Double Pulsar Infection Detect

2017-04-1800:00:00

plugins.openvas.org

352

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.971 High

EPSS

Percentile

99.8%

JSON

This host is vulnerable to

# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.810698");
  script_version("2023-07-14T16:09:27+0000");
  script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
  script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
  script_cve_id("CVE-2017-0146", "CVE-2017-0147");
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2023-07-14 16:09:27 +0000 (Fri, 14 Jul 2023)");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2018-06-21 01:29:00 +0000 (Thu, 21 Jun 2018)");
  script_tag(name:"creation_date", value:"2017-04-18 15:25:17 +0530 (Tue, 18 Apr 2017)");
  script_tag(name:"qod_type", value:"remote_active");
  script_name("Double Pulsar Infection Detect");

  script_tag(name:"summary", value:"This host is vulnerable to 'Eternalblue'
  tool attack and is prone to remote code-execution vulnerability.");

  script_tag(name:"vuldetect", value:"Send an SMB trans2 session setup request
  and check for presence of Multiplex ID '0x51' in the response.");

  script_tag(name:"insight", value:"An SMBv1 (Server Message Block 1.0) exploit
  that could trigger a RCE in older versions of Windows dubbed as 'ETERNALBLUE'
  has been discovered in latest dump of NSA Tools. One covert channel, 'double
  pulsar', is designed to particular for systems that are vulnerable to Eternalblue.
  The covert channel uses SMB features that have so far been not used, in
  particular, the 'Trans2' feature.");

  script_tag(name:"impact", value:"Successful exploitation will allow remote
  attackers to execute arbitrary code on the affected system. Failed attacks
  will cause denial of service conditions.");

  script_tag(name:"affected", value:"All Windows Platforms from Windows XP
  through Windows 2012");

  script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");

  script_tag(name:"solution_type", value:"VendorFix");

  script_xref(name:"URL", value:"https://github.com/countercept/doublepulsar-detection-script");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/96707");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/96709");
  script_xref(name:"URL", value:"https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312");
  script_xref(name:"URL", value:"http://blog.binaryedge.io/2017/04/21/doublepulsar");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2017 Greenbone AG");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("gb_smb_version_detect.nasl", "os_detection.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("smb_v1/supported", "Host/runs_windows");
  script_xref(name:"URL", value:"https://technet.microsoft.com/library/security/MS17-010");
  exit(0);
}

include("smb_nt.inc");
include("host_details.inc");

name = kb_smb_name();
smbPort = kb_smb_transport();
if(!name || !smbPort){
  exit(0);
}

soc = open_sock_tcp( smbPort );
if( ! soc ) exit( 0 );

## SMB Negotiate Protocol Request
smb_neg_req = raw_string(0x00, 0x00, 0x00, 0x85, 0xff, 0x53, 0x4d, 0x42,
                         0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xc0,
                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
                         0x00, 0x00, 0x40, 0x00, 0x00, 0x62, 0x00, 0x02,
                         0x50, 0x43, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f,
                         0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52,
                         0x41, 0x4d, 0x20, 0x31, 0x2e, 0x30, 0x00, 0x02,
                         0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e,
                         0x30, 0x00, 0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f,
                         0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
                         0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70,
                         0x73, 0x20, 0x33, 0x2e, 0x31, 0x61, 0x00, 0x02,
                         0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30,
                         0x32, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41,
                         0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54,
                         0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32,
                         0x00);

## SMB Negotiate Protocol Response
send( socket:soc, data:smb_neg_req );
smb_neg_resp = smb_recv( socket:soc );
if(strlen(smb_neg_resp) < 9 || !ord(smb_neg_resp[9])==0)
{
  close( soc );
  exit( 0 );
}


## SMB Session Setup AndX Request,Anonymous User
smb_sess_req = raw_string(0x00, 0x00, 0x00, 0x88, 0xff, 0x53, 0x4d, 0x42,
                          0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0,
                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe,
                          0x00, 0x00, 0x40, 0x00, 0x0d, 0xff, 0x00, 0x88,
                          0x00, 0x04, 0x11, 0x0a, 0x00, 0x00, 0x00, 0x00,
                          0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
                          0x00, 0x00, 0x00, 0xd4, 0x00, 0x00, 0x00, 0x4b,
                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00,
                          0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
                          0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00,
                          0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00,
                          0x32, 0x00, 0x31, 0x00, 0x39, 0x00, 0x35, 0x00,
                          0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00,
                          0x64, 0x00, 0x6f, 0x00, 0x77, 0x00, 0x73, 0x00,
                          0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
                          0x30, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2e, 0x00,
                          0x30, 0x00, 0x00, 0x00);

## Session Setup AndX Response
send( socket:soc, data:smb_sess_req );
smb_sess_resp = smb_recv( socket:soc );
if(strlen(smb_sess_resp) < 9 || !ord(smb_sess_resp[9])==0)
{
  close( soc );
  exit( 0 );
}

##Extract UID from Session Setup AndX Response
if(smb_sess_resp)
{
  uid_low   = ord(smb_sess_resp[32]);
  uid_high  = ord(smb_sess_resp[33]);
  uid   = uid_high * 256;
  uid  += uid_low;
}

## SMB Tree Connect AndX Request, Path: \\xxx.xxx.xxx.xxx\IPC$
smb_tree_resp = smb_tconx( soc:soc, name:name, uid:uid, share:"IPC$" );
if(strlen(smb_tree_resp) < 9 || !ord(smb_tree_resp[9])==0)
{
  close( soc );
  exit( 0 );
}

##Extract Tree ID from SMB Tree Connect Response
if(smb_tree_resp)
{
  tid_low = ord(smb_tree_resp[28] );
  tid_high = ord(smb_tree_resp[29] );
}

## SMB TRANS2 Request
smbtrans2_request = raw_string(0x00, 0x00, 0x00, 0x4e, 0xff, 0x53, 0x4d, 0x42,
                               0x32, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xc0,
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                               0x00, 0x00, 0x00, 0x00) + raw_string(tid_low, tid_high) +
                               raw_string(0xff, 0xfe) +  raw_string(uid_low, uid_high) +
                               raw_string(0x41, 0x00, 0x0f, 0x0c, 0x00, 0x00,
                               0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                               0x00, 0xa6, 0xd9, 0xa4, 0x00, 0x00, 0x00, 0x0c,
                               0x00, 0x42, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x01,
                               0x00, 0x0e, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00,
                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                               0x00, 0x00 );

send( socket:soc, data: smbtrans2_request);

##Trans2 Response, SESSION_SETUP, Error: STATUS_NOT_IMPLEMENTED
smb_trans2_resp = smb_recv( socket:soc );
if(strlen(smb_trans2_resp) < 34)
{
  close( soc );
  exit( 0 );
}

##The intent of this request is to check if the system is already compromised.
##Infected or not, the system will respond with a "Not Implemented" message.
if(smb_trans2_resp && (ord(smb_trans2_resp[9])==2 && ord(smb_trans2_resp[10])==0
                   && ord(smb_trans2_resp[11])==0 && ord(smb_trans2_resp[12])==192))
{
  ##As part of the message, a "Multiplex ID" is returned.
  ##For normal systems it is 65 (0x41) and for infected systems it is 81 (0x51).
  if(ord(smb_trans2_resp[34]) == 81)
  {
    security_message(port:smbPort );
    close(soc);
    exit(0);
  }
}
close(soc);