shhanshan
Forum Moderator

[High Risk Vulnerability Alert] SMB\RDP Remote Command Execution Vulnerability in Windows

Posted time: Apr 15, 2017 13:20 PM
The foreign hacker group “Shadow Brokers” released confidential documents of the NSA's Equation Group on April 14, 2017. These contain multiple Windows remote exploit tools that can cover 70% of the world's Windows servers. To ensure the security of your business on Alibaba Cloud, please pay attention to the details of the vulnerabilities as follows:

Vulnerability Number:
None assigned yet

Vulnerability Name:
Multiple SMB\RDP Remote Command Execution Vulnerabilities in Windows

Official Rating:
High-risk

Vulnerability Description:
The foreign hacker group “Shadow Brokers” released confidential documents of the NSA's Equation Group, including multiple Windows remote exploit tools. These can cover 70% of the world's Windows servers running SMB and RDP services and successfully compromise the server.

Conditions and Ways of Exploiting the Vulnerabilities:
These vulnerabilities can be successfully exploited remotely using the published tools.

Scope of Vulnerability:
The affected versions of Windows are known to include but are not limited to:
Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2, Windows Server 2012 SP0;

Vulnerability Detection:
Determine whether the server has ports 137, 139, 445 and 3389 open using the method below:
From a computer on the external network, telnet to the destination address on port 445, for example: telnet 114.114.114.114 445

Telnet client installation:
Open "Start" > "Run" (or press the Windows key + R), enter appwiz.cpl to open the Add/Remove Programs window.
In the "Programs and Features" window that appears, click "Turn Windows features on or off"; in the list that opens, tick "Telnet Client" and click OK.

Vulnerability Repair Recommendations (or Mitigation Measures):
Close ports 137, 139 and 445 using a security group access policy;
Restrict the source IP addresses allowed to connect to port 3389 (remote login) using a security group access policy.

Information Sources:
https://zhuanlan.zhihu.com/p/26375989?utm_medium=social&utm_source=wechat_timeline&from=timeline&isappinstalled=0
http://mp.weixin.qq.com/s/yPExtMfVbpNo-5S2Ymvz-w
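The post's detection step is a manual telnet to port 445. The following script, an added example that is not part of the original post, automates the same check for all four ports the advisory names and maps any open port onto the post's own mitigation advice (close 137/139/445, restrict the source IP for 3389). Run it from a host outside the security group, as the telnet check is meant to be, against your own server's address; the target address, timeout and function names are assumptions. Note that port 137 is normally a UDP service, so a TCP connect probe (like telnet) only reports it if something is listening on TCP 137.

```python
"""Check whether the SMB/NetBIOS/RDP ports named in the advisory accept TCP connections.

Added example, not part of the original forum post. Host, timeout and the
function names below are assumptions; adjust them for your environment.
"""
import socket
import sys

# Ports the advisory says to check: NetBIOS (137, 139), SMB (445), RDP (3389).
ADVISORY_PORTS = {137: "NetBIOS-NS", 139: "NetBIOS-SSN", 445: "SMB", 3389: "RDP"}
# The advisory's mitigation: close these outright ...
MUST_BE_CLOSED = {137, 139, 445}
# ... and restrict this one to known source IP addresses.
RESTRICT_SOURCE = {3389}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout.

    Any failure (refused, timed out, unreachable, no network) counts as closed,
    matching what a telnet attempt would show.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_exposure(host, ports=ADVISORY_PORTS, timeout=2.0):
    """Return a dict {port: is_open} for each advisory port on the given host."""
    return {port: port_open(host, port, timeout) for port in ports}


def findings(exposure):
    """Map scan results onto the advisory's mitigation advice.

    Returns a sorted list of (port, action) tuples for open ports only, where
    action is 'close' for 137/139/445 and 'restrict source IP' for 3389.
    """
    result = []
    for port, is_open in sorted(exposure.items()):
        if not is_open:
            continue
        if port in MUST_BE_CLOSED:
            result.append((port, "close"))
        elif port in RESTRICT_SOURCE:
            result.append((port, "restrict source IP"))
    return result


if __name__ == "__main__":
    # Example target (an assumption): defaults to loopback so the script is
    # harmless to run as-is; pass your own server's public address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    exposure = check_exposure(target)
    for port, is_open in sorted(exposure.items()):
        state = "OPEN" if is_open else "closed"
        print(f"{target}:{port} ({ADVISORY_PORTS[port]}): {state}")
    for port, action in findings(exposure):
        print(f"  -> port {port}: {action} via security group policy")
```

Usage: `python check_exposure.py <your-server-address>` from an external machine. An empty findings list means none of the four ports accepted a connection from that vantage point; any `close` line means the corresponding security group rule is still missing.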

Madwyn
Intern
1st Reply
Posted time: May 16, 2017 23:31 PM
Excellent work! Only after the event do people appreciate the precautions.