Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about the latest remote desktop vulnerability CVE-2019-0708 multi-sample analysis, which may not be well understood by many people. In order to let you know more, Xiaobian summarized the following contents for you. I hope you can gain something according to this article.

vulnerability information

On May 14, 2019, Microsoft officially released a security patch to fix Windows Remote Desktop Services remote code execution vulnerability CVE-2019-0708 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708). This vulnerability is pre-authenticated and requires no user interaction (no need to verify the system account password), which means that this vulnerability can be exploited by means of a network worm.

The exploit is via remote desktop port 3389, the RDP protocol. Connect via rdp protocol and send malicious code execution commands to the server. If exploited by attackers, it will lead to server intrusion, virus and denial of service hazards, such as WannaCry, Eternal Blue vulnerability as large-scale infection.

Vulnerability Summary

vulnerability testing

patch comparison

By analyzing IcaBindVirtualChannels and IcaReBindVirtualChannels in termdd.sys file, the judgment of MS_T120 protocol channel is added. If the channel protocol name is MS_T120, the third parameter of IcaBindChannel is set to 31.

When the server is initialized, it creates a channel named MS_T120 with Index 31. After receiving MCS Connect Initial data packet, it creates and binds the channel. When binding in IcaBindVirtualChannels function, IcaFindChannelByName function only searches the channel according to the channel name. When the channel name is MS_T120 (case-insensitive), the system internal channel MS_T120 will be found and bound to it. After binding, the channel index will be changed to the new channel index.

POC testing

PoC codes capable of causing blue screens have been released in public channels and tested to confirm their feasibility.

Bug fixes and security recommendations

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708#ID0EWIAC

Security is set to Computer Right-click Properties-Remote Options-Allow only computer connections running remote desktops that use Network Basic Authentication (N), select Confirm to prevent vulnerability attacks.

After reading the above, do you have any further understanding of the latest remote desktop vulnerability CVE-2019-0708 multi-sample analysis? If you still want to know more knowledge or related content, please pay attention to the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.