CrAKeN Posted May 25, 2017

Cyber-security firm enSilo has released a patch for Windows XP and Windows Server 2003 that will protect against attacks via ESTEEMAUDIT, a hacking tool dumped online by the Shadow Brokers last month, and allegedly developed by the NSA.

At the technical level, ESTEEMAUDIT is a zero-day in the RDP protocol used by Windows to open desktop sessions on remote computers. An analysis of this exploit reveals its usability for breaking into computers with open RDP ports, or for moving laterally inside a network that features PCs with open RDP connections.

Microsoft didn't patch against ESTEEMAUDIT attacks

enSilo researchers developed a patch for ESTEEMAUDIT because Microsoft has not provided security updates to protect against this zero-day. This is because ESTEEMAUDIT only works on Windows XP and Windows 2003, two operating systems that Microsoft stopped supporting in 2014 and 2015, respectively.

After the Shadow Brokers dumped a collection of NSA hacking tools on April 14, a day later, Microsoft announced that its engineers had secretly patched Windows against most exploits a month earlier, in March. ESTEEMAUDIT is one of the exploits that didn't receive a patch, along with ENGLISHMANSDENTIST and EXPLODINGCAN.

Does Microsoft have an ESTEEMAUDIT patch lying around?

After the WannaCry ransomware outbreak, Microsoft did something uncharacteristic and issued an update for Windows XP, Windows 8, and Windows Server 2003, all unsupported versions of its OS. This out-of-band security update patched the older OS versions against the ETERNALBLUE exploit, used by the WannaCry ransomware.

Later it was discovered that Microsoft had created the ETERNALBLUE patch in February, but didn't release it, for unknown reasons. Furthermore, the Washington Post found out that the NSA had reached out to Microsoft earlier in the year, to tell the company about the stolen exploits and their capabilities.
This is the reason why Microsoft had released patches since March, a month before the actual Shadow Brokers dump. If Microsoft has a patch for the ESTEEMAUDIT exploit stockpiled on one of its servers, we'll never know. In the meantime, XP and Windows Server 2003 users can utilize enSilo's patch to protect against attacks with ESTEEMAUDIT.

enSilo hotpatch available for download

The security company says the patch — which can be downloaded from here — works on Windows XP SP3 x86, Windows XP SP3 x64, and Windows Server 2003 R2.

Quote:
Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in memory patching (hotpatching) of ESTEEMAUDIT. Any attempt to use ESTEEMAUDIT to infect the patched machine will inevitably fail. The patch is installed by an installation program after accepting the terms of usage. The installation program will support uninstallation by signaling an event (which will remove the patch in memory) and then unregistering the patch from loading into all subsequent RDP sessions.

The patch is direly needed. Despite the advanced age of both operating systems, both are still very popular. For example, Windows XP remains the third most popular OS on the market today, accounting for 7% of all operating systems in use today. Similarly, Windows Server 2003 is currently used by 18% of all organizations today, accounting for more than 600,000 web-facing computers, which host upwards of 175 million websites.

Besides applying the enSilo patch, users can disable RDP as an alternative method of protecting their systems.

Source
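The alternative mitigation the post mentions, disabling RDP, as an added example that is not from the article or from enSilo: a batch script for an Administrator command prompt on XP SP2+/Server 2003 SP1+ with the built-in Windows Firewall, which records the current state, turns off Remote Desktop, closes the firewall exception and then checks whether anything still listens on TCP 3389.

```batch
@echo off
rem Added example (not enSilo's patch or the article's code): turn off Remote
rem Desktop on Windows XP / Server 2003 and verify the result. Run as Administrator.

rem 1. Record the current state: fDenyTSConnections 0x0 = RDP allowed, 0x1 = RDP denied.
echo [*] Current Terminal Server setting:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

rem 2. Deny Terminal Services connections (the same switch as the "Remote Desktop"
rem    checkbox in System Properties). /f overwrites without prompting.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

rem 3. Close the Remote Desktop exception in the legacy Windows Firewall so the port
rem    is blocked even if the setting above is flipped back by a user later.
netsh firewall set service type=remotedesktop mode=disable profile=all

rem 4. Verify: an empty result means no RDP listener is left on TCP 3389. If a
rem    LISTENING line is still shown, the old listener usually goes away after a reboot.
echo [*] Sockets on TCP 3389 (expect none):
netstat -an | findstr /C:":3389"

rem 5. Re-read the key to confirm the change was written.
echo [*] Terminal Server setting after the change (expect 0x1):
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
```

On XP the Terminal Services service itself also backs Fast User Switching and Remote Assistance, so this script denies connections and blocks the port rather than disabling the service outright.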
straycat19 Posted May 26, 2017

After reading the details of the patch it is just easier to disable RDP and not bother with it. Here is the technical information on their patch from their site.

Quote:
Technical Details

enSilo's ESTEEMAUDIT patch is a persistent patch for Windows XP and Windows Server 2003. It supports the newest versions of these OSes, both x86 and x64, including:

XP SP3 x86 – with all patches installed
XP SP2 x64 – with all patches installed
2003 SP2 – with all patches installed

Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in memory patching (hotpatching) of ESTEEMAUDIT. Any attempt to use ESTEEMAUDIT to infect the patched machine will inevitably fail. The patch is installed by an installation program after accepting the terms of usage. The installation program will support uninstallation by signaling an event (which will remove the patch in memory) and then unregistering the patch from loading into all subsequent RDP sessions.
UnknownOne Posted May 26, 2017

Apparently there is a way to do it, even if it is disabled: remove the files needed to use RDP.
steven36 Posted May 26, 2017

1 hour ago, UnknownOne said:
Apparently there is a way to do it, even if it is disabled: remove the files needed to use RDP.

Why not just use the reg file and do XP Embedded updates? http://securityaffairs.co/wordpress/58025/hacking/shadow-brokers-windows-exploits.html

If you have not done updates since 2014 there are most likely a zillion holes in the OS and you are just living on borrowed time. Last time Microsoft waited till after people got attacked to release a patch for XP, and it was patched on supported OSes in March.
humble3d Posted May 29, 2017

HAS ANYONE TESTED AND OR USED THIS FOR XP ?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001