Solved: Why in-the-wild Bluekeep exploits are causing patched machines to crash

Recent in-the-wild attacks on the critical Bluekeep vulnerability in many versions of Windows aren’t just affecting unpatched machines. It turns out the exploits—which repurpose the September release from the Metasploit framework—are also causing many patched machines to crash.

Late last week, Windows users learned why: a separate patch Microsoft released 20 months ago for the Meltdown vulnerability in Intel CPUs. Word of the crashes first emerged five days ago, when researcher Kevin Beaumont discovered a malicious, in-the-wild Bluekeep exploit caused one of his honeypots to crash four times overnight. Metasploit developer Sean Dillon initially blamed the crashes on “mystical reptilian forces that control everything.” Then he read a Twitter post from researcher Worawit Wang:

In a post published on Thursday, Dillon wrote:

Turns out my BlueKeep development labs didn’t have the Meltdown patch, yet out in the wild it’s probably the most common case.

tl;dr: Side effects of the Meltdown patch inadvertently breaks the syscall hooking kernel payloads used in exploits such as EternalBlue and BlueKeep. Here is a horribly hacky way to get around it… but: it pops system shells so you can run Mimikatz, and after all isn’t that what it’s all about?

Recursive loop

Dillon’s post offers a deep-dive explanation for why his exploit didn’t work on machines that installed the Meltdown patch, which Microsoft called KVA Shadow, short for Kernel Virtual Address Shadow. In short, the mitigation worked by isolating virtual memory page tables of user-mode threads from kernel memory. The exception is a small subset of kernel code and structures, which must be exposed enough to swap kernel page tables when carrying out trap exceptions, syscalls, and similar functions. The shellcode spawned by Dillon’s Bluekeep exploit wasn’t part of the KVA Shadow code, so user mode couldn’t react with the Shadow Code. As a result, the kernel got stuck in a recursive loop until the system finally crashed.

Dillon has since rewritten the exploit code. He expects the fix to be integrated into the official Metasploit Bluekeep module soon.

The crashes came to light after attackers started exploiting Bluekeep in an attempt to install cryptocurrency miners on unpatched machines. The exploits don’t spread from computer to computer with no user interaction, and as noted, they also caused many machines to crash, causing many people to discount the potential severity of the Bluekeep vulnerability. Microsoft researchers, however, warned last week that they “cannot discount enhancements that will likely result in more effective attacks.” They also said that “the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.”

Meanwhile, Marcus Hutchins, the security researcher who also goes by the handle MalwareTech, made a compelling case that Bluekeep exploits have the potential to be severe even if they don’t spread as a worm from computer to computer without user interaction in the way the WannaCry and NotPetya outbreaks did.

Internal pivot

WannaCry and NotPetya exploited the server message block protocol, which was enabled in many desktop computers. Bluekeep, by contrast, exploits Windows’ Remote Desktop Services, which is usually turned on only on servers.

“A worm would not only attract a lot of attention, but be technically challenging due to the limitations of BlueKeep,” Hutchins wrote. That hardly means Bluekeep doesn’t have the potential to do significant damage. Because servers typically act as domain administrators, network management tools, or share the same local administrator credentials with other network machines, they have the ability to control much of the network.

“By compromising a network server, it is almost always extremely easy to use automated tooling to pivot internally (Ex: have the server drop ransomware to every system on the network),” Hutchins explained.

Bluekeep affects Windows 7, Windows Server 2008 R2, and Windows Server 2008. Patches for those versions are available here. Because of its severity, Microsoft has made patches available for Windows XP, Vista, and Server 2003, which are no longer supported. People or organizations that have yet to patch should do so as soon as possible.





LEAVE A REPLY

Please enter your comment!
Please enter your name here