文/羅正漢 | 2017-05-18發表
圖片來源: 

趨勢科技

對應日前WannaCry勒索軟體的橫行與威脅,已有不少資安廠商也提供建議與相關資訊供參考。而為了快速地找到公司內未修補MS17-010的電腦,我們看到有資訊人員提供,利用Nmap網路掃描與探測工具,自發性地製作一個檢測範本script(smb-vuln-ms17-010.nse),以協助網管人員來檢測。

這種方式對於企業網管人員而言應有一定的幫助,可以一次大量檢查內部網路多臺電腦的狀態,而檢查200臺電腦大約也只要10秒鐘。

步驟上也不算太複雜:一、到nmap.org 下載 nmap.exe (有windows版)並安裝,二、將smb-vuln-ms17-010.nse丟到nmap\script目錄下(相關smb-vuln-ms17-010.nse範本,請參考最下方內容,三、鍵入:nmap -p 445 --script smb-vuln-ms17-010 ip-range

此外,為簡化了個人使用者的預防工作,防毒大廠趨勢科技現在也免費推出了的WannaCry漏洞檢查工具(Trend Micro WCRY Simple Patch Validation Tool)。點擊前往官方連結

趨勢表示,此工具可以幫個人使用者在windows電腦上執行以下兩項工作,首先是檢查電腦上是否存在MS17-010的漏洞,另外就是檢查電腦上的SMB v1是否關閉,如呈現開啟,亦可協助用戶停用SMB v1。若是企業用戶,最好先與IT管理人員確認,公司電腦是否須利用此工具關閉SMBv1(像是有可能導致公司電腦遇到無法使用列印功能的情形)。

同時他們表示,近日又偵測到另一新勒索蠕蟲變種「UIWIX」,同樣也是利用Server Message Block(SMB)漏洞EternalBlue(亦被稱為CVE-2017-0144和MS17-10)以執行擴散行為,甚至他們認為比WannaCry更加狡猾且不留痕跡,提醒使用者不該就此鬆懈。

在執行Trend Micro WCRY Simple Patch Validation Tool後,若電腦已完成MS17-010相關更新,會出現以上訊息,讓使用者快速知道這臺電腦,已經完成WannaCry必裝的Windows安全更新套件。

另外,該程式若發現電腦上的SMB v1呈現開啟,也將會詢問用戶是否要停用SMB v1。

 

使用Nmap針對WannaCry檢測的Scripts範本

企業網管人員可將下方純文字內容存成smb-vuln-ms17-010.nse檔,有能力的人亦可參考Github上的文件自行修正

  1. local smb = require "smb"
  2. local vulns = require "vulns"
  3. local stdnse = require "stdnse"
  4. local string = require "string"
  6. description = 
  8. ---
  9. -- @usage nmap -p445 --script smb-vuln-ms2017-010 <target>
  10. -- @usage nmap -p445 --script vuln <target>
  11. --
  12. -- @output
  13. -- Host script results:
  14. -- | smb-vuln-ms17-010: 
  15. -- |   VULNERABLE:
  16. -- |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
  17. -- |     State: VULNERABLE
  18. -- |     IDs:  CVE:CVE-2017-0143
  19. -- |     Risk factor: HIGH
  20. -- |       A critical remote code execution vulnerability exists in Microsoft SMBv1
  21. -- |        servers (ms17-010).
  22. -- |       
  23. -- |     Disclosure date: 2017-03-14
  24. -- |     References:
  25. -- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
  26. -- |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  27. -- |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  28. --
  29. -- @xmloutput
  30. -- <table key="CVE-2017-0143">
  31. -- <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
  32. -- <elem key="state">VULNERABLE</elem>
  33. -- <table key="ids">
  34. -- <elem>CVE:CVE-2017-0143</elem>
  35. -- </table>
  36. -- <table key="description">
  37. -- <elem>A critical remote code execution vulnerability exists in Microsoft SMBv1&#xa; servers (ms17-010).&#xa;</elem>
  38. -- </table>
  39. -- <table key="dates">
  40. -- <table key="disclosure">
  41. -- <elem key="month">03</elem>
  42. -- <elem key="year">2017</elem>
  43. -- <elem key="day">14</elem>
  44. -- </table>
  45. -- </table>
  46. -- <elem key="disclosure">2017-03-14</elem>
  47. -- <table key="refs">
  48. -- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>
  49. -- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</elem>
  50. -- <elem>https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</elem>
  51. -- </table>
  52. -- </table>
  53. ---
  55. author = "Paulino Calderon <paulino()calderonpale.com>"
  56. license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
  57. categories = {"vuln", "safe"}
  59. hostrule = function(host)
  60.   return smb.get_port(host) ~= nil
  61. end
  63. local function check_ms17010(host, port, sharename)
  64.   local status, smbstate = smb.start_ex(host, true, true, sharename, nil, nil, nil)
  65.   if not status then
  66.     stdnse.debug1("Could not connect to '%s'", sharename)
  67.     return false, string.format("Could not connect to '%s'", sharename)
  68.   else
  69.     local overrides = {}
  70.     local smb_header, smb_params, smb_cmd
  72.     stdnse.debug1("Connected to share '%s'", sharename)
  74.     overrides['parameters_length'] = 0x10
  76.     --SMB_COM_TRANSACTION opcode is 0x25
  77.     smb_header = smb.smb_encode_header(smbstate, 0x25, overrides)
  78.     smb_params = string.pack(">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2",
  79.       0x0,     -- Total Parameter count (2 bytes)
  80.       0x0,     -- Total Data count (2 bytes)
  81.       0xFFFF,  -- Max Parameter count (2 bytes)
  82.       0xFFFF,  -- Max Data count (2 bytes)
  83.       0x0,     -- Max setup Count (1 byte)
  84.       0x0,     -- Reserved (1 byte)
  85.       0x0,     --Flags (2 bytes)
  86.       0x0,     --Timeout (4 bytes)
  87.       0x0,     --Reserved (2 bytes)
  88.       0x0,     --ParameterCount (2 bytes)
  89.       0x4a00,  --ParameterOffset (2 bytes)
  90.       0x0,     --DataCount (2 bytes)
  91.       0x4a00,  -- DataOffset (2 bytes)
  92.       0x02,    -- SetupCount (1 byte)
  93.       0x0,     -- Reserved (1 byte)
  94.       0x2300,  -- PeekNamedPipe opcode
  95.       0x0,     --
  96.       0x0700,  --BCC (Length of "\PIPE\")
  97.       0x5c50,  --\P
  98.       0x4950,  --IP 
  99.       0x455c   --E\
  100.     )
  101.     stdnse.debug2("SMB: Sending SMB_COM_TRANSACTION")
  102.     result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides)
  103.     if(result == false) then
  104.       stdnse.debug1("There was an error in the SMB_COM_TRANSACTION request")
  105.       return false, err
  106.     end
  108.     result, smb_header, _, _ = smb.smb_read(smbstate)
  109.     _ , smb_cmd, err = string.unpack("<c4 B I4", smb_header)
  110.     if smb_cmd == 37 then -- SMB command for Trans is 0x25
  111.       stdnse.debug1("Valid SMB_COM_TRANSACTION response received")
  113.       --STATUS_INSUFF_SERVER_RESOURCES indicate that the machine is not patched
  114.       if err == 0xc0000205 then 
  115.         stdnse.debug1("STATUS_INSUFF_SERVER_RESOURCES response received")
  116.         return true
  117.       end
  118.     else
  119.       stdnse.debug1("Received invalid command id.")
  120.       return false, err
  121.     end
  122.   end
  123. end
  125. action = function(host,port)
  126.   local vuln_status, err
  127.   local vuln = {
  128.     title = "Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)",
  129.     IDS = {CVE = 'CVE-2017-0143'},
  130.     risk_factor = "HIGH",
  131.     description = ,
  132.     references = {
  133.     'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',
  134.     'https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/'
  135.     },
  136.     dates = {
  137.       disclosure = {year = '2017', month = '03', day = '14'},
  138.     }
  139.   }
  140.   local sharename = stdnse.get_script_args(SCRIPT_NAME .. ".sharename") or "IPC$"
  141.   local report = vulns.Report:new(SCRIPT_NAME, host, port)
  142.   vuln.state = vulns.STATE.NOT_VULN
  144.   vuln_status, err = check_ms17010(host, port, sharename)
  145.   if vuln_status then
  146.     stdnse.debug1("This host is missing the patch for ms17-010!")
  147.     vuln.state = vulns.STATE.VULN
  148.   else
  149.     if nmap.verbosity() >=1 then
  150.       return err
  151.     end
  152.   end
  153.   return report:make_output(vuln)
  154. end

熱門新聞

Advertisement