How CoreGuard Blocks Ransomware Attacks Like Wannacry

Starting in May of 2017, the WannaCry ransomware attack caused a huge amount of damage.

It attacks unpatched versions of Microsoft Windows, using an exploit allegedly developed by the United States NSA (National Security Agency) and then leaked by a group calling themselves "The Shadow Brokers." Microsoft released a patch in March 2017, The Shadow Brokers distributed the exploits in April, and millions of unpatched systems were compromised by WannaCry in May.

Every cyber attack consists of the exploit (the way the attacker "gets in") and the payload. In the case of WannaCry, the payload was executable code that encrypted files on the victim machine and displayed a message asking for payment in Bitcoin cryptocurrency to retrieve a decryption key. In this blog post, we describe the exploit, which has been named EternalBlue, and how Dover CoreGuard blocks this sort of attack.

The core software vulnerability that the EternalBlue exploit targets is a buffer overflow.

There are a number of good descriptions of EternalBlue (see references). Following is a summary, in my own words.

Summary of EternalBlue exploit: While handling a Microsoft SMB (Server Message Block) protocol request, there is a conversion from a list of FEA (File Extended Attributes) blocks to a list of those same blocks but in a different format called FEA NT. The number of FEA blocks is sent as part of the SMB protocol, but the Microsoft code (correctly) does not trust the received length parameter and instead calls another function to calculate the length of the list of FEA blocks. The function that calculates the list length returns the correct number of list elements; it also updates the SMB list header with an incorrect list size in bytes. The coding error that results in the incorrect size is explained well in the Microsoft and Scademy posts. It is essentially a type error where a 16 bit value is stored into a 32 bit word. If the 32 bit word has any bits set between 16-31, those bits remain set and the resultant value is larger than the intended size. A buffer for the converted list of FEA NT blocks is allocated according to the correct list length, but the incorrect (too large) number of bytes is used to do the memory copy. This results in both buffer over-reads and over-writes. Bytes that the attacker has some control over (due to careful "heap grooming" ahead of time) are copied into memory past the end of the newly- allocated list. The prepratory heap grooming, when successful, results in function pointers being installed into valid SMB data structures such that those pointers point to injected payload code.

There are (at least) three classes of error involved in the EternalBlue exploit, all of which can be detected and blocked by Dover CoreGuard:

1. Memory safety (heap over-read and over-write)

2. Execution of attacker-supplied data

3. Dynamic type error

How Dover CoreGuard Blocks Buffer Over-read and Over-write Errors

When memory is allocated using system-provided memory allocation routines, Dover CoreGuard's heap memory safety policy ensures that every word in the newly-allocated region has metadata with a unique ID for that region (we sometimes call that unique ID the region's "color"). The pointer returned from the allocation has metadata indicating that the value is a pointer to a region with that specific ID. At every memory access (LOAD or STORE), the heap memory safety policy checks whether the region ID on the pointer matches the region ID on the memory being referenced. If not, a policy violation is signaled. This heap memory safety policy prevents exploits such as EternalBlue, which is the attack vector for the WannaCry attack.

How Dover CoreGuard Blocks Execution of Attacker-supplied Data

The relatively simple RWX policy labels regions of memory as being various combinations of readable, writable, and executable. Any regions of memory that receive data from the network should certainly not be labeled executable! Labeling such regions as non-executable using CoreGuard's RWX policy stops payloads, such as the one from the WannaCry ransomware attack, from being executed.

More recent versions of Microsoft Windows do in fact use operating system services to flag regions written by SMB drivers as not executable, and this does mitigate attacks such as Wannacry. Note, however, that there is a plethora of exploits that attack the operating system itself and then disable protections such as non- executable bits.

How Dover CoreGuard can block dynamic type errors

It is possible to generate metadata that labels words in memory with the type of data that they are meant to contain. This is especially useful in high level, dynamically typed languages such as Python, PHP, and Javascript (more on this in a future blog post), but can still be useful in low-level system code written in C. The actual coding error that enables the EternalBlue exploit is a type error, where a 16-bit word is written into a 32- bit word. Other dynamic type errors that can be detected by tracking value types with metadata include when integers are treated as pointers, when words containing instructions are treated as integers, and vice versa.

Conclusion

The EternalBlue exploit that underpins the WannaCry ransomware attack is a typical example of an effectively unlimited number of vulnerabilities that exist in code we all rely on every day. The core coding error in EternalBlue is a dynamic type error. That type error leads to buffer overflow errors, and the buffer overflow errors lead to injection of malicious ransomware. Finally, the lack of RWX protection on memory that is written by the attacker allows the attacker to take over the machine by jumping to the injected code.

Dover CoreGuard is the only technology that is able to effectively block all of the above-mentioned attack vectors (and more).

References

A good blog post on the EternalBlue exploit and underlying vulnerability: The legacy code behind WannaCry – the skeleton in the closet

Wikipedia has, of course, good descriptions of WannaCry and the underlying EternalBlue vulnerability and exploit: Wikipedia WannaCry, Wikipedia EternalBlue

A Microsoft blog post with a good description of a couple of SMB vulnerabilities, including EternalBlue (about halfway down the page): Microsoft blog post including EternalBlue

The official CVE (Common Vulnerabilities Enumeration) page for EternalBlue: CVE-2017-0144

A TrendMicro description of EternalBlue: TrendMicro

Share This Post

More from Dover

PublishedOctober 12, 2017

National Cybersecurity Awareness Week 2: Keeping the office Secure

Hacking Security Software Security NCSAM