Jumping into the Vale of Windows SMB exploits
Pradeep Kulkarni & Sameer Patil, Quick Heal
The Windows SMB protocol provides shared access to resources in a network. Since its development in the 1990s, many exploits have been developed that take advantage of vulnerabilities in the protocol. Unpatched versions of SMB are being exploited remotely without any user interaction, which makes these flaws critical in nature. The Shadow Brokers leak in 2017 contained several high-profile SMB exploits. Currently we see ransomware, cryptominers and banking trojans (such as Trickbot) using these exploits to spread across a network.
SMB allows two remote machines to connect using named pipes. Hence SMB is also a medium for exploiting vulnerabilities in other drivers, DLLs and Windows services (such as netapi, ASN.1, nwapi32.dll, the NetDDE service, etc.).
In this talk, we will go through various well-known SMB exploits seen in the wild, such as the NetAPI vulnerability exploited by the Conficker worm, EternalBlue and the other Shadow Brokers leaked exploits targeting SMB. To conclude, we present insight into how to safeguard a network from the various SMB attacks.
Pradeep Kulkarni leads the IDS/IPS team at Quick Heal Technologies Limited. Having worked in the IT security industry for over 13 years, he has worked on various security products and has a keen interest in researching new exploit and malware trends.
Sameer Patil is part of the IDS/IPS team at Quick Heal. He has 5 years of experience working on different security products and architectures. His interest lies in analyzing and keeping track of new vulnerabilities being exploited in the wild.