Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

EternalSynergy-Based Exploit Targets Recent Windows Versions

A security researcher has devised an EternalSynergy-based exploit that can compromise versions of Windows newer than Windows 8.

A security researcher has devised an EternalSynergy-based exploit that can compromise versions of Windows newer than Windows 8.

EternalSynergy is one of several exploits allegedly stolen by the hacker group calling themselves the Shadow Brokers from the National Security Agency (NSA)-linked Equation Group. The exploit was made public in April along with several other hacking tools, one month after Microsoft released patches for them.

In May, a security researcher included EternalSynergy and six other NSA-linked hacking tools (EternalBlue, EternalChampion, EternalRomance, DoublePulsar, Architouch, and Smbtouch) in a network worm called EternalRocks. The tool was pulled weeks later to prevent abuse.

Security researcher Worawit Wang has now made public an EternalSynergy-derived exploit that also leverages EternalRomance and can be used on a wider range of Windows versions.

Available on both GitHub and ExploitDB, the tool targets 64-bit versions of Windows 2016, Windows 2012 R2, Windows 8.1, Windows 2008 R2 SP1, and Windows 7 SP1, as well as the 32-bit versions of Windows 8.1 and Windows 7 SP1.

Security researcher Sheila A. Berta, who is part of Telefonica’s Eleven Paths security unit, has published a paper (PDF) on how to exploit Wang’s tool to get a Meterpreter session on Windows Server 2016.

EternalSynergy is based on the CVE-2017-0143 vulnerability, which “stems from not taking the command type of an SMB message into account when determining if the message is part of a transaction,” Microsoft reveals. “In other words, as long as the SMB header UID, PID, TID and OtherInfo fields match the corresponding transaction fields, the message would be considered to be part of that transaction.”

According to Microsoft, EternalSynergy should not work on Windows iterations newer than Windows 8, due to kernel security improvements such as Hypervisor-enforced Code Integrity (HVCI), which prevents unsigned kernel pages from being executed, and Control Flow Guard (CFG), designed to prevent invalid indirect function calls.

The exploit is expected to crash on unsupported operating system releases, but Wang managed to create a stable tool that targets Windows XP and newer versions, except Windows 10. Given a patch is already available from Microsoft, impacted users should consider applying it as soon as possible.

EternalSynergy is only one of the NSA-linked exploits to have caught researchers’ attention over the past several months. EternalBlue might be the most discussed such tool, after it has been abused in global attacks by ransomware such as WannaCry, the UIWIX ransomware, Adylkuzz botnet, and a stealth Remote Access Trojan.

Last month’s destructive NotPetya wiper also used EternalBlue to spread within compromised networks, along with the EternalRomance exploit and various other tools. 

Related: Microsoft: Latest ‘Shadow Brokers’ Exploits Already Patched

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.