
WannaCrypt


tErmY



I would like to know if 9x/ME is vulnerable. The details of the EternalBlue SMB vulnerability are here:

https://packetstormsecurity.com/files/142548/ms17_010_eternalblue.rb.txt

A short but very technical explanation is here:

https://security.stackexchange.com/questions/159654/how-does-the-eternalblue-exploit-work

If someone can compile an executable (that can run on XP/7) that probes the local LAN (or can be pointed to a specific LAN IP where a Win-9x machine is operating) and displays a basic pass/fail message to indicate whether the target machine was exploitable (or causes the target machine to do something lame, like start the calculator app), then I'd be willing to test it.



  • 4 weeks later...

Well, this is certainly disappointing. There used to be several guys around here who knew about these things, or were willing to test them. I guess they've all moved on. Where's Axcel216 when you need him? Oh hell, I'd settle for Problemchylde right about now :)

Looks like I'll have to test these files myself. The latest unofficial "update pack" for XP that I found was XPSP3_QFE_UpdatePack_20170619. It's designed to be "slipstreamed," so the files don't need to be patched.

Inside was a newer version of GDIPLUS.DLL. It's a Vista file. Version 5.2.6002.24064. File date 02/13/17. 1,753,088 bytes.

It seems to work under SE. There are no missing dependencies. Of course, it wouldn't register, but I don't believe any version of GDIPLUS will. My network works. I've got Internet access. As far as I can tell, it hasn't screwed anything up yet. Looks like it's safe enough to test.

I don't rightly know what GDIPLUS is used for. I believe it's got something to do with Visual C. I'll be sure to let you guys know if my machine blows up :)


Now this is weird.  I looked at three different XP "update packs."  All of them are using MSXML 4.0 SP 2 instead of SP 3.  I downloaded Problemchylde's latest "service pack" for 98.  He's got one from 07/12/16.  It's up to v3.56 now.  Last one I had was v3.37 from 01/15.  He's also using MSXML 4.0 SP 2.

Why aren't these guys using SP 3?  It's been out for almost seven years.


  • 4 weeks later...
On 6/19/2017 at 10:23 PM, tErmY said:

Well, this is certainly disappointing. There used to be several guys around here who knew about these things, or were willing to test them. I guess they've all moved on. Where's Axcel216 when you need him? Oh hell, I'd settle for Problemchylde right about now :)

I'm still here, lurking in the shadows. 


  • 2 weeks later...
On 17/05/2017 at 4:26 PM, tErmY said:

So, are 9X machines vulnerable?

There are two parts to answering that:

Part 1: Does W9x/ME have the SMB problem that allows WannaCrypt to get in from the internet or travel round my LAN?

Almost undoubtedly. As far as I understand, it uses a flaw in SMB 1.0, which you might know as "File and printer sharing". I suspect the bulk of the codebase is shared with NT4, which is reported to have the vulnerability that WannaCrypt used to get into a system. SMB has been present by default since Win 3.11; prior to Win 2000 it does have to be enabled manually, so if you haven't done so on an old OS to move files round your network, you should be safe. Most people end up enabling it very early after installing, or during setup, though.

Part 2: If WannaCrypt (or other malware using this exploit) got on my network somehow, will my 9x/ME machines get hosed?

By way of a "best guess", I very much doubt that most modern malware would run if it got in. There are reports from good sources, which you can turn up using Google, that WannaCrypt specifically caused a BSOD on XP unless SP3 was installed. That is no guarantee about variants, but I doubt the malware authors are going to bother making their ransomware backwards compatible with 9x; they're almost certainly using development platforms which are too new to make that easy. You might end up stuck in a boot/crash loop though.

What defenses do I have?  How safe am I from it?

Most domestic ISPs block the SMB ports, which stops SMB being exploited directly from outside. Even if yours doesn't, you're almost certainly behind NAT, and that will stop it getting in cold unless you do crazy things like:

  • Forwarding any of ports TCP 137, 139, 445 or UDP 137, 138
  • Putting any of your machines in the router's DMZ
  • Keeping UPnP enabled in your router (the risk being that malware inside your LAN could forward these ports to itself without you knowing).
  • Connecting a machine directly to the modem (or turning off NAT) in a single PC setup. ALWAYS use a router.

Other than that it comes down to the same defenses you use elsewhere to keep malware out.

Keep a backup of these old systems! Image them, or if virtual, keep a copy of your virtual disk; reverting to a clean state if something gets in then becomes trivial.

A heads up for those running old OSes alongside Windows 10: the next major update (Fall Creators Update) will remove support for SMB 1.0 from the OS, which will break network sharing with everything pre-Vista. This may also break shared folders within VMware and VirtualBox via the guest additions too, since these use a network redirect (effectively a mapped network drive) under the hood. I'm not in a position to test.

You might want to look into an alternative to network shares as a means of getting files on and off these machines if you're running Win10; the possibilities here are endless: local HTTP or FTP servers, creating ISOs, creating VHD files and injecting files from your OS then using them in your VM, using a Vista/7/8.1 VM or NAS as a staging area, USB drives.

On 17/05/2017 at 4:26 PM, tErmY said:

I see MickeySoft released a patch for XP.  Could portions of it be used with 98?

Way beyond my skill set, but possibly. There are other problems incoming though, since SMB 1.0 is starting to go away soon, which will render XP and earlier even less useful generally. I'll leave others to debate whether that's M$ pushing people off old operating systems for profit, or eliminating legacy code on security grounds.

On 17/05/2017 at 6:48 PM, DougB said:

And... does anyone have a link to the .exe-file patch for XP? (I do use an XP system occasionally.)

If you run XP, it'll pull it from Windows Update. Just check for updates from behind a router. Or find it directly in the M$ download centre.

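The UPnP point in the post above is the one item on that list you cannot verify just by looking at your router's port-forwarding page, since a mapping created through UPnP does not always show up there. As an added example, not code from the thread, here is a Python 3 standard-library script that discovers the router over SSDP, walks its UPnP IGD port-mapping table with the standard `GetGenericPortMappingEntry` action on the `WANIPConnection:1` service, and flags any mapping that touches the SMB/NetBIOS ports listed in the post. Assumptions: the router implements the standard IGD interfaces (most home routers with UPnP on do), and `SAMPLE_RESPONSE` is a constructed reply used to exercise the parser offline, not something captured from a real device.

```python
import re
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# The ports named in the post: forwarding any of these exposes SMB/NetBIOS to the internet
SMB_PORTS = {("TCP", 137), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

def discover(timeout=2.0):
    """SSDP M-SEARCH on the LAN; returns description URLs of devices offering WANIPConnection:1."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: %s\r\n\r\n' % SERVICE).encode()
    found = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, ("239.255.255.250", 1900))
        try:
            while True:
                data, _ = s.recvfrom(4096)
                m = re.search(rb"(?im)^location:[ \t]*(\S+)", data)
                if m:
                    found.add(m.group(1).decode())
        except socket.timeout:
            pass
    return sorted(found)

def _child_text(elem, name):
    """Text of the first direct child with this local name, ignoring XML namespaces."""
    for child in elem:
        if child.tag.split("}")[-1] == name:
            return (child.text or "").strip()
    return ""

def control_url(desc_url):
    """Absolute controlURL of the WANIPConnection:1 service from the device description XML."""
    with urllib.request.urlopen(desc_url, timeout=5) as r:
        root = ET.fromstring(r.read())
    for svc in root.iter():
        if svc.tag.split("}")[-1] == "service" and _child_text(svc, "serviceType") == SERVICE:
            return urllib.parse.urljoin(desc_url, _child_text(svc, "controlURL"))
    return None

def parse_mapping(soap_xml):
    """One mapping out of a GetGenericPortMappingEntry response body."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.split("}")[-1]
        if name.startswith("New"):
            fields[name[3:]] = (el.text or "").strip()
    return {"proto": fields.get("Protocol", "").upper(),
            "ext_port": int(fields.get("ExternalPort") or 0),
            "client": fields.get("InternalClient", ""),
            "int_port": int(fields.get("InternalPort") or 0),
            "desc": fields.get("PortMappingDescription", "")}

def get_mapping(ctl, index):
    """SOAP GetGenericPortMappingEntry; None once the index runs off the table (UPnP error 713)."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
            ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%d</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>' % (SERVICE, index)).encode()
    req = urllib.request.Request(ctl, data=body, headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": '"%s#GetGenericPortMappingEntry"' % SERVICE})
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return parse_mapping(r.read())
    except urllib.error.HTTPError:
        return None

def smb_exposures(mappings):
    """Mappings whose external or internal side is one of the SMB/NetBIOS ports."""
    return [m for m in mappings
            if (m["proto"], m["ext_port"]) in SMB_PORTS or (m["proto"], m["int_port"]) in SMB_PORTS]

def audit():
    """Walk every IGD found on the LAN and return the SMB-related mappings it holds."""
    exposures = []
    for desc in discover():
        ctl = control_url(desc)
        if not ctl:
            continue
        mappings, index = [], 0
        m = get_mapping(ctl, index)
        while m is not None:
            mappings.append(m)
            index += 1
            m = get_mapping(ctl, index)
        exposures += smb_exposures(mappings)
    return exposures

# Constructed sample of one router reply, for exercising the parser offline (not captured from a device)
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>445</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>445</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>example-mapping</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for m in audit():
        print("EXPOSED %s/%d -> %s:%d (%s)" % (m["proto"], m["ext_port"], m["client"], m["int_port"], m["desc"]))
```

A clean run prints nothing. Anything it does print is a mapping the router will honour from the internet side, whether you created it or a process on the LAN did, and the `InternalClient` address tells you which machine to look at. If you would rather not rely on the audit, the post's advice stands: turn UPnP off in the router.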