WinShock

Last updated
WinShock
Technical nameMS14-066
TypeExploit (from bug)
Isolation dateMay 2014
Technical details
Platform Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, , Windows Server 2012, Windows Server 2012 R2, Windows 95, Windows 98, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1
Abused exploitsCertificate Verification Bypass, Buffer Overflow, Remote Code Execution

WinShock is computer exploit that exploits a vulnerability in the Windows secure channel (SChannel) module and allows for remote code execution. [1] The exploit was discovered in May 2014 by IBM, who also helped patch the exploit. [2] The exploit was present and undetected in Windows software for 19 years, affecting every Windows version from Windows 95 to Windows 8.1 [3]

Contents

Details

WinShock exploits a vulnerability in the Windows secure channel (SChannel) security module that allows for remote control of a PC through a vulnerability in SSL, which then allows for remote code execution. [1] [4] With the execution of remote code, attackers could compromise the computer completely and gain complete control over it. [5] The vulnerability was given a CVSS 2.0 base score of 10.0, the highest score possible. [6]

The attack exploits a vulnerable function in the SChannel module that handles SSL Certificates. [7] A number of Windows applications such as Microsoft Internet Information Services use the SChannel Security Service Provider to manage these certificates and are vulnerable to the attack. [8]

It was later discovered in November 2014 that the attack could be executed even if the ISS Server was set to ignore SSL Certificates, as the function was still ran regardless. Microsoft Office, [9] and Remote Desktop software in Windows could also be exploited in the same way, even though it did not support SSL encryption at the time. [10]

While the attack is covered by a single CVE, and is considered to be a single vulnerability, it is possible to execute a number of different and unique attacks by exploiting the vulnerability including buffer overflow attacks as well as certificate verification bypasses. [11]

Responsibility

The exploit was discovered and disclosed privately to Microsoft in May 2014 by researchers in IBM's X-Force team who also helped to fix the issue. [3] It was later disclosed publicly on 11 November 2014, [1] with a proof-of-concept released not long after. [12]

See also

Related Research Articles

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In computer security, WinNuke is an example of a Nuke remote denial-of-service attack (DoS) that affected the Microsoft Windows 95, Microsoft Windows NT, Microsoft Windows 3.1x computer operating systems and Windows 7. The exploit sent a string of out-of-band data to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a Blue Screen of Death. This does not damage or change the data on the computer's hard disk, but any unsaved data would be lost.

<span class="mw-page-title-main">OpenSSL</span> Open-source implementation of the SSL and TLS protocols

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Cisco PIX was a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution.

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

<span class="mw-page-title-main">Heartbleed</span> Security bug in OpenSSL

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.

<span class="mw-page-title-main">Shellshock (software bug)</span> Security bug in the Unix Bash shell discovered in 2014

Shellshock, also known as Bashdoo or could be wateverr, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

POODLE is a security vulnerability which takes advantage of the fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014. On December 8, 2014, a variation of the POODLE vulnerability that affected TLS was announced.

FREAK is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or fewer, with the intention of allowing them to be broken easily by the National Security Agency (NSA), but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle attack to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the finished hash only depended on the master secret, this meant that a man-in-the-middle attack with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

<span class="mw-page-title-main">DROWN attack</span> Security bug

The DROWN attack is a cross-protocol security bug that attacks servers supporting modern SSLv3/TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. DROWN can affect all types of servers that offer services encrypted with SSLv3/TLS yet still support SSLv2, provided they share the same public key credentials between the two protocols. Additionally, if the same public key certificate is used on a different server that supports SSLv2, the TLS server is also vulnerable due to the SSLv2 server leaking key information that can be used against the TLS server.

EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that allowed users to gain access to any number of computers connected to a network. The NSA knew about this vulnerability but did not disclose it to Microsoft for several years, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

BlueBorne is a type of security vulnerability with Bluetooth implementations in Android, iOS, Linux and Windows. It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is CVE-2017-14315. The vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017. According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]."

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

PrintNightmare is a critical security vulnerability affecting the Microsoft Windows operating system. The vulnerability occurred within the print spooler service. There were two variants, one permitting remote code execution (CVE-2021-34527), and the other leading to privilege escalation (CVE-2021-1675). A third vulnerability (CVE-2021-34481) was announced July 15, 2021, and upgraded to remote code execution by Microsoft in August.

The Microsoft Support Diagnostic Tool (MSDT) is a legacy service in Microsoft Windows that allows Microsoft technical support agents to analyze diagnostic data remotely for troubleshooting purposes. In April 2022 it was observed to have a security vulnerability that allowed remote code execution which was being exploited to attack computers in Russia and Belarus, and later against the Tibetan government in exile. Microsoft advised a temporary workaround of disabling the MSDT by editing the Windows registry.

References

  1. 1 2 3 "MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014 - Microsoft Support". support.microsoft.com. Retrieved 2024-04-28.
  2. "WinShock: A 19-year-old bug". www.eset.com. Retrieved 2024-04-28.
  3. 1 2 "Microsoft patches 19-year-old Windows bug". CNET. Retrieved 2024-06-16.
  4. Mayer, Wilfried; Zauner, Aaron; Schmiedecker, Martin; Huber, Markus (2016-08-31). "No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large". 2016 11th International Conference on Availability, Reliability and Security (ARES). pp. 10–20. arXiv: 1510.08646 . doi:10.1109/ARES.2016.11. ISBN   978-1-5090-0990-9.
  5. "CERT/CC Vulnerability Note VU#505120". www.kb.cert.org. Retrieved 2024-06-16.
  6. "NVD - CVE-2014-6321". nvd.nist.gov. Retrieved 2024-06-16.
  7. Czumak, Mike (2014-11-29). "Exploiting MS14-066 / CVE-2014-6321 (aka "Winshock")". Security Sift. Retrieved 2024-06-16.
  8. "Triggering MS14-066 | BeyondTrust Blog". BeyondTrust. Retrieved 2024-06-16.
  9. "Microsoft fixes '19-year-old' bug with emergency patch". BBC News. 2014-11-12. Retrieved 2024-06-16.
  10. Hutchins, Marcus (2014-11-19). "How MS14-066 (CVE-2014-6321) is More Serious Than First Thought – MalwareTech". malwaretech.com. Retrieved 2024-06-16.
  11. Group, Talos (2014-11-11). "Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities". Cisco Blogs. Retrieved 2024-06-16.
  12. Leyden, John. "WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed". www.theregister.com. Retrieved 2024-06-16.