Exploits that were stolen from the NSA last year, and which were believed to target older Windows releases, have been tweaked to potentially impact all versions of Microsoft’s operating system back to Windows 2000.
Security researcher Sean Dillon from RiskSense (also known as @zerosum0x0 on Twitter) says the three exploits that he ported are EternalChampion, EternalRomance, and EternalSynergy. EternalBlue, another exploit stolen from the NSA by hacking group Shadow Brokers in 2017 and then published online, has already been used in attacks based on ransomware like WannaCry and NotPetya.
What Dillon managed to do (via BetaNews) was to modify the exploits to target two different vulnerabilities that exist in the majority of Windows versions. The exploits were then included in the Metasploit Framework, and can impact even the newest operating systems, like Windows 10, which were originally believed to be immune to flaws stolen from the NSA.
Affecting unpatched versions of Windows
EternalSynergy can take advantage of both the CVE-2017-0143 (type confusion between WriteAndX and Transaction requests) and CVE-2017-0146 (race condition with Transaction requests) vulnerabilities. EternalRomance is aimed only at CVE-2017-0143, while EternalChampion targets CVE-2017-0146.
In documentation published on GitHub, Dillon explains that vulnerable targets are Windows versions released between 2000 and 2016, and attackers can obtain admin rights on a compromised host.
“You can run any command as SYSTEM, or stage Meterpreter. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads,” the researcher explains.
What’s important to know is that these new exploits can only compromise a system if it is not patched, so it’s critical for Windows users to deploy the latest security updates as soon as possible. This is one of the reasons the latest Windows versions are more secure, as OS releases like Windows XP and Windows Vista no longer receive updates and security patches, leaving some vulnerabilities unfixed.
Windows versions targeted by the new exploits
Windows 2000 SP0 x86
Windows 2000 Professional SP4 x86
Windows 2000 Advanced Server SP4 x86
Windows XP SP0 x86
Windows XP SP1 x86
Windows XP SP2 x86
Windows XP SP3 x86
Windows XP SP2 x64
Windows Server 2003 SP0 x86
Windows Server 2003 SP1 x86
Windows Server 2003 Enterprise SP 2 x86
Windows Server 2003 SP1 x64
Windows Server 2003 R2 SP1 x86
Windows Server 2003 R2 SP2 x86
Windows Vista Home Premium x86
Windows Vista x64
Windows Server 2008 SP1 x86
Windows Server 2008 x64
Windows 7 x86
Windows 7 Ultimate SP1 x86
Windows 7 Enterprise SP1 x86
Windows 7 SP0 x64
Windows 7 SP1 x64
Windows Server 2008 R2 x64
Windows Server 2008 R2 SP1 x64
Windows 8 x86
Windows 8 x64
Windows Server 2012 x64
Windows 8.1 Enterprise Evaluation 9600 x86
Windows 8.1 SP1 x86
Windows 8.1 x64
Windows 8.1 SP1 x64
Windows Server 2012 R2 x86
Windows Server 2012 R2 Standard 9600 x64
Windows Server 2012 R2 SP1 x64
Windows 10 Enterprise 10.10240 x86
Windows 10 Enterprise 10.10240 x64
Windows 10 10.10586 x86
Windows 10 10.10586 x64
Windows Server 2016 10.10586 x64
Windows 10 10.0.14393 x86
Windows 10 Enterprise Evaluation 10.14393 x64
Windows Server 2016 Data Center 10.14393 x64