Exploit Derived From ETERNALSYNERGY Upgraded to Target Newer Windows Versions

Thai security researcher Worawit Wang has put together an exploit based on ETERNALSYNERGY that can also target newer versions of the Windows operating system.

ETERNALSYNERGY is one of the NSA exploits leaked by the Shadow Brokers hacking group in April this year. According to a Microsoft technical analysis, the exploit can allow an attacker to execute code on Windows machines with SMB services exposed to external connections.

The exploit works up to Windows 8. According to Microsoft, the techniques used in the original ETERNALSYNERGY exploit do not work on newer platforms due to several kernel security improvements.

Under the hood, ETERNALSYNERGY leverages a vulnerability in version 1 of the SMB file sharing protocol. The vulnerability is tracked as CVE-2017-0143.

New exploit is different but uses the same vulnerability

Wang says his exploit targets the same vulnerability but uses a different exploitation technique. His method "should never crash a target," the expert says. "Chance should be nearly 0%," Wang adds.

During the WannaCry ransomware outbreak, the ETERNALBLUE exploit mainly infected Windows 7 machines because it crashed on XP computers. A reliable exploit is as important as exploits that work on multiple OS versions.

Furthermore, Wang created his exploit to target newer versions of the Windows operating system. Tests confirmed the exploit worked on:

These are all the supported versions of the Windows OS, except Windows 10.

CVE-2017-0143 can now impact nearly 75% of all Windows PCs

This means that there are now three exploits available for the CVE-2017-0143 vulnerability: ETERNALSYNERGY, ETERNALROMANCE, and Wang's exploit.

An attacker could combine these three exploits to target almost all Windows versions from XP up to Windows Server 2016, except Windows 10. That's about 75% of all the Windows computers available today.

The publication of Wang's exploit is yet another sign of alarm that users should patch their systems with MS17-010 before someone else weaponizes SMB vulnerabilities or extends NSA exploits for new attacks.

The exploit code is available for download from Wang's GitHub or ExploitDB.  Sheila A. Berta‏, a security researcher for Telefonica's Eleven Paths security unit, has published a step-by-step guide on how to use Wang's exploit.

In June, security researchers also extended the ETERNALBLUE exploit to target Windows 10, and it's very likely that other NSA exploits will be expanded to more OS versions as well.

ETERNALBLUE and ETERNALROMANCE were also used for the self-spreading worm component in the NotPetya ransomware outbreak. Additional information on ETERNALROMANCE can be found here and here.

Image credits: Mark S Waterhouse, Bleeping Computer.