/Solved: Why in-the-wild Bluekeep exploits are causing patched machines to crash (via WindowsKernel.com)

Solved: Why in-the-wild Bluekeep exploits are causing patched machines to crash (via WindowsKernel.com)

Share this story

Recent in-the-wild attacks on the aren’t just affecting unpatched machines. It turns out the exploits—which repurpose the —are also causing many patched machines to crash.

Late last week, Windows users learned why: a for the . Word of the crashes first emerged five days ago, when researcher Kevin Beaumont discovered a malicious, in-the-wild Bluekeep exploit . Metasploit developer Sean Dillon initially blamed the crashes on “mystical reptilian forces that control everything.” Then he read a from researcher Worawit Wang:

In a , Dillon wrote:

Turns out my BlueKeep development labs didn‘t have the Meltdown patch, yet out in the wild it‘s probably the most common case.

tl;dr: Side effects of the Meltdown patch inadvertently breaks the syscall hooking kernel payloads used in exploits such as EternalBlue and BlueKeep. Here is a horribly hacky way to get around it… but: it pops system shells so you can run Mimikatz, and after all isn‘t that what it‘s all about?

Recursive loop

Dillon’s post offers a deep-dive explanation for why his exploit didn’t work on machines that installed the Meltdown patch, which Microsoft called KVA Shadow, short for Kernel Virtual Address Shadow. In short, the mitigation worked by isolating virtual memory page tables of user-mode threads from kernel memory. The exception is a small subset of kernel code and structures, which must be exposed enough to swap kernel page tables when carrying out trap exceptions, syscalls, and similar functions. The shellcode spawned by Dillon’s Bluekeep exploit wasn’t part of the KVA Shadow code, so user mode couldn’t react with the Shadow Code. As a result, the kernel got stuck in a recursive loop until the system finally crashed.

Dillon has since . He expects the fix to be integrated into the official Metasploit Bluekeep module soon.

The crashes came to light after attackers started exploiting Bluekeep in an attempt to install cryptocurrency miners on unpatched machines. The exploits don’t spread from computer to computer with no user interaction, and as noted, they also caused many machines to crash, causing many people to discount the potential severity of the Bluekeep vulnerability. Microsoft researchers, however, that they “cannot discount enhancements that will likely result in more effective attacks.” They also said that “the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.”

Meanwhile, Marcus Hutchins, the security researcher who also goes by the handle MalwareTech, that Bluekeep exploits have the potential to be severe even if they don’t spread as a worm from computer to computer without user interaction in the way the and outbreaks did.

Internal pivot

WannaCry and NotPetya exploited the server message block protocol, which was enabled in many desktop computers. Bluekeep, by contrast, exploits Windows’ Remote Desktop Services, which is usually turned on only on servers.

“A worm would not only attract a lot of attention, but be technically challenging due to the limitations of BlueKeep,” Hutchins . That hardly means Bluekeep doesn’t have the potential to do significant damage. Because servers typically act as domain administrators, network management tools, or share the same local administrator credentials with other network machines, they have the ability to control much of the network.

“By compromising a network server, it is almost always extremely easy to use automated tooling to pivot internally (Ex: have the server drop ransomware to every system on the network),” Hutchins .

Bluekeep affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. Patches for those versions are available . Because of its severity, Microsoft has for Windows XP, Vista, and Server 2003, which are no longer supported. People or organizations that have yet to patch should do so as soon as possible.

This is a syndicated post. Read the original post at Source link .