stealing is on LINUX, on SERVERS at places like Amazon and ebay and YOUR BANK. The info on MILLIONS of people can be had if you can break into ONE server!
So WHY do they go after Windows, even though the pickings are slim? Because it's EASY.