Often, software vendors such as Microsoft release security patches for their products. Instead of a full-scale upgrade, patches are smaller, targeted updates that address vulnerabilities discovered in the current version of the product. The vulnerabilities fixed by these patches are often critical issues that can be exploited by attackers to gain access to sensitive information or even infect systems with ransomware.
In this week’s “Back to Basics” post, we will cover three of the most common and critical Microsoft patches, how the vulnerabilities these patches address are exploited, what successful exploits accomplish, and how best to apply these and other security patches.
MS17-010
In May 2017, the WannaCry ransomware attack was deployed worldwide, affecting as many as 200,000 computers globally and causing at least hundreds of millions of dollars in damages. This devastating attack took advantage of a vulnerability in Microsoft’s Server Message Block (SMB) protocol. Multiple published exploits exist for this vulnerability which, if successful, provide an attacker with SYSTEM access to the affected machine without having to provide any credentials. In the case of the WannaCry attack, EternalBlue was the exploit used.
The patch for this vulnerability was released in March 2017 for all operating systems supported at the time, two months before the WannaCry ransomware attack, but many users and organizations had not applied the patch in that time. This is one example of why it’s so important to apply critical patches in a timely manner. After the attack, Microsoft released additional patches for end-of-life operating systems that were no longer supported, such as Windows XP.
How to Exploit MS17-010
After verifying that one or more machines in the organization’s network are missing the MS17-010 patch, the following steps can be performed to exploit it:
- Open the Metasploit Framework (an industry standard, free and open-source exploitation framework) with ‘msfconsole.’
(Screenshot: opening the Metasploit Framework)
(Screenshot: searching for the EternalBlue module)
- Load the auxiliary/scanner/smb/smb_ms17_010 module. This will check whether the target machine is vulnerable to EternalBlue before actually exploiting it.
- Set the RHOSTS parameter to the IP address of the target machine, and run the module.
(Screenshot: loading the EternalBlue scanner module, setting RHOSTS to our target machine, and running the module)
- Once we’ve verified that the target machine is vulnerable, load the exploitation module exploit/windows/smb/ms17_010_eternalblue.
- Set the RHOSTS to the IP address of the target machine, and the LHOST to your attacking machine’s IP address.
- Run the exploit!
(Screenshot: loading the EternalBlue exploit module, setting RHOSTS to our target machine, setting LHOST to our IP address (in this case, our Ethernet interface), and running the exploit. A reverse shell is successfully obtained.)
BlueKeep
The BlueKeep vulnerability, first reported in May 2019, affects the implementation of Microsoft’s Remote Desktop Protocol (RDP) service. This vulnerability can allow an attacker to remotely execute code on affected devices with SYSTEM privileges, meaning the device would be fully compromised without requiring any user interaction or credentials. The publicly available exploit for this vulnerability, released in September 2019, is self-replicating, meaning that even if only one device on a network is initially infected, the infection can spread to other devices without any additional work on the part of the attacker.
BlueKeep affects unpatched Windows versions up to and including Windows 7 and Windows Server 2008 R2, and the issue is so critical that Microsoft has released patches for all affected systems, including versions that are otherwise no longer supported.
How to Exploit BlueKeep
After verifying that one or more machines in the organization’s network are missing the BlueKeep patch, the following steps can be performed to exploit it:
- Open the Metasploit Framework (an industry standard, free and open-source exploitation framework) with ‘msfconsole’ (pictured above).
- Load the auxiliary/scanner/rdp/cve_2019_0708_bluekeep module. This will check whether the target machine is vulnerable to BlueKeep before actually exploiting it.
- Set the RHOSTS parameter to the IP address of the target machine and run the module.
(Screenshot: running the BlueKeep scanner module)
- Once we’ve verified that the target machine is vulnerable, load the exploitation module exploit/windows/rdp/cve_2019_0708_bluekeep_rce.
- Set the RHOSTS to the IP address of the target machine, and the LHOST to your attacking machine’s IP address.
- Run the exploit!
(Screenshot: loading the BlueKeep exploit module, setting RHOSTS to our target machine, setting LHOST to our IP address (in this case, our Ethernet interface), and running the exploit. A reverse shell is successfully obtained.)
It is important to note that this exploit, when not configured correctly, will cause the target machine to bluescreen and reboot. Here’s an example of this:
(Screenshot: the target machine bluescreening and rebooting after an incorrectly configured exploit attempt)
And here’s what it looks like with successful exploitation:
(Screenshot: successful exploitation)
Zerologon
In 2020, an elevation of privilege vulnerability known as Zerologon was discovered in the Microsoft Netlogon Remote Protocol (NRPC) interface. This vulnerability allows an unauthenticated user to bypass the entire authentication process when connecting to remote systems. Once authentication has been bypassed, the attacker can use a variety of calls available within the NRPC interface, most notably the “NetrServerPasswordSet2” call, which machine accounts use to update their own account passwords within Active Directory.
The attacker could perform this attack against a domain controller, changing the account password to a known value in order to access this machine and, from there, control the entire network.
The initial patch for Zerologon was released in August 2020, and an additional patch was released in February 2021.
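On the defensive side, the password reset described above leaves a trace in the domain controller’s Security log: a computer-account change (event 4742) whose subject is not the machine itself, because the caller never authenticated, but ANONYMOUS LOGON. Patched domain controllers also log Netlogon events 5827 through 5831 for vulnerable secure-channel connections (5829 when such a connection is still allowed during the initial deployment phase). The Python below is an added example for this post, not code from the original article: it runs that detection logic over constructed JSON-lines records. It assumes the EventData field names of event 4742 (SubjectUserName, TargetUserName, PasswordLastSet) as a SIEM would extract them, assumed field names for 5829, and an inventory of domain controller account names.

```python
"""Flag Security-log records consistent with a Zerologon-style reset of a
machine-account password.  Added example; the log lines are constructed,
not captured from a real system."""
import json

# Assumed inventory of domain controller machine accounts (constructed).
DC_ACCOUNTS = {"DC1$", "DC2$"}

# Constructed sample log, one JSON object per line, as a log forwarder
# might emit it.  Field names for 4742 follow the Windows EventData names;
# the 5829 field names are assumed.
SAMPLE_LOG = """\
{"EventID": 4742, "SubjectUserName": "WS01$", "SubjectDomainName": "CORP", "TargetUserName": "WS01$", "PasswordLastSet": "2020-09-14 08:02:11"}
{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC1$", "PasswordLastSet": "2020-09-14 08:05:40"}
{"EventID": 4742, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "TargetUserName": "SRV02$", "PasswordLastSet": "-"}
{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "WS09$", "PasswordLastSet": "2020-09-14 08:07:03"}
{"EventID": 5829, "SamAccountName": "DC1$", "ClientIP": "10.0.0.50"}
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "jsmith"}
"""


def parse_events(log_text):
    """Parse JSON-lines text into dicts, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline would count and alert on these
    return events


def classify(event):
    """Return a finding dict for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 4742:
        target = event.get("TargetUserName", "")
        subject = event.get("SubjectUserName", "")
        # Only computer accounts (names ending in '$') are of interest here.
        if not target.endswith("$"):
            return None
        # Normal rotation: the machine changes its own password, so the subject
        # is the account itself.  A reset made without authenticating shows
        # ANONYMOUS LOGON as the subject and a fresh PasswordLastSet value.
        if subject.upper() == "ANONYMOUS LOGON" and event.get("PasswordLastSet", "-") != "-":
            return {
                "event_id": eid,
                "account": target,
                "severity": "CRITICAL" if target in DC_ACCOUNTS else "HIGH",
                "reason": "machine-account password set by an unauthenticated caller",
            }
        return None
    if eid == 5829:
        # Logged by patched DCs that still allow a vulnerable Netlogon
        # secure channel; tells you which client to look at.
        return {
            "event_id": eid,
            "account": event.get("SamAccountName", "?"),
            "severity": "MEDIUM",
            "reason": f"vulnerable Netlogon connection allowed from {event.get('ClientIP', '?')}",
        }
    return None


def scan(log_text):
    """Run classify() over every record and return the list of findings."""
    return [f for f in (classify(e) for e in parse_events(log_text)) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding['severity']}] event {finding['event_id']} "
              f"{finding['account']}: {finding['reason']}")
```

The domain controller inventory is what turns a HIGH finding into a CRITICAL one; in practice it would come from the directory rather than a hard-coded set.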
How to Exploit Zerologon
After verifying that one or more machines in the organization’s network are missing the Zerologon patch, the following steps can be performed to exploit it:
- Make sure you have the latest version of Impacket installed. You can find it here.
- Clone the ZeroLogon repository from here. This can be done with ‘git clone <repo>’.
(Screenshot: cloning the ZeroLogon GitHub repository)
- In the ZeroLogon repository, run the “set_empty_pw.py” Python script. Set the first parameter to the target Domain Controller’s NETBIOS name, and the second parameter to the target Domain Controller’s IP address.
(Screenshot: running the set_empty_pw.py script against the AJMANCORP-DC1 Domain Controller. The machine account’s password has been successfully set to an empty string.)
- Run Impacket’s “secretsdump.py” tool against the Domain Controller, and when it prompts you for a password, just press Enter. ZeroLogon has set the Domain Controller’s machine account password to an empty string, so it will go right through.
(Screenshot: secretsdump.py successfully dumping all password hashes stored on the Domain Controller)
How to Remediate
All of the above attacks can be prevented by applying patches and ensuring that the organization has a robust patch management program in place. Proactively patching systems reduces the potential for exploitation and involves considerably less time and effort than responding after an attack has occurred.
Patch management is one of the most basic and critical ways of protecting an organization’s systems and information: without a formalized patch management process, and with critical security patches left unapplied, even the most rudimentary attackers can gain full access to devices within a network. The patching process should cover both Windows and third-party software.
Patch management should include procedures for the following:
- Identifying newly-released patches
- Testing patches
- Deploying patches during defined timeframes or based on criticality
- Rolling back patches, if necessary
- Emergency patching
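The procedures above translate directly into a compliance check: compare each host’s installed updates against the catalogue of patches that apply to its operating system, give every missing patch a deadline driven by its criticality, and treat patches for actively exploited vulnerabilities as emergency work with a much shorter deadline. The Python below is an added example for this post, not code from the original article. The patch catalogue, host inventory and SLA numbers are constructed placeholders (the KB-EXAMPLE ids are not real Microsoft article numbers), and the inventory would in practice be pulled from your deployment tooling rather than hard-coded.

```python
"""Patch-compliance report for a small constructed inventory.  Added
example; every id, host and deadline here is a placeholder."""
from datetime import date, timedelta

# Assumed policy: days allowed after release, by criticality, and a much
# shorter window for patches whose vulnerability is exploited in the wild.
SLA_DAYS = {"critical": 7, "important": 30, "moderate": 90}
EMERGENCY_SLA_DAYS = 2

# Constructed catalogue of required patches.  'applies_to' is the set of
# operating systems a patch targets; 'exploited' marks emergency patches.
CATALOGUE = [
    {"id": "KB-EXAMPLE-0001", "severity": "critical", "released": date(2020, 8, 11),
     "exploited": True, "applies_to": {"Windows Server 2016", "Windows Server 2019"}},
    {"id": "KB-EXAMPLE-0002", "severity": "important", "released": date(2020, 9, 8),
     "exploited": False, "applies_to": {"Windows 10", "Windows Server 2016", "Windows Server 2019"}},
    {"id": "KB-EXAMPLE-0003", "severity": "moderate", "released": date(2020, 9, 8),
     "exploited": False, "applies_to": {"Windows 10"}},
    # Third-party software belongs in the same catalogue as Windows updates.
    {"id": "TP-EXAMPLE-0004", "severity": "critical", "released": date(2020, 9, 1),
     "exploited": False, "applies_to": {"Windows 10"}},
]

# Constructed host inventory with the update ids each host reports installed.
HOSTS = [
    {"name": "DC1", "os": "Windows Server 2019", "installed": {"KB-EXAMPLE-0002"}},
    {"name": "WS01", "os": "Windows 10", "installed": {"KB-EXAMPLE-0002", "TP-EXAMPLE-0004"}},
    {"name": "SRV02", "os": "Windows Server 2016", "installed": {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}},
]


def deadline(patch):
    """Date by which the patch must be deployed under the assumed policy."""
    days = EMERGENCY_SLA_DAYS if patch["exploited"] else SLA_DAYS[patch["severity"]]
    return patch["released"] + timedelta(days=days)


def missing_patches(host, catalogue):
    """Catalogue entries that apply to the host's OS but are not installed."""
    return [p for p in catalogue
            if host["os"] in p["applies_to"] and p["id"] not in host["installed"]]


def compliance_report(hosts, catalogue, today):
    """Map each host name to its missing patches, emergencies and overdue first."""
    report = {}
    for host in hosts:
        findings = []
        for patch in missing_patches(host, catalogue):
            due = deadline(patch)
            findings.append({
                "patch": patch["id"],
                "severity": patch["severity"],
                "emergency": patch["exploited"],
                "due": due,
                "overdue_days": max(0, (today - due).days),
            })
        findings.sort(key=lambda f: (not f["emergency"], -f["overdue_days"]))
        report[host["name"]] = findings
    return report


def noncompliant_hosts(report):
    """Hosts with at least one overdue or emergency patch outstanding."""
    return [name for name, findings in report.items()
            if any(f["overdue_days"] > 0 or f["emergency"] for f in findings)]


if __name__ == "__main__":
    report = compliance_report(HOSTS, CATALOGUE, date(2020, 9, 14))
    for name, findings in report.items():
        print(f"{name}: {len(findings)} missing")
        for f in findings:
            flag = "EMERGENCY " if f["emergency"] else ""
            print(f"  {flag}{f['patch']} ({f['severity']}) due {f['due']}, "
                  f"{f['overdue_days']} days overdue")
    print("non-compliant:", noncompliant_hosts(report))
```

Sorting emergencies first and then by days overdue gives the deployment order the policy implies; the rollback and testing steps from the list above sit outside this check, but a host that fails testing would simply keep appearing here until the patch is redeployed.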
Special thanks to AJ Hammond for providing the step-by-step instructions, video and screenshots, and for reviewing the article for accuracy.