Shulou(Shulou.com)05/31 Report--

What is the analysis of Microsoft RDP remote code execution vulnerability CVE-2019-0708? aiming at this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

Overview of 0x00

In 20190514, Microsoft released a patch that fixed a serious RDP remote code execution vulnerability. This vulnerability does not require authentication and user interaction and can lead to a worm outbreak with an impact comparable to that of wannycry.

0x01 scope of influence

Windows 7

Windows Server 2008 R2

Windows Server 2008

Windows Server 2003

Windows XP

0x02 vulnerability recur

Poc has come out to recreate several mainstream poc on the Internet:

1) 0708detector.exe (Lossless scanning tool)

/ / it doesn't feel very stable, sometimes successful and sometimes not successful for the same ip.

Some batches written according to this tool

Https://github.com/biggerwing/CVE-2019-0708-poc

Https://github.com/autoing/CVE-2019-0708-POC

2) https://github.com/zerosum0x0/CVE-2019-0708

Contains the rb of msf

Git clone https://github.com/zerosum0x0/CVE-2019-0708.gitcd CVE-2019-0708/rdesktop-fork-bd6aa6acddf0ba640a49834807872f4cc0d0a773/./bootstrap./configure-disable-credssp-disable-smartcardmake./rdesktop 192.168.1.73389

Apt-get install libssl1.0.0 libssl-dev may be required

Batch can be made with scan_with_docker.py.

/ / more stable

3) https://github.com/Ekultek/BlueKeep.git

Can be batch

Install impacket first

Https://github.com/SecureAuthCorp/impacket

Pip install-r requestments.txtpip install .vim bluekeep_poc.py

Delete a duplicate impacket

4) https://github.com/robertdavidgraham/rdpscan

Batchable

/ / more unstable

5) https://github.com/Leoid/CVE-2019-0708

Pip3 install impacket

6) https://github.com/n1xbyte/CVE-2019-0708

/ / 20190531 added blue screen poc, which appears when tested with 03standx86

OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

It should be this 03 system problem.

Directly find a few zombie hosts to test.

/ / the effect is good!

7) https://github.com/closethe/CVE-2019-0708-POC

Tried several are all timed out, may be poc is not perfect.

Some other poc (not tested):

Https://github.com/skyshell20082008/CVE-2019-0708-PoC-Hitting-Path

Https://github.com/blacksunwen/CVE-2019-0708 (basically the same as 5)

Https://github.com/Jaky5155/cve-2019-0708-exp

Https://github.com/fourtwizzy/CVE-2019-0708-Check-Device-Patch-Status

Https://github.com/trickster0/CVE-2019-0708

Https://github.com/algo7/bluekeep_CVE-2019-0708_poc_to_exploit (powershell)

As of the post (20190605), no publicly available exp has been found. Wait and see!

One of the big gods of 360has created exp, which can pop up in win7 x64, which has not been disclosed.

20190606, it is found that msf can obtain the exp of meterpreter, which is not disclosed.

Https://twitter.com/zerosum0x0/status/1135866953996820480

There are also a bunch of fake exp, using ms12-020s, os.system (), alert, fake GUI, cheating star, and so on.

Www.cve-2019-0708.com (20190529 unreachable) is said to be a fake!

0x03 vulnerability Analysis rdp Foundation

RDP protocol provides multi-channel communication based on T.128 (T.120 protocol family) and has been extended.

Remote Desktop Protocol (RDP) supports clients to establish point-to-point connections and defines the way in which both parties communicate with each other in virtual channels. This virtual channel is a two-way data channel, which can extend the function of RDP. Windows Server 2000 defines 32 static virtual channels (SVC) in RDP V5.1, but the number of dedicated channels svc is limited due to the number of dynamic virtual channels to be defined in the future. SVC is created at the beginning of the session and remains unchanged until the session is terminated, but DVC is different because it is created and deleted according to the needs of the user.

During the initialization phase, the server will create a channel with MS_T120 and Index of 31. Channel creation and binding operations are performed after receiving the MCS Connect Initial data packet.

When binding in the IcaBindVirtualChannels function, the IcaFindChannelByName function does channel lookup only based on the channel name. When the channel is named MS_T120 (case-insensitive), the channel of the system internal channel MS_T120 is found and bound to it, and the channel index is changed to the new channel index.

Reference mcafee,seebug

I use win7sp1 x64 to test.

Check termdd.sys. There are changes.

Compare before and after patch

13628 this sub-module has changed a lot, take a look at it first.

It is found that the stricmp comparison is added, and compared with the ms_t120 channel, if 0, the dead v19 or 31 (rdp channel number) is passed into the 13ec8 sub-module as the third parameter. Therefore, it can be seen here that the leak point should be the ms_t120 channel, which triggers the vulnerability.

/ / bindiff did not resolve _ IcaBindChannel and _ IcaBindVirtualChannels.

Before the security mechanism is enabled, the system initializes the RDP connection sequence and completes the establishment of the channel, which leads to the formation of a worm.

In the gcc negotiation initialization sequence of rdp, the svc ms_t120 is bound as a reference channel 31.

This channel number 31 is used internally in microsoft, and the svc of ms_t120 does not appear in the client request connection.

However, during GCC negotiation initialization, the channel name provided by the client is not on the server-side whitelist, which means that the attacker will be able to set another SVC channel named "MS_T120" that is not numbered 31, which causes the target system to have a heap memory crash and remote code execution.

The MS_T120 reference channel is created in rdpwsx.dll, and heap memory is allocated a memory pool in rdpwp.sys. Heap memory corruption occurs when the MS_T120 reference channel is established in a scenario where the channel number is not 31.

Microsoft added a check code for the connection request part of the client to the channel name "MS_T120" in the _ IcaBindVirtualChannels and _ IcaRebindVirtualChannels functions of termdd.sys to ensure that the ms_t120 is bound to channel 31.

Use wireshark to get rdp packets (winn2003stand without 0708 patch)

Normal rdp connection:

Tcp sends rdp data after three-way handshake, and uses decode as tpkt to decode rdp packets.

/ / send clientdata only after the second tcp handshake (neg req=fff)

No ms_t120 channel information

Packets sent using the 360NDT tool (neg req=fff)

Here I speculate that the ms_t120 channel number is 1MagneChannelCount is the number of channelDefArray elements, verify the existence of vulnerabilities!

A packet sent to a zombie host using. / rdesktop (the second poc):

At this time, it is speculated that the ms_t120 channel number is 2, and the verification vulnerability exists!

Packets sent to a zombie host using blue screen crashpoc.py:

I am shallow in talent and learning, and I don't know much about rdp. I can only analyze it from a shallow level. The master can refer to the relevant analysis materials.

Related analysis data:

English:

Https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ (recommended)

Https://medium.com/@straightblast426/a-debugging-primer-with-cve-2019-0708-ccfa266682f6

Https://wazehell.io/2019/05/22/cve-2019-0708-technical-analysis-rdp-rce/

Https://www.malwaretech.com/2019/05/analysis-of-cve-2019-0708-bluekeep.html

Https://medium.com/@ab_65156/proactive-detection-content-cve-2019-0708-vs-mitre-att-ck-sigma-elastic-and-arcsight-22f9ebae7d82

Https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html

Https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability

English:

Https://xz.aliyun.com/t/5295( translation zerodayinitiative)

Https://www.anquanke.com/post/id/178964( translation mcafee)

Https://www.anquanke.com/post/id/178966

Https://www.giantbranch.cn/2019/05/14/CVE-2019-0708%20%E5%BE%AE%E8%BD%AF%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2%E6%9C%8D%E5%8A%A1%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E% E5%88%86%E6%9E%90%E4%B9%8B%E8%A1%A5%E4%B8%81%E5%88%86%E6%9E%90/

Https://paper.seebug.org/937/

Https://mp.weixin.qq.com/s/_MaxpGtDj2D8oENCZ68hKA

Https://mp.weixin.qq.com/s/OeJ7W3GxsQedpezTsa6z_Q

0x04 repair scheme

1. Patch

Https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

two。 Enable NLA network-level authentication to mitigate harm (authentication is required to exploit vulnerabilities)

0x05 conclusion

This loophole is very harmful, once the exp is made public, it will certainly cause bloodshed, and it is estimated that all kinds of extortion and mining viruses are ready to go out, so we should pay close attention to patches!

This is the answer to the analysis of Microsoft RDP remote code execution vulnerability CVE-2019-0708. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.