2025-04-04 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article analyzes the Microsoft RDP remote code execution vulnerability CVE-2019-0708 (BlueKeep): the affected systems, the public PoCs, the root cause in termdd.sys, and the remediation.
0x00 Overview
On 2019-05-14, Microsoft released a patch for a serious RDP remote code execution vulnerability. It requires neither authentication nor user interaction, so it can lead to a worm outbreak on the scale of WannaCry.
0x01 Affected versions
Windows 7
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Windows XP
0x02 Vulnerability reproduction
PoCs are now public; here I reproduce several of the mainstream ones:
1) 0708detector.exe (non-destructive scanning tool)
// It doesn't feel very stable: the same IP sometimes succeeds and sometimes fails.
Some batch scanners written around this tool:
https://github.com/biggerwing/CVE-2019-0708-poc
https://github.com/autoing/CVE-2019-0708-POC
2) https://github.com/zerosum0x0/CVE-2019-0708
Contains the Metasploit .rb module.
git clone https://github.com/zerosum0x0/CVE-2019-0708.git
cd CVE-2019-0708/rdesktop-fork-bd6aa6acddf0ba640a49834807872f4cc0d0a773/
./bootstrap
./configure --disable-credssp --disable-smartcard
make
./rdesktop 192.168.1.7:3389
apt-get install libssl1.0.0 libssl-dev may be required.
Batch scanning can be done with scan_with_docker.py.
// more stable
3) https://github.com/Ekultek/BlueKeep.git
Supports batch scanning.
Install impacket first:
https://github.com/SecureAuthCorp/impacket
pip install -r requirements.txt
pip install .
vim bluekeep_poc.py
Remove the duplicate impacket copy.
4) https://github.com/robertdavidgraham/rdpscan
Supports batch scanning.
// more unstable
5) https://github.com/Leoid/CVE-2019-0708
pip3 install impacket
6) https://github.com/n1xbyte/CVE-2019-0708
// 2019-05-31: a blue-screen PoC was added; when tested against Windows Server 2003 Standard x86 it shows
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')
It should be a problem with this 2003 system.
I found a few zombie hosts to test against directly.
// works well!
7) https://github.com/closethe/CVE-2019-0708-POC
Tried several targets, all timed out; the PoC may not be complete yet.
Some other PoCs (not tested):
https://github.com/skyshell20082008/CVE-2019-0708-PoC-Hitting-Path
https://github.com/blacksunwen/CVE-2019-0708 (basically the same as 5)
https://github.com/Jaky5155/cve-2019-0708-exp
https://github.com/fourtwizzy/CVE-2019-0708-Check-Device-Patch-Status
https://github.com/trickster0/CVE-2019-0708
https://github.com/algo7/bluekeep_CVE-2019-0708_poc_to_exploit (PowerShell)
As of this writing (2019-06-05), no publicly available exploit has been found. Wait and see!
A researcher at 360 has built an exploit that works on Win7 x64; it has not been disclosed.
2019-06-06: the Metasploit team has an exploit that returns a meterpreter session; it has not been released.
https://twitter.com/zerosum0x0/status/1135866953996820480
There are also a bunch of fake exploits: repackaged MS12-020, os.system() calls, alert boxes, fake GUIs, all just farming stars.
www.cve-2019-0708.com (unreachable as of 2019-05-29) is said to be a fake!
0x03 Vulnerability analysis
RDP basics
The RDP protocol provides multi-channel communication based on T.128 (the T.120 protocol family) and has been extended over time.
Remote Desktop Protocol (RDP) lets a client establish a point-to-point connection and defines how the two parties communicate over virtual channels. A virtual channel is a bidirectional data channel that extends the functionality of RDP. Windows Server 2000 defined 32 static virtual channels (SVCs) in RDP 5.1, but because the number of dedicated SVCs is limited, dynamic virtual channels (DVCs) were defined later. An SVC is created at the start of a session and remains fixed until the session ends; a DVC is created and destroyed on demand.
During initialization, the server creates a channel named MS_T120 with index 31. Channel creation and binding are performed after the MCS Connect Initial packet is received.
When binding in IcaBindVirtualChannels, the lookup done by IcaFindChannelByName is based on the channel name only. When a channel is named MS_T120 (case-insensitive), the lookup finds the internal MS_T120 system channel and binds to it, and the channel index is overwritten with the new channel index.
Reference: McAfee, Seebug.
I tested on Win7 SP1 x64.
Checking termdd.sys, there are changes.
Compare before and after the patch.
sub_13628 has changed a lot, so look at it first.
A stricmp comparison against the channel name MS_T120 has been added: when it returns 0 (the name matches), the hard-coded value 31 (v19, the RDP channel number) is passed as the third argument to sub_13EC8 instead of the client-supplied index. So the vulnerable point should be the MS_T120 channel, which is what triggers the bug.
// BinDiff did not resolve _IcaBindChannel and _IcaBindVirtualChannels.
The RDP connection sequence and channel establishment are completed before any security mechanism is enabled, so the bug is reachable without authentication, which is what makes it wormable.
In RDP's GCC negotiation initialization sequence, the SVC MS_T120 is bound as reference channel 31.
Channel number 31 is used internally by Microsoft; the MS_T120 SVC does not appear in client connection requests.
However, during GCC negotiation initialization the channel names supplied by the client are not checked against a server-side whitelist, so an attacker can request another SVC named "MS_T120" that is bound to an index other than 31, which causes heap memory corruption on the target system and remote code execution.
The MS_T120 reference channel is created in rdpwsx.dll, and its heap memory is allocated from a memory pool in rdpwp.sys. Heap memory corruption occurs when an MS_T120 reference channel is established with a channel number other than 31.
Microsoft's fix adds a check on the channel name "MS_T120" in the client connection request, in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions of termdd.sys, ensuring that MS_T120 is always bound to channel 31.
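The two points above (the name-only channel lookup during binding, and the patch pinning MS_T120 to index 31) are easier to see on concrete bytes. The following is an added example, not code from the article or from any of the PoC repositories: it parses the TS_UD_CS_NET channel list that a client sends inside the MCS Connect Initial user data (the block types, the 12-byte CHANNEL_DEF layout and the channelCount field are from MS-RDPBCGR), flags any client-supplied channel named MS_T120 case-insensitively the way the server matches it, and then models the pre-patch and post-patch binding logic side by side. The sample client data, the index 1 assigned to the first client channel, and the two bind_channels_* functions are constructed modelling assumptions, not the real termdd.sys code.

```python
import struct

# TS_UD_HEADER block types in the GCC Conference Create Request user data (MS-RDPBCGR 2.2.1.3)
CS_CORE = 0xC001
CS_NET = 0xC003          # TS_UD_CS_NET: the client's static virtual channel list
CHANNEL_DEF_LEN = 12     # CHANNEL_DEF = 8-byte name + 4-byte options
MS_T120_INDEX = 31       # index reserved for the internal MS_T120 channel
FIRST_CLIENT_INDEX = 1   # modelling assumption: the first client SVC receives index 1


def parse_client_data_blocks(data: bytes):
    """Split client user data into (type, body) blocks by walking the TS_UD_HEADERs."""
    blocks = []
    off = 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from('<HH', data, off)   # type, length incl. header
        if blen < 4 or off + blen > len(data):
            raise ValueError(f'bad block length {blen} at offset {off}')
        blocks.append((btype, data[off + 4:off + blen]))
        off += blen
    if off != len(data):
        raise ValueError('trailing bytes after last block')
    return blocks


def parse_cs_net(body: bytes):
    """Decode TS_UD_CS_NET: channelCount, then channelCount CHANNEL_DEF entries."""
    (count,) = struct.unpack_from('<I', body, 0)
    if 4 + count * CHANNEL_DEF_LEN > len(body):
        raise ValueError('channelCount exceeds block size')
    channels = []
    for i in range(count):
        base = 4 + i * CHANNEL_DEF_LEN
        raw_name = body[base:base + 8].split(b'\0', 1)[0]   # name is NUL-padded to 8 bytes
        (options,) = struct.unpack_from('<I', body, base + 8)
        channels.append((raw_name.decode('ascii', 'replace'), options))
    return channels


def client_requested_channels(data: bytes):
    """Return the (name, options) list from the CS_NET block, or [] if absent."""
    for btype, body in parse_client_data_blocks(data):
        if btype == CS_NET:
            return parse_cs_net(body)
    return []


def find_ms_t120(data: bytes):
    """Positions of client channels named MS_T120, matched case-insensitively like the server."""
    return [i for i, (name, _) in enumerate(client_requested_channels(data))
            if name.upper() == 'MS_T120']


def bind_channels_unpatched(requested):
    """Model of pre-patch binding: lookup by name only, so the MS_T120 index is overwritten."""
    table = {'MS_T120': MS_T120_INDEX}            # internal channel created at init
    for pos, (name, _) in enumerate(requested):
        table[name.upper()] = FIRST_CLIENT_INDEX + pos
    return table


def bind_channels_patched(requested):
    """Model of the patched binding: a client channel named MS_T120 stays pinned to 31."""
    table = {'MS_T120': MS_T120_INDEX}
    for pos, (name, _) in enumerate(requested):
        key = name.upper()
        table[key] = MS_T120_INDEX if key == 'MS_T120' else FIRST_CLIENT_INDEX + pos
    return table


def build_cs_net(names):
    """Constructed TS_UD_CS_NET block used as test input (not a captured packet)."""
    body = struct.pack('<I', len(names))
    for n in names:
        body += n.encode('ascii').ljust(8, b'\0') + struct.pack('<I', 0x80800000)
    return struct.pack('<HH', CS_NET, 4 + len(body)) + body


# Constructed sample: a placeholder CS_CORE block (contents irrelevant to this parser)
# followed by a channel list that includes a client-supplied MS_T120 entry.
SAMPLE_CLIENT_DATA = (
    struct.pack('<HH', CS_CORE, 4 + 8) + bytes(8)
    + build_cs_net(['rdpdr', 'MS_T120', 'cliprdr'])
)

if __name__ == '__main__':
    chans = client_requested_channels(SAMPLE_CLIENT_DATA)
    print('client channels:     ', [n for n, _ in chans])
    print('MS_T120 at positions:', find_ms_t120(SAMPLE_CLIENT_DATA))
    print('unpatched binding:   ', bind_channels_unpatched(chans))
    print('patched binding:     ', bind_channels_patched(chans))
```

On the sample, the unpatched model rebinds MS_T120 to index 2 (the position the client chose), which is the mismatch the text above blames for the heap corruption; the patched model keeps it at 31. A network sensor that decodes the MCS Connect Initial can apply find_ms_t120 to the client user data to alert on connection attempts that carry this channel name, since legitimate clients never request it.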
Use Wireshark to capture RDP packets (Windows Server 2003 Standard without the 0708 patch).
Normal RDP connection:
After the TCP three-way handshake the RDP data follows; use "Decode As" TPKT to decode the RDP packets.
// clientData is sent only after the second handshake (neg req=fff)
No MS_T120 channel information.
Packets sent by the 360 NDT tool (neg req=fff):
Here I infer that the MS_T120 channel number is 1 (channelCount is the number of channelDefArray elements), which confirms that the vulnerability exists!
Packets sent to a zombie host using ./rdesktop (the second PoC):
This time the MS_T120 channel number is inferred to be 2, again confirming the vulnerability!
Packets sent to a zombie host using the blue-screen PoC crashpoc.py:
My knowledge of RDP is limited, so I can only analyze it at a shallow level; experts can refer to the related analysis materials.
Related analysis materials:
English:
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ (recommended)
https://medium.com/@straightblast426/a-debugging-primer-with-cve-2019-0708-ccfa266682f6
https://wazehell.io/2019/05/22/cve-2019-0708-technical-analysis-rdp-rce/
https://www.malwaretech.com/2019/05/analysis-of-cve-2019-0708-bluekeep.html
https://medium.com/@ab_65156/proactive-detection-content-cve-2019-0708-vs-mitre-att-ck-sigma-elastic-and-arcsight-22f9ebae7d82
https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html
https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability
Chinese:
https://xz.aliyun.com/t/5295 (translation of the Zero Day Initiative post)
https://www.anquanke.com/post/id/178964 (translation of the McAfee post)
https://www.anquanke.com/post/id/178966
https://www.giantbranch.cn/2019/05/14/CVE-2019-0708%20%E5%BE%AE%E8%BD%AF%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2%E6%9C%8D%E5%8A%A1%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8B%E8%A1%A5%E4%B8%81%E5%88%86%E6%9E%90/
https://paper.seebug.org/937/
https://mp.weixin.qq.com/s/_MaxpGtDj2D8oENCZ68hKA
https://mp.weixin.qq.com/s/OeJ7W3GxsQedpezTsa6z_Q
0x04 Remediation
1. Install the patch:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
2. Enable Network Level Authentication (NLA) as a mitigation: with NLA, an attacker must authenticate before reaching the vulnerable code, so the bug can no longer be exploited pre-auth.
0x05 Conclusion
This vulnerability is extremely dangerous. Once a working exploit is made public it will certainly cause havoc, and all kinds of ransomware and cryptomining malware are no doubt ready to go, so patch promptly!