CVE-2017-0144: EternalBlue: MS17-010
EternalBlue (MS17-010/CVE-2017-0144) is a critical vulnerability in the Windows Server Message Block (SMBv1) protocol that allows attackers to remotely execute arbitrary code and gain access to a Windows system, potentially compromising the entire network. The exploit, developed by the NSA, was leaked by a hacker group called the Shadow Brokers in 2017.
Why the Vulnerability Occurs
The vulnerability stems from the way the SMBv1 server handles specially crafted transaction requests: an unauthenticated attacker can send malicious packets to a vulnerable machine and end up executing arbitrary commands on it.
Concretely, EternalBlue is a buffer overflow in the Windows SMBv1 implementation caused by improper validation of transaction requests. The server miscalculates the length of attacker-controlled data fields in those requests and mishandles the resulting error conditions, so data is written past the end of the buffer it allocated. Because the SMB server runs with high-level privileges, the overflow yields remote code execution at that privilege level, which is what made the flaw critical and allowed malware such as WannaCry to propagate across networks by exploiting it.
Key Features of EternalBlue
Exploits the SMBv1 vulnerability (MS17-010) in unpatched Windows systems.
Affected versions include Windows Vista, 7, Server 2008, 8.1, Server 2012, 10, and Server 2016.
Was infamously used in the WannaCry ransomware attack on June 27, 2017, which spread rapidly across networks.
Microsoft released a patch for the vulnerability in March 2017, but many systems remain unpatched, leaving them vulnerable to attacks.
Exploitation
MSF
EternalBlue lets an attacker send crafted SMBv1 packets to a vulnerable host and obtain privileged access. Metasploit (MSF) ships an auxiliary scanner module that checks whether a host is still vulnerable to MS17-010, and an exploit module that runs the attack and returns a privileged session on unpatched systems. The exploit can also be run manually using publicly available code.
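From the defender's side, the check that matters is whether SMBv1 is still reachable on a host and whether the kernel SMB server driver predates the MS17-010 fix. The following PowerShell script is an added example, not part of the original page and not Metasploit or AutoBlue code. It reports the SMBv1 server setting, the SMB1Protocol optional-feature state and the srv.sys file version, and with the (hypothetical) -DisableSmb1 switch turns SMBv1 off. It assumes an elevated shell; Get-SmbServerConfiguration only exists on Windows 8 / Server 2012 and later, so on older systems it falls back to the documented LanmanServer SMB1 registry value.

```powershell
# Added example (not from the page): audit a Windows host for MS17-010 exposure
# and optionally disable SMBv1, the protocol EternalBlue abuses.
# Assumes an elevated PowerShell session. -DisableSmb1 is a switch defined here, not a built-in.
[CmdletBinding()]
param(
    [switch]$DisableSmb1   # when set, turn SMBv1 off after reporting the current state
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $result = [ordered]@{}

    # 1. Server-side SMBv1 switch (Windows 8 / Server 2012 and later).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.EnableSMB1Protocol = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: the documented registry control; an absent value means enabled.
        $reg = Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue
        $result.EnableSMB1Protocol = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }
    }

    # 2. Optional-feature state (Windows 8.1 / Server 2012 R2 and later).
    $result.SMB1FeatureState = 'n/a'
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature) { $result.SMB1FeatureState = $feature.State.ToString() }
    }

    # 3. Version of the kernel SMB server driver that MS17-010 patched.
    #    Compare it against the fixed build listed in the bulletin for this OS version.
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $result.SrvSysVersion = if (Test-Path $srv) { (Get-Item $srv).VersionInfo.FileVersion } else { 'not present' }

    [pscustomobject]$result
}

$state = Get-Smb1State
$state | Format-List

if ($DisableSmb1 -and $state.EnableSMB1Protocol) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    if ($state.SMB1FeatureState -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Output 'SMBv1 disabled; a reboot may be required for the change to take full effect.'
}
```

Run it once without the switch to record the state, then with -DisableSmb1 on hosts that no longer need SMBv1. Disabling the protocol removes the attack surface regardless of patch level, which is why it is the preferred mitigation where legacy clients do not depend on SMBv1; the srv.sys version is only a hint, since later cumulative updates supersede the original MS17-010 packages and Get-HotFix will not necessarily list them.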
AutoBlue
TryHackMe: Blue Exploitation
w/ MSF
w/ AutoBlue
other Semi MSF