MS16-007 CVE-2016-0019 Windows RDP Security Bypass

Timeline :

Vulnerability discovered and reported to the vendor by Gal Goldshtein and Viktor Minin of Citadel
Patched by the vendor through MS16-007 the 2016-01-12
Details of the vulnerability provided by Michael Schierl @mihi42 the 2016-01-12

PoC provided by :

Michael Schierl

Reference(s) :

CVE-2016-0019
MS16-007

Affected version(s) :

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 version 1511 for 32-bit Systems
Windows 10 version 1511 for x64-based Systems

Tested on :

Windows 10 for x64-based Systems with Microsoft Remote Desktop for Mac version 8.0.26

Description :

A security feature bypass vulnerability exists in Windows Remote Desktop Protocol (RDP) that is caused when Windows 10 hosts running RDP services fail to prevent remote logon to accounts that have no passwords set.

Demo :

- On the target Windows 10
Create a local user without password
Grant the created user RDP
- On the client
Add "enablecredsspsupport:i:0" in the ".RDP" file
Connect to the target with the username and without password

Luxembourg Critical Remote Management Applications Attack Surface

MS12-020 patch is now out since a month with associate DoS PoC’s available for pen tester’s and other populations how have not equivalent ethic. Lot of articles, blog posts have been written around CVE-2012-0002, a vulnerability discovered by Luigi Auriemma in May 2011, reported to ZDI in August 2011 and disclosed in a coordinated manner in March 2012.

One of these MS12-020 related articles was written by Dan Kaminsky, “RDP and the Critical Server Attack Surface“. This blog post fact to remember that some applications are more critical than others due to they’re roles and they’re expositions to Internet.

Dan has scan around 300 million IPs, who are representing around 8.3% of the Internet, and 415 thousands showed an open RDP (3389/TCP), a ratio of 0,14%. By extrapolation Dan has arrived to around 5 million RDP endpoints on the Internet. Hopefully for the Internet community (should I say for the sysadmins ?), despite the efforts by security researches (most on freenode #ms12-020), MS12-020 has “only” lead to a DoS exploit. Potentially 5 million BSoD’s (Blue Screen of Death), it is a blessing in disguise ?

In his article Dan Kaminsky has also remember us that other critical server attack surfaces are existing on Internet, such as TCP/IP, HTTP, SSL, SSH, DNS or SMTP, and that all these applications are playing potential essential roles for business.

I have done the same study for the Luxembourg landscape with around 550 000 IP addresses, but before giving my results I would like to explain you what is Luxembourg 🙂

If you don’t know, Luxembourg has the higher GDP in Europe and is classified in the top 3 of the list of countries by GDP per capita (Wikipedia source). Also more than 90% of population is using Internet and 82% of the population connect to Internet daily. Luxembourg became the geography with the highest ratio of malicious email activity in February 2012 regarding Symantec Intelligence Report.

Also Luxembourg has a total balance sheet of Euro 776 billion in credit institutions and the Luxembourg banking sector comprised 143 credit institutions from over 20 different countries (pwc Luxembourg source). All of these credit institutions are under the CSSF (Commission de Surveillance du Secteur Financier) surveillance and most of them are delegating their IT management to PSF (Professionals of the Financial Sector), also known as “Primary IT systems operators” and “Secondary IT systems and network operators“.

In conclusion most of the IP addresses assigned to Luxembourg have a potential high asset value for bad guys. Luxembourg IP addresses ranges assigned for Internet broadband access, have surely a bigger return on investment compared to other countries in case phishing or malware campaigns. Also IP addresses ranges assigned to professionals of the financial sector are surely hosting e-banking or fund transactions infrastructures, a prime target for cyber crime.

So, what are the results for Luxembourg, a country how normally should have a less ratio of exposition than others du to the fact that an IP address has a higher asset value than 300 million addresses arbitrary scanned. I have only focus on applications equivalent to RDP, these applications are known as “Remote Access Services” (RDP, ssh, telnet, VNC, PCAnywhere, Citrix, etc.).

In “2012 Verizon Data Breach Report“, “Remote Access Services” are noted “as continuing their rise in prevalence, as hacking vector, accounting for 88% of all breaches leveraging hacking techniques – more than any other vector“. Remote services accessible from the entire Internet, combined non patched applications, with default, weak, or stolen credentials continue to plague organizations. Scripted attacks seeking victims with known remote access ports, followed with issuance of known default vendor credentials, allow for targets of opportunity to be discovered and compromised in an automated and efficient manner.

Do you remember, Dan Kaminsky had discovered a ratio of 0,14% of open RDP on 300 million IPs. In Luxembourg, this ratio is 0,26%, twice Dan ratio. For ssh the ratio of open port is 0,79%, for telnet the ratio is 0,31% (still open telnet despite best practices ?), for VNC the ratio is 0,06% and for PCAnywhere the ratio is 0,02% (still open PCAnywhere despite the leaked source code ?).

Shouldn’t Luxembourg have a less ratios of open ports for “Remote Access Services” ? I think YES. But why are these ratios so important ? Surely because Security has fail in his mission, surely because Security is still understood as technical game and not as an insurance to protect the value of assets. Also maybe the cause could be that Internet is growing to fast and that the Internet grow speed don’t give the time to learn from errors. Internet maybe distort the reality, the memory and the time.

Just to remember a small list of vulnerabilities or backdoor’s how have target these critical remote server surfaces :

2012 :

  • SSH : cisco-sa-20120328-ssh – Cisco IOS Software Reverse SSH Denial of Service Vulnerability
  • RDP : CVE-2012-0002 – Microsoft Remote Desktop Protocol Remote Code Execution Vulnerability
  • PCAnywhere : OSVDB-79412 – PCAnywhere 12.5.0 build 463 Denial of Service
2011 :
  • Telnet : CVE-2011-4862 – FreeBSD Telnet Service Encryption Key ID Buffer Overflow
  • FTP : OSVDB-73573 – vsftpd-2.3.4 backdoor
  • SSH : EBD-ID-17462 – OpenSSH 3.5p1 Remote Root Exploit for FreeBSD
2010 :
  • SMTP : CVE-2010-4344 – Exim4 <= 4.69 string_format Function Heap Buffer Overflow
  • FTP : OSVDB-69562 –  ProFTPD 1.3.3c compromised source remote root Trojan
  • FTP : CVE-2010-3867 – ProFTPD IAC Remote Root Exploit
  • FTP : OSVDB-62134 – Easy FTP Server v1.7.0.11 Multiple Commands Remote Buffer Overflow Exploit (Post Auth)
2009 :
  • FTP : CVE-2009-3023 – Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)
2008 :
  • DNS : CVE-2008-1447 – Remote DNS Cache Poisoning Flaw Exploit
  • SSH : CVE-2008-0166 – Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
Etc. Etc.

MS12-020 Microsoft Remote Desktop (RDP) DoS Metasploit Demo

Timeline :

Vulnerability found by Luigi Auriemma the 2011-05-16
Vulnerability reported by Luigi Auriemma to ZDI
Vulnerability reported to the vendor by ZDI the 2011-08-24
Coordinated public release of the vulnerability the 2012-03-13
Metasploit PoC provided the 2012-03-19
Details of the vulnerability published by Luigi Auriemma the 2012-05-16

PoC provided by :

Luigi Auriemma
Daniel Godas-Lopez
Alex Ionescu
jduck

Reference(s) :

CVE-2012-0002
MS12-020
ZDI-12-044
OSVDB-80004

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP2
Windows Vista x64 SP2
Windows Server 2008 32 SP2
Windows Server 2008 x64 SP2
Windows 7 for 32 and Windows 7 32 SP1
Windows 7 for x64 and Windows 7 for x64 SP1
Windows Server 2008 R2 x64 and Windows Server 2008 R2 x64 SP1

Tested on Windows XP Pro SP3

Description :

This module exploits the MS12-020 RDP vulnerability originally discovered and reported by Luigi Auriemma. The flaw can be found in the way the T.125 ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result an invalid pointer being used, therefore causing a denial-of-service condition.

Commands :

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
SET RHOST 192.168.178.22
exploit