How to carry out CVE-2019-0708 early warning of code execution vulnerabilities in Windows remote Desktop Services

2025-02-24 Update From: SLTechnology News&Howtos > Network Security


Shulou(Shulou.com)05/31 Report--

This article explains the CVE-2019-0708 early warning for the code execution vulnerability in Windows Remote Desktop Services. The content is concise and easy to follow, and I hope you will take something useful from the detailed introduction below.

In the early hours of September 7, 2019, Sangfor's security team obtained intelligence that exploit code for CVE-2019-0708 had been publicly disclosed; the code can be used for remote code execution attacks over the RDP protocol. For the potential impact of this vulnerability, refer to the 2017 WannaCry incident; users are strongly advised to install the patch promptly to avoid losses.

Vulnerability name: Remote Desktop Protocol vulnerability

Threat level: severe

Scope of impact: Windows 7; Windows Server 2003 / Windows Server 2008 / Windows Server 2008 R2

Type of vulnerability: arbitrary code execution vulnerability

Exploitation difficulty: easy

Vulnerability overview

CVE-2019-0708 is an arbitrary remote code execution vulnerability that is triggered when an unauthenticated attacker connects to the target system over RDP and sends a specially crafted request. The vulnerability is pre-authentication and requires no user interaction; an attacker who successfully exploits it can install programs; view, change or delete data; or create new accounts with full user rights.

Because the potential consequences of this vulnerability are serious, when Sangfor's security team tracked the vulnerability in May this year it immediately pushed an early warning to users and provided corresponding protective measures: Vulnerability early warning | Remote Desktop Protocol arbitrary code execution vulnerability (CVE-2019-0708)

Now that the EXP has been released publicly, malicious actors are likely to use this vulnerability to write customized malware, and malware spreading through it would trigger an incident similar to the global WannaCry outbreak of 2017. Users need to be especially vigilant about malware that exploits this vulnerability and take precautions in advance.

Vulnerability analysis

Successful exploitation requires binding a static channel named "MS_T120" outside the normal channel set. Microsoft uses the MS_T120 channel internally, so in theory it should never receive arbitrary messages.

RDP has many internal components, including several user-mode DLLs in svchost.exe and several kernel-mode drivers. The vulnerability is triggered when an attacker sends a message on the MS_T120 channel, which causes a double-free (use-after-free) condition in the termdd.sys driver.

After the RDP protocol handshake completes, messages start being sent to each bound channel. Messages for the MS_T120 channel are handled by the user-mode component rdpwsx.dll, which creates a thread that loops in the function rdpwsx!IoThreadFunc and reads messages from an I/O completion port.

After the data arrives through the I/O completion packet, it is processed in the rdpwsx!MCSPortData function:

As the function shows, rdpwsx!MCSPortData handles two opcodes: 0x0 and 0x2. If the opcode is 0x2, it calls rdpwsx!HandleDisconnectProviderIndication to perform cleanup and then closes the channel with rdpwsx!MCSChannelClose.

In theory, an MS_T120 message whose packet size is within the legal range simply closes the MS_T120 channel, disconnects the session (opcode 0x2) and cleans up, with no risk of remote code execution or a blue-screen crash. If the packet size sent is invalid, the result can be remote code execution or denial of service.
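A defender-side detection example, added here and not part of the original article or of any Sangfor tooling: the analysis above notes that exploitation depends on the client binding the internal MS_T120 static channel, which a normal client never requests. The script below parses the TS_UD_CS_NET block (MS-RDPBCGR section 2.2.1.3.4) of a client's Connect Initial userData and flags an MS_T120 request, the same signal an IDS rule for this vulnerability keys on. It assumes the caller has already extracted the raw userData from the GCC Conference Create Request; the sample buffers are constructed, and the case-insensitive name comparison is a defensive assumption made here, not a statement about how Windows matches channel names.

```python
"""Flag RDP client connect data that requests the internal MS_T120 static channel."""
import struct

# TS_UD_HEADER block types from MS-RDPBCGR section 2.2.1.3.1.
CS_CORE = 0xC001
CS_SECURITY = 0xC002
CS_NET = 0xC003
CS_CLUSTER = 0xC004
MAX_STATIC_CHANNELS = 31  # spec maximum for channelCount in TS_UD_CS_NET
# Internal channel name that a normal client has no reason to request.
INTERNAL_CHANNELS = {"MS_T120"}


def iter_user_data_blocks(user_data: bytes):
    """Yield (type, body) for each TS_UD_* block in a client userData buffer.

    Every block begins with a TS_UD_HEADER: type (uint16 LE) and length
    (uint16 LE), where length includes the 4-byte header. A length that is
    too small or runs past the buffer is treated as malformed rather than
    silently skipped, so a truncated capture cannot hide a channel list.
    """
    offset = 0
    while offset + 4 <= len(user_data):
        block_type, block_len = struct.unpack_from("<HH", user_data, offset)
        if block_len < 4 or offset + block_len > len(user_data):
            raise ValueError(f"malformed TS_UD block at offset {offset}: length {block_len}")
        yield block_type, user_data[offset + 4:offset + block_len]
        offset += block_len


def parse_cs_net(body: bytes):
    """Return [(name, options), ...] from a TS_UD_CS_NET body (MS-RDPBCGR 2.2.1.3.4).

    Layout: channelCount (uint32 LE) followed by channelCount CHANNEL_DEF
    entries, each an 8-byte NUL-padded ANSI name plus a uint32 options field.
    """
    if len(body) < 4:
        raise ValueError("CS_NET body too short for channelCount")
    (count,) = struct.unpack_from("<I", body, 0)
    if count > MAX_STATIC_CHANNELS:
        raise ValueError(f"channelCount {count} exceeds the spec maximum of {MAX_STATIC_CHANNELS}")
    if 4 + count * 12 > len(body):
        raise ValueError(f"CS_NET declares {count} channels but body holds {len(body)} bytes")
    channels = []
    for i in range(count):
        raw_name, options = struct.unpack_from("<8sI", body, 4 + i * 12)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        channels.append((name, options))
    return channels


def requested_channels(user_data: bytes):
    """All static channel names the client asks for, in the order requested."""
    names = []
    for block_type, body in iter_user_data_blocks(user_data):
        if block_type == CS_NET:
            names.extend(name for name, _ in parse_cs_net(body))
    return names


def flags_ms_t120(user_data: bytes) -> bool:
    """True when the client requests MS_T120. The comparison is case-insensitive,
    an assumption made here to catch trivial case changes in the name."""
    return any(name.upper() in INTERNAL_CHANNELS for name in requested_channels(user_data))


# --- constructed sample data (not captured from a real session) -------------
def build_cs_net(names):
    body = struct.pack("<I", len(names))
    for name in names:
        body += struct.pack("<8sI", name.encode("ascii"), 0x80800000)
    return struct.pack("<HH", CS_NET, 4 + len(body)) + body


def build_cs_cluster():
    # TS_UD_CS_CLUSTER: header, flags, RedirectedSessionID (values arbitrary here)
    return struct.pack("<HHII", CS_CLUSTER, 12, 0x0000000D, 0)


BENIGN_USER_DATA = build_cs_cluster() + build_cs_net(["rdpdr", "cliprdr", "rdpsnd"])
SUSPECT_USER_DATA = build_cs_cluster() + build_cs_net(["rdpdr", "cliprdr", "MS_T120"])

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_USER_DATA), ("suspect", SUSPECT_USER_DATA)):
        print(label, requested_channels(data), "MS_T120 requested:", flags_ms_t120(data))
```

A hit on MS_T120 is worth an alert even on a patched host: the request has no legitimate purpose, so it identifies a scanner or exploit attempt regardless of whether the target is still vulnerable. Malformed block lengths raise instead of being skipped, since an attacker-controlled length is exactly the place a parser is tricked into missing a channel definition.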

Vulnerability reproduction

According to the publisher of the EXP, it targets Windows 7 and Windows Server 2008 R2 x64. Sangfor's Qianliu lab reproduced it immediately and confirmed that the EXP can indeed lead to arbitrary code execution.

The EXP was published as a Pull Request on Metasploit's official GitHub, but has not yet been merged into the official Metasploit framework.

As shown in the figure above, the module can be loaded in Metasploit following the normal procedure for using an EXP. The RHOSTS parameter specifies the target host, and the target parameter specifies the target's system version; currently only two versions are offered, Windows 7 and Windows Server 2008 R2. After the EXP is loaded and executed, access to the target host is obtained.

Scope of impact

Currently affected Windows versions:

Microsoft Windows XP

Microsoft Windows Server 2008 R2 for x64-based Systems SP1

Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1

Microsoft Windows Server 2008 for x64-based Systems SP2

Microsoft Windows Server 2008 for Itanium-based Systems SP2

Microsoft Windows Server 2008 for 32-bit Systems SP2

Microsoft Windows Server 2003

Microsoft Windows 7 for x64-based Systems SP1

Microsoft Windows 7 for 32-bit Systems SP1

Solution

1. Install the security update released by Microsoft promptly:

Microsoft officially fixed the vulnerability on May 14, 2019. Users can patch the system by installing Microsoft's security update, which can be downloaded from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Security updates for Windows Server 2003 and Windows XP, which Microsoft no longer supports with regular updates, can be downloaded from:

https://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708

2. Mitigation measures (as a temporary solution if Microsoft security updates cannot be installed in a timely manner):

(1) If the Remote Desktop service is not needed, disable it.

(2) Enable Network Level Authentication (NLA); this applies to Windows 7, Windows Server 2008 and Windows Server 2008 R2.

The above measures only partially and temporarily mitigate this vulnerability; installing Microsoft's security update promptly is strongly recommended wherever conditions permit.

The above covers the CVE-2019-0708 early warning for the code execution vulnerability in Windows Remote Desktop Services. Have you picked up the knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
