Live exploits intercepted for CVE-2017-0143
The SonicWall threat research team has intercepted a number of live exploit attacks of the CVE-2017-0143 (MS17-010) in the past few weeks. These exploits triggered a vulnerability on Windows SMB service which improperly handles the Trans command. A successful attack could expose the target host's kernel memory and eventually execute arbitrary code.
In general, the exploits send a SMB transaction command, which is used for communicate with mailslots (one-way inter-process communication) and named pipes. And then followed by a TRANS_PEEK_NMPIPE subcommand to trigger the kernel memory disclosure vulnerability.
The attack network flow can be decribed as followed:
- A Tree Connect request sends from attacker to the server's IPC$.
- After server approved, the attacker requests opening the "lsarpc" file.
- The server will respond with the FID of "lsarpc" file.
- The attacker binds to the file's interface, sends a large request to trigger the vulnerability. And then a TRANS_PEEK_NMPIPE subcommand.
- The vulnerability will be triggered, server responds with the kernel memory contents.
The SonicWall threat research team has developed the following signature to protect our customers from this vulnerability:
- IPS 12849: Windows SMB Remote Code Execution (MS17-010) 6