General "EternalBlue" Discussion

5 replies to this topic

#1 Guest_Aaron_Warrior_*

Posted 04 June 2017 - 03:13 PM

I just read the Wikipedia article on this.

https://en.wikipedia.org/wiki/EternalBlue

The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

The way this is phrased is ambiguous and leaves open two very different possibilities.

1) That there is an accidental defect in SMB that somehow "accepts" what might be called "deformed" packets, or

2) That there is a deliberate backdoor installed in SMB, that allows people that know the right "code" to access a machine remotely.

My nearest approximation to possibility #2 is the "magic packet" used to turn on a sleeping/suspended network card on a network.

Is EternalBlue an exploit that takes advantage of a flaw in the code, or is it a backdoor allowing "just anyone" that knows the right "key" to access someone's computer? Given the close association between this "vulnerability" (I think it's a backdoor) and the NSA, I'm thinking it's not an accident. But I don't see anyone saying this openly at this point, so I'm asking.

#2 smax013

Posted 04 June 2017 - 04:10 PM

Considering that the same Wikipedia article says Microsoft issued a patch to deal with it, that tends to largely point to it just being a vulnerability that the NSA was just exploiting and not a backdoor.

Now, if one is into conspiracy theories, then you can likely come up with a way where it being a backdoor still fits, but that kind of flies in the face of obvious information. Not saying that such a conspiracy theory is definitely not true, but then that is typically true of any good conspiracy theory... they are typically almost impossibly hard to prove definitively false.

#3 Guest_Aaron_Warrior_*

Posted 04 June 2017 - 10:54 PM

Considering that the same Wikipedia article says Microsoft issued a patch to deal with it, that tends to largely point to it just being a vulnerability that the NSA was just exploiting and not a backdoor.

I've heard rumors that the NSA (et al.) went around to all the various corporations seeking backdoors into everything. CPU, operating systems, routers, everything, and everyone gave it to them and it was a big secret. That was 5 years ago or more. Now this. I think it was a backdoor, and I think that MS wants to pretend it wasn't. I want to know the definition of "specifically crafted packets" and I'd also like to know who found out and how, i.e. who first broke the story or whatever. My sense is that someone from MS spilled the beans.

But maybe you are right, and it was just a random chance sort of thing. Okay gotta go, the tooth fairy is coming by tonight, and I gotta get ready for the Easter Bunny too.

#4 smax013

Posted 05 June 2017 - 12:01 AM

"specifically crafted packets"

That can just mean packets that are formatted or ordered in a specific way. Kind of like a DOS command or programming command has a specific syntax. Just like if you don't use the DOS command with the correct syntax it will not do anything, it is likely that if you send packets with the wrong syntax, so to speak, it will not do anything. After all, any browser is effectively sending "specifically crafted packets" to the web server so that the web server understands what I am asking for, and then the web server sends back "specifically crafted packets" to my browser to display the page that I requested. If it sent back "randomly crafted packets" then who knows what my browser would display.

So, you are likely reading too much into it.

And I am not saying it is a random chance type of thing. I have ZERO doubt that the NSA and other alphabet soup agencies look for flaws and exploits in Windows, macOS, iOS, Android, etc. in an effort to help them do their job (and maybe beyond their job) and that is what was implied if not stated in that Wikipedia article. That is not random. It would be deliberate. But, that is way different than them asking, say, Microsoft to build them a backdoor into Windows. Neither is random, but one is more deliberate than the other and requires active collaboration by Microsoft (or Apple or Google or etc).

Personally, I am not going to get too obsessed over it because even if I were to assume it was true that they asked for and got a backdoor, then the only way I could realistically avoid it is to just not use computers. That is not something that I am willing to do. They are too useful, plus my life would be rather boring without computers as I am too much of a nerd. I am not saying that a lot of this stuff does not bother me, but I have learned long ago due to major medical issues that there are just some things that I cannot control, so I am not going to stress too much over them.

#5 Didier Stevens

Posted 05 June 2017 - 03:18 AM

Details of the "specially crafted packets" can be found in the source code for Metasploit's EternalBlue module:

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb

The overflow is on line 508.

If you want a pcap file, there's one available for download here:

https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
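Posts #4 and #5 describe the "specially crafted packets" as data that must follow SMBv1's exact wire syntax. As an added example (not from this thread, and not code from the Metasploit module Didier links), the Python below builds a well-formed SMBv1 Negotiate Protocol request from the public header layout and then parses frames, reporting every place a frame's length fields disagree with the bytes that actually arrived; that consistency check is what a defensive parser or IDS should do before trusting any field. All sample frames are constructed for the demo, not captured traffic.

```python
import struct

# Constructed sample frames for this demo (not captured traffic). The layout is the public
# SMBv1 wire format: a 4-byte NetBIOS session header, then a 32-byte SMB header, then a
# parameter block (WordCount + 16-bit words) and a data block (ByteCount + bytes).
NETBIOS_SESSION_MESSAGE = 0x00
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"  # magic, cmd, status, flags, flags2, pidhi, sig, rsvd, tid, pid, uid, mid

def build_smb1_frame(command, words, data):
    """Wrap an SMBv1 header plus parameter/data blocks in a NetBIOS session header."""
    header = struct.pack(SMB_HEADER_FMT, SMB1_MAGIC, command, 0, 0x18, 0xC807, 0,
                         b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    body = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return bytes([NETBIOS_SESSION_MESSAGE]) + len(body).to_bytes(3, "big") + body

def parse_smb1_frame(frame):
    """Parse one frame and record every place it departs from the expected structure."""
    problems = []
    if len(frame) < 4:
        return {"problems": ["truncated NetBIOS header"]}
    nb_len, body = int.from_bytes(frame[1:4], "big"), frame[4:]
    if frame[0] != NETBIOS_SESSION_MESSAGE:
        problems.append(f"unexpected NetBIOS type 0x{frame[0]:02x}")
    if nb_len != len(body):  # the length field must agree with what actually arrived
        problems.append(f"NetBIOS length {nb_len} != actual body length {len(body)}")
    if len(body) < 32:
        problems.append("SMB header truncated")
        return {"problems": problems}
    hdr = struct.unpack(SMB_HEADER_FMT, body[:32])
    if hdr[0] != SMB1_MAGIC:
        problems.append("bad SMB magic")
    info = {"command": hdr[1], "tid": hdr[8], "uid": hdr[10], "mid": hdr[11], "problems": problems}
    rest = body[32:]  # rest[0] is WordCount; ByteCount follows the words
    if len(rest) < 1 or len(rest) < 3 + 2 * rest[0]:
        problems.append("parameter/data block truncated")
        return info
    byte_count = struct.unpack_from("<H", rest, 1 + 2 * rest[0])[0]
    info["data"] = rest[3 + 2 * rest[0]:]
    if byte_count != len(info["data"]):
        problems.append(f"ByteCount {byte_count} != actual data length {len(info['data'])}")
    return info

# A well-formed Negotiate Protocol request offering one dialect, as a client would send it.
GOOD_NEGOTIATE = build_smb1_frame(SMB_COM_NEGOTIATE, b"", b"\x02NT LM 0.12\x00")
# The same bytes with the NetBIOS length field overstating the body size by 4096.
BAD_LENGTH = GOOD_NEGOTIATE[:1] + (len(GOOD_NEGOTIATE) - 4 + 4096).to_bytes(3, "big") + GOOD_NEGOTIATE[4:]
```

Running `parse_smb1_frame` over the two constants shows the difference between a packet that merely follows the syntax and one whose declared sizes no longer match its contents.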

#6 JohnnyJammer

Posted 05 June 2017 - 11:40 PM

I did a fuzzer to create and test all sorts of packets when I was a Yahoo booter kid and found a lot of packets that could be implemented in a way to achieve all sorts of things ;).

Packet size of 1 GIG? Yes, they didn't even check the size of a packet LOL, dropping files on your desktop without you even knowing, voice amplification, locking PC/keyboard, accessing accounts without Y & T cookie and/or auth token by exploiting the login string epoch time, basically you name it.

Then again Yahoo's lax security on packet inspection was a joke.
