Solved: Why in-the-wild Bluekeep exploits are causing patched machines to crash, Ars Technica

        

Recent in-the-wild attacks on thecritical Bluekeep vulnerability in many versions of Windowsaren’t just affecting unpatched machines. It turns out the exploits — which repurpose theSeptember release from the Metasploit framework– are also causing many patched machines to crash.

Late last week, Windows users learned why: aseparate patch Microsoft released (months ago) for theMeltdown vulnerability in Intel CPUs. Word of the crashes first emerged five days ago, when researcher Kevin Beaumont discovered a malicious, in-the-wild Bluekeep exploitcaused one of his honeypots to crash four times overnight. Metasploit developer Sean Dillon initially blamed the crashes on “mystical reptilian forces that control everything.” Then he read aTwitter postfrom researcher Worawit Wang:

From call stack, seems target has kva shadow patch. Original eternalblue kernel shellcode cannot be used on kva shadow patch target. So the exploit failed while running kernel shellcode

– Worawit Wang (@sleepya_)November 4, 2019

In apost published on Thursday, Dillon wrote:

Turns out my BlueKeep development labs didn’t have the Meltdown patch, yet out in the wild it’s probably the most common case.

tl; dr: Side effects of the Meltdown patch inadvertently breaks the syscall hooking kernel payloads used in exploits such as EternalBlue and BlueKeep. Here is a horribly hacky way to get around it … but: it pops system shells so you can run Mimikatz, and after all isn’t that what it’s all about?

Recursive loop

Dillon’s post offers a deep-dive explanation for why his exploit didn’t work on machines that installed the Meltdown patch, which Microsoft called KVA Shadow, short for Kernel Virtual Address Shadow. In short, the mitigation worked by isolating virtual memory page tables of user-mode threads from kernel memory. The exception is a small subset of kernel code and structures, which must be exposed enough to swap kernel page tables when carrying out trap exceptions, syscalls, and similar functions. The shellcode spawned by Dillon’s Bluekeep exploit wasn’t part of the KVA Shadow code, so user mode couldn’t react with the Shadow Code. As a result, the kernel got stuck in a recursive loop until the system finally crashed.

Dillon has sincerewritten the exploit code. He expects the fix to be integrated into the official Metasploit Bluekeep module soon.

The crashes came to light after attackers started exploiting Bluekeep in an attempt to install cryptocurrency miners on unpatched machines. The exploits don’t spread from computer to computer with no user interaction, and as noted, they also caused many machines to crash, causing many people to discount the potential severity of the Bluekeep vulnerability. Microsoft researchers, however,warned last weekthat they “cannot discount enhancements that will likely result in more effective attacks.” They also said that “the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners. ”

Meanwhile, Marcus Hutchins, the security researcher who also goes by the handle MalwareTech,made a compelling casethat Bluekeep exploits have the potential to be severe even if they don’t spread as a worm from computer to computer without user interaction in the way theWannaCryandNotPetyaoutbreaks did.

Internal pivot

WannaCry and NotPetya exploited the server message block protocol, which was enabled in many desktop computers. Bluekeep, by contrast, exploits Windows ’Remote Desktop Services, which is usually turned on only on servers.

“A worm would not only attract a lot of attention, but be technically challenging due to the limitations of BlueKeep,” Hutchinswrote. That hardly means Bluekeep doesn’t have the potential to do significant damage. Because servers typically act as domain administrators, network management tools, or share the same local administrator credentials with other network machines, they have the ability to control much of the network.

“By compromising a network server, it is almost always extremely easy to use automated tooling to pivot internally (Ex: have the server drop ransomware to every system on the network), ”Hutchinsexplained.

Bluekeep affects Windows 7, Windows Server 2008 R2 , and Windows Server 2008. Patches for those versions are availablehere. Because of its severity, Microsoft hasmade patches availablefor Windows XP, Vista, and Server 2003, which are no longer supported. People or organizations that have yet to patch should do so as soon as possible.