Overview

On October 23, 2017, CrowdStrike® became aware of a new type of ransomware called BadRabbit. The initial infection occurred via a drive-by download masquerading as an Adobe Flash update. Once downloaded, the malware required user interaction in order to execute. After that occured, BadRabbit could self-propagate across a network by using stolen credentials either via a tool based on Mimikatz, reusing an authenticated session, or brute-forcing account credentials to exploit multiple vulnerabilities in Server Message Block (SMB) version 1.

The CrowdStrike Falcon® endpoint protection (EPP) platform provides defense against this variant of ransomware. For Falcon customers, this can be enabled by turning on the prevention features within the product.

This blog provides a technical analysis of the exploits used by BadRabbit. Here are the sample hashes that were analyzed:

Dropper: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

infpub.dat: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

Upon detonation of the malware, the CrowdStrike Security Response Team (SRT) noticed a couple of things: first, attempts to leverage credentials dumped via Mimikatz, and second, an odd SMB network activity that appeared similar to one of the SMBv1 vulnerabilities in MS17-010 when exploited. The team immediately dug into the code to sort out where the network traffic came from, and found the exploit code located directly after one of the brute force routines. From there, we were able to work out the specific vulnerabilities being exploited and how BadRabbit leverages them to spread across a network.

MS17-010 is the Microsoft Security Bulletin released on March 14, 2017 that covers the multiple exploits discovered in the Shadow Brokers’ dump. In that dump, there was a tool called Fuzzbunch that contained several binaries (EternalRomance, EternalBlue, etc). Each of these binaries exploits one or more of the vulnerabilities identified in the security bulletin.

On October 26, 2017, Talos posted an update to its blog indicating that a similar MS17-010 vulnerability was used by EternalRomance to exploit hosts. The blog includes a link to an exploit built by Worawit Wang (_sleepya, on Twitter) that uses two vulnerabilities in MS17-010 to exploit a system via privilege escalation. Although our analysis was complete, we went back and fixed a few incorrect assumptions related to kernel structure offsets using Worawit’s code. (The link is in the resources section at the end of the blog.)

The analysis below explains how this exploit works, and provides concrete values based on our detonation in a Windows 7 SP1 x86 environment.

Technical Analysis

BadRabbit exploits two of the vulnerabilities covered in the MS17-010 security bulletin:

• CVE-2017-0146
  • A race condition using SMB_COM_NT_TRANSACT requests to leak kernel memory
• CVE-2017-0143
  • Allows an out-of-bounds (OOB) write to modify a memory-adjacent data structure

All of the SMB packets are built manually by BadRabbit. The relevant code offsets from the infpub.dat DLL to build, send and receive requests are located at the following addresses:

• 0x10001CA3 – SMB session setup function
• 0x10002191- Named pipe connection function
• 0x100046C7 – Exploit MS17-010 function
• 0x100021DC – Close and disconnect post exploitation function
• 0x10001EB9 – Connect ADMIN$ share
• 0x10002054 – Check for cscc.dat
• 0x10004AB5 – Write BadRabbit malware (infpub.dat)
• 0x1000516B – RPC svcctl service setup function

These addresses should provide context for anyone who wants to follow along with the analysis.

Establishing the SMB Connection

An initial SMB connection attempt is made using the hardcoded username/password combinations within the BadRabbit binary. Any successful SMB authentication will launch into the MS17-010 privilege escalation exploit.

Figure 1: SMB Session Setup

Examining the “Session Setup Response” packet shows that the Administrator login initially failed. However, due to the configuration of this machine, the session was still authenticated as Guest. After the successful authentication an SMB_COM_TREE_CONNECT_ANDX request is made to open a connection to the \\<target address\IPC$ share.

Figure 2: SMB Tree Connect and Connect to Pipe

Once completed, a SMB_COM_NT_CREATE_ANDX request is sent to create a connection to a named pipe on the target. BadRabbit contains a list of potential named pipes; the example used throughout this write-up makes use of “atsvc.” A unique file ID (FID) is assigned to the connection: 0x4000 (16394 in decimal).

Test for Vulnerable Condition

Similar to NotPetya, WannaCry, and Fuzzbunch, BadRabbit tests to determine if the target machine is vulnerable to MS17-010. The test, itself, however, is different from its counterparts in previous attacks. Rather than generate an invalid response from the server, BadRabbit leaks kernel memory and then verifies the leaked data.  

SMBv1 contains a vulnerable race condition triggered by sending an SMB_COM_NT_TRANSACT request, followed immediately by an SMB_COM_NT_TRANSACT_SECONDARY request. This occurs when the MaxBufferSize (set during session setup) is smaller than the size of the response from the target.

In this example, the MaxBufferSize is set to 4356, and the size of the response is established by setting MaxParameterCount to 16188. The SMB_COM_NT_TRANSACT_SECONDARY request indicates the number of bytes to leak by setting DataCount to 276.

Figure 3: SMB Packet, NT Rename Race Condition

These two requests are wrapped into a single packet and fired off to the target. This creates a race condition ultimately leading to a response containing leaked kernel memory. See, Worawit’s Bug 4 and Bug 5 descriptions outlined in the BUG.txt file at this github link.

Figure 4: Leaked Kernel Memory for Test

BadRabbit parses this response to look for the “Frag” and “Free” tags. These two strings are indicators that the information leak was successful and the exploit can continue.

Leaking a Transaction Data Structure

Once it is confirmed the system is vulnerable to MS17-010, a useful information leak can be manufactured, which will contain data for carrying out a privilege escalation exploit. An SMB_COM_TRANSACTION data structure is going to be leaked from kernel memory using the same bug.

Packet Sandwich

In order to leak something useful to manipulate memory, a large packet containing 17 requests is sent from the attacker to the target. Each request contains a different Multiplex ID (MID). A MID is a unique way to identify a single transaction. For the purposes of this analysis the Multiplex IDs that are generated based on the test results are going to be consistently used throughout. Just note that the MID will be different between tests.

• SMB_COM_NT_TRANSACT
• SMB_COM_NT_TRANSACT_SECONDARY
  • This combined with the NT Rename Trans will create the information leak
• SMB_COM_NT_TRANSACT
  • Multiplex ID is the same as the File ID (FID)
  • This transaction is going to be used to write to the adjacent data structure
• SMB_COM_TRANSACTION
  • MID 5377, this transaction is going to be corrupted at a later point via the same bug that is used by EternalRomance
• SMB_COM_TRANSACTION
  • MID 5378, padding
• SMB_COM_TRANSACTION
  • MID 5379, this is the data structure that is going to be leaked
• 9 SMB_COM_TRANSACTIONs
  • MID 5380-5388

In order to properly align page pool memory on the target, all of these requests are sent in a single packet. This ensures that useful data will be leaked. A flurry of responses are received from the target, culminating in a packet that contains the leaked transaction data.

Figure 5: Leaked Kernel Memory that Contains Transaction

Once again, the hex dump contains two tags:  “Frag,” and instead of “Free,” “LStr.” Now the leaked data can be mined for useful information.

Leaked Transaction

The hex dump below contains the leaked SMB_COM_TRANSACTION from above with the extraneous data trimmed. The highlighted bytes “00 08 FF FE 00 08” are the Tree ID, Process ID and User ID for the SMB connection. The Tree ID is a unique identifier that represents an open connection to a share. Process ID is assigned on the client end of the SMB connection and identifies the process on the client that initiated the request. The User ID represents the authenticated connection to the share.

Figure 6: Leaked MID 5379 Transaction

The two bytes, “03 15” that follow the User ID make up the transaction’s Multiplex ID. The value in decimal form is 5379.  Looking back at the “Packet Sandwich” section, MID 5379 is one of the multiple requests inside that packet.

Useful Memory Addresses

A lot of useful data is pulled from the information leak:

• 0x0C – Connection Structure address
  • 0x862579F0
• 0x10 – Session Structure address
  • 0x864CFA58
• 0x14 – TreeConnect address
  • 0x864D3DD8
• 0x18 – _FLINK Address
  • 0x86516050

These memory addresses will be used at a later point in the exploit.

Taking Control of a Transaction

Now BadRabbit needs to take control of a transaction data structure. To do this, it exploits one of the vulnerabilities used by EternalRomance.

Figure 7: Exploiting the Out-of-Bounds Write

The graphic above is a layout of how EternalRomance exploits the vulnerability. BadRabbit does not use a TRANS_READ_NMPIPE request as the initial request, but rather an SMB_COM_NT_TRANSACT request previously seen in the Packet Sandwich section. The MID of this request is set to the same File ID that was assigned earlier by the Nt Create AndX Request in the initialization section. An initial SMB_COM_WRITE_ANDX request is set to raw mode, the MID = 0x4000 (same as the File ID), and the DataLength is set to 512 bytes.

Figure 8: SMB Packet that Overwrites MID of Adjacent Transaction

The subsequent SMB_COM_TRANSACTION_SECONDARY request sets the Data Displacement value to 15880, causing an out-of-bounds write beyond the end of the InData buffer. Here, a single NULL byte is being written to an adjacent data structure in kernel memory. The adjacent structure is an SMB_COM_TRANSACTION data structure with a MID of 5377. Looking back at the Packet Sandwich section, the structures with a MID of 0x4000 and a MID of 5377 are adjacent to each other.

Modifying the Multiplex ID of MID 5377

BadRabbit uses this exploit to change the Multiplex ID of the adjacent transaction data structure. This is similar to EternalRomance, but the difference is that EternalRomance changes the MID to 0, while BadRabbit modifies the least significant byte of the Multiplex ID with 0x00. The hex representation of 5377 is “0x1503.” The “03” byte is what is going to be overwritten with 0x00, changing the MID to 5376.

Figure 9: Overwrites MID of Adjacent Transaction

Once complete, BadRabbit confirms this by sending an NT Trans Rename request to the target with the MID set to 5376. Due to the modification, the server responds with a non-specific error code. The Server Class field is set to 0x012 and the Error Code is set to 0x0001.

Figure 10: SMB Traffic to Test Successful Modification

BadRabbit does a check to ensure the error code is in the response and then continues if it matches. At this point, BadRabbit, can make legitimate SMB requests using MID 5376 to write to other areas of memory.

The Writer Object

More than just the MID of the adjacent transaction can be modified using the method list above. For example, if the pointer to the buffer that receives data (InData Pointer) is modified, it means any subsequent transaction request that sends data and uses MID 5376 will overwrite any data pointed to, no matter what address is at that offset within the transaction data structure.

BadRabbit uses this to modify the MID 5379 data structure that was leaked in a previous section.

Changing the InData Ptr in MID 5376 to point to MID 5379 and Overwrite

Another SMB_COM_TRANSACTION_SECONDARY request where the MID is set to the File ID (FID) is going to be used to modify a pointer in the memory adjacent to the MID 5376 data structure. To do this, the DataDisplacement value is set to 15,824, and the base memory address of the MID 5379 data structure is going to be written to that offset.

Figure 11: Point MID 5376 InData Pointer to MID 5379

Calculating the base address of the MID 5379 Transaction data structure will require revisiting the information leaked that contained that data structure. A variety of pointers are located throughout the data structure. The InDataParameters buffer pointer located at offset 0x40 in the leaked transaction can be used to calculate the base address of the MID 5379 transaction.

Figure 12: Leaked MID 5379 Transaction

This yields a base address of 0x86510038. In Figure 11, the InData pointer of MID 5376 is replaced with this base address. Now the subsequent MID 5376 request can be used to write data to the MID5379 transaction

Figure 13: Overwrite InDataParameters, OutParameters, and InData pointers

Three pointers are being overwritten in the MID 5379 data structure: InDataParameters, OutParameters, and InData. The address 0x8651038 that is used to overwrite the InData pointer for MID 5379, is the location of another transaction that is modified similar to the way the MID 5377 was modified.

Post analysis we came across code written by _sleepya (Worawit) that contains offset for the data structure (listed and linked in the references). Using the identified offsets it breaks down as follows:

• +0x40 – 0x86510038
  • InDataParameters Buffer Pointer
  • Set to the memory location of MID 5379
  • This gives MID 5379 the ability to modify itself using an SMB request that contains parameters
• +0x44 – 0x86510238
  • OutParameters Buffer Pointer
  • MID 5379 + 0x200
• +0x48 – 0x86516038
  • InData Buffer Pointer
  • Offset of next transaction in the list
  • Calculated from the _FLINK pointer (offset 0x18 in the MID 5379 info leak)
    • Address of a linked transaction
  • Used in the next section

Controlling Multiplex ID 5851

The original MID for this transaction is unknown, but it is going to be changed to 5851. This will allow the attacker to use it by referencing MID 5851 in future transaction requests. To accomplish this, an SMB_COM_TRANSACTION_SECONDARY request is made using MID 5379.

Figure 14: SMB Packet Change Unknown Transaction’s MID

It is going to overwrite the MID of the transaction located at 0x86516038 with 5851 (0x16db). The last two bytes of the packet hexdump contain little endian 0x16db. Data Count is set to 2 and Data Displacement is 128, thus, overwriting whatever exists at that offset with 5851.

Figure 15: MID 5379 Request to Change the MID to 5851

This transaction is going to be used to leak the address of a security context structure and then overwrite with values to elevate privileges to System.

Conclusion

As demonstrated, BadRabbit, exploits two of the vulnerabilities identified in MS17-010 to leak information and take control of multiple data structures.The second part of this blog post will cover how the controlled transactions will be leveraged to elevate privileges to System.

Reference

Transaction Data Structure

Part of the following  is created from the code on _sleepya’s (Worawit) github and the rest is derived from analyzing the SrvSmbTransaction function in the SMB Driver (srv.sys). This is based on Windows 7 SP1 x86.

Figure 16: Transaction Data Structure

This transaction is going to be used to leak the address of a security context structure and then overwrite with values to elevate privileges to System.

Resources

Worawit Wang’s Exploit Code

We discovered Worawit’s (_sleepya on Twitter) github after doing the analysis. It was used to fill in incorrect assumptions and gaps (references throughout this article). This exploit code was used to model the exploit used by BadRabbit.

• https://github.com/worawit/MS17-010/blob/20301cc5a96fa367d46d88291637247cc6252488/zzz_exploit.py

Check out the rest of Worawit Wang’s github. It contains a significant amount of analysis on MS17-010 done by Worawit.

Nicolas Joly’s HITCON 2017 Presentation

The following is another good resource we came across after doing the analysis:

• Mitigating the Unkn0wn: When your SMB Exploit Fails

The presentation covers multiple MS17-010 exploits that were leaked by The Shadow Brokers. The EternalSynergy slides match what is going on during BadRabbit’s exploitation of MS17-010.

CrowdStrike Falcon Intelligence

Learn more about the CrowdStrike Falcon Intelligence™ offerings, and read the white paper, “Threat Intelligence, Cybersecurity’s Best Kept Secret.”

The post BadRabbit MS17-010 Exploitation Part One: Leak and Control appeared first on .

Article Link: https://www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control/