
Bluekeep (CVE-2019-0708): add TLS, document blobs, refactor #11932

Merged
merged 12 commits into from Jun 15, 2019

5 participants
@TomSellers
Contributor

commented Jun 2, 2019

This PR makes changes to the BlueKeep ( CVE-2019-0708 ) auxiliary scanner module which:

  • Adds TLS support which should enable checking servers which require TLS to connect.
  • Documents most of the binary blobs which should enable easier improvements such as setting user names, hostnames, and IPs.
  • UPDATED - Implements user control of username, hostname, domain name, and IP address. This should reduce the ability to fingerprint this module and allow testers to better blend in with the target network.
  • Refactors the code to remove duplication and prepare for possible migration of code to a RDP library.

Known issues

  1. FIXED - If Server 2008 is configured to only allow RDP Security this will fail to fall back. I know the root cause and will address tonight or tomorrow.
  2. FIXED - This PR doesn't yet change the username, hostname, or IP. I may go ahead and add it in this PR depending on the feedback and the time I have available to work on this PR.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • scanner/rdp/cve_2019_0708_bluekeep
  • Set RHOSTS as needed
  • Set VERBOSE as needed
  • Verify the correct vulnerability state is output when run
  • Verify the thing does not do what it should not

Testing output

Windows XP SP3, UNpatched, RDP Security

[*] 192.168.50.137:3389   - Verifying RDP protocol...
[*] 192.168.50.137:3389   - Server requests RDP Security
[*] 192.168.50.137:3389   - Sending erect domain request
[*] 192.168.50.137:3389   - Sending security exchange PDU
[*] 192.168.50.137:3389   - Sending client info PDU
[*] 192.168.50.137:3389   - Received License packet
[*] 192.168.50.137:3389   - Received Server Demand packet
[*] 192.168.50.137:3389   - Sending client confirm active PDU
[*] 192.168.50.137:3389   - Sending client synchronize PDU
[*] 192.168.50.137:3389   - Sending client control cooperate PDU
[*] 192.168.50.137:3389   - Sending client control request control PDU
[*] 192.168.50.137:3389   - Sending client persistent key list PDU
[*] 192.168.50.137:3389   - Sending client font list PDU
[+] 192.168.50.137:3389   - The target is vulnerable.                 <-----------
[*] 192.168.50.137:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows XP SP3, patched, RDP Security

[*] 192.168.50.196:3389   - Verifying RDP protocol...
[*] 192.168.50.196:3389   - Server requests RDP Security
[*] 192.168.50.196:3389   - Sending erect domain request
[*] 192.168.50.196:3389   - Sending security exchange PDU
[*] 192.168.50.196:3389   - Sending client info PDU
[*] 192.168.50.196:3389   - Received License packet
[*] 192.168.50.196:3389   - Received Server Demand packet
[*] 192.168.50.196:3389   - Sending client confirm active PDU
[*] 192.168.50.196:3389   - Sending client synchronize PDU
[*] 192.168.50.196:3389   - Sending client control cooperate PDU
[*] 192.168.50.196:3389   - Sending client control request control PDU
[*] 192.168.50.196:3389   - Sending client persistent key list PDU
[*] 192.168.50.196:3389   - Sending client font list PDU
[*] 192.168.50.196:3389   - The target is not exploitable.                 <-----------
[*] 192.168.50.196:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2008 Service Pack 2, UNpatched, Security Layer: RDP Security

This is a bug that I'll fix before it lands. FIXED

[*] 192.168.50.129:3389   - Verifying RDP protocol...
[*] 192.168.50.129:3389   - Server requests NLA security which mitigates this vulnerability.
[*] 192.168.50.129:3389   - The target is not exploitable.
[*] 192.168.50.129:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2008 Service Pack 2, UNpatched, Security Layer: Negotiate

[*] 192.168.50.129:3389   - Verifying RDP protocol...
[*] 192.168.50.129:3389   - Server requests TLS                 <-----------
[*] 192.168.50.129:3389   - Sending erect domain request
[*] 192.168.50.129:3389   - Sending client info PDU
[*] 192.168.50.129:3389   - Received License packet
[*] 192.168.50.129:3389   - Received Server Demand packet
[*] 192.168.50.129:3389   - Sending client confirm active PDU
[*] 192.168.50.129:3389   - Sending client synchronize PDU
[*] 192.168.50.129:3389   - Sending client control cooperate PDU
[*] 192.168.50.129:3389   - Sending client control request control PDU
[*] 192.168.50.129:3389   - Sending client persistent key list PDU
[*] 192.168.50.129:3389   - Sending client font list PDU
[+] 192.168.50.129:3389   - The target is vulnerable.                 <-----------
[*] 192.168.50.129:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2008 Service Pack 2, UNpatched, Security Layer: SSL (TLS 1.0)

[*] 192.168.50.129:3389   - Verifying RDP protocol...
[*] 192.168.50.129:3389   - Server requests TLS                 <-----------
[*] 192.168.50.129:3389   - Sending erect domain request
[*] 192.168.50.129:3389   - Sending client info PDU
[*] 192.168.50.129:3389   - Received License packet
[*] 192.168.50.129:3389   - Received Server Demand packet
[*] 192.168.50.129:3389   - Sending client confirm active PDU
[*] 192.168.50.129:3389   - Sending client synchronize PDU
[*] 192.168.50.129:3389   - Sending client control cooperate PDU
[*] 192.168.50.129:3389   - Sending client control request control PDU
[*] 192.168.50.129:3389   - Sending client persistent key list PDU
[*] 192.168.50.129:3389   - Sending client font list PDU
[+] 192.168.50.129:3389   - The target is vulnerable.                 <-----------
[*] 192.168.50.129:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2008 Service Pack 2, UNpatched, NLA required

[*] 192.168.50.129:3389   - Verifying RDP protocol...
[*] 192.168.50.129:3389   - Server requests NLA security which mitigates this vulnerability.                <-----------
[*] 192.168.50.129:3389   - The target is not exploitable.                <-----------
[*] 192.168.50.129:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2016, NLA OPTIONAL (TLS)

[*] 192.168.50.143:3389   - Verifying RDP protocol...
[*] 192.168.50.143:3389   - Server requests TLS                <-----------
[*] 192.168.50.143:3389   - Sending erect domain request
[*] 192.168.50.143:3389   - Sending client info PDU
[*] 192.168.50.143:3389   - Received License packet
[*] 192.168.50.143:3389   - Received Server Demand packet
[*] 192.168.50.143:3389   - Sending client confirm active PDU
[*] 192.168.50.143:3389   - Sending client synchronize PDU
[*] 192.168.50.143:3389   - Sending client control cooperate PDU
[*] 192.168.50.143:3389   - Sending client control request control PDU
[*] 192.168.50.143:3389   - Sending client persistent key list PDU
[*] 192.168.50.143:3389   - Sending client font list PDU
[*] 192.168.50.143:3389   - The target is not exploitable.                <-----------
[*] 192.168.50.143:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2016, NLA REQUIRED

[*] 192.168.50.143:3389   - Verifying RDP protocol...
[*] 192.168.50.143:3389   - Server requests NLA security which mitigates this vulnerability.                <-----------
[*] 192.168.50.143:3389   - The target is not exploitable.                <-----------
[*] 192.168.50.143:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2019, NLA OPTIONAL (TLS)

[*] 192.168.50.105:3389   - Verifying RDP protocol...
[*] 192.168.50.105:3389   - Server requests TLS              <-----------
[*] 192.168.50.105:3389   - Sending erect domain request
[*] 192.168.50.105:3389   - Sending client info PDU
[*] 192.168.50.105:3389   - Received License packet
[*] 192.168.50.105:3389   - Received Server Demand packet
[*] 192.168.50.105:3389   - Sending client confirm active PDU
[*] 192.168.50.105:3389   - Sending client synchronize PDU
[*] 192.168.50.105:3389   - Sending client control cooperate PDU
[*] 192.168.50.105:3389   - Sending client control request control PDU
[*] 192.168.50.105:3389   - Sending client persistent key list PDU
[*] 192.168.50.105:3389   - Sending client font list PDU
[*] 192.168.50.105:3389   - The target is not exploitable.              <-----------
[*] 192.168.50.105:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Windows Server 2019, NLA REQUIRED

[*] 192.168.50.105:3389   - Verifying RDP protocol...
[*] 192.168.50.105:3389   - Server requests NLA security which mitigates this vulnerability.              <-----------
[*] 192.168.50.105:3389   - The target is not exploitable.              <-----------
[*] 192.168.50.105:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
@TomSellers

Contributor Author

commented Jun 2, 2019

@wvu-r7 FYI

@TomSellers TomSellers changed the title Bluekeep: add TLS, refactor Bluekeep (CVE-2019-0708): add TLS, document blobs, refactor Jun 2, 2019

@wvu-r7 wvu-r7 changed the title Bluekeep (CVE-2019-0708): add TLS, document blobs, refactor [WIP] Bluekeep (CVE-2019-0708): add TLS, document blobs, refactor Jun 2, 2019

@tsellers-r7


commented Jun 2, 2019

I tried to move anything that looked like a candidate for a RDP library to the end.

@TomSellers

Contributor Author

commented Jun 3, 2019

I've addressed the bug where the code wouldn't correctly renegotiate if the target was configured to force RDP Standard Security.

Windows Server 2008 Service Pack 2, UNpatched, Security Layer: RDP Security

[*] 192.168.50.129:3389   - Verifying RDP protocol...
[*] 192.168.50.129:3389   - Attempting to connect using TLS security
[*] 192.168.50.129:3389   - Attempt to connect with TLS failed with error: SSL_NOT_ALLOWED_BY_SERVER             <-----------
[*] 192.168.50.129:3389   - Attempting to connect using Standard RDP security             <-----------
[*] 192.168.50.129:3389   - Server requests RDP Security
[*] 192.168.50.129:3389   - Sending erect domain request
[*] 192.168.50.129:3389   - Sending security exchange PDU
[*] 192.168.50.129:3389   - Sending client info PDU
[*] 192.168.50.129:3389   - Received License packet
[*] 192.168.50.129:3389   - Received Server Demand packet
[*] 192.168.50.129:3389   - Sending client confirm active PDU
[*] 192.168.50.129:3389   - Sending client synchronize PDU
[*] 192.168.50.129:3389   - Sending client control cooperate PDU
[*] 192.168.50.129:3389   - Sending client control request control PDU
[*] 192.168.50.129:3389   - Sending client persistent key list PDU
[*] 192.168.50.129:3389   - Sending client font list PDU
[+] 192.168.50.129:3389   - The target is vulnerable.             <-----------
[*] 192.168.50.129:3389   - Scanned 1 of 1 hosts (100% complete)

There is a change in the output as well that indicates when dealing with Windows XP which doesn't return a full Negotiation Response packet.

Windows XP SP3, UNpatched, RDP Security

[*] 192.168.50.137:3389   - Verifying RDP protocol...
[*] 192.168.50.137:3389   - Attempting to connect using TLS security
[*] 192.168.50.137:3389   - Attempt to connect with TLS failed but looks like the target is Windows XP            <-----------
[*] 192.168.50.137:3389   - Attempting to connect using Standard RDP security            <-----------
[*] 192.168.50.137:3389   - Server requests RDP Security
[*] 192.168.50.137:3389   - Sending erect domain request
[*] 192.168.50.137:3389   - Sending security exchange PDU
[*] 192.168.50.137:3389   - Sending client info PDU
[*] 192.168.50.137:3389   - Received License packet
[*] 192.168.50.137:3389   - Received Server Demand packet
[*] 192.168.50.137:3389   - Sending client confirm active PDU
[*] 192.168.50.137:3389   - Sending client synchronize PDU
[*] 192.168.50.137:3389   - Sending client control cooperate PDU
[*] 192.168.50.137:3389   - Sending client control request control PDU
[*] 192.168.50.137:3389   - Sending client persistent key list PDU
[*] 192.168.50.137:3389   - Sending client font list PDU
[+] 192.168.50.137:3389   - The target is vulnerable.            <-----------
[*] 192.168.50.137:3389   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
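The TLS-to-RDP-Security fallback and the Windows XP special case in the output above both come down to what the server puts in its X.224 Connection Confirm. As an added illustration (not the module's own code), here is a Ruby parser for that reply, following the RDP_NEG_RSP / RDP_NEG_FAILURE layout from MS-RDPBCGR, plus the decision a scanner would take from it; the sample packets are constructed, not captured.

```ruby
# Values from MS-RDPBCGR: RDP_NEG_RSP selectedProtocol and RDP_NEG_FAILURE failureCode
PROTOCOL_RDP    = 0
PROTOCOL_SSL    = 1
PROTOCOL_HYBRID = 2
TYPE_RDP_NEG_RSP     = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
NEG_FAILURE_CODES = {
  1 => 'SSL_REQUIRED_BY_SERVER', 2 => 'SSL_NOT_ALLOWED_BY_SERVER',
  3 => 'SSL_CERT_NOT_ON_SERVER', 4 => 'INCONSISTENT_FLAGS',
  5 => 'HYBRID_REQUIRED_BY_SERVER', 6 => 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER'
}.freeze

# Parses a TPKT-framed X.224 Connection Confirm and reports what the server decided.
def parse_connection_confirm(pkt)
  pkt = pkt.b
  raise 'short packet' if pkt.bytesize < 11
  raise 'not TPKT' unless pkt.getbyte(0) == 0x03
  raise 'TPKT length mismatch' unless pkt.byteslice(2, 2).unpack1('n') == pkt.bytesize
  li = pkt.getbyte(4)                        # X.224 length indicator, excludes itself
  raise 'X.224 length mismatch' unless pkt.bytesize == 5 + li
  raise 'not a Connection Confirm' unless (pkt.getbyte(5) & 0xF0) == 0xD0
  neg = pkt.byteslice(11, pkt.bytesize - 11) # rdpNegData follows the 7-byte CC header
  # Servers without the negotiation extension (Windows XP / 2003 style) send a bare CC
  return { mode: :legacy, protocol: PROTOCOL_RDP } if neg.bytesize < 8
  type, _flags, length, value = neg.unpack('CCvV')
  raise 'bad rdpNegData length' unless length == 8
  case type
  when TYPE_RDP_NEG_RSP then { mode: :negotiated, protocol: value }
  when TYPE_RDP_NEG_FAILURE
    name = NEG_FAILURE_CODES.fetch(value) { format('UNKNOWN_0x%08x', value) }
    { mode: :failure, failure: name }
  else raise "unexpected rdpNegData type #{type}"
  end
end

# Maps the parse result to the scanner's next action, mirroring the log lines above.
def next_step(result)
  case result[:mode]
  when :legacy  then :standard_rdp_security
  when :failure then result[:failure] == 'SSL_NOT_ALLOWED_BY_SERVER' ? :standard_rdp_security : :abort
  else
    case result[:protocol]
    when PROTOCOL_RDP then :standard_rdp_security
    when PROTOCOL_SSL then :tls
    else :nla_mitigated                      # PROTOCOL_HYBRID and newer need CredSSP first
    end
  end
end

# Constructed sample replies (not captured from a real server)
CC_HDR    = "\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00".b
CC_LEGACY = "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00".b
CC_TLS    = CC_HDR + "\x02\x00\x08\x00\x01\x00\x00\x00".b
CC_NLA    = CC_HDR + "\x02\x00\x08\x00\x02\x00\x00\x00".b
CC_NO_TLS = CC_HDR + "\x03\x00\x08\x00\x02\x00\x00\x00".b
```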

@wvu-r7 wvu-r7 self-assigned this Jun 4, 2019

TomSellers added some commits Jun 4, 2019

@zerosum0x0

Contributor

commented Jun 4, 2019

@TomSellers You might want to also add something similar to this fix I did to receive one full TPKT at a time.

RiskSense-Ops@59e815f

@tsellers-r7


commented Jun 4, 2019

> @TomSellers You might want to also add something similar to this fix I did to receive one full TPKT at a time.
>
> RiskSense-Ops@59e815f

Thanks for the heads up on this. It breaks a bit on the fast path PDUs which aren't wrapped in TPKT but I can address that.
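The framing problem raised in this exchange, as an added example rather than code from either commit: a reader that pulls exactly one PDU off the stream at a time, using the TPKT length for TPKT-framed packets and the one- or two-byte length1/length2 encoding for fast-path PDUs (which carry no TPKT header). The sample stream is constructed.

```ruby
require 'stringio'

# Reads exactly n bytes, looping because sockets may return short reads.
def read_exact(io, n)
  buf = +''
  while buf.bytesize < n
    chunk = io.read(n - buf.bytesize)
    raise EOFError, "stream ended after #{buf.bytesize} of #{n} bytes" if chunk.nil? || chunk.empty?
    buf << chunk
  end
  buf
end

# Returns [kind, bytes] for the next complete PDU, or nil at end of stream.
def read_rdp_pdu(io)
  first = io.read(1)
  return nil if first.nil?
  b0 = first.unpack1('C')
  if b0 == 0x03
    # TPKT: version(1)=3, reserved(1), length(2) big-endian, counts the header too
    rest  = read_exact(io, 3)
    total = rest.byteslice(1, 2).unpack1('n')
    raise "bad TPKT length #{total}" if total < 4
    [:tpkt, first + rest + read_exact(io, total - 4)]
  elsif (b0 & 0x03) == 0
    # Fast-path: action bits are 0; if length1's MSB is set, length spans two bytes
    len1 = read_exact(io, 1)
    l1   = len1.unpack1('C')
    if (l1 & 0x80) != 0
      len2   = read_exact(io, 1)
      total  = ((l1 & 0x7f) << 8) | len2.unpack1('C')
      header = first + len1 + len2
    else
      total  = l1
      header = first + len1
    end
    raise "bad fast-path length #{total}" if total < header.bytesize
    [:fastpath, header + read_exact(io, total - header.bytesize)]
  else
    raise "unrecognised PDU header byte 0x#{b0.to_s(16)}"
  end
end

# Drains a stream into a list of [kind, bytes] pairs.
def read_all_pdus(io)
  pdus = []
  while (pdu = read_rdp_pdu(io))
    pdus << pdu
  end
  pdus
end

# Constructed sample stream: a TPKT-framed PDU, a short fast-path PDU,
# and a fast-path PDU whose length needs the two-byte form.
SAMPLE_STREAM = [
  "\x03\x00\x00\x08\x02\xf0\x80\x00".b,          # TPKT, length 8
  "\x00\x05\xaa\xbb\xcc".b,                      # fast-path, length1 = 5
  "\x00\x80\x83".b + ("\x41" * 0x80).b           # fast-path, length 0x0083 = 131
].join.b
```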

TomSellers added some commits Jun 11, 2019

@wvu-r7

Contributor

commented Jun 11, 2019

Hey, @tsellers-r7. Did you need any help working on this?

@TomSellers

Contributor Author

commented Jun 11, 2019

@wvu-r7 - Thanks, I've been traveling and unable to work on it. Just pushed some changes to allow users to configure username, client name, etc. I need to retest against my lab. If you have any feedback I'm probably ready for it. Thanks much

@TomSellers TomSellers changed the title [WIP] Bluekeep (CVE-2019-0708): add TLS, document blobs, refactor Bluekeep (CVE-2019-0708): add TLS, document blobs, refactor Jun 12, 2019

@TomSellers

Contributor Author

commented Jun 12, 2019

I've implemented user control of username, hostname, domain name, and IP address. This should reduce the ability to fingerprint this module and allow testers to better blend in with the target network.

The client random value used during RDP Security is now a random value.

TomSellers and others added some commits Jun 12, 2019

@wvu-r7

Contributor

commented Jun 15, 2019

msf5 > use bluekeep

Matching Modules
================

   #  Name                                          Disclosure Date  Rank    Check  Description
   -  ----                                          ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep  2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check


[*] Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts 192.168.56.101,105
rhosts => 192.168.56.101,105
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > options

Module options (auxiliary/scanner/rdp/cve_2019_0708_bluekeep):

   Name             Current Setting     Required  Description
   ----             ---------------     --------  -----------
   RDP_CLIENT_IP    192.168.0.100       yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  rdesktop            no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                           no        The client domain name to report during connect
   RDP_USER                             no        The username to report during connect, UNSET = random
   RHOSTS           192.168.56.101,105  yes       The target address range or CIDR identifier
   RPORT            3389                yes       The target port (TCP)
   THREADS          1                   yes       The number of concurrent threads

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] 192.168.56.101:3389   - Verifying RDP protocol...
[*] 192.168.56.101:3389   - Attempting to connect using TLS security
[*] 192.168.56.101:3389   - Server requests TLS
[*] 192.168.56.101:3389   - Sending erect domain request
[*] 192.168.56.101:3389   - Sending client info PDU
[*] 192.168.56.101:3389   - Received License packet
[*] 192.168.56.101:3389   - Waiting for Server Demand packet
[*] 192.168.56.101:3389   - Received Server Demand packet
[*] 192.168.56.101:3389   - Sending client confirm active PDU
[*] 192.168.56.101:3389   - Sending client synchronize PDU
[*] 192.168.56.101:3389   - Sending client control cooperate PDU
[*] 192.168.56.101:3389   - Sending client control request control PDU
[*] 192.168.56.101:3389   - Sending client input sychronize PDU
[*] 192.168.56.101:3389   - Sending client font list PDU
[*] 192.168.56.101:3389   - Sending patch check payloads
[*] 192.168.56.101:3389   - The target is not exploitable.
[*] 192.168.56.101,105:3389 - Scanned 1 of 2 hosts (50% complete)
[*] 192.168.56.105:3389   - Verifying RDP protocol...
[*] 192.168.56.105:3389   - Attempting to connect using TLS security
[*] 192.168.56.105:3389   - Server requests TLS
[*] 192.168.56.105:3389   - Sending erect domain request
[*] 192.168.56.105:3389   - Sending client info PDU
[*] 192.168.56.105:3389   - Received License packet
[*] 192.168.56.105:3389   - Waiting for Server Demand packet
[*] 192.168.56.105:3389   - Received Server Demand packet
[*] 192.168.56.105:3389   - Sending client confirm active PDU
[*] 192.168.56.105:3389   - Sending client synchronize PDU
[*] 192.168.56.105:3389   - Sending client control cooperate PDU
[*] 192.168.56.105:3389   - Sending client control request control PDU
[*] 192.168.56.105:3389   - Sending client input sychronize PDU
[*] 192.168.56.105:3389   - Sending client font list PDU
[*] 192.168.56.105:3389   - Sending patch check payloads
[+] 192.168.56.105:3389   - The target is vulnerable.
[*] 192.168.56.101,105:3389 - Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) >
@wvu-r7

Contributor

commented Jun 15, 2019

Release Notes

TLS support and documented packets have been added to the BlueKeep scanner module (CVE-2019-0708).

wvu-r7 added a commit to wvu-r7/metasploit-framework that referenced this pull request Jun 15, 2019

@wvu-r7 wvu-r7 merged commit 3d8b474 into rapid7:master Jun 15, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

@TomSellers TomSellers deleted the TomSellers:bluekeep_enable_tls_refactor branch Jun 15, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 16, 2019
