
CVE-2019-0708

Vulnerability verification

Reproduction environment:

Attacker machine: Kali Linux (Windows Subsystem for Linux)

Target host: Windows 7 SP1 64-bit

Environment setup | PoC download/compile

sudo apt install dh-autoreconf
sudo apt install libssl-dev
sudo apt install libx11-dev
git clone https://github.com/zerosum0x0/CVE-2019-0708.git
cd CVE-2019-0708/rdesktop-fork-bd6aa6acddf0ba640a49834807872f4cc0d0a773/
./bootstrap
./configure --disable-credssp --disable-smartcard
make
./rdesktop 192.168.1.7:3389

I don't know how this PoC builds in other environments; in my Kali and Ubuntu virtual machines and WSL it never ran successfully. What I ran was this author's Metasploit version of the PoC. The Ruby file is in https://github.com/zerosum0x0/CVE-2019-0708; put it under the auxiliary/scanner/rdp/ path in Metasploit-Framework. The verification result is as follows:

 ⚡ root@kali  ~  msfconsole

, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||


=[ metasploit v4.17.21-dev ]
+ -- --=[ 1822 exploits - 1035 auxiliary - 316 post ]
+ -- --=[ 539 payloads - 42 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use auxiliary/scanner/rdp/bluekeep
msf auxiliary(scanner/rdp/bluekeep) > show options

Module options (auxiliary/scanner/rdp/bluekeep):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 3389 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads

msf auxiliary(scanner/rdp/bluekeep) > set RHOSTS 192.168.80.129
RHOSTS => 192.168.80.129
msf auxiliary(scanner/rdp/bluekeep) > run

[+] 192.168.80.129:3389 - The target is vulnerable.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

How the vulnerability works

The Remote Desktop Protocol (RDP) enables connection between a client and endpoint, defining the data communicated between them in virtual channels. Virtual channels are bidirectional data pipes which enable the extension of RDP. Windows Server 2000 defined 32 Static Virtual Channels (SVCs) with RDP 5.1, but due to limitations on the number of channels further defined Dynamic Virtual Channels (DVCs), which are contained within a dedicated SVC. SVCs are created at the start of a session and remain until session termination, unlike DVCs which are created and torn down on demand.

It’s this 32 SVC binding which CVE-2019-0708 patch fixes within the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions in the RDP driver termdd.sys. As can be seen in figure 1, the RDP Connection Sequence connections are initiated and channels setup prior to Security Commencement, which enables CVE-2019-0708 to be wormable since it can self-propagate over the network once it discovers open port 3389.


Figure: RDP protocol sequence

The vulnerability is due to the “MS_T120” SVC name being bound as a reference channel to the number 31 during the GCC Conference Initialization sequence of the RDP protocol. This channel name is used internally by Microsoft and there are no apparent legitimate use cases for a client to request connection over an SVC named “MS_T120.”

Figure 2 shows legitimate channel requests during the GCC Conference Initialization sequence with no MS_T120 channel.


Figure: standard GCC Conference Initialization sequence

However, during GCC Conference Initialization, the Client supplies the channel name which is not whitelisted by the server, meaning an attacker can setup another SVC named “MS_T120” on a channel other than 31. It’s the use of MS_T120 in a channel other than 31 that leads to heap memory corruption and remote code execution (RCE).


Figure: abnormal/suspicious GCC Conference Initialization sequence - MS_T120 on a non-standard channel

The components involved in the MS_T120 channel management are highlighted in figure 4. The MS_T120 reference channel is created in the rdpwsx.dll and the heap pool allocated in rdpwp.sys. The heap corruption happens in termdd.sys when the MS_T120 reference channel is processed within the context of a channel index other than 31.


Figure: Windows kernel and user components

The Microsoft patch as shown in figure 5 now adds a check for a client connection request using channel name “MS_T120” and ensures it binds to channel 31 (1Fh) only in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions within termdd.sys.


Figure: Microsoft patch adds channel binding check

Firewall rule (Snort signature)

alert tcp any any -> any 3389 (msg:"NCC GROUP RDP connection setup with MS_T120 channel, potential CVE-2019-0708"; flow:to_server,established; content:"|03 00|"; offset:0; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; threshold: type limit, track by_src, count 2, seconds 600; classtype:bad-unknown; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; sid:190708; rev:1;)
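The Snort rule above matches byte patterns in the client's connection setup: the TPKT header, the X.224 Data TPDU, the GCC ConferenceCreateRequest marker, the Client Network Data block (type 0xC003, which appears on the wire as 03 c0) and finally the string MS_T120. The following Python is an added example, written for this write-up and not taken from the page, the zerosum0x0 PoC or NCC Group; it parses the same structures described in the GCC Conference Initialization section above (the client-supplied channel list) and reports whether, and at which list position, a client asked for MS_T120. Byte layouts follow MS-RDPBCGR (TPKT, X.224, the "Duca" H.221 key and 12-byte CHANNEL_DEF entries); the PDUs produced by build_connect_initial() are constructed for the demo and are not captured traffic.

```python
"""
Flag an RDP client Connect-Initial request that asks for the internal
"MS_T120" static virtual channel, the condition CVE-2019-0708 depends on.

Added example for this write-up: not code from the page, the zerosum0x0 PoC
or NCC Group's Snort rule. Byte layouts follow MS-RDPBCGR; sample PDUs are
constructed by build_connect_initial() and are not real captures.
"""
import struct
from typing import List, Optional, Tuple

CS_NET = 0xC003          # Client Network Data block type (MS-RDPBCGR 2.2.1.3.4)
CS_CORE = 0xC001         # Client Core Data block type, used only as a stand-in here
DUCA_KEY = b"Duca"       # H.221 non-standard key preceding the client data blocks
GCC_CREATE_REQ = bytes.fromhex("00050014 7c0001")  # same marker the Snort rule matches
MS_T120 = "MS_T120"
INTERNAL_MS_T120_INDEX = 31   # the server's own binding for MS_T120 (1Fh)


def _per_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a PER length determinant: one byte if < 128, else two bytes with the top bit set."""
    if buf[pos] & 0x80:
        return ((buf[pos] & 0x7F) << 8) | buf[pos + 1], pos + 2
    return buf[pos], pos + 1


def requested_channels(pdu: bytes) -> Optional[List[str]]:
    """Return the SVC names a client requested, or None if pdu is not a Connect-Initial."""
    # TPKT header (03 00 len) followed by an X.224 Data TPDU (02 f0 80).
    if len(pdu) < 7 or pdu[0:2] != b"\x03\x00" or pdu[4:6] != b"\x02\xf0":
        return None
    if GCC_CREATE_REQ not in pdu:
        return None
    key = pdu.find(DUCA_KEY)
    if key < 0:
        return None
    data_len, pos = _per_length(pdu, key + len(DUCA_KEY))
    end = min(pos + data_len, len(pdu))
    # Walk the client data blocks; each opens with little-endian type (2) and length (2).
    while pos + 4 <= end:
        btype, blen = struct.unpack_from("<HH", pdu, pos)
        if blen < 4:
            break                       # a bogus length would otherwise loop forever
        if btype == CS_NET:
            body = pdu[pos + 4:pos + blen]
            if len(body) < 4:
                return []
            count = struct.unpack_from("<I", body, 0)[0]
            names = []
            for i in range(count):
                off = 4 + i * 12        # CHANNEL_DEF: name[8] + options (4)
                if off + 12 > len(body):
                    break
                raw = body[off:off + 8].split(b"\x00", 1)[0]
                names.append(raw.decode("ascii", "replace"))
            return names
        pos += blen
    return []                           # Connect-Initial with no CS_NET block


def find_ms_t120(pdu: bytes) -> Optional[int]:
    """Position at which the client requested MS_T120, or None if it did not."""
    names = requested_channels(pdu)
    if not names:
        return None
    for idx, name in enumerate(names):
        if name == MS_T120:
            return idx
    return None


def build_connect_initial(channel_names: List[bytes]) -> bytes:
    """Construct a minimal Connect-Initial PDU (demo helper; the MCS/BER prefix is abbreviated)."""
    defs = b"".join(n.ljust(8, b"\x00") + struct.pack("<I", 0x80000000) for n in channel_names)
    cs_net = struct.pack("<HHI", CS_NET, 8 + len(defs), len(channel_names)) + defs
    user_data = struct.pack("<HH", CS_CORE, 4) + cs_net
    n = len(user_data)
    per_len = bytes([n]) if n < 128 else bytes([0x80 | (n >> 8), n & 0xFF])
    gcc = GCC_CREATE_REQ + DUCA_KEY + per_len + user_data
    body = b"\x02\xf0\x80" + b"\x7f\x65" + gcc      # X.224 data + MCS Connect-Initial tag
    return b"\x03\x00" + struct.pack(">H", 4 + len(body)) + body


if __name__ == "__main__":
    normal = build_connect_initial([b"rdpdr", b"rdpsnd", b"cliprdr", b"drdynvc"])
    suspect = build_connect_initial([b"rdpdr", b"MS_T120", b"cliprdr"])
    for label, pdu in (("normal", normal), ("suspect", suspect)):
        idx = find_ms_t120(pdu)
        verdict = "ok" if idx is None else f"MS_T120 requested at list position {idx}"
        print(f"{label}: {requested_channels(pdu)} -> {verdict}")
```

The index reported is the position in the client's channelDefArray; as the text notes, a client has no legitimate reason to request MS_T120 at all, so any hit is worth an alert regardless of position. Both the Snort rule and this parser only see the channel list when the connection uses Standard RDP Security: once TLS is negotiated the MCS Connect-Initial travels inside the TLS tunnel, which is why requiring Network Level Authentication and patching remain the primary controls rather than network signatures.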

References:

McAfee blog: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
