EternalChampion is a binary that was disclosed by The Shadow Brokers’ Equation Group in April 2017. The vulnerability is caused by the existence of a race condition between primary transactions which are executing on one thread and secondary transactions executing on separate threads. This modifies the transaction that is being executed. Combined with inadequate validation of some parameters used during this processing, an attacker can utilize this binary to install the Double Pulsar (DOPU) implant bundled in the Fuzzbunch framework.
- SMBTouch is executed (as with other Equation Group tools) to identify usable shares or pipes and to find out if the host is vulnerable.
- DoublePulsar executes an implant ping (the exploit will not continue if already infected), such as Multiplex ID delta between session setup req->resp is 0x0010.
- One Sync Transaction is followed immediately by a number of other miscellaneous transaction requests (spray). The aim of the spray is to create transaction structures in memory around the primary transaction which will be leaked later.
- A secondary transaction triggers a race with the executing sync, resulting in Kernel memory information disclosure. The aim is to get the secondary transaction to modify the executing sync request.
- A sequence of SMB transactions containing the same Stage 1 shellcode is sprayed, followed by one set of transaction(s) containing the user-supplied Stage 2 shellcode once.
- Exploit attempts consisting of Primary Trans2 QueryPathInfo requests are followed by a series of Trans2 secondary requests. The race condition allows stack values of the executing thread to be modified from the secondary transaction.
- SMBv1 must be enabled and exposed (non-firewall).
- Depending on server configuration, existing credentials or anonymous access is required.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.