Any thoughts on WanaDecrypt0r?

This has been all over the news in my country and I doubt people on LtU will have missed it. There is a large scale SMBv1/SMBv2 worm active in the world called WanaDecrypt0r.

Any thoughts on what this means for language security features as hackers are becoming more and more creative in exploiting holes?


Exploits are old

The particular coding problems that have come to light are quite basic:

WannaDecrypt0r / wannacry: a call to memmove where the size is calculated from a sum of values from a network packet. The input is not checked; the sum can overflow.

The vPro / IME exploit: using strncmp to look for differences in the digest without checking the size of n (it should be constant rather than the network input).

Many data-flow analyses can find these kinds of problems; the code is written in C, so there tends to be lots of false positives. Exploiting this kind of code (that had no real QA for security) is a matter of access to the source, and the resources to throw at the problem.

It looks like Apple is next: the point release for macOS / iOS from yesterday is probably a good idea to install before the public disclosure.
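The two coding patterns this comment names, each shown beside a hardened version, as an added C example written for this page (it is not code from Windows, from Intel's firmware, or from the commenter). The buffer size, the digest value and every function name are constructed for illustration only:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed destination buffer size for the length-check example. */
#define BUF_SIZE 256u

/* Pattern 1, vulnerable (hypothetical code, not the Windows SMB implementation):
 * two lengths taken from a network packet are added in 32-bit arithmetic and
 * the *sum* is bounds-checked. The addition wraps modulo 2^32, so a pair such
 * as (0xFFFFFF00, 0x200) sums to 0x100, passes the check, and the memmove()
 * that follows would copy len_a bytes into a BUF_SIZE-byte buffer.
 * Returns 1 if the copy would be performed, 0 if the packet is rejected. */
int size_check_vulnerable(uint32_t len_a, uint32_t len_b)
{
    uint32_t total = len_a + len_b;          /* may wrap */
    if (total > BUF_SIZE)
        return 0;
    /* memmove(dst, src, len_a); would run here */
    return 1;
}

/* Pattern 1, hardened: check each operand against the space that is actually
 * left, so no intermediate sum can wrap. */
int size_check_hardened(uint32_t len_a, uint32_t len_b)
{
    if (len_a > BUF_SIZE)
        return 0;
    if (len_b > BUF_SIZE - len_a)            /* cannot underflow: len_a <= BUF_SIZE */
        return 0;
    return 1;
}

/* Constructed expected digest for the comparison example (the hex form of an
 * MD5 value; which protocol or value it stands for does not matter here). */
static const char expected_digest[] = "5d41402abc4b2a76b9719d911017c592";

/* Pattern 2, vulnerable (hypothetical, not the Intel firmware): the compare
 * length n is derived from the client-supplied response rather than from the
 * expected digest. An empty response gives strncmp(..., 0) == 0 and is
 * accepted; a correct prefix of any length is accepted as well. */
int auth_vulnerable(const char *response)
{
    return strncmp(expected_digest, response, strlen(response)) == 0;
}

/* Pattern 2, hardened: n is the constant length of the expected digest, the
 * response must be exactly that long, and the comparison does not
 * short-circuit on the first mismatch. */
int auth_hardened(const char *response)
{
    const size_t n = sizeof(expected_digest) - 1;
    if (strlen(response) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(expected_digest[i] ^ response[i]);
    return diff == 0;
}

int main(void)
{
    printf("wrapping sizes  : vulnerable=%d hardened=%d\n",
           size_check_vulnerable(0xFFFFFF00u, 0x200u),
           size_check_hardened(0xFFFFFF00u, 0x200u));
    printf("empty response  : vulnerable=%d hardened=%d\n",
           auth_vulnerable(""), auth_hardened(""));
    printf("correct response: vulnerable=%d hardened=%d\n",
           auth_vulnerable(expected_digest), auth_hardened(expected_digest));
    return 0;
}
```

The first pair is the point about the sum: checking each operand against the space that remains is what makes the wrap impossible, and a data-flow analysis that tracks both lengths from the packet into the arithmetic is what would flag the vulnerable form. In the second pair the length passed to strncmp is the whole problem; deriving n from the expected value instead of the input is the fix, and the fixed-length loop additionally avoids leaking the position of the first mismatch through timing.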

Ah, I was wondering

I guessed it might have been an unlink exploit, but good to see it has been reverse engineered.

The team that wrote it

The team that wrote it probably has the original source - is it interesting to ask what kind of analysis they are doing to mine these exploits? Given their unlimited resources they might not need to worry about false positive rates, or they might have access to techniques that have not been publicly disclosed. Cryptographers used to ponder what kind of "secret maths" existed within the NSA parallel to the academy, perhaps we should start to ask what kind of "secret analyses" they have developed? Edit: was supposed to be a reply above.

My money's on "fuzz it 'til

My money's on "fuzz it 'til it breaks" being the discovery vector rather than any analytical method.

Why would they?

Why not make it easy on yourself. And anyway, since Windows is critical to the US infrastructure it makes more sense to simply obtain the source code or plant someone there. It wouldn't even surprise me if they simply pay a contractor a million bucks for an exploit, no questions asked.

If you raise the bar high enough, people will walk underneath it

I have the idea that you look at the problem in the wrong manner; i.e., your assumption is that the NSA consists of very smart people doing extremely smart analysis. No doubt they are capable of that, but I think for a spying and military organisation the problem is far easier.

What is the price of a Tomahawk missile? They're willing to pay probably at least that for a cyber weapon. What would you do? You hire a subcontractor on a 'I don't want to know what you did' basis, who will probably get someone to simply expose or even plant a small exploit and write a program for that. Probably two weeks of work for people who know what they are doing.

That's a lot easier than hiring staff and fuzzing every protocol and reverse engineering the code.

Smart people

Well, yeah... there probably are a lot of smart people in the NSA. What they have in common with other smart people is that they are probably really quite lazy. Which is less work in the long-run?

1. Writing a linting tool for some crusty old libraries that you have the source code for. Passing the thousands of hits to an intern to check for exploitability.
2. Hiring an external contractor, giving them the code and letting them find the exploit, arranging a believable car accident afterwards so that the exploit remains valuable.

Can you imagine how many meetings are involved in commissioning wet-work? More seriously - they wrote custom firmware for the 12 most common brands of hard-disk so that they can put a back-door into the storage system. That is - hide data on the drive that cannot be recovered by any level of privilege on the target system, only by someone that knows how to access the secret firmware. They also wrote trojans that implement a dead-drop system in secret to overcome airgaps in networks. These are quite sophisticated pieces of software, it is safe to say that they do employ some smart engineers.

The typical life-cycle of these exploits is long. Both the recently publicised exploits are old: they were used for surveillance up until 2008. The more they are used the higher the probability of discovery, so they become less valuable as they age. When they lose enough value they are handed off to external teams.

Not like that

Oh, I am pretty sure they have the source code but I don't think they would pass that to a subcontractor. But that's not my point. It's a (counter-)espionage organization. So you shouldn't be thinking code and math, you should be thinking money, drugs, and hookers.

Pretty sure you can get a lot done if you find someone with the right knowledge and connections and just pass him money to 'fix the problem'.

Yes. Assuming sane managers,

Yes. Assuming sane managers, they should use efficient methods for developing exploits. I assume they'd develop a study of efficient methods—"exploit engineering"—like we have software engineering.

Hence, buy what you can and fuzz (or whatever) what you can't buy. But honestly, I'd use the spies to steal the source (or any intel) of Windows (or OS X, or any other tool worth hacking), and then get my analysts to do most of the work with whatever analysis tool. I might buy exploits externally sometimes, but they seem to need exclusive 0-days, and discovering them internally sounds easiest for the NSA.
Especially if it's true that they have some of the best analysts and most other good analysts work for other (enemy) countries like Russia and China.