Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2019-0708 "BlueKeep" auxiliary scanner module #11869

Merged
merged 18 commits into from May 24, 2019

Conversation

@zerosum0x0
Copy link
Contributor

commented May 22, 2019

JaGoTu and I created this MSF module to detect CVE-2019-0708.

It should work on XP and 7, x86 and x64. I'd also be curious if anyone has NT4/Win2000 terminal services. There may be false negatives, but VULNERABLE == VULNERABLE.

Please test and offer any suggestions.

Reference: https://github.com/zerosum0x0/CVE-2019-0708

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
  • Scan a vulnerable RHOST
  • Verify the module reports host is vulnerable (report false negative conditions below)
  • Scan a patched RHOST
  • Verify the module reports host is patched (false positive should NOT happen)

Windows Versions:

  • Windows NT 4.0 Terminal Server ?
  • Windows 2000 ?
  • Windows XP x86
  • Windows XP x64
  • Windows Vista x86
  • Windows Vista x64
  • Windows Server 2008 x86
  • Windows Server 2008 x64
  • Windows 7 x86
  • Windows 7 x64
  • Windows Server 2008 R2 x86
  • Windows Server 2008 R2 x64

@zerosum0x0 zerosum0x0 changed the title CVE-2018-0708 "BlueKeep" auxiliary scanner module CVE-2019-0708 "BlueKeep" auxiliary scanner module May 22, 2019

@cbrnrd
Copy link
Contributor

left a comment

Pretty good from what I can see, but I have yet to test it. Also a name change suggestion: cve_2019_0708.rb --> (bluekeep.rb || cve_2019_0708_bluekeep.rb)

Show resolved Hide resolved modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated
Show resolved Hide resolved modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated
Show resolved Hide resolved modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated
Show resolved Hide resolved modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated
Show resolved Hide resolved modules/auxiliary/scanner/rdp/cve_2019_0708.rb Outdated

zerosum0x0 added some commits May 22, 2019

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented May 22, 2019

(TL;DR: 4b786e2 works great against 7 and XP. I'll circle back to test your latest commits. Is NLA supported?)

Thanks @zerosum0x0! I know this was no small undertaking. Several of us are testing this, and it's looking great so far!

Is there a way to detect and report if the target uses Network Level Authentication, even if it's just to report CheckCode::Detected? For that matter, do we yet know if NLA mitigates the vuln?

Win7 SP1 x86 (6.1.7601, 32-bit)

With RDP disabled:

[*] 192.168.199.205:3389  - 192.168.199.205:3389 - Cannot reliably check exploitability.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708) > run

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.205:3389  - 192.168.199.205:3389 - The target is vulnerable.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708) > run

Unpatched, with RDP enabled (with NLA):

[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.199.205:3389  - 192.168.199.205:3389 - The target is not exploitable.
[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (with NLA):

[*] 192.168.199.205:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win7 SP1 x64 (6.1.7601, 64-bit)

Unpatched, with RDP enabled (without NLA):

[+] 192.168.220.128:3389  - 192.168.220.128:3389 - The target is vulnerable.
[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Unpatched, with RDP enabled (with NLA):

[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.220.128:3389  - 192.168.220.128:3389 - The target is not exploitable.
[*] 192.168.220.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

WinXP SP2 x86

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is vulnerable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

WinXP SP3 x86

Unpatched, with RDP enabled (without NLA):

[+] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is vulnerable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched, with RDP enabled (without NLA):

[*] 192.168.199.169:3389  - 192.168.199.169:3389 - The target is not exploitable.
[*] 192.168.199.169:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win2k3 x64 (Standard, 5.2.3790)

Unpatched, with RDP enabled (without NLA):

[+] 192.168.220.140:3389  - 192.168.220.140:3389 - The target is vulnerable.
[*] 192.168.220.140:3389  - Scanned 1 of 1 hosts (100% complete)

Patched, with RDP enabled (without NLA):

[*] 192.168.220.140:3389  - 192.168.220.140:3389 - The target is not exploitable.
[*] 192.168.220.140:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
@cbrnrd

This comment has been minimized.

Copy link
Contributor

commented May 22, 2019

Win10 Pro 1809, RDP Enabled

[-] 192.168.1.4:3389      - Error communicating RDP protocol.
[*] 192.168.1.4:3389      - 192.168.1.4:3389 - Cannot reliably check exploitability.
[*] 192.168.1.4:3389      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
@zerosum0x0

This comment has been minimized.

Copy link
Contributor Author

commented May 22, 2019

@asoto-r7 NLA is a 100% confirmed mitigation. We don't have any specific checks for it atm but is something we have discussed to do. Looks like adding detected should be easy enough.

We've also discussed adding authenticated NLA scanning, but that is a different beast entirely. And there are already authenticated scanners which can check driver versions.

@cnotin

This comment has been minimized.

Copy link
Contributor

commented May 22, 2019

@bwatters-r7

This comment has been minimized.

Copy link
Contributor

commented May 22, 2019

All tests without NLA or patch:

Windows 2008x64:

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.142:3389  - 192.168.134.142:3389 - The target is vulnerable.
[*] 192.168.134.142:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Windows 2008x64 R2 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.144:3389  - 192.168.134.144:3389 - The target is vulnerable.
[*] 192.168.134.144:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows 2008x86 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.194:3389  - 192.168.134.194:3389 - The target is vulnerable.
[*] 192.168.134.194:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

@bwatters-r7

This comment has been minimized.

Copy link
Contributor

commented May 22, 2019

All tests without NLA or patch:

Windows 2003x64 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.195:3389  - 192.168.134.195:3389 - The target is vulnerable.
[*] 192.168.134.195:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Win 2003x86 R2 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.190:3389  - 192.168.134.190:3389 - The target is vulnerable.
[*] 192.168.134.190:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > 

Win 2003x86 R2 SP2

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.181:3389  - 192.168.134.181:3389 - The target is vulnerable.
[*] 192.168.134.181:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win 2003x86 SP0

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.175:3389  - 192.168.134.175:3389 - The target is vulnerable.
[*] 192.168.134.175:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Win 2003x86 SP1

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 192.168.134.176:3389  - 192.168.134.176:3389 - The target is vulnerable.
[*] 192.168.134.176:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@bcoles

This comment has been minimized.

Copy link
Contributor

commented May 22, 2019

Windows Server 2003 Enterprise SP2 x86 (5.2.3790)

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[+] 172.16.191.171:3389   - 172.16.191.171:3389 - The target is vulnerable.
[*] 172.16.191.171:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows 2000 Server SP4 (5.0.2195)

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 172.16.191.123:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@blockchainguard

This comment has been minimized.

Copy link

commented May 23, 2019

  • Error communicating RDP protocol.
@zerosum0x0

This comment has been minimized.

Copy link
Contributor Author

commented May 23, 2019

I cleaned up parts of the exception nesting and check codes to make the output more useful when scanning large ranges.

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.1.238:3389    - The target service is running, but could not be validated.
[*] Scanned 1 of 5 hosts (20% complete)
[*] 192.168.4.20:3389     - The target service is not running, or refused our connection.
[*] Scanned 2 of 5 hosts (40% complete)
[+] 192.168.1.161:3389    - The target is vulnerable.
[*] Scanned 3 of 5 hosts (60% complete)
[*] 192.168.1.72:3389     - The target is not exploitable.
[*] Scanned 4 of 5 hosts (80% complete)
[*] 192.168.1.12:3389     - Cannot reliably check exploitability.
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed

In order:

  1. The target service is running, but could not be validated. Seen with NLA enabled, or service is not RDP
  2. The target service is not running, or refused our connection. Nonexistent host/closed port (connect timeout)
  3. The target is vulnerable. Unpatched
  4. The target is not exploitable. Patched
  5. Cannot reliably check exploitability. Something went haywire during RDP comms (generally, this will be like Windows 8+... not sure if we can differentiate this vs. general failure)

I'm happy with it if there isn't any TODO outstanding or suggestions for status codes?

zerosum0x0 and others added some commits May 23, 2019

@cnotin

This comment has been minimized.

Copy link
Contributor

commented May 23, 2019

With the latest version in this PR, I have the following error for a few machines:
/root/tools/msf_modules/auxiliary/cve_2019_0708.rb:521: warning: in a**b, b may be too big

The error is in rsa_encrypt.
Here are the numbers for different machines:

Bignum: 29515630589904128245223976570842015727304113738300535931626442982409229123905
Rsexp: 813730072
Bignum: 29515630589904128245223976570842015727304113738300535931626442982409229123905
Rsexp: 820009571

The numbers stay the same for each run for the same machine

'References' =>
[
[ 'CVE', '2019-0708' ],
[ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ]

This comment has been minimized.

Copy link
@RootUp

RootUp May 24, 2019

Contributor

Probably this may help too.
[ 'URL', 'https://wazehell.io/2019/05/22/cve-2019-0708-technical-analysis-rdp-rce/' ]

@jagotu

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

@asoto-r7

When I try patching, both Vista targets are still reported vulnerable. Honestly, I trust the scanner more than the patch at this point, but it's an anomaly to be sure:

I tried it with Windows Vista (x64, SP2, Retail) before installing KB4499180 and after installing it, and in both cases it correctly reported the state. (Vulnerable before, not vulnerable after).

So, I couldn't reproduce your report that it falsely reports Vista as exploitable after patching. Are you sure you used it against the correct machines? I'm still fairly certain false positives shouldn't happen, only false negatives if anything.

@zerosum0x0

This comment has been minimized.

Copy link
Contributor Author

commented May 24, 2019

@asoto-r7 The patch should give a new version of C:\Windows\System32\drivers\termdd.sys. What are the timestamps/shasum on it for you?

edit: From @jagotu

termdd_patched.sys
SHA1: 657630b0a635bd7a5e8d844856e0eeb7ebf9dd16
FileVersion: 6.0.6003.20514 (vistasp2_ldr.190418-1808)

@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

@zeroSteiner, @asoto-r7, @busterb: PR posted and linked above. Please ensure no regressions. Should be zero functional difference.

wvu-r7 and others added some commits May 24, 2019

Merge pull request #4 from wvu-r7/pr/11869
Add metadata and style fixes
@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

Good, still working. Positive test against Windows Server 2008 R2 x64 and negative test against Win10.

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.105:3389   - Verifying RDP protocol...
[*] 192.168.56.105:3389   - header: 010c len 12
[*] 192.168.56.105:3389   - header: 030c len 20
[*] 192.168.56.105:3389   - header: 020c len 428
[*] 192.168.56.105:3389   - security header
[*] 192.168.56.105:3389   - modulus_old 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2
[*] 192.168.56.105:3389   - RSA magic: RSA1
[*] 192.168.56.105:3389   - RSA bitlen: 256
[*] 192.168.56.105:3389   - modulus_new 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2095e7efba7134163ea09f3e608eac1660ed6b81d3c8c8260e34bfc1a13414705e9a20de7dc6963d87d60ce3f4a4859beaf3c0ae7f87df41badcae7539c7591ee8f72b23b37c339c5549c1ffd50d5fa8b39afd11a5a6899caf802bc7001fbda4e82ad7c820f8dda61872c3db6bd992edab9982a0d6b53a60360f90a87a9d6ca700d03ad790589b02fb0595527cb94074f1d88f397d3c62587938980c46e3f9f1dd77625d84fb506356fa805782a0c7ef0e050fd8db57919a4188f48758d48e8df
[*] 192.168.56.105:3389   - SERVER_MODULUS: 070646f12a4dcf23b3744a6d8397134a7e50eef17782c1555157b543b2a72a192da56770d62c2fa0b191b4b7d8e2de49c533a4a1389ee7a47ef23e3f0a6b38d2095e7efba7134163ea09f3e608eac1660ed6b81d3c8c8260e34bfc1a13414705e9a20de7dc6963d87d60ce3f4a4859beaf3c0ae7f87df41badcae7539c7591ee8f72b23b37c339c5549c1ffd50d5fa8b39afd11a5a6899caf802bc7001fbda4e82ad7c820f8dda61872c3db6bd992edab9982a0d6b53a60360f90a87a9d6ca700d03ad790589b02fb0595527cb94074f1d88f397d3c62587938980c46e3f9f1dd77625d84fb506356fa805782a0c7ef0e050fd8db57919a4188f48758d48e8df
[*] 192.168.56.105:3389   - SERVER_EXPONENT: 01000100
[*] 192.168.56.105:3389   - SERVER_RANDOM: 92957d69d675e9dab53dd2bb4be41f38ef2a9742c959d178cf7de0a0d5f98245
[*] 192.168.56.105:3389   - Sending security exchange PDU
[*] 192.168.56.105:3389   - Encrypted client random: 0e22dfc8f4cae4934eaff236ac596a44990246757527f5b643653fb431205cbbdb8fba05603a2f5c372407bf56ca61bfbaeef6c6bac4cc854d00b9ee1f87d4d3352eef95671b29d4ecf57402941e69739fb3796bdf5fa0c09263d3dc04c2bb76ee54d17d779fb8ca84db87f49beb9d2c88982c151e27e4322df20ec9cdb8f22e8b4f950b5bb3b22f4c605ae971ba5cce4b1238ff7c15838b0e5c75b4f212beb730c0b18b353ab34256482ef674b0bd9537066f406c7f76fcc464522b4076d487c769ade6673bab978481a291f4d245b5655e19557b18461abc3679323ae645c11d51b7d0dda555363e7a715504592f581287efc0a8b82f35472f41f76f651662
[*] 192.168.56.105:3389   - PreMasterSecret = 41414141414141414141414141414141414141414141414192957d69d675e9dab53dd2bb4be41f38ef2a9742c959d178
[*] 192.168.56.105:3389   - MasterSecret = f504ace0b9f8cccfcd32cc376c650b31149f51f7c41154622f32f2f5eb8588f54bdfbfc6d3c70ac0bd9bccc45013a703
[*] 192.168.56.105:3389   - sessionKeyBlob = 2c9eed346966a8276de132facb2d5e942d8f5752c11af87554793d0b39a76ffe3c2510004090e009b935d0f8dd64a82b
[*] 192.168.56.105:3389   - macKey = 2c9eed346966a8276de132facb2d5e94
[*] 192.168.56.105:3389   - initialClientDecryptKey128 = 2b82536effb68f4fea39a11ebdc49d20
[*] 192.168.56.105:3389   - initialClientEncryptKey128 = def7e8037014a95a6a19e7dc6aff1bd2
[*] 192.168.56.105:3389   - RC4_ENC_KEY: def7e8037014a95a6a19e7dc6aff1bd2
[*] 192.168.56.105:3389   - RC4_DEC_KEY: 2b82536effb68f4fea39a11ebdc49d20
[*] 192.168.56.105:3389   - HMAC_KEY: 2c9eed346966a8276de132facb2d5e94
[*] 192.168.56.105:3389   - SESS_BLOB: 2c9eed346966a8276de132facb2d5e942d8f5752c11af87554793d0b39a76ffe3c2510004090e009b935d0f8dd64a82b
[*] 192.168.56.105:3389   - Sending encrypted client info PDU
[*] 192.168.56.105:3389   - Received License packet: 0300002202f08068000103eb701480020000ff031000070000000200000004000000
[*] 192.168.56.105:3389   - Received Server Demand packet: 030001c502f08068000103eb7081b60800000011628713e0b81b1802bb064162e98b8bb4f3cb62d9a376335aa5172e8e4d8b38048b8476c6f9bf7b4a605b5f16b4893003cf0c421a7174b9132bc218eb8daec848731178ed22e6c7bfe64b21b0562a562482e0a0247260204c81e45c62a4b9a3abbb0e639470794439c3fe5b5d448937a2efeddb1cf5d46e04f27d7016e976402e3882643acbb05821b2acb012870b55c7a30eeb8656e98a28978c9b5f2db263b2e4acec47a4a029a72661107985ac8d5f537cc0e98c78e5db1d760d609f3e04a1fd83265d6d1029d43d7ea2e62b8b8c9acf1d0492f45026c48c075034206c2bf9befa8f7902e44fe9cab93e912987a177fecddf80a0217a586836277faf2e032933a7fb57815cba2793d640a7e5614f4b7d2b4354ce6fbd13f059570a9bd3451415522b2b342bfd1003c90279cf0c11ba0d8a61d271fcb924e68e736f1555268811cfae984a315e0ccd0c0462eb215fbdddd3abf6b584fa98ef70906505b738340b67fc2448f7d82ebc7239b6cad543ece14f549b96ef0fcad930cd155b68f4bf923d452a6a4c4eda5382948de04a81d1ccef054936727b274a42c6dff65dc7edb5624742086ae1531f045374f4091d357f
[*] 192.168.56.105:3389   - Sending client confirm active PDU
[*] 192.168.56.105:3389   - Sending client synchronize PDU
[*] 192.168.56.105:3389   - Sending client control cooperate PDU
[*] 192.168.56.105:3389   - Grea2t!
[*] 192.168.56.105:3389   - Sending client control request control PDU
[*] 192.168.56.105:3389   - Sending client persistent key list PDU
[*] 192.168.56.105:3389   - Sending client font list PDU
[+] 192.168.56.105:3389   - The target is vulnerable.
[*] 192.168.56.105:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts 192.168.56.101
rhosts => 192.168.56.101
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.101:3389   - Verifying RDP protocol...
[-] 192.168.56.101:3389   - Error communicating RDP protocol.
[*] 192.168.56.101:3389   - Cannot reliably check exploitability.
[*] 192.168.56.101:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >
@wvu-r7

wvu-r7 approved these changes May 24, 2019

Copy link
Contributor

left a comment

:shipit:

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

(TL;DR: Good!)

Windows Server 2016 (x64)

Unpatched, with RDP enabled (no NLP):

[*] 192.168.220.139:3389  - Cannot reliably check exploitability.
[*] 192.168.220.139:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2016 is not supported, but does not crash, leave logs, or disrupt existing RDP connections.

@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

It's good to see CheckCode being used outside of exploits, btw.

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

@zerosum0x0 @jagotu: It's absolutely not a blocker, but to update, my Vista environment refuses to patch. termdd is not being updated after applying KB4499180. The patch executes, says it installs successfully, doesn't ask to reboot (unlike other OSes), and doesn't touch termdd.sys. Even after multiple reboots, termdd.sys hasn't been updated:

C:\windows\system32\drivers\termdd.sys
SHA1: 986514517f05ccf4c0e0988f2aa2b464be459e19
FileVersion: 6.0.6000.16386
Timestamp: 11/2/2006 7:03 AM

That said, it sounds like the patch is applying correctly for you guys, and I'm happy to trust your testing. Especially if it means I don't have to argue with Vista. :-P

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

TL;DR: We've collectively tested the code, including the latest commits for any regressions, against a variety of hosts. I'm happy to get this landed, as soon as I'm done writing some documentation. Thanks everyone! 😄

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

Quoting @tsellers-r7:
@asoto-r7 Does it work against 2016 with NLA disabled?

No, sir. In my testing, it did not: #11869 (comment)

@tsellers-r7

This comment has been minimized.

Copy link

commented May 24, 2019

Quoting @tsellers-r7:
@asoto-r7 Does it work against 2016 with NLA disabled?

No, sir. In my testing, it did not: #11869 (comment)

Yeah, I misread your comment so I deleted mine. Sorry about that.

@jagotu

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

@asoto-r7
Well, this is not necessarily related to the pull request, but based on the FileVersion... Are you sure you didn't install vista sp0 accidentally? The patch only works on sp2.

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

@asoto-r7
Well, this is not necessarily related to the pull request, but based on the FileVersion... Are you sure you didn't install vista sp0 accidentally? The patch only works on sp2.

@jagotu: Oh, good call! I hadn't realized and apparently the patch still reports success on SP0. 😬

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

(TL;DR: Still good!)

Windows Server 2012 R2 (x64)

[*] 192.168.220.130:3389  - The target is not exploitable.
[*] 192.168.220.130:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As with 2016, Windows Server 2012 is also not supported. The scanner does not crash, leave logs, or disrupt existing RDP connections. 👍

@asoto-r7 asoto-r7 merged commit 82debcb into rapid7:master May 24, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

asoto-r7 added a commit that referenced this pull request May 24, 2019

msjenkins-r7 added a commit that referenced this pull request May 24, 2019

@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

Module doc in fa70461. Thanks, everyone.

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented May 24, 2019

Release Notes

auxiliary/scanner/rdp/cve_2019_0708_bluekeep scans Windows workstations and servers against CVE-2019-0708 ("BlueKeep") to report the vulnerable state of Microsoft Windows targets running the Remote Desktop Protocol.

@zerosum0x0 zerosum0x0 deleted the RiskSense-Ops:bluekeep branch May 24, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.