1. The Patient

Target: Windows SMBv1 Driver (srv.sys)

Component: SrvOs2FeaListSizeToNt Function

Vector: Remote Network (Port 445)

The Server Message Block (SMB) protocol is the fabric of Windows networking, facilitating file and printer sharing across the ecosystem. While modern Windows systems use SMBv2 and v3, the kernel retained legacy support for SMBv1 (originally CIFS) well into the Windows 10 era.

The specific vulnerability lies within the driver’s handling of OS/2 File Extended Attributes (FEA). These are metadata key-value pairs attached to files, a feature dating back to the 1980s. To maintain backward compatibility with obsolete OS/2 clients, modern Windows kernels kept complex parsing logic deep within srv.sys. This legacy debt created the attack surface for one of history’s most devastating cyber weapons.

The Context: Developed by The Equation Group (attributed to the NSA) and leaked by The Shadow Brokers in April 2017, this is not a commodity vulnerability. It represents a military-grade exploit that bypasses perimeter defenses by attacking the protocol layer itself. It was the engine behind the WannaCry ransomware and the NotPetya wiper, causing over $10 billion in global damages.

2. The Diagnosis

Root Cause: Integer Overflow leading to Kernel Pool Corruption.

EternalBlue is not a single bug, but a chain of three distinct logical flaws working in concert. The primary mechanism is a mathematical casting error that allows an attacker to misalign the kernel’s understanding of buffer size versus copy size.

Bug A: The Integer Truncation

The critical failure occurs in the function SrvOs2FeaListSizeToNt, which calculates the buffer size needed to convert an OS/2 FEA list into the Windows NT format.

1. The Calculation: The function calculates the required size using a 32-bit DWORD.

2. The Cast: Before allocation, this result is cast to a 16-bit WORD.

3. The Overflow: If an attacker sends a payload size of 65,537 bytes, the math fails catastrophically.

4. The Result: The kernel allocates 1 byte of memory but proceeds to copy 65,537 bytes of data into it. This is a classic kernel integer overflow.

Bug B: Transaction Type Confusion

To trigger Bug A, the attacker must send a payload larger than the standard 64KB limit. This is achieved via a logical inconsistency in transaction handling.

• The Switch: The exploit initiates a transaction using SMB_COM_NT_TRANSACT (which allows 32-bit sizes) but sends the data using SMB_COM_TRANSACTION2_SECONDARY (which uses 16-bit logic).

• The Trap: The driver validates the total size against the permissive 32-bit limit of the first command but processes the data chunks using the constraints of the second. This allows the attacker to pour data into a buffer defined by incompatible assumptions.

3. The Kill-Chain

A raw kernel overflow typically results in a Blue Screen of Death (BSOD). To achieve reliable Code Execution, EternalBlue employs Kernel Pool Grooming (or “Feng Shui”) to manipulate the layout of the NonPagedPool.

Phase 1: The Spray

The attacker opens 15+ concurrent TCP connections. Streams 1 through 13 send SMB_COM_TRANSACTION2 packets to the server.

• Purpose: This “sprays” the heap, filling existing fragmentation holes and forcing the kernel to allocate subsequent objects contiguously.

Phase 2: The Hole

Stream 14 executes Bug C, a flaw in SMB_COM_SESSION_SETUP_ANDX.

• The Trigger: By sending an Extended Security request with zero negotiation, the driver reads the ByteCount from the wrong offset.

• The Allocation: This triggers a large allocation (approx 0x11000 bytes).

• The Release: The attacker immediately closes the connection. The kernel frees this chunk, creating a precise hole in memory surrounded by data the attacker controls.

Phase 3: The Overwrite

Stream 0 sends the malicious FEA list, carefully sized to fit exactly into the “Hole” created in Phase 2.

• The Setup: The payload contains a “bridge” object (0xA8 bytes) at the very end.

• The Crash: Bug A (the integer overflow) fires. The copy operation runs past the end of the allocated hole and overwrites the header of the next object in memory.

Phase 4: Execution (DoublePulsar)

The overwritten object is a SRVNET_BUFFER structure.

• The Hook: The overflow corrupts a function pointer within this structure, redirecting it to shellcode embedded in the payload.

• The Implant: The shellcode installs DoublePulsar, a kernel-mode backdoor. It hooks system tables (like KernelCallbackTable) and uses Asynchronous Procedure Calls (APC) to inject a DLL into a user-mode process like lsass.exe.

• Result: Silent, persistent Ring 0 Remote Code Execution.

4. The Fix

The remediation was straightforward: accurate input validation. The kernel must ensure the calculated size fits into the destination type before casting.

Vulnerable Logic:

DWORD calculatedSize = SrvOs2FeaListSizeToNt(feaList);

// VULNERABILITY: Implicit truncation from 32-bit to 16-bit
WORD allocatedSize = (WORD)calculatedSize; 

// Allocates based on the truncated size (e.g., 1 byte)
buffer = ExAllocatePoolWithTag(NonPagedPool, allocatedSize, 'LSBF');

// Copies based on the original size (e.g., 65,537 bytes)
MoveMemory(buffer, feaList, calculatedSize);

Patched Logic (MS17-010):

DWORD calculatedSize = SrvOs2FeaListSizeToNt(feaList);

// FIX: Explicitly check if the size exceeds the 16-bit limit
if (calculatedSize > 0xFFFF) {
    return STATUS_INVALID_PARAMETER;
}

// Safe to cast only after validation
WORD allocatedSize = (WORD)calculatedSize;

Developer Takeaway

Kernel Math is Law.

In user-space development, an integer overflow might crash your application. In the kernel, it compromises the entire operating system. The developers of srv.sys trusted that the inputs would logically align, but they failed to mathematically enforce that alignment.

Immediate Action:

1. Patch: Ensure MS17-010 is applied to all legacy systems.

2. Mitigate: Disable SMBv1 immediately. It is deprecated and disabled by default in Windows 11 for this exact reason.

3. Hygiene: Remove legacy compatibility code (like OS/2 support) from hot paths. Unused code is just unmonitored attack surface.