Security researcher tweaks exploits stolen from the NSA last year to affect nearly all versions of Windows

Feb 6, 2018 09:48 GMT  ·  By

Exploits that were stolen from the NSA last year and which were believed to target older Windows releases have been tweaked to potentially impact all versions of Microsoft’s operating system back to Windows 2000.

Security researcher Sean Dillon from RiskSense (also known as @zerosum0x0 on Twitter) says the three exploits he ported are EternalChampion, EternalRomance, and EternalSynergy. EternalBlue, another exploit from the same stolen NSA toolset, which the Shadow Brokers hacking group published online in April 2017, has already been used in ransomware attacks such as WannaCry and NotPetya.

What Dillon did (via BetaNews) was modify the exploits to target two different vulnerabilities that exist in the majority of Windows versions. The ported exploits have been included in the Metasploit Framework and can reach even the newest operating systems, such as Windows 10 and Windows Server 2016, which the leaked tools as originally published did not target.

Affecting unpatched versions of Windows

EternalSynergy can take advantage of both CVE-2017-0143 (a type confusion between WriteAndX and Transaction requests) and CVE-2017-0146 (a race condition in Transaction requests). EternalRomance targets only the first, while EternalChampion targets only the second. Both flaws live in the SMBv1 server and were fixed by Microsoft's MS17-010 update in March 2017, so a host that has that update applied (or SMBv1 disabled) is not affected by the ported exploits.

In documentation published on GitHub, Dillon explains that vulnerable targets are Windows versions released between 2000 and 2016, and that an attacker who successfully exploits an unpatched host can run commands as SYSTEM.

“You can run any command as SYSTEM, or stage Meterpreter. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads,” the researcher explains.

What's important to know is that these exploits can only compromise a system that is missing the MS17-010 update, so it's critical for Windows users to deploy the latest security updates as soon as possible and to disable SMBv1 where it is not needed. Microsoft shipped MS17-010 for all supported releases in March 2017 and, after the WannaCry outbreak in May 2017, issued out-of-band fixes for the already unsupported Windows XP, Windows 8 and Windows Server 2003 as well. Windows 2000 never received a fix, and end-of-life releases will get no further updates, which is why they remain exposed to flaws found after support ended.
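A practitioner's first question on reading this is how to tell whether a given host is exposed. The script below is an added example written for this article; it is not part of Dillon's Metasploit module or of the article itself. It reports whether SMBv1 is enabled, whether one of the MS17-010 packages is present, and whether port 445 is listening, and it offers a function to turn SMBv1 off. The KB numbers are the MS17-010 security-only and rollup packages as published in the bulletin; hosts that took a later cumulative update will not list them, so an empty result means "check the update history", not "vulnerable". It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later for the Smb* cmdlets, and falls back to the registry value on older hosts.

```powershell
# Added example: audit a Windows host for the conditions the ported
# EternalRomance/Synergy/Champion modules need (SMBv1 reachable on 445,
# MS17-010 not installed) and optionally disable SMBv1.
# Assumption: run elevated; Get-SmbServerConfiguration / Get-NetTCPConnection
# exist on Windows 8 / Server 2012 and later, registry fallback used elsewhere.

# MS17-010 packages per platform (XP/2003/Vista/8: 4012598; Win7/2008R2: 4012212
# security-only, 4012215 rollup; 8.1/2012R2: 4012213/4012216; 2012: 4012214/4012217;
# Windows 10 1507/1511/1607 and Server 2016: 4012606/4013198/4013429).
$Ms17010Kbs = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Exposure {
    $result = [ordered]@{}

    # 1. Server-side SMBv1 status. On Windows 7 / 2008 R2 the SMB1 registry
    #    value is normally absent, and absent means enabled (the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.Smb1Enabled = ($null -eq $val) -or ($val -ne 0)
    }

    # 2. Any MS17-010 package visible in the installed-update list?
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    $result.Ms17010KbInstalled = if ($found.Count -gt 0) { $found -join ',' } else { '(none listed)' }

    # 3. Is anything listening on 445 at all? No listener, no remote SMB attack surface.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listener

    # Summary verdict: exposed only when SMBv1 is on, 445 is open and no MS17-010 KB is listed.
    $result.LikelyExposed = $result.Smb1Enabled -and $result.Port445Listening -and ($found.Count -eq 0)

    [pscustomobject]$result
}

function Disable-Smb1Server {
    # Mitigation, not a substitute for the MS17-010 update: the flaws are in the
    # SMBv1 server, so turning that protocol off removes the reachable code path.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2 method documented in Microsoft KB2696547
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

# Usage: report first, then decide whether to remediate.
$exposure = Test-Ms17010Exposure
$exposure | Format-List
if ($exposure.LikelyExposed) {
    Write-Warning 'Host appears exposed to MS17-010; apply the update, or run Disable-Smb1Server as an interim mitigation.'
}
```

The registry and Set-SmbServerConfiguration paths only switch off the SMBv1 server; the SMBv1 client (mrxsmb10) is separate and does not affect the attack surface these exploits use. A restart is needed for the registry change to take effect on older releases.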

Windows versions targeted by the new exploits

Windows 2000 SP0 x86
Windows 2000 Professional SP4 x86
Windows 2000 Advanced Server SP4 x86
Windows XP SP0 x86
Windows XP SP1 x86
Windows XP SP2 x86
Windows XP SP3 x86
Windows XP SP2 x64
Windows Server 2003 SP0 x86
Windows Server 2003 SP1 x86
Windows Server 2003 Enterprise SP 2 x86
Windows Server 2003 SP1 x64
Windows Server 2003 R2 SP1 x86
Windows Server 2003 R2 SP2 x86
Windows Vista Home Premium x86
Windows Vista x64
Windows Server 2008 SP1 x86
Windows Server 2008 x64
Windows 7 x86
Windows 7 Ultimate SP1 x86
Windows 7 Enterprise SP1 x86
Windows 7 SP0 x64
Windows 7 SP1 x64
Windows Server 2008 R2 x64
Windows Server 2008 R2 SP1 x64
Windows 8 x86
Windows 8 x64
Windows Server 2012 x64
Windows 8.1 Enterprise Evaluation 9600 x86
Windows 8.1 SP1 x86
Windows 8.1 x64
Windows 8.1 SP1 x64
Windows Server 2012 R2 x86
Windows Server 2012 R2 Standard 9600 x64
Windows Server 2012 R2 SP1 x64
Windows 10 Enterprise 10.10240 x86
Windows 10 Enterprise 10.10240 x64
Windows 10 10.10586 x86
Windows 10 10.10586 x64
Windows Server 2016 10.10586 x64
Windows 10 10.0.14393 x86
Windows 10 Enterprise Evaluation 10.14393 x64
Windows Server 2016 Data Center 10.14393 x64