3

Why is the EternalBlue exploit so successful when ASLR is likely enabled on modern machines? I may be wrong, as I'm not familiar with Windows internals. I can't find any explanation on this, including this. Any links would be much appreciated.

Thanks.

gigasai
    Apparently Eternal Blue contained a bypass for ASLR; this is outside my area, but there's a fairly extensive description in this PDF report published by Risk Sense: https://risksense.com/download/datasets/4353/EternalBlue_RiskSense%20Exploit%20Analysis%20and%20Port%20to%20Microsoft%20Windows%2010_v1_2.pdf – iainpb Jun 14 '17 at 10:19

3 Answers

4

RoRaZ and 40F4 made some really good points.

Another thing is that, especially in the health or finance sector, or in any enterprise that needs to use software specially crafted for its exquisite usage, it sometimes might not be possible to update the operating system without causing bugs in essential and expensive software that cannot easily be replaced. Hospitals especially work a lot with rather old Windows versions, making them highly vulnerable. The next thing is, it's not only the desktop systems; any (e.g. medical) device can build on an operating system like Windows, and from what I learned those hardly ever receive any updates.

Just because there are fixes, that doesn't mean that fixes are an easy option for everyone. The private user will not be concerned by this problem, but the private user is rather seldom the target group for exploits like EternalBlue.

Addition:

0xffffffffffd00000 is the virtual address for 64-bit systems; if it is 32-bit, then it is just 0xffd00000.

kaiya
3

From the Risk Sense PDF (opens a PDF):

3.6.2 DEP Bypass
Starting sometime in Microsoft Windows 8/8.1 (Server 2012), the HAL Heap became non-executable. A virtual memory Page Table Entry (PTE) contains information about a memory location, such as base physical addresses, CPU ring mode, a dirty bit, and starting with the introduction of hardware-enforced DEP, a No eXecute (NX) bit at offset 63. If the NX bit is set and we attempt to move the instruction pointer to the page, a kernel panic will prevent the exploitation.

In general, bypasses for ASLR rely on finding a known address. ASLR is generally a one-time randomization on startup for kernel/system processes. So if you can find the address of a point (structure, function, DLL, etc.), then you can calculate the offsets to the others that you care about.

I'm not a SME on ASLR, but that's the high level view.

RoraΖ
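As an added illustration (example code written for this page, not from RoraΖ's answer or the RiskSense report), the following Python decodes the fields of an x86-64 page-table entry that the quoted DEP-bypass paragraph lists: the present bit, read/write, user/supervisor (the "CPU ring mode"), dirty, the physical frame base, and the NX bit at position 63. The bit layout is the architectural 4 KiB-page PTE layout from the Intel SDM; the sample PTE values are constructed and do not come from any Windows memory dump.

```python
# Added example, not from the answer or the RiskSense report.
# x86-64 4 KiB page-table-entry bit layout (Intel SDM / AMD APM):
PTE_PRESENT  = 1 << 0    # P: page is mapped
PTE_WRITABLE = 1 << 1    # R/W: 1 = writable
PTE_USER     = 1 << 2    # U/S: 1 = user mode may access, 0 = supervisor (ring 0) only
PTE_ACCESSED = 1 << 5    # A: page has been read
PTE_DIRTY    = 1 << 6    # D: page has been written
PTE_NX       = 1 << 63   # XD/NX: no execute (honoured once EFER.NXE is set)
PTE_PFN_MASK = ((1 << 52) - 1) & ~0xFFF   # bits 12..51: physical frame base


def decode_pte(pte: int) -> dict:
    """Split a raw 64-bit PTE into the fields the quoted passage mentions."""
    if not 0 <= pte < (1 << 64):
        raise ValueError("PTE must be an unsigned 64-bit value")
    return {
        "present": bool(pte & PTE_PRESENT),
        "writable": bool(pte & PTE_WRITABLE),
        "user_accessible": bool(pte & PTE_USER),   # False = kernel (ring 0) only
        "dirty": bool(pte & PTE_DIRTY),
        "physical_base": pte & PTE_PFN_MASK,
        "no_execute": bool(pte & PTE_NX),
    }


def may_execute(pte: int) -> bool:
    """Instruction fetch succeeds only from a present page with NX clear.
    Any other fetch raises a page fault; in kernel mode that is a bug check,
    which is the 'kernel panic' the report refers to."""
    return bool(pte & PTE_PRESENT) and not (pte & PTE_NX)


# Constructed sample entries (illustrative values, not real Windows PTEs):
# 0x63 = present | writable | accessed | dirty, supervisor-only, NX clear.
HAL_HEAP_PTE_EXECUTABLE = 0x0000000003C00063
# Same frame, but with bit 63 set as on Windows 8+ where the HAL heap is non-executable.
HAL_HEAP_PTE_NX = HAL_HEAP_PTE_EXECUTABLE | PTE_NX

if __name__ == "__main__":
    for label, pte in (("executable", HAL_HEAP_PTE_EXECUTABLE), ("NX set", HAL_HEAP_PTE_NX)):
        fields = decode_pte(pte)
        print(f"{label:>11}: {pte:#018x} base={fields['physical_base']:#x} "
              f"ring0-only={not fields['user_accessible']} exec={may_execute(pte)}")
```

The two constructed entries differ only in bit 63: the first describes a page that a control-flow hijack could jump into, the second the same page after the heap became non-executable, which is why the report treats DEP as a separate obstacle from ASLR.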
3

From RiskSense P.19:

The ASLR bypass of the original EternalBlue exploit exploits the weakness that the HAL Heap (used by the Hardware Abstraction Layer) was statically located at 0xffffffffffd00000 until Microsoft Windows 10 Redstone 2 (April 2017).

Such a region with a fixed offset is enough to bypass ASLR.

40F4
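To make concrete why a region at a fixed address defeats ASLR (RoraΖ's point that one known address is enough, and 40F4's point about the static HAL heap), here is an added Python example, not code from either answer or from the RiskSense report. It audits constructed per-boot base-address samples and reports the regions that never move, and it shows the sign-extension relationship between the 32-bit and 64-bit values in kaiya's addition. All sample addresses are made up for illustration; only the HAL heap address itself is the one quoted on this page.

```python
# Added example, not from the answers or the RiskSense report.
# Constructed base addresses of kernel regions as they might be observed on
# three reboots of a pre-Redstone-2 system: the randomized regions get a new
# base each boot, while the HAL heap sits at the fixed address quoted above.
# These are illustrative values, not real memory dumps.
PRE_RS2_BOOTS = [
    {"ntoskrnl": 0xFFFFF80012A00000, "hal": 0xFFFFF80013000000, "hal_heap": 0xFFFFFFFFFFD00000},
    {"ntoskrnl": 0xFFFFF8004B200000, "hal": 0xFFFFF8004B800000, "hal_heap": 0xFFFFFFFFFFD00000},
    {"ntoskrnl": 0xFFFFF80077C00000, "hal": 0xFFFFF80078200000, "hal_heap": 0xFFFFFFFFFFD00000},
]

# Constructed samples for a system on which the HAL heap is randomized as well.
RANDOMIZED_BOOTS = [
    {"ntoskrnl": 0xFFFFF80012A00000, "hal": 0xFFFFF80013000000, "hal_heap": 0xFFFFF7A340000000},
    {"ntoskrnl": 0xFFFFF8004B200000, "hal": 0xFFFFF8004B800000, "hal_heap": 0xFFFFF7B8C0000000},
    {"ntoskrnl": 0xFFFFF80077C00000, "hal": 0xFFFFF80078200000, "hal_heap": 0xFFFFF79520000000},
]


def find_static_regions(boots):
    """Names of regions whose base is identical in every sampled boot: the
    regions that boot-time randomization never moved, and that therefore
    need no information leak to be addressed."""
    if not boots:
        return set()
    names = set(boots[0])
    return {n for n in names if len({b[n] for b in boots}) == 1}


def address_from_known(known_address, known_offset, target_offset):
    """RoraZ's point: ASLR slides a whole module by one per-boot amount, so
    one known symbol address (at a fixed offset inside the module) yields the
    module base, and the base plus any other fixed offset yields that symbol."""
    base = known_address - known_offset
    return base + target_offset


def sign_extend_32_to_64(addr32):
    """Canonical sign extension of a 32-bit kernel address: 0xffd00000 becomes
    0xffffffffffd00000, the relation between the two values in kaiya's addition."""
    if not 0 <= addr32 < (1 << 32):
        raise ValueError("expected a 32-bit address")
    return addr32 | (0xFFFFFFFF << 32) if addr32 & 0x80000000 else addr32


if __name__ == "__main__":
    print("never moves (pre-RS2 samples):", find_static_regions(PRE_RS2_BOOTS))
    print("never moves (randomized samples):", find_static_regions(RANDOMIZED_BOOTS))
    print("sign-extended 0xffd00000:", hex(sign_extend_32_to_64(0xFFD00000)))
```

Run against the pre-RS2 samples the audit names only the HAL heap; against the randomized samples it names nothing, which is the defensive effect of the Redstone 2 change the answer mentions. The same comparison across real reboots (kernel module bases from a debugger or crash dump) is a quick way to check whether a build still carries a non-randomized region.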