Another day and another leak. Yes, we are still seeing waves coming from the NSA exploit leak last year. Am I worried? Hell no, because the good thing is that the holes are getting detected and we can fix them! The other good thing is that people pay more attention because the word ‘NSA’ is in it and might read the article, which is exactly why I wrote it: to make people aware of the current situation.
A security researcher has made three leaked NSA exploits work on all versions of Windows from Windows 2000 up to the latest Windows 10 versions. These exploits were leaked last year by The Shadow Brokers, the same group that leaked the notorious EternalBlue exploit used to power the biggest online ransomware campaign this industry has seen so far. The three exploits in question are EternalChampion, EternalRomance and EternalSynergy, all of which were leaked by TSB in April last year. One security researcher has now worked on the source code to make all of these run on all Windows versions released in the last two decades “for the purposes of academic research and for the development of effective defensive techniques”.
Source Code and Protection
The source code is available on GitHub. From my tests, Windows Defender is already aware of it and blocks the attack via its network scanning module; as long as you set UAC to high and enable SmartScreen protection, the additional payload can’t be loaded or executed. SMB runs over the following ports and transports:
- TCP: 445
- UDP: 137, 138 & TCP: 137, 139 (NetBIOS over TCP/IP)
- Several legacy protocols such as NBF and IPX/SPX
Disabling Windows Script Host
This will stop the payload from being loaded or executed. The original article can be found here. Open the Registry Editor and navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
In the right panel, you will see Enabled. If the value is 0, Windows Script Host access is disabled on your Windows machine.
Double-click it and set the Value data to 1 to enable it.
- A value of 1 will enable Windows Script Host.
- A value of 0 will disable Windows Script Host.
Click OK and exit the Registry Editor. If you don’t see this entry, you may need to create it, as it does not exist by default in Windows.
The exploit is dangerous and can be abused; I’m sure that right as I wrote this article, someone tried to abuse it for evil reasons. But as long as your NAT and Windows’ own mechanisms are set to the highest settings, you should be secure. Sadly, these days there are fewer pages which really show you what you should do to avoid such things. Blocking the SMB protocol with the Windows firewall still seems enough for most people unless you really work with SMB, but you should consider switching to more secure alternatives.
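To make the two mitigations above repeatable, here is an added PowerShell example (my own, not from the article or the GitHub project) that audits and sets the Windows Script Host Enabled value and adds inbound Windows firewall block rules for the SMB and NetBIOS-over-TCP/IP ports listed earlier. The rule display names are my own choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: audit and apply the two mitigations
# the article describes, the WSH "Enabled" registry value and inbound block rules for
# the SMB / NetBIOS-over-TCP/IP ports it lists. Rule display names are assumptions.

$WshKey = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns 'Enabled', 'Disabled' or 'NotSet' (an absent value means WSH is enabled by default)
    $v = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v) { return 'NotSet' }
    if ($v -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Disable-Wsh {
    # Creates the key and the DWORD value when missing, since they do not exist by default
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    New-ItemProperty -Path $WshKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

# Ports from the article: SMB direct (TCP 445) and NetBIOS over TCP/IP (UDP 137,138; TCP 137,139)
$SmbBlockRules = @(
    @{ Name = 'Block inbound SMB (TCP 445)';         Protocol = 'TCP'; Port = '445' },
    @{ Name = 'Block inbound NetBIOS (TCP 137,139)'; Protocol = 'TCP'; Port = '137','139' },
    @{ Name = 'Block inbound NetBIOS (UDP 137,138)'; Protocol = 'UDP'; Port = '137','138' }
)

function Add-SmbBlockRule {
    # Idempotent: only creates a rule when none with that display name exists yet
    param([hashtable]$Rule)
    if (Get-NetFirewallRule -DisplayName $Rule.Name -ErrorAction SilentlyContinue) {
        return "exists:  $($Rule.Name)"
    }
    New-NetFirewallRule -DisplayName $Rule.Name -Direction Inbound -Action Block `
        -Protocol $Rule.Protocol -LocalPort $Rule.Port -Profile Any | Out-Null
    return "created: $($Rule.Name)"
}

"WSH before: $(Get-WshState)"
Disable-Wsh
"WSH after:  $(Get-WshState)"
$SmbBlockRules | ForEach-Object { Add-SmbBlockRule -Rule $_ }
```

Run it from an elevated PowerShell session. The block rules stop this host from serving SMB shares, which suits workstations that only consume shares; skip them on file servers.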