Security Firm Releases Windows XP Patch for NSA Exploit ESTEEMAUDIT


CrAKeN

Cyber-security firm enSilo has released a patch for Windows XP and Windows Server 2003 that will protect against attacks via ESTEEMAUDIT, a hacking tool dumped online by the Shadow Brokers last month, and allegedly developed by the NSA.

At the technical level, ESTEEMAUDIT is a zero-day in the RDP protocol used by Windows to open desktop sessions on remote computers.

An analysis of this exploit reveals its usability for breaking into computers with open RDP ports, or for moving laterally inside a network that features PCs with open RDP connections.

Microsoft didn't patch against ESTEEMAUDIT attacks

enSilo researchers developed a patch for ESTEEMAUDIT because Microsoft has not provided security updates to protect against this zero-day.

This is because ESTEEMAUDIT only works on Windows XP and Windows 2003, two operating systems that Microsoft stopped supporting in 2014 and 2015, respectively.

A day after the Shadow Brokers dumped a collection of NSA hacking tools on April 14, Microsoft announced that its engineers had secretly patched Windows against most of the exploits a month earlier, in March.

ESTEEMAUDIT is one of the exploits that didn't receive a patch, along with ENGLISHMANSDENTIST and EXPLODINGCAN.

Does Microsoft have an ESTEEMAUDIT patch lying around?

After the WannaCry ransomware outbreak, Microsoft did something uncharacteristic and issued an update for Windows XP, Windows 8, and Windows Server 2003, all unsupported versions of its OS. This out-of-band security update patched the older OS versions against the ETERNALBLUE exploit, used by the WannaCry ransomware.

Later it was discovered that Microsoft had created the ETERNALBLUE patch in February, but didn't release it, for unknown reasons.

Furthermore, the Washington Post found out that the NSA had reached out to Microsoft earlier in the year, to tell the company about the stolen exploits and their capabilities. This is the reason why Microsoft had released patches since March, a month before the actual Shadow Brokers dump.

If Microsoft has a patch for the ESTEEMAUDIT exploit stockpiled on one of its servers, we'll never know. In the meantime, XP and Windows Server 2003 users can utilize enSilo's patch to protect against attacks with ESTEEMAUDIT.

enSilo hotpatch available for download

The security company says the patch — which can be downloaded from here — works on Windows XP SP3 x86, Windows XP SP3 x64, and Windows Server 2003 R2.

Quote

Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in memory patching (hotpatching) of ESTEEMAUDIT. Any attempt to use ESTEEMAUDIT to infect the patched machine will inevitably fail.

The patch is installed by an installation program after accepting the terms of usage. The installation program will support uninstallation by signaling an event (which will remove the patch in memory) and then unregistering the patch from loading into all subsequent RDP sessions.

The patch is direly needed. Despite the advanced age of both operating systems, both are still very popular. For example, Windows XP remains the third most popular OS on the market today, accounting for 7% of all operating systems in use today.

Similarly, Windows Server 2003 is currently used by 18% of all organizations today, accounting for more than 600,000 web-facing computers, which host upwards of 175 million websites.

Besides applying the enSilo patch, users can disable RDP as an alternative method of protecting their systems.

Source

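The article closes by saying that disabling RDP is the alternative to enSilo's hotpatch. Here is an added example, written for this thread and not code from the article, enSilo or any of the posters, that lets an admin of an XP or Server 2003 box check whether the machine is actually exposed over RDP and, with one argument, turn it off. It uses the standard Terminal Server registry value fDenyTSConnections and the XP SP2+/2003 netsh firewall service name; the script name rdp_audit.cmd, the port 3389 and the use of the built-in Windows Firewall are assumptions.

```batch
@echo off
REM Added example, not code from the article, enSilo or the forum posters:
REM audit the RDP exposure that ESTEEMAUDIT targets on a Windows XP / Server 2003
REM host, and optionally close it. Run from an administrator cmd.exe.
REM   rdp_audit.cmd          - report only
REM   rdp_audit.cmd disable  - report, then deny RDP connections
REM Assumes the default listener port 3389 and the built-in Windows Firewall.
setlocal

set "TS_KEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"

echo [*] OS version:
ver

echo [*] Remote Desktop policy value, fDenyTSConnections: 0 = allowed, 1 = denied
reg query "%TS_KEY%" /v fDenyTSConnections

echo [*] Listeners on TCP 3389, empty output means RDP is not reachable:
netstat -an | find ":3389" | find "LISTENING"

echo [*] Established sessions on TCP 3389, i.e. who is connected right now:
netstat -an | find ":3389" | find "ESTABLISHED"

if /i "%~1"=="disable" (
    echo [*] Denying new Terminal Services connections...
    reg add "%TS_KEY%" /v fDenyTSConnections /t REG_DWORD /d 1 /f
    echo [*] Closing the Remote Desktop exception in Windows Firewall...
    netsh firewall set service type=REMOTEDESKTOP mode=DISABLE
    echo [*] Done. Re-run without arguments to verify; sessions already open are not dropped.
)
endlocal
```

Run it once without arguments before and after the change: the reg query line should flip from 0 to 1 and the LISTENING line should disappear. Setting fDenyTSConnections only blocks new connections, so any session that is already established stays up until it logs off; if the ESTABLISHED check shows a connection you do not recognise, that is the one to look at first.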
straycat19

After reading the details of the patch, it is just easier to disable RDP and not bother with it. Here is the technical information on their patch from their site.

Quote

Technical Details

enSilo’s ESTEEMAUDIT patch is a persistent patch for Windows XP and Windows Server 2003. It supports the newest versions of these OSes, both x86 and x64, including:
XP SP3 x86 – with all patches installed
XP SP2 x64 – with all patches installed
2003 SP2 – with all patches installed

Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in memory patching (hotpatching) of ESTEEMAUDIT. Any attempt to use ESTEEMAUDIT to infect the patched machine will inevitably fail.

The patch is installed by an installation program after accepting the terms of usage. The installation program will support uninstallation by signaling an event (which will remove the patch in memory) and then unregistering the patch from loading into all subsequent RDP sessions.

UnknownOne

Apparently there is a way to do it, even if it is disabled: remove the files needed to use RDP.

1 hour ago, UnknownOne said:

Apparently there is a way to do it, even if it is disabled: remove the files needed to use RDP.

Why not just use the reg file and do XP Embedded updates?

http://securityaffairs.co/wordpress/58025/hacking/shadow-brokers-windows-exploits.html

If you have not done updates since 2014 there are most likely a zillion holes in the OS and you are just living on borrowed time. Last time, Microsoft waited till after people got attacked to release a patch for XP, and it was patched on supported OSes in March.

HAS ANYONE TESTED AND/OR USED THIS FOR XP?

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
