Microsoft Windows SMB Server Multiple Vulnerabilities (Remote) 4013389

Detailed information about the MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check) Nessus plugin (97833), including a list of exploits and PoCs found on GitHub, in Metasploit or Exploit-DB.

High   Plugin ID: 97833


This page contains detailed information about the MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

  • Plugin Overview
  • Vulnerability Information
    • Synopsis
    • Description
    • Solution
  • Public Exploits
  • Risk Information
  • Plugin Source
  • How to Run
  • References
  • Version

Plugin Overview


ID: 97833

Name: MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)

Filename: ms17-010.nasl

Vulnerability Published: 2017-03-14

This Plugin Published: 2017-03-20

Last Modification Time: 2022-04-07

Plugin Version: 1.29

Plugin Type: remote

Plugin Family: Windows

Dependencies: os_fingerprint.nasl, smb_v1_enabled_remote.nasl

Required KB Items: Host/OS, SMB/SMBv1_is_supported

Vulnerability Information


Severity: High
Vulnerability Published: 2017-03-14
Patch Published: 2017-03-14
CVE: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148
CPE: cpe:/o:microsoft:windows
Exploited by Malware: True
In the News: True

Synopsis

The remote Windows host is affected by multiple vulnerabilities.

Description

The remote Windows host is affected by the following vulnerabilities :

  - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)

  - An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.

Solution

Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.

For unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Public Exploits


Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)

Exploit Ease: Exploits are available

Here’s the list of publicly known exploits and PoCs for verifying the MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check) vulnerability:

  1. Metasploit: exploit/windows/smb/smb_doublepulsar_rce
    [SMB DOUBLEPULSAR Remote Code Execution]
  2. Metasploit: auxiliary/admin/smb/ms17_010_command
    [MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution]
  3. Metasploit: exploit/windows/smb/ms17_010_eternalblue
    [MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption]
  4. Metasploit: exploit/windows/smb/ms17_010_eternalblue_win8
    [MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption]
  5. Metasploit: exploit/windows/smb/ms17_010_psexec
    [MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution]
  6. Metasploit: auxiliary/scanner/smb/smb_ms17_010
    [MS17-010 SMB RCE Detection]
  7. Exploit-DB: exploits/windows/dos/41891.rb
    [EDB-41891: Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)]
  8. Exploit-DB: exploits/windows/remote/43970.rb
    [EDB-43970: Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)]
  9. Exploit-DB: exploits/windows_x86-64/remote/41987.py
    [EDB-41987: Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)]
  10. Exploit-DB: exploits/windows/remote/47456.rb
    [EDB-47456: DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)]
  11. GitHub: https://github.com/3hydraking/MS17-010_CVE-2017-0143
    [CVE-2017-0143]
  12. GitHub: https://github.com/4n0nym0u5dk/MS17-010_CVE-2017-0143
    [CVE-2017-0143]
  13. GitHub: https://github.com/6A0BCD80/Etern-blue-Windows-7-Checker
    [CVE-2017-0143: This would basically send smb1 (not smb2) packets to determine if a machine is …]
  14. GitHub: https://github.com/Al1ex/WindowsElevation
    [CVE-2017-0143]
  15. GitHub: https://github.com/ArcadeHustle/X3_USB_softmod
    [CVE-2017-0143]
  16. GitHub: https://github.com/Ascotbe/Kernelhub
    [CVE-2017-0143]
  17. GitHub: https://github.com/Cyberwatch/cyberwatch_api_powershell
    [CVE-2017-0143]
  18. GitHub: https://github.com/ErdemOzgen/ActiveDirectoryAttacks
    [CVE-2017-0143]
  19. GitHub: https://github.com/HacTF/poc—exp
    [CVE-2017-0143]
  20. GitHub: https://github.com/Jean-Francois-C/Boot2root-CTFs-Writeups
    [CVE-2017-0143]
  21. GitHub: https://github.com/Kiz619ao630/StepwisePolicy3
    [CVE-2017-0143]
  22. GitHub: https://github.com/NatteeSetobol/Etern-blue-Windows-7-Checker
    [CVE-2017-0143: Eternal Blue is a well known SMB expliot created by the NSA to attack various …]
  23. GitHub: https://github.com/Nieuport/Active-Directory-Kill-Chain-Attack-Defense
    [CVE-2017-0143]
  24. GitHub: https://github.com/PWN-Kingdom/Test_Tasks
    [CVE-2017-0143]
  25. GitHub: https://github.com/RodrigoVarasLopez/Download-Scanners-from-Nessus-8.7-using-the-API
    [CVE-2017-0143]
  26. GitHub: https://github.com/R-Vision/ms17-010
    [CVE-2017-0143]
  27. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2017-0143]
  28. GitHub: https://github.com/androidkey/MS17-011
    [CVE-2017-0143]
  29. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Auto-Mode
    [CVE-2017-0143]
  30. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Manual-Mode
    [CVE-2017-0143]
  31. GitHub: https://github.com/ceskillets/DCV-Predefined-Log-Filter-of-Specific-CVE-of-EternalBlue-and-BlueKeep-with-Auto-Tag-
    [CVE-2017-0143]
  32. GitHub: https://github.com/chaao195/EBEKv2.0
    [CVE-2017-0143]
  33. GitHub: https://github.com/czq945659538/-study
    [CVE-2017-0143]
  34. GitHub: https://github.com/ericjiang97/SecScripts
    [CVE-2017-0143]
  35. GitHub: https://github.com/geeksniper/active-directory-pentest
    [CVE-2017-0143]
  36. GitHub: https://github.com/gwyomarch/Legacy-HTB-Writeup-FR
    [CVE-2017-0143]
  37. GitHub: https://github.com/homjxi0e/Script-nmap-scan-ms17-010
    [CVE-2017-0143]
  38. GitHub: https://github.com/ihebski/A-Red-Teamer-diaries
    [CVE-2017-0143]
  39. GitHub: https://github.com/infosecn1nja/AD-Attack-Defense
    [CVE-2017-0143]
  40. GitHub: https://github.com/jeredbare/ms17-010_to_slack
    [CVE-2017-0143]
  41. GitHub: https://github.com/k4u5h41/MS17-010_CVE-2017-0143
    [CVE-2017-0143]
  42. GitHub: https://github.com/mishmashclone/infosecn1nja-AD-Attack-Defense
    [CVE-2017-0143]
  43. GitHub: https://github.com/mynameisv/MMSBGA
    [CVE-2017-0143]
  44. GitHub: https://github.com/notsag-dev/htb-legacy
    [CVE-2017-0143]
  45. GitHub: https://github.com/rosonsec/Exploits
    [CVE-2017-0143]
  46. GitHub: https://github.com/superhero1/OSCP-Prep
    [CVE-2017-0143]
  47. GitHub: https://github.com/tataev/Security
    [CVE-2017-0143]
  48. GitHub: https://github.com/uroboros-security/SMB-CVE
    [CVE-2017-0143]
  49. GitHub: https://github.com/wateroot/poc-exp
    [CVE-2017-0143]
  50. GitHub: https://github.com/wrlu/Vulnerabilities
    [CVE-2017-0143]
  51. GitHub: https://github.com/xiaoy-sec/Pentest_Note
    [CVE-2017-0143]
  52. GitHub: https://github.com/ycdxsb/Exploits
    [CVE-2017-0143]
  53. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2017-0143]
  54. GitHub: https://github.com/zhang040723/web
    [CVE-2017-0143]
  55. GitHub: https://github.com/zimmel15/HTBBlueWriteup
    [CVE-2017-0143]
  56. GitHub: https://github.com/61106960/adPEAS
    [CVE-2017-0144]
  57. GitHub: https://github.com/Ali-Imangholi/EternalBlueTrojan
    [CVE-2017-0144: EternalBlueTrojan(CVE-2017-0144)]
  58. GitHub: https://github.com/Astrogeorgeonethree/Starred
    [CVE-2017-0144]
  59. GitHub: https://github.com/Cyberwatch/cyberwatch_api_powershell
    [CVE-2017-0144]
  60. GitHub: https://github.com/EEsshq/CVE-2017-0144—EtneralBlue-MS17-010-Remote-Code-Execution
    [CVE-2017-0144]
  61. GitHub: https://github.com/ErdemOzgen/ActiveDirectoryAttacks
    [CVE-2017-0144]
  62. GitHub: https://github.com/JeffEmrys/termux-
    [CVE-2017-0144]
  63. GitHub: https://github.com/Kiz619ao630/StepwisePolicy3
    [CVE-2017-0144]
  64. GitHub: https://github.com/Nieuport/Active-Directory-Kill-Chain-Attack-Defense
    [CVE-2017-0144]
  65. GitHub: https://github.com/PWN-Kingdom/Test_Tasks
    [CVE-2017-0144]
  66. GitHub: https://github.com/Project-WARMIND/Exploit-Modules
    [CVE-2017-0144]
  67. GitHub: https://github.com/RodrigoVarasLopez/Download-Scanners-from-Nessus-8.7-using-the-API
    [CVE-2017-0144]
  68. GitHub: https://github.com/R-Vision/ms17-010
    [CVE-2017-0144]
  69. GitHub: https://github.com/ShubhamGuptaIN/WannaCry-ransomware-attack-Virus
    [CVE-2017-0144]
  70. GitHub: https://github.com/androidkey/MS17-011
    [CVE-2017-0144]
  71. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Auto-Mode
    [CVE-2017-0144]
  72. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Manual-Mode
    [CVE-2017-0144]
  73. GitHub: https://github.com/ceskillets/DCV-Predefined-Log-Filter-of-Specific-CVE-of-EternalBlue-and-BlueKeep-with-Auto-Tag-
    [CVE-2017-0144]
  74. GitHub: https://github.com/chaao195/EBEKv2.0
    [CVE-2017-0144]
  75. GitHub: https://github.com/ericjiang97/SecScripts
    [CVE-2017-0144]
  76. GitHub: https://github.com/fernandopaezmartin/SAD_2021—Metasploit
    [CVE-2017-0144]
  77. GitHub: https://github.com/geeksniper/active-directory-pentest
    [CVE-2017-0144]
  78. GitHub: https://github.com/infosecn1nja/AD-Attack-Defense
    [CVE-2017-0144]
  79. GitHub: https://github.com/kimocoder/eternalblue
    [CVE-2017-0144]
  80. GitHub: https://github.com/mishmashclone/infosecn1nja-AD-Attack-Defense
    [CVE-2017-0144]
  81. GitHub: https://github.com/tataev/Security
    [CVE-2017-0144]
  82. GitHub: https://github.com/uroboros-security/SMB-CVE
    [CVE-2017-0144]
  83. GitHub: https://github.com/wuvel/TryHackMe
    [CVE-2017-0144]
  84. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2017-0144]
  85. GitHub: https://github.com/zorikcherfas/eternalblue_linux_cpp
    [CVE-2017-0144]
  86. GitHub: https://github.com/Astrogeorgeonethree/Starred
    [CVE-2017-0145]
  87. GitHub: https://github.com/Cyberwatch/cyberwatch_api_powershell
    [CVE-2017-0145]
  88. GitHub: https://github.com/ErdemOzgen/ActiveDirectoryAttacks
    [CVE-2017-0145]
  89. GitHub: https://github.com/JeffEmrys/termux-
    [CVE-2017-0145]
  90. GitHub: https://github.com/Kiz619ao630/StepwisePolicy3
    [CVE-2017-0145]
  91. GitHub: https://github.com/Nieuport/Active-Directory-Kill-Chain-Attack-Defense
    [CVE-2017-0145]
  92. GitHub: https://github.com/RodrigoVarasLopez/Download-Scanners-from-Nessus-8.7-using-the-API
    [CVE-2017-0145]
  93. GitHub: https://github.com/R-Vision/ms17-010
    [CVE-2017-0145]
  94. GitHub: https://github.com/androidkey/MS17-011
    [CVE-2017-0145]
  95. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Auto-Mode
    [CVE-2017-0145]
  96. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Manual-Mode
    [CVE-2017-0145]
  97. GitHub: https://github.com/ceskillets/DCV-Predefined-Log-Filter-of-Specific-CVE-of-EternalBlue-and-BlueKeep-with-Auto-Tag-
    [CVE-2017-0145]
  98. GitHub: https://github.com/chaao195/EBEKv2.0
    [CVE-2017-0145]
  99. GitHub: https://github.com/ericjiang97/SecScripts
    [CVE-2017-0145]
  100. GitHub: https://github.com/geeksniper/active-directory-pentest
    [CVE-2017-0145]
  101. GitHub: https://github.com/infosecn1nja/AD-Attack-Defense
    [CVE-2017-0145]
  102. GitHub: https://github.com/mishmashclone/infosecn1nja-AD-Attack-Defense
    [CVE-2017-0145]
  103. GitHub: https://github.com/tataev/Security
    [CVE-2017-0145]
  104. GitHub: https://github.com/uroboros-security/SMB-CVE
    [CVE-2017-0145]
  105. GitHub: https://github.com/Cyberwatch/cyberwatch_api_powershell
    [CVE-2017-0146]
  106. GitHub: https://github.com/ErdemOzgen/ActiveDirectoryAttacks
    [CVE-2017-0146]
  107. GitHub: https://github.com/Kiz619ao630/StepwisePolicy3
    [CVE-2017-0146]
  108. GitHub: https://github.com/Nieuport/Active-Directory-Kill-Chain-Attack-Defense
    [CVE-2017-0146]
  109. GitHub: https://github.com/RodrigoVarasLopez/Download-Scanners-from-Nessus-8.7-using-the-API
    [CVE-2017-0146]
  110. GitHub: https://github.com/R-Vision/ms17-010
    [CVE-2017-0146]
  111. GitHub: https://github.com/Urahara3389/SmbtouchBatchScan
    [CVE-2017-0146]
  112. GitHub: https://github.com/androidkey/MS17-011
    [CVE-2017-0146]
  113. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Auto-Mode
    [CVE-2017-0146]
  114. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Manual-Mode
    [CVE-2017-0146]
  115. GitHub: https://github.com/ceskillets/DCV-Predefined-Log-Filter-of-Specific-CVE-of-EternalBlue-and-BlueKeep-with-Auto-Tag-
    [CVE-2017-0146]
  116. GitHub: https://github.com/chaao195/EBEKv2.0
    [CVE-2017-0146]
  117. GitHub: https://github.com/ericjiang97/SecScripts
    [CVE-2017-0146]
  118. GitHub: https://github.com/geeksniper/active-directory-pentest
    [CVE-2017-0146]
  119. GitHub: https://github.com/infosecn1nja/AD-Attack-Defense
    [CVE-2017-0146]
  120. GitHub: https://github.com/mishmashclone/infosecn1nja-AD-Attack-Defense
    [CVE-2017-0146]
  121. GitHub: https://github.com/tataev/Security
    [CVE-2017-0146]
  122. GitHub: https://github.com/uroboros-security/SMB-CVE
    [CVE-2017-0146]
  123. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2017-0146]
  124. GitHub: https://github.com/Kiz619ao630/StepwisePolicy3
    [CVE-2017-0147]
  125. GitHub: https://github.com/Malware-S/Exploit-Win32.CVE-2017-0147.A
    [CVE-2017-0147: the name of virus is the detection of microsoft defender, is the tipic antivirus]
  126. GitHub: https://github.com/RobertoLeonFR-ES/Exploit-Win32.CVE-2017-0147.A
    [CVE-2017-0147: The name of virus is the detection of microsoft defender, is the tipic antivirus]
  127. GitHub: https://github.com/RodrigoVarasLopez/Download-Scanners-from-Nessus-8.7-using-the-API
    [CVE-2017-0147]
  128. GitHub: https://github.com/R-Vision/ms17-010
    [CVE-2017-0147]
  129. GitHub: https://github.com/Urahara3389/SmbtouchBatchScan
    [CVE-2017-0147]
  130. GitHub: https://github.com/androidkey/MS17-011
    [CVE-2017-0147]
  131. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Auto-Mode
    [CVE-2017-0147]
  132. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Manual-Mode
    [CVE-2017-0147]
  133. GitHub: https://github.com/ceskillets/DCV-Predefined-Log-Filter-of-Specific-CVE-of-EternalBlue-and-BlueKeep-with-Auto-Tag-
    [CVE-2017-0147]
  134. GitHub: https://github.com/chaao195/EBEKv2.0
    [CVE-2017-0147]
  135. GitHub: https://github.com/ericjiang97/SecScripts
    [CVE-2017-0147]
  136. GitHub: https://github.com/uroboros-security/SMB-CVE
    [CVE-2017-0147]
  137. GitHub: https://github.com/Cyberwatch/cyberwatch_api_powershell
    [CVE-2017-0148]
  138. GitHub: https://github.com/ErdemOzgen/ActiveDirectoryAttacks
    [CVE-2017-0148]
  139. GitHub: https://github.com/Kiz619ao630/StepwisePolicy3
    [CVE-2017-0148]
  140. GitHub: https://github.com/Nieuport/Active-Directory-Kill-Chain-Attack-Defense
    [CVE-2017-0148]
  141. GitHub: https://github.com/RodrigoVarasLopez/Download-Scanners-from-Nessus-8.7-using-the-API
    [CVE-2017-0148]
  142. GitHub: https://github.com/R-Vision/ms17-010
    [CVE-2017-0148]
  143. GitHub: https://github.com/androidkey/MS17-011
    [CVE-2017-0148]
  144. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Auto-Mode
    [CVE-2017-0148]
  145. GitHub: https://github.com/cb4cb4/EternalBlue-EK-Manual-Mode
    [CVE-2017-0148]
  146. GitHub: https://github.com/ceskillets/DCV-Predefined-Log-Filter-of-Specific-CVE-of-EternalBlue-and-BlueKeep-with-Auto-Tag-
    [CVE-2017-0148]
  147. GitHub: https://github.com/chaao195/EBEKv2.0
    [CVE-2017-0148]
  148. GitHub: https://github.com/ericjiang97/SecScripts
    [CVE-2017-0148]
  149. GitHub: https://github.com/geeksniper/active-directory-pentest
    [CVE-2017-0148]
  150. GitHub: https://github.com/infosecn1nja/AD-Attack-Defense
    [CVE-2017-0148]
  151. GitHub: https://github.com/mishmashclone/infosecn1nja-AD-Attack-Defense
    [CVE-2017-0148]
  152. GitHub: https://github.com/tataev/Security
    [CVE-2017-0148]
  153. GitHub: https://github.com/trend-anz/Deep-Security-Open-Patch
    [CVE-2017-0148]
  154. GitHub: https://github.com/uroboros-security/SMB-CVE
    [CVE-2017-0148]
  155. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2017-0148]
  156. GitHub: https://github.com/valarauco/wannafind
    [CVE-2017-0143: Simple script using nmap to detect CVE-2017-0143 MS17-010 in your network]
  157. GitHub: https://github.com/peterpt/eternal_scanner
    [CVE-2017-0144: An internet scanner for exploit CVE-2017-0144 (Eternal Blue) & CVE-2017-0145 …]
  158. GitHub: https://github.com/MelonSmasher/chef_tissues
    [CVE-2017-0145: Install patch for CVE-2017-0145 AKA WannaCry.]
  159. GitHub: https://github.com/peterpt/eternal_scanner
    [CVE-2017-0145: An internet scanner for exploit CVE-2017-0144 (Eternal Blue) & CVE-2017-0145 …]
  160. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2017-0148

CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C

CVSS Base Score: 9.3 (High)
Impact Subscore: 10.0
Exploitability Subscore: 8.6
CVSS Temporal Score: 8.1 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.1 (High)

CVSS V3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CVSS Base Score: 8.1 (High)
Impact Subscore: 5.9
Exploitability Subscore: 2.2
CVSS Temporal Score: 7.7 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.7 (High)

STIG Severity: I
STIG Risk Rating: High


Plugin Source


This is the ms17-010.nasl Nessus plugin source code. This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(97833);
  script_version("1.29");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/07");

  script_cve_id(
    "CVE-2017-0143",
    "CVE-2017-0144",
    "CVE-2017-0145",
    "CVE-2017-0146",
    "CVE-2017-0147",
    "CVE-2017-0148"
  );
  script_bugtraq_id(
    96703,
    96704,
    96705,
    96706,
    96707,
    96709
  );
  script_xref(name:"EDB-ID", value:"41891");
  script_xref(name:"EDB-ID", value:"41987");
  script_xref(name:"MSFT", value:"MS17-010");
  script_xref(name:"IAVA", value:"2017-A-0065");
  script_xref(name:"MSKB", value:"4012212");
  script_xref(name:"MSKB", value:"4012213");
  script_xref(name:"MSKB", value:"4012214");
  script_xref(name:"MSKB", value:"4012215");
  script_xref(name:"MSKB", value:"4012216");
  script_xref(name:"MSKB", value:"4012217");
  script_xref(name:"MSKB", value:"4012606");
  script_xref(name:"MSKB", value:"4013198");
  script_xref(name:"MSKB", value:"4013429");
  script_xref(name:"MSKB", value:"4012598");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/08/10");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/27");

  script_name(english:"MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by the following vulnerabilities :

  - Multiple remote code execution vulnerabilities exist in
    Microsoft Server Message Block 1.0 (SMBv1) due to
    improper handling of certain requests. An
    unauthenticated, remote attacker can exploit these
    vulnerabilities, via a specially crafted packet, to
    execute arbitrary code. (CVE-2017-0143, CVE-2017-0144,
    CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)

  - An information disclosure vulnerability exists in
    Microsoft Server Message Block 1.0 (SMBv1) due to
    improper handling of certain requests. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted packet, to disclose sensitive
    information. (CVE-2017-0147)

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are
four of multiple Equation Group vulnerabilities and exploits disclosed
on 2017/04/14 by a group known as the Shadow Brokers. WannaCry /
WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit,
and EternalRocks is a worm that utilizes seven Equation Group
vulnerabilities. Petya is a ransomware program that first utilizes
CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads
via ETERNALBLUE.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?68fc8eff");
  # https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?321523eb");
  # https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/?source=mmpc
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?065561d0");
  # https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9f569cf");
  script_set_attribute(attribute:"see_also", value:"https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/");
  # https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b9d9ebf9");
  # https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8dcab5e4");
  # https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?234f8ef8");
  # https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4c7e0cf3");
  script_set_attribute(attribute:"see_also", value:"https://github.com/stamparm/EternalRocks/");
  # https://www.tenable.com/blog/petyanotpetya-ransomware-detection-for-the-modern-enterprise
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?59db5b5b");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also
released emergency patches for Windows operating systems that are no
longer supported, including Windows XP, 2003, and 8.

For unsupported Windows operating systems, e.g. Windows XP, Microsoft
recommends that users discontinue the use of SMBv1. SMBv1 lacks
security features that were included in later SMB versions. SMBv1 can
be disabled by following the vendor instructions provided in Microsoft
KB2696547. Additionally, US-CERT recommends that users block SMB
directly by blocking TCP port 445 on all network boundary devices. For
SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137
/ 138 on all network boundary devices.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-0148");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SMB DOUBLEPULSAR Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "smb_v1_enabled_remote.nasl");
  script_require_keys("Host/OS", "SMB/SMBv1_is_supported");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("misc_func.inc");
include("byte_func.inc");
include("global_settings.inc");
include("smb_func.inc");

function smb_get_error_code (data)
{
 local_var header, flags2, code;

 # Some checks in the header first
 header = get_smb_header (smbblob:data);
 if (!header)
   return NULL;

 flags2 = get_header_flags2 (header:header);
 if (flags2 & SMB_FLAGS2_32BIT_STATUS)
 {
   code = get_header_nt_error_code (header:header);
 }
 else
 {
   code = get_header_dos_error_code (header:header);
 }

 return code;
}


function my_smb_trans_and_x (setup, transname, param, data, max_pcount, max_dcount)
{
 local_var header, parameters, dat, packet, ret, pad1, trans, p_offset, d_offset, plen, dlen, slen, pad2, npad;

 npad = pad1 = pad2 = NULL;

 if (session_is_unicode () == 1)
  trans = cstring (string:transname);
 else
  trans = transname;

 header = smb_header (Command: SMB_COM_TRANSACTION,
                      Status: nt_status (Status: STATUS_SUCCESS));

 p_offset = 32 + 1 + 28 + strlen(setup) + 2 + strlen(trans);

 # A Unicode transaction name must be aligned to a 2-byte boundary
 if(session_is_unicode() == 1)
 {
  npad = crap(data:'\x00', length: (2 - p_offset % 2) % 2);
  p_offset += strlen(npad);
 }

 # Parameters are aligned to a 4-byte boundary
 pad1 = crap(data:'\x00', length: (4 - p_offset % 4) % 4);
 p_offset += strlen(pad1);

 # Data is aligned to a 4-byte boundary
 d_offset = p_offset + strlen (param);
 pad2 = crap(data:'\x00', length: (4 - d_offset % 4) % 4);
 d_offset += strlen(pad2);

 plen = strlen(param);
 dlen = strlen(data);
 slen = strlen(setup);

 if(isnull(max_pcount)) max_pcount = 0xffff;
 if(isnull(max_dcount)) max_dcount = 0xffff;

 parameters =
        raw_word (w:plen)       +   # total parameter count
        raw_word (w:dlen)       +   # total data count
        raw_word (w:max_pcount) +   # Max parameter count
        raw_word (w:max_dcount) +   # Max data count
        raw_byte (b:0)          +   # Max setup count
        raw_byte (b:0)          +   # Reserved
        raw_word (w:0)          +   # Flags
        raw_dword (d:0)         +   # Timeout
        raw_word (w:0)          +   # Reserved
        raw_word (w:plen)       +   # Parameter count
        raw_word (w:p_offset)   +   # Parameter offset
        raw_word (w:dlen)       +   # Data count
        raw_word (w:d_offset)   +   # Data offset
        raw_byte (b:slen/2)     +   # Setup count
        raw_byte (b:0);             # Reserved

 parameters += setup;

 parameters = smb_parameters (data:parameters);

 dat = npad +
       trans +
       pad1 +
       param +
       pad2 +
       data;

 dat = smb_data (data:dat);

 packet = netbios_packet (header:header, parameters:parameters, data:dat);

 return packet;
}


#
# MAIN
#

# Make sure it's Windows
os = get_kb_item_or_exit("Host/OS");
if ("Windows" >!< os)
  audit(AUDIT_HOST_NOT, "Windows");

# Make sure SMBv1 is enabled
if (! get_kb_item("SMB/SMBv1_is_supported"))
  exit(0, "SMB version 1 does not appear to be enabled on the remote host.");

if (!smb_session_init(smb2:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');

r = NetUseAdd(share:"IPC$");
if (r != 1)
{
  exit(1, 'Failed to connect to the IPC$ share anonymously.');
}

fid = 0; # Invalid FID: a patched server rejects it with STATUS_INVALID_HANDLE
setup = raw_word (w:0x23) + raw_word (w:fid); # transaction subcommand 0x23 (PeekNamedPipe) on that FID

packet = my_smb_trans_and_x (setup: setup, transname:"PIPE");
ret = smb_sendrecv (data:packet);
if (ret)
  status = smb_get_error_code (data:ret);
else
  status = NULL;

NetUseDel();

if(! isnull(status))
{
  if(status == STATUS_INVALID_HANDLE
    ||  status == STATUS_ACCESS_DENIED # Win 10
  )
  {
    audit(AUDIT_HOST_NOT , "affected"); 
  }
  else if (status == STATUS_INSUFF_SERVER_RESOURCES)
  {
    port = kb_smb_transport();

    report = 'Sent:\n';
    report += ereg_replace(pattern:"([0-9a-f]{1,80})", replace:'\1\n', string:hexstr(packet)) + '\n';
    report += 'Received:\n';
    report += ereg_replace(pattern:"([0-9a-f]{1,80})", replace:'\1\n', string:hexstr(ret));

    security_report_v4(port: port, severity: SECURITY_HOLE, extra: report);
  }
  else
  {
    status = "0x" + toupper(hexstr(mkdword(status)));
    audit(AUDIT_RESP_BAD, port, "an SMB_COM_TRANSACTION request. Status code: " + status);
  }
}
else
{
  exit(1, "Failed to get response status for an SMB_COM_TRANSACTION request."); 
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/ms17-010.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\ms17-010.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/ms17-010.nasl


How to Run


Here is how to run the MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check) plugin ID 97833.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl ms17-010.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a ms17-010.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - ms17-010.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target). Note that this plugin exits at once unless the knowledge base already holds Host/OS and SMB/SMBv1_is_supported (see the two checks at the top of MAIN), so for a standalone run populate the state file first with the plugins that set those entries, os_fingerprint.nasl and smb_v1_enabled_remote.nasl (and whatever they in turn depend on), using the same -K file:

/opt/nessus/bin/nasl -K /tmp/state ms17-010.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID:

  • 96703, 96704, 96705, 96706, 96707, 96709

MSKB | Microsoft Knowledge Base:

  • 4012212, 4012213, 4012214, 4012215, 4012216, 4012217, 4012598, 4012606, 4013198, 4013429

MSFT | Microsoft Security Bulletin:

  • MS17-010

IAVA | Information Assurance Vulnerability Alert:

  • 2017-A-0065

See also:

  • https://www.tenable.com/plugins/nessus/97833
  • https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
  • https://github.com/stamparm/EternalRocks/
  • http://www.nessus.org/u?4c7e0cf3
  • http://www.nessus.org/u?8dcab5e4
  • http://www.nessus.org/u?59db5b5b
  • http://www.nessus.org/u?68fc8eff
  • http://www.nessus.org/u?234f8ef8
  • http://www.nessus.org/u?065561d0
  • http://www.nessus.org/u?321523eb
  • http://www.nessus.org/u?b9d9ebf9
  • http://www.nessus.org/u?d9f569cf
  • https://vulners.com/nessus/MS17-010.NASL

Similar and related Nessus plugins:

  • 99439 — SMB Server DOUBLEPULSAR Backdoor / Implant Detection (EternalRocks)
  • 97737 — MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
  • 96392 — MS17-003: Security Update for Adobe Flash Player (3214628)
  • 97729 — MS17-006: Cumulative Security Update for Internet Explorer (4013073)
  • 97730 — MS17-007: Cumulative Security Update for Microsoft Edge (4013071)
  • 97745 — MS17-008: Security Update for Windows Hyper-V (4013082)
  • 97732 — MS17-011: Security Update for Microsoft Uniscribe (4013076)
  • 97743 — MS17-012: Security Update for Microsoft Windows (4013078)
  • 97794 — MS17-013: Security Update for Microsoft Graphics Component (4013075)
  • 97733 — MS17-017: Security Update for Windows Kernel (4013081)
  • 97734 — MS17-020: Security Update for Windows DVD Maker (3208223)
  • 97735 — MS17-023: Security Update for Adobe Flash Player (4014329)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file ms17-010.nasl version 1.29. For more plugins, visit the Nessus Plugin Library.


Today, for its March 2017 Patch Tuesday, Microsoft released a security update for supported versions of Windows and Windows Server that offer file sharing services over the Server Message Block (SMB) version 1.0 protocol.

The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.

About the vulnerabilities

The vulnerabilities that are fixed with this security update are:

  • Windows SMB Remote Code Execution Vulnerability – CVE-2017-0143
  • Windows SMB Remote Code Execution Vulnerability – CVE-2017-0144
  • Windows SMB Remote Code Execution Vulnerability – CVE-2017-0145
  • Windows SMB Remote Code Execution Vulnerability – CVE-2017-0146
  • Windows SMB Information Disclosure Vulnerability – CVE-2017-0147
  • Windows SMB Remote Code Execution Vulnerability – CVE-2017-0148

Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

Affected Operating Systems

All currently supported Windows versions and Windows Server versions are affected.
Both Full installations and Server Core installations are affected.

Note:
Windows Server 2003 is also affected but is no longer supported, so the SMBv1 vulnerabilities above remain unpatched on that version. (After the WannaCry outbreak, Microsoft did ship an out-of-band fix for these unsupported versions in May 2017.)

About the update

The security update addresses the vulnerabilities by correcting how SMBv1 handles these specially crafted requests.

To apply the update, install the update for your Windows or Windows Server version from the table below. Where two numbers are listed, the first is the March 2017 Security Only update and the second the March 2017 Monthly Rollup; either one contains the fix.

  Version                                      Architecture   Update
  Windows Vista with Service Pack 2            x86            KB4012598
  Windows Vista with Service Pack 2            x64            KB4012598
  Windows Server 2008 with Service Pack 2      x86            KB4012598
  Windows Server 2008 with Service Pack 2      x64            KB4012598
  Windows 7 with Service Pack 1                x86            KB4012212 or KB4012215
  Windows 7 with Service Pack 1                x64            KB4012212 or KB4012215
  Windows Server 2008 R2 with Service Pack 1   x64            KB4012212 or KB4012215
  Windows 8.1                                  x86            KB4012213 or KB4012216
  Windows 8.1                                  x64            KB4012213 or KB4012216
  Windows Server 2012                          x64            KB4012214 or KB4012217
  Windows Server 2012 R2                       x64            KB4012213 or KB4012216
  Windows 10                                   x86            KB4012606
  Windows 10                                   x64            KB4012606
  Windows 10 version 1511                      x86            KB4013198
  Windows 10 version 1511                      x64            KB4013198
  Windows 10 version 1607                      x86            KB4013429
  Windows 10 version 1607                      x64            KB4013429
  Windows Server 2016                          x64            KB4013429
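The table above is easy to check by hand on one host and tedious on a fleet. The script below, an added example that is not code from the page, from Tenable or from the blog's author, maps the running OS version to the KB numbers listed above and reports whether one of them, or a later update that may supersede it, is installed. It assumes an elevated Windows PowerShell 3.0 or later session on the host being checked, and that Get-HotFix (Win32_QuickFixEngineering) lists the updates applied through Windows Update or WSUS; the function and variable names are the example's own.

```powershell
# Added example: map this host's OS version to the MS17-010 KB numbers in the
# table above and report whether one of them is installed.

# KB numbers from the table, keyed by the Win32_OperatingSystem version string
# (major.minor, or major.minor.build for Windows 10 / Server 2016).
$Ms17010Updates = @{
    '6.0'        = @('KB4012598')               # Vista SP2, Server 2008 SP2
    '6.1'        = @('KB4012212', 'KB4012215')  # 7 SP1, Server 2008 R2 SP1
    '6.2'        = @('KB4012214', 'KB4012217')  # Server 2012
    '6.3'        = @('KB4012213', 'KB4012216')  # 8.1, Server 2012 R2
    '10.0.10240' = @('KB4012606')               # Windows 10 (1507)
    '10.0.10586' = @('KB4013198')               # Windows 10 1511
    '10.0.14393' = @('KB4013429')               # Windows 10 1607, Server 2016
}
$Ms17010ReleaseDate = [datetime]'2017-03-14'

function Get-Ms17010PatchState {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $v   = [version]$os.Version               # e.g. 6.1.7601 or 10.0.14393
    $key = if ($v.Major -ge 10) { '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build }
           else                 { '{0}.{1}'     -f $v.Major, $v.Minor }

    $hotfixes = Get-HotFix
    $expected = $Ms17010Updates[$key]
    $found    = @($hotfixes | Where-Object { $expected -contains $_.HotFixID })

    # Updates installed after the MS17-010 release: on Windows 10 and on the
    # Monthly Rollup train they supersede the March update, so their presence
    # is a hint that the fix is in place, not proof.
    $later = @($hotfixes | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -gt $Ms17010ReleaseDate
    })

    $status = if (-not $expected)   { 'Unknown' }
              elseif ($found.Count) { 'Patched' }
              elseif ($later.Count) { 'PossiblySuperseded' }
              else                  { 'Missing' }

    $note = switch ($status) {
        'Unknown'            { 'OS version is not in the March 2017 table: unsupported, or a Windows 10 release after 1607 that shipped with the fix.' }
        'PossiblySuperseded' { 'None of the listed KBs is present but later updates are; confirm with the scanner or the srv.sys file version.' }
        'Missing'            { 'No MS17-010 update and nothing newer: treat the host as vulnerable.' }
        default              { '' }
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OS           = '{0} ({1})' -f $os.Caption, $os.Version
        Status       = $status
        Expected     = $expected -join ', '
        Found        = ($found | ForEach-Object HotFixID) -join ', '
        LaterUpdates = ($later | ForEach-Object HotFixID) -join ', '
        Note         = $note
    }
}

Get-Ms17010PatchState | Format-List
```

Run it through Invoke-Command against a list of servers to get one object per host. Treat "Patched" as the only answer that needs no follow-up: "PossiblySuperseded" still wants confirmation from the uncredentialed plugin above or from the srv.sys version, because Get-HotFix lists the updates the servicing stack recorded, not what code is actually loaded.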

Call to action

I urge you to install the necessary security updates on Windows Server installations running as Active Directory Domain Controllers in a test environment as soon as possible, assess the risk and the possible impact on your production environment, and then roll the update out to the Domain Controllers in production.

Disabling SMBv1 on these systems is the recommended action for the longer run.
Microsoft Knowledge Base article 2696547 describes how to disable SMBv1 on supported Windows and Windows Server versions; it also describes an auditing-only mode for assessing the impact before SMBv1 is actually disabled.
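The audit-then-disable sequence from KB 2696547, as an added example that is not code from the page, from that KB article or from the blog's author. It assumes an elevated PowerShell session on the host; that the SMB server cmdlets (Get-/Set-SmbServerConfiguration) exist on Windows 8 / Server 2012 and later; that the -AuditSmb1Access switch and the Microsoft-Windows-SMBServer/Audit log (event 3000 per SMBv1 access) exist on Windows 10 / Server 2016 and later; that Windows 7 / Server 2008 R2 are handled through the LanmanServer registry value and need a reboot afterwards; and that the audit event text contains "Client Address:". The function names are the example's own.

```powershell
# Added example: audit SMBv1 use, summarise the clients that still need it,
# then disable the SMBv1 server with the methods KB 2696547 documents.

$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$HaveSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Get-Smb1ServerState {
    # $true when the SMBv1 server side is enabled on this host.
    if ($HaveSmbCmdlets) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: the SMB1 value does not exist by default, and
    # "absent" means enabled, so only an explicit 0 counts as disabled.
    $smb1 = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $smb1 -or $smb1 -ne 0)
}

function Enable-Smb1Audit {
    # Auditing-only mode: SMBv1 stays on, but every SMBv1 connection is logged,
    # so you can see who still depends on it before turning it off.
    $cmd = Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Parameters.ContainsKey('AuditSmb1Access')) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    } else {
        Write-Warning 'SMBv1 auditing is not available on this Windows version.'
    }
}

function Get-Smb1Clients {
    param([int]$Days = 7)
    # Summarise the audit events by client address. Assumption: the event text
    # contains "Client Address: <ip>"; if it does not, the whole message is used.
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { $_.Message }
        } |
        Group-Object -NoElement | Sort-Object Count -Descending
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($HaveSmbCmdlets) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server (Set-SmbServerConfiguration)')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }
    elseif ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $LanmanParams\SMB1 = 0")) {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Warning 'The SMBv1 server stays active until the host is rebooted.'
    }
}

# Typical sequence: audit for a while, review, then disable.
"SMBv1 server enabled before: $(Get-Smb1ServerState)"
Enable-Smb1Audit
Get-Smb1Clients -Days 7 | Format-Table -AutoSize
Disable-Smb1Server -WhatIf          # drop -WhatIf once the audit log is clean
"SMBv1 server enabled after:  $(Get-Smb1ServerState)"
```

Two caveats worth keeping in mind. Disabling the server side leaves the vulnerable driver on disk, so the update is still required; to remove the component as well, KB 2696547 points to Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on clients and Uninstall-WindowsFeature FS-SMB1 on Server 2012 R2 and later. And once SMBv1 is off, the uncredentialed plugin above exits without a finding (it stops when SMB/SMBv1_is_supported is not set), which hides the result rather than proving the host is patched.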

  • Question

  • kb4013389 (ms17-010) is not visible through WSUS. How can this update be installed? Through WSUS

Answers

  • https://technet.microsoft.com/en-us/library/security/ms17-010.aspx here is the security bulletin in question.

    In WSUS, for March 2017 there is only ms17-080 (and that update is listed under a different number).

    Look at the article your link refers to: under this update, each OS has its own update with its own number.


    The opinion expressed by me is not an official position of Microsoft

    • Edited 9 July 2017, 09:59

    • Marked as answer by Petko Krushev, Microsoft contingent staff, Moderator, 18 July 2017, 09:40
