Demystifying MS17-010: Reverse Engineering the ETERNAL Exploits

Conference: Defcon 26

2018-08-01

Summary

The presentation discusses the ETERNAL exploits, which were dumped by the Shadow Brokers and used in major cyber attacks like WannaCry and NotPetya. The talk focuses on the reverse engineering of the exploits and how they take advantage of undocumented features of the Windows kernel and SMBv1 protocol. The MS17-010 patch, which fixed the vulnerabilities, is also discussed along with additional vulnerabilities that were patched around the same time.
  • The ETERNAL exploits were dumped by the Shadow Brokers and used in major cyber attacks
  • The exploits take advantage of undocumented features of the Windows kernel and the SMBv1 protocol
  • The reverse engineering of the exploits is discussed
  • The MS17-010 patch is described, and additional vulnerabilities that were patched around the same time are identified
The Equation Group, a former department at the NSA, wrote the ETERNAL exploits, and the Shadow Brokers dumped them. The exploits have been used in major cyber attacks like WannaCry and NotPetya. The presentation condenses years of research into Windows internals and the SMBv1 protocol driver to explain how the exploits work.

Abstract

MS17-010 is the most important patch in the history of operating systems, fixing remote code execution vulnerabilities in the world of modern Windows. The ETERNAL exploits, written by the Equation Group and dumped by the Shadow Brokers, have been used in the most damaging cyber attacks in computing history: WannaCry, NotPetya, Olympic Destroyer, and many others. Yet, how these complicated exploits work has not been made clear to most. This is due to the ETERNAL exploits taking advantage of undocumented features of the Windows kernel and the esoteric SMBv1 protocol. This talk will condense years of research into Windows internals and the SMBv1 protocol driver. Descriptions of full reverse engineering of internal structures and all historical background info needed to understand how the exploit chains for ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY work will be provided. This talk will also describe how the MS17-010 patch fixed the vulnerabilities, and identify additional vulnerabilities that were patched around the same time.
