Recent in-the-wild attacks on the critical BlueKeep vulnerability in many versions of Windows aren't just affecting unpatched machines. It turns out the exploits—which repurpose the September release from the Metasploit framework—are also causing many patched machines to crash.
Late last week, Windows users learned why: a separate patch Microsoft released 20 months ago for the Meltdown vulnerability in Intel CPUs. Word of the crashes first emerged five days ago, when researcher Kevin Beaumont discovered a malicious, in-the-wild Bluekeep exploit caused one of his honeypots to crash four times overnight. Metasploit developer Sean Dillon initially blamed the crashes on “mystical reptilian forces that control everything.” Then he read a Twitter post from researcher Worawit Wang:
From call stack, seems target has kva shadow patch. Original eternalblue kernel shellcode cannot be used on kva shadow patch target. So the exploit failed while running kernel shellcode
— Worawit Wang (@sleepya_) November 4, 2019
In a post published on Thursday, Dillon wrote:
Turns out my BlueKeep development labs didn't have the Meltdown patch, yet out in the wild it's probably the most common case.
tl;dr: Side effects of the Meltdown patch inadvertently break the syscall hooking kernel payloads used in exploits such as EternalBlue and BlueKeep. Here is a horribly hacky way to get around it… but: it pops system shells so you can run Mimikatz, and after all isn't that what it's all about?
Recursive loop
Dillon's post offers a deep-dive explanation for why his exploit didn't work on machines that installed the Meltdown patch, which Microsoft called KVA Shadow, short for Kernel Virtual Address Shadow. In short, the mitigation works by isolating the virtual memory page tables of user-mode threads from kernel memory. The exception is a small subset of kernel code and structures, which must remain exposed so the kernel can swap page tables when handling trap exceptions, syscalls, and similar transitions. The shellcode spawned by Dillon's BlueKeep exploit wasn't part of that KVA Shadow code, so user mode couldn't interact with the shadowed kernel code. As a result, the kernel got stuck in a recursive loop until the system finally crashed.
Dillon has since rewritten the exploit code. He expects the fix to be integrated into the official Metasploit Bluekeep module soon.
The crashes came to light after attackers started exploiting BlueKeep in an attempt to install cryptocurrency miners on unpatched machines. The exploits don't spread from computer to computer without user interaction, and, as noted, they also caused many machines to crash, leading many people to discount the potential severity of the BlueKeep vulnerability. Microsoft researchers, however, warned last week that they “cannot discount enhancements that will likely result in more effective attacks.” They also said that “the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.”
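The crash bursts described above (Beaumont's honeypot going down four times overnight) are themselves a defender-side signal. As an added example that is not from the article, Metasploit or Microsoft, the script below flags hosts whose System log shows repeated kernel crashes (Event 1001, source BugCheck), each shortly after an inbound RDP TCP connection (RdpCoreTS Event 131). The pipe-delimited export format and the sample lines are constructed for this example.

```python
"""Flag hosts with repeated kernel crashes that each follow an inbound RDP
connection. Sample log and the "ts|host|event_id|source" layout are
constructed for this example; they are not a real Windows event export."""
from collections import defaultdict
from datetime import datetime, timedelta

RDPCORE = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS"

# Constructed sample: one RDP-exposed honeypot crashing repeatedly overnight,
# a file server with an unrelated single crash, and a workstation with RDP
# traffic but no crash.
SAMPLE_LOG = f"""\
2019-11-02T22:10:05|rdp-honeypot-1|131|{RDPCORE}
2019-11-02T22:11:40|rdp-honeypot-1|1001|BugCheck
2019-11-03T00:30:12|rdp-honeypot-1|131|{RDPCORE}
2019-11-03T00:31:02|rdp-honeypot-1|1001|BugCheck
2019-11-03T02:05:55|rdp-honeypot-1|131|{RDPCORE}
2019-11-03T02:06:30|rdp-honeypot-1|1001|BugCheck
2019-11-03T04:12:00|rdp-honeypot-1|1001|BugCheck
2019-11-03T03:00:00|fileserver-2|1001|BugCheck
2019-11-03T09:00:00|workstation-7|131|{RDPCORE}
"""


def parse(text):
    """Parse export lines into sorted (timestamp, host, event_id, source)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, eid, source = line.split("|")
        events.append((datetime.fromisoformat(ts), host, int(eid), source))
    return sorted(events)


def suspicious_hosts(text, min_crashes=2, lookback=timedelta(minutes=5),
                     span=timedelta(hours=12)):
    """Return {host: n} for hosts with >= min_crashes BugCheck events inside
    one `span` window, where each crash had an RDP accept within `lookback`."""
    rdp, crashes = defaultdict(list), defaultdict(list)
    for ts, host, eid, source in parse(text):
        if eid == 131 and source == RDPCORE:
            rdp[host].append(ts)
        elif eid == 1001 and source == "BugCheck":
            crashes[host].append(ts)
    flagged = {}
    for host, times in crashes.items():
        # Keep only crashes preceded by an RDP connection (pre-auth exposure).
        linked = [c for c in times if any(c - lookback <= r <= c for r in rdp[host])]
        best = max((sum(1 for c in linked if s <= c <= s + span) for s in linked),
                   default=0)
        if best >= min_crashes:
            flagged[host] = best
    return flagged
```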
Meanwhile, Marcus Hutchins, the security researcher who also goes by the handle MalwareTech, made a compelling case that BlueKeep exploits have the potential to be severe even if they don't spread as a worm from computer to computer without user interaction in the way the