A security expert has presented an EternalSynergy-based exploit that is capable of compromising Windows versions newer than Windows 8.
EternalSynergy is among the exploits that the Shadow Brokers hacker group stole from the National Security Agency (NSA)-linked Equation Group. The exploit, together with several other hacking tools, first surfaced in April, only a month after Microsoft had released patches for them.
In May, the EternalSynergy exploit, alongside six other NSA-linked hacking tools (ArchiTouch, DoublePulsar, SMBTouch, EternalRomance, EternalChampion, and EternalBlue), was included in the EternalRocks network worm. Just a few weeks later, the tool was pulled to prevent abuse.
Recently, the researcher Worawit Wang announced an EternalSynergy-derived exploit that also leverages EternalRomance and can be used against a wider range of Windows versions.
The tool is available on ExploitDB and GitHub. It targets the 64-bit versions of Windows 2016, Windows 2012 R2, Windows 8.1, Windows 2008 R2 SP1, and Windows 7 SP1, as well as the 32-bit versions of Windows 7 SP1 and Windows 8.1.
The security expert Sheila A. Berta has recently published a paper on how to use Wang's tool to obtain a Meterpreter session on Windows Server 2016.
According to Microsoft, the EternalSynergy exploit is based on the CVE-2017-0143 vulnerability, which “stems from not taking the command type of an SMB message into account when determining if the message is part of a transaction.”
“In other words, as long as the SMB header UID, PID, TID and OtherInfo fields match the corresponding transaction fields, the message would be considered to be part of that transaction.”
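As an added illustration, not code from the article or from any of the tools it names: a toy Python model of the transaction-matching rule Microsoft describes, with a detection pass that flags continuation messages the pre-patch rule would accept but a command-aware rule rejects. The SMB command codes are real SMB1 values; the message model, the treatment of OtherInfo as a plain integer and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Real SMB1 command codes: each transaction class has a primary and a secondary (continuation) code.
TX_FAMILY = {0x25: "trans", 0x26: "trans",       # SMB_COM_TRANSACTION / _SECONDARY
             0x32: "trans2", 0x33: "trans2",     # SMB_COM_TRANSACTION2 / _SECONDARY
             0xA0: "nttrans", 0xA1: "nttrans"}   # SMB_COM_NT_TRANSACT / _SECONDARY
SECONDARY = {0x26, 0x33, 0xA1}

@dataclass(frozen=True)
class SmbMessage:
    """Constructed model of the header fields named in Microsoft's description; not an SMB parser."""
    command: int
    uid: int
    pid: int
    tid: int
    other_info: int  # the field the description calls OtherInfo (assumed here to be a plain integer)

TxKey = Tuple[int, int, int, int]
def tx_key(msg: SmbMessage) -> TxKey:
    return (msg.uid, msg.pid, msg.tid, msg.other_info)

def matches_vulnerable(open_tx: Dict[TxKey, str], msg: SmbMessage) -> bool:
    """Pre-patch rule as described: only UID, PID, TID and OtherInfo are compared."""
    return tx_key(msg) in open_tx

def matches_fixed(open_tx: Dict[TxKey, str], msg: SmbMessage) -> bool:
    """Hardened rule: the continuation must also belong to the same transaction class."""
    return tx_key(msg) in open_tx and open_tx[tx_key(msg)] == TX_FAMILY.get(msg.command)

def find_class_mismatches(messages: List[SmbMessage]) -> List[SmbMessage]:
    """Detection pass: record each primary transaction request, then report continuations that
    the vulnerable rule would accept but the fixed rule rejects."""
    open_tx: Dict[TxKey, str] = {}
    flagged: List[SmbMessage] = []
    for msg in messages:
        if msg.command not in TX_FAMILY:
            continue  # not a transaction-style command; outside this check
        if msg.command not in SECONDARY:
            open_tx[tx_key(msg)] = TX_FAMILY[msg.command]
        elif matches_vulnerable(open_tx, msg) and not matches_fixed(open_tx, msg):
            flagged.append(msg)
    return flagged

# Constructed sample: a well-formed Transaction2 exchange, then an NT Transact continuation
# arriving under the header fields of an open plain Transaction.
SAMPLE = [SmbMessage(0x32, uid=1, pid=0xFEFF, tid=2, other_info=40),
          SmbMessage(0x33, uid=1, pid=0xFEFF, tid=2, other_info=40),
          SmbMessage(0x25, uid=1, pid=0xFEFF, tid=2, other_info=41),
          SmbMessage(0xA1, uid=1, pid=0xFEFF, tid=2, other_info=41)]
```

Running `find_class_mismatches(SAMPLE)` returns only the last message: it shares every header field with the open Transaction but belongs to a different transaction class, which is exactly the distinction the pre-patch check did not make.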
Microsoft also claims that, thanks to kernel security improvements such as Hypervisor-enforced Code Integrity (HVCI), EternalSynergy should not work on Windows iterations newer than Windows 8, because HVCI prevents unsigned kernel pages from being executed and Control Flow Guard (CFG) should block invalid indirect function calls.
Although EternalSynergy is expected to crash on unsupported operating system releases, Wang developed a stable tool that targets Windows XP and later versions, excluding Windows 10.
Since Microsoft has just released its new patch, affected users should install it immediately.