DoS tests via RDP and forensic analysis of the traffic
Date: 20 May 2015   Class: CCNA Security
Scenario
This scenario was carried out with real equipment: a Cisco 2801 router acting as a ZBF (zone-based firewall), a machine running Kali Linux with the Metasploit tool, and a Windows 2008 server.
Port forwarding was configured for TCP ports 3389 and 80 so that the respective services could be reached from "the outside".
1.- Initial test
Connectivity is checked with ping and an nmap session is run to detect the open ports on the target.
2.- Running the script to detect vulnerabilities in RDP
D:\nmap>nmap 200.0.0.1 --script=rdp-vuln-ms12-020.nse
(layer-7 vulnerability test of the RDP port)
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-21 11:41 Hora est. de Sudamérica E.
Nmap scan report for 200.0.0.1
---abridged---
3389/tcp open  ms-wbt-server
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|     Description:
|       Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     Description:
|       Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
---abridged---
Nmap done: 1 IP address (1 host up) scanned in 3.66 seconds
3.- DoS attack
Metasploit is run, selecting the attack type and configuring the target IP.
4.- We verify on the RDP server
5.- Traffic involved (see the information about the exploit at the end of the document)
The traffic capture was taken after the static NAT, between the firewall and the server, which is why the destination IP seen is 192.168.1.10, the server's real IP.
6.- Detail of frame #9, the one that actually carries out the attack
Frame 9: 276 bytes on wire (2208 bits), 276 bytes captured (2208 bits) on interface 0
Ethernet II, Src: 00:25:45:1e:73:4c (00:25:45:1e:73:4c), Dst: 00:1e:8c:1e:24:f7 (00:1e:8c:1e:24:f7)
Internet Protocol Version 4, Src: 200.0.0.10 (200.0.0.10), Dst: 192.168.1.10 (192.168.1.10)
Transmission Control Protocol, Src Port: 50033 (50033), Dst Port: 3389 (3389), Seq: 1, Ack: 1, Len: 210
TPKT, Version: 3, Length: 19
ISO 8073 COTP Connection-Oriented Transport Protocol
[Malformed Packet: T.125]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
TPKT, Version: 3, Length: 106
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
[Malformed Packet: T.124]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 8
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 12
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
TPKT, Version: 3, Length: 9
ISO 8073 COTP Connection-Oriented Transport Protocol
MULTIPOINT-COMMUNICATION-SERVICE T.125
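As an added example (it is not part of the original lab report nor of the MS12-020 advisory quoted in section 11), the following Python script walks the chain of TPKT segments that frame 9 above shows stacked inside one TCP segment and applies the two checks a defender would want over such traffic: a TPKT whose declared length does not fit the data (the "Malformed Packet" Wireshark reports) and a T.125 Connect-Initial whose maxChannelIds is 5 or less, the condition the bug description in section 11 identifies. The Connect-Initial layout is taken from ITU-T T.125 (the two domain selectors, upwardFlag, then targetParameters with maxChannelIds as its first INTEGER); the sample payloads, including the minimal COTP Connection Request and the 32-bit BER integers, are constructed here for offline testing and are not captured traffic.

```python
"""Walk the TPKT / COTP / T.125 chain inside one RDP TCP payload, the framing
shown in the frame 9 dissection above, and flag what the MS12-020 advisory
points at: broken TPKT framing and a Connect-Initial whose maxChannelIds <= 5.
The sample payloads at the bottom are constructed for offline testing."""
import struct

TPKT_VERSION = 3
COTP_DT = 0xF0                       # COTP Data TPDU type (02 f0 80)
CONNECT_INITIAL_TAG = b"\x7f\x65"    # T.125 Connect-Initial, [APPLICATION 101]
MAX_CHANNEL_IDS_LIMIT = 5            # advisory: a value <= 5 triggers the bug


def ber_length(buf, pos):
    """Decode a BER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                 # short form
        return first, pos
    n = first & 0x7F                 # long form: n more length bytes follow
    if n == 0 or pos + n > len(buf):
        raise ValueError("bad BER length at offset %d" % (pos - 1))
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def ber_tlv(buf, pos, tag):
    """Read one TLV with a one-byte tag; return (value_bytes, next_pos)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    length, pos = ber_length(buf, pos + 1)
    if pos + length > len(buf):
        raise ValueError("TLV at offset %d runs past the data" % pos)
    return buf[pos:pos + length], pos + length


def max_channel_ids(mcs):
    """Return maxChannelIds from a Connect-Initial PDU. Per T.125 the body is
    callingDomainSelector, calledDomainSelector, upwardFlag, then
    targetParameters SEQUENCE whose first INTEGER is maxChannelIds."""
    if not mcs.startswith(CONNECT_INITIAL_TAG):
        raise ValueError("not a Connect-Initial")
    total, pos = ber_length(mcs, 2)
    body, pos = mcs[pos:pos + total], 0
    for tag in (0x04, 0x04, 0x01):
        _, pos = ber_tlv(body, pos, tag)
    target, _ = ber_tlv(body, pos, 0x30)
    value, _ = ber_tlv(target, 0, 0x02)
    return int.from_bytes(value, "big")


def walk_tpkt(payload):
    """Split a TCP payload into TPKT segments; one dict of findings per segment."""
    segments, pos = [], 0
    while pos < len(payload):
        seg = {"offset": pos, "findings": []}
        segments.append(seg)
        if pos + 4 > len(payload) or payload[pos] != TPKT_VERSION:
            seg["findings"].append("malformed: no TPKT header")
            break
        length = struct.unpack("!H", payload[pos + 2:pos + 4])[0]
        seg["length"] = length
        # 4-byte TPKT header plus at least a 3-byte COTP header must fit
        if length < 7 or pos + length > len(payload):
            seg["findings"].append("malformed: TPKT length %d" % length)
            break
        cotp = payload[pos + 4:pos + length]
        seg["cotp_type"] = cotp[1]
        if cotp[1] == COTP_DT and cotp[3:].startswith(CONNECT_INITIAL_TAG):
            try:
                n = max_channel_ids(cotp[3:])
                seg["max_channel_ids"] = n
                if n <= MAX_CHANNEL_IDS_LIMIT:
                    seg["findings"].append("maxChannelIds=%d <= %d" % (n, MAX_CHANNEL_IDS_LIMIT))
            except ValueError as exc:
                seg["findings"].append("malformed Connect-Initial: %s" % exc)
        pos += length
    return segments


def findings(payload):
    """Flat list of every finding over the whole payload."""
    return [f for seg in walk_tpkt(payload) for f in seg["findings"]]


# --- constructed samples (not captured traffic) -----------------------------
def tpkt(cotp):
    return b"\x03\x00" + struct.pack("!H", 4 + len(cotp)) + cotp


def connect_initial(max_channel_ids):
    """Connect-Initial with 32-bit BER integers, the width the advisory mentions."""
    def params(first):
        ints = b"".join(b"\x02\x04" + struct.pack("!I", v)
                        for v in (first, 2, 0, 1, 0, 1, 65535, 2))
        return b"\x30" + bytes([len(ints)]) + ints
    body = (b"\x04\x01\x01" + b"\x04\x01\x01" + b"\x01\x01\xff"
            + params(max_channel_ids) + params(1) + params(65535) + b"\x04\x00")
    return CONNECT_INITIAL_TAG + b"\x81" + bytes([len(body)]) + body


COTP_CR = b"\x06\xe0\x00\x00\x00\x00\x00"          # minimal Connection Request
NORMAL = tpkt(COTP_CR) + tpkt(b"\x02\xf0\x80" + connect_initial(34))
SUSPECT = (tpkt(COTP_CR) + tpkt(b"\x02\xf0\x80" + connect_initial(1))
           + b"\x03\x00\x00\x13")                   # trailing TPKT claims 19 bytes, truncated

if __name__ == "__main__":
    for name, payload in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, findings(payload))
```

Run it directly to see the findings for both samples, or pass a real TCP payload (for instance the 210-byte segment of frame 9 exported from Wireshark) to walk_tpkt() to get one dict per TPKT segment. A production signature would also track connection state, since a Connect-Initial is only meaningful right after the X.224 connection request has been answered.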
7.- Reaction on the firewall
Since this is a layer-7 attack, the stateful ZBF firewall does not register any anomaly; alarms could be raised by the IPS, but the installed signatures do not cover this attack.
Firewall#show policy-map type inspect zone-pair session

 Zone-pair: segura-insegura
  Service-policy inspect : policy1

   Class-map: ICMP (match-any)
    Match: protocol icmp
      0 packets, 0 bytes
      30 second rate 0 bps
    Inspect

   Class-map: saliente (match-any)
    Match: protocol ftp
      0 packets, 0 bytes
      30 second rate 0 bps
    Match: protocol http
      0 packets, 0 bytes
      30 second rate 0 bps
    Match: protocol dns
      1 packets, 42 bytes
      30 second rate 0 bps
    Inspect

   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
      0 packets, 0 bytes

 Zone-pair: insegura-segura
  Service-policy inspect : policy2

   Class-map: ccp-cls-policy2-1 (match-all)
    Match: class-map match-any NetBios
     Match: protocol netbios-dgm
       0 packets, 0 bytes
       30 second rate 0 bps
     Match: protocol netbios-ssn
       0 packets, 0 bytes
       30 second rate 0 bps
    Match: access-group name NetBios
    Inspect

   Class-map: entrante (match-any)
    Match: protocol http
      0 packets, 0 bytes
      30 second rate 0 bps
    Inspect

   Class-map: ICMP (match-any)
    Match: protocol icmp
      0 packets, 0 bytes
      30 second rate 0 bps
    Inspect

   Class-map: RDP (match-any)
    Match: access-group name RDP
      4 packets, 144 bytes
      30 second rate 0 bps
    Inspect
     Half-open Sessions   (the attack session; after the RST there were several SYNs, see frames #34 to #37)
      Session 6437AF0C (200.0.0.10:40883)=>(192.168.1.10:3389) tcp SIS_OPENING
        Created 00:00:28, Last heard 00:00:21
        Bytes sent (initiator:responder) [0:0]
     Established Sessions   (the monitoring session, which was interrupted at the moment of the attack)
      Session 6437AF0C (200.0.0.110:49397)=>(192.168.1.10:3389) tcp SIS_OPEN
        Created 00:00:07, Last heard 00:00:06
        Bytes sent (initiator:responder) [47:19]

   Class-map: class-default (match-any)
    Match: any
    Drop (default action)
      0 packets, 0 bytes
Firewall#
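Added example (not from the original report): since the only trace the ZBF kept of the attack is the half-open session listed above, this Python snippet parses the session table of `show policy-map type inspect zone-pair session` and reports, per initiator, half-open sessions that have outlived a threshold and established sessions whose responder never sent a byte. The sample text is a constructed excerpt built from the lines shown above; the 10-second threshold and the field names in the parsed records are assumptions of this example, not anything the IOS output defines.

```python
"""Parse the session table from a Cisco ZBF `show policy-map type inspect
zone-pair session` and pick out the sessions worth a closer look. In the lab
above the stateful inspection saw nothing wrong with the layer-7 attack; the
only trace it left was a half-open session, which is what this flags.
SAMPLE is a constructed excerpt modelled on the output shown above."""
import re

SAMPLE = """\
      Class-map: RDP (match-any)
        Match: access-group name RDP
          4 packets, 144 bytes
          30 second rate 0 bps
        Inspect
          Half-open Sessions
           Session 6437AF0C (200.0.0.10:40883)=>(192.168.1.10:3389) tcp SIS_OPENING
             Created 00:00:28, Last heard 00:00:21
             Bytes sent (initiator:responder) [0:0]
          Established Sessions
           Session 6437AF0C (200.0.0.110:49397)=>(192.168.1.10:3389) tcp SIS_OPEN
             Created 00:00:07, Last heard 00:00:06
             Bytes sent (initiator:responder) [47:19]
      Class-map: class-default (match-any)
        Match: any
        Drop (default action)
          0 packets, 0 bytes
"""

SESSION_RE = re.compile(
    r"Session (?P<id>[0-9A-F]+) \((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\) (?P<proto>\w+) (?P<state>SIS_\w+)")
TIMES_RE = re.compile(r"Created (\d+):(\d+):(\d+), Last heard (\d+):(\d+):(\d+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")


def to_seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_sessions(text):
    """Return a list of session dicts with class-map, ages and byte counters."""
    sessions, current, class_map = [], None, None
    for line in text.splitlines():
        m = re.search(r"Class-map: (\S+)", line)
        if m:
            class_map, current = m.group(1), None
            continue
        m = SESSION_RE.search(line)
        if m:
            current = m.groupdict()
            current.update(class_map=class_map, sport=int(current["sport"]),
                           dport=int(current["dport"]))
            sessions.append(current)
            continue
        if current is None:
            continue
        m = TIMES_RE.search(line)
        if m:
            current["age"] = to_seconds(*m.groups()[:3])     # since Created
            current["idle"] = to_seconds(*m.groups()[3:])    # since Last heard
            continue
        m = BYTES_RE.search(line)
        if m:
            current["init_bytes"], current["resp_bytes"] = int(m.group(1)), int(m.group(2))
    return sessions


def suspicious(sessions, max_half_open_age=10):
    """Group by initiator the half-open sessions older than the threshold (a
    handshake that never completed) and the open sessions the responder never
    answered; both are cheap signals a stateful firewall can still give you."""
    hits = {}
    for s in sessions:
        reason = None
        if s["state"] == "SIS_OPENING" and s.get("age", 0) > max_half_open_age:
            reason = "half-open for %ds" % s["age"]
        elif s["state"] == "SIS_OPEN" and s.get("resp_bytes", 1) == 0:
            reason = "open but responder silent"
        if reason:
            hits.setdefault(s["src"], []).append("%s:%d %s" % (s["dst"], s["dport"], reason))
    return hits


if __name__ == "__main__":
    for src, reasons in suspicious(parse_sessions(SAMPLE)).items():
        print(src, reasons)
```

The same parser can be fed the full output of the command over SSH on a schedule; a half-open session that keeps reappearing from one initiator toward a service port is exactly the pattern the RST-then-SYNs note above describes, and it is visible even when no IPS signature matches the payload.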
8.- Changes to port 3389 to mitigate the attack
Until the patch against the RDP attacks is installed, the port should be closed as a preventive measure.
Two ways of doing so were tried: via the ZBF and via NAT; the two tests gave different results.
8.1.- ZBF method
This will drop every packet that arrives at port 3389.
Firewall#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Firewall(config)#policy-map type inspect policy2
Firewall(config-pmap)#class type inspect RDP
Firewall(config-pmap-c)#no inspect
Firewall(config-pmap-c)#drop
Firewall(config-pmap-c)#exit
Firewall(config-pmap)#exit
Firewall(config)#
8.2.- Why does port 3389 show as "filtered" instead of NOT showing at all?
Because all of the router's own ports (those not NATed toward the LAN) answer with RST, ACK, while the NATed ports do not answer with RST, ACK, so that port is considered filtered.
This can be seen with port 21 (FTP, frames #3 and #14), which is not NATed toward the server and returns RST, ACK responses, whereas 3389 does not return the same RST, ACK responses; so it is not a nonexistent port but one whose replies are discarded now that it is filtered by the ZBF firewall policy.
8.3.- NAT method
The NAT entry is removed from the ZBF firewall configuration.
Firewall(config)#no ip nat inside source static tcp 192.168.1.10 3389 200.0.0.1 3389 extendable
8.4.- Test after the NAT changes
We verify that the router now returns RST,ACK for port 3389, since it is no longer in its configuration, and therefore nmap does not detect it.
9.- Applying the patch
Once the patch is applied, inspect re-enabled in the policy and the static NAT reconfigured, the attack is no longer effective and the scan returns the following:
D:\nmap>nmap 200.0.0.1 --script=rdp-vuln-ms12-020.nse
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-21 12:05 Hora est. de Sudamérica E.
Nmap scan report for 200.0.0.1
---abridged---
3389/tcp open  ms-wbt-server   (the script returns no result)
---abridged---
Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds
10.- More information about the attack:
https://technet.microsoft.com/en-us/library/security/ms12-020.aspx
https://www.exploit-db.com/exploits/18606/
11.- Bug description
The Remote Desktop Protocol is used by the "Terminal Services / Remote Desktop Services" and works at kernel level on port 3389.
There is a use-after-free vulnerability located in the handling of the maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of the provided proof-of-concept) when set to a value less than or equal to 5.
The problem happens during the disconnection of the user started with RDPWD!NM_Disconnect, while the effect of the possible code execution is visible in termdd!IcaBufferAlloc (or termdd!IcaBufferAllocEx on Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid memory pointer; the following dump is taken from Windows 2003 Server:
f761887c 8bff            mov     edi,edi
f761887e 55              push    ebp
f761887f 8bec            mov     ebp,esp
f7618881 56              push    esi
f7618882 57              push    edi
f7618883 8b7d08          mov     edi,dword ptr [ebp+8]
f7618886 8d47ec          lea     eax,[edi-14h]
f7618889 50              push    eax
f761888a eb09            jmp     termdd!IcaBufferAlloc+0x19 (f7618895)
f761888c 8b4618          mov     eax,dword ptr [esi+18h]            ; we are here
f761888f 833800          cmp     dword ptr [eax],0                  ; or here
f7618892 7527            jne     termdd!IcaBufferAlloc+0x3f (f76188bb)   ; must jump
f7618894 56              push    esi
f7618895 e878290000      call    termdd!IcaGetPreviousSdLink (f761b212)  ; the new ESI is returned by this function
f761889a 8bf0            mov     esi,eax
f761889c 85f6            test    esi,esi
f761889e 75ec            jne     termdd!IcaBufferAlloc+0x10 (f761888c)
f76188a0 ff751c          push    dword ptr [ebp+1Ch]
f76188a3 ff7518          push    dword ptr [ebp+18h]
f76188a6 ff7514          push    dword ptr [ebp+14h]
f76188a9 ff7510          push    dword ptr [ebp+10h]
f76188ac ff750c          push    dword ptr [ebp+0Ch]
f76188af 57              push    edi
f76188b0 e8b9fcffff      call    termdd!IcaBufferAllocInternal (f761856e)
f76188b5 5f              pop     edi
f76188b6 5e              pop     esi
f76188b7 5d              pop     ebp
f76188b8 c21800          ret     18h
f76188bb 33c0            xor     eax,eax
f76188bd 53              push    ebx
f76188be 8d7e10          lea     edi,[esi+10h]
f76188c1 40              inc     eax
f76188c2 f00fc107        lock xadd dword ptr [edi],eax
f76188c6 ff751c          push    dword ptr [ebp+1Ch]
f76188c9 8b4618          mov     eax,dword ptr [esi+18h]            ; the same value as before
f76188cc ff7518          push    dword ptr [ebp+18h]
f76188cf ff7514          push    dword ptr [ebp+14h]
f76188d2 ff7510          push    dword ptr [ebp+10h]
f76188d5 ff750c          push    dword ptr [ebp+0Ch]
f76188d8 ff761c          push    dword ptr [esi+1Ch]
f76188db ff10            call    dword ptr [eax]                    ; code execution
f76188dd 8bd8            mov     ebx,eax
f76188df 83c8ff          or      eax,0FFFFFFFFh
f76188e2 f00fc107        lock xadd dword ptr [edi],eax
f76188e6 7506            jne     termdd!IcaBufferAlloc+0x72 (f76188ee)
f76188e8 56              push    esi
f76188e9 e8382f0000      call    termdd!_IcaUnloadSd (f761b826)
f76188ee 8bc3            mov     eax,ebx
f76188f0 5b              pop     ebx
f76188f1 ebc2            jmp     termdd!IcaBufferAlloc+0x39 (f76188b5)
eax=040b0402 ebx=e1492090 ecx=00390080 edx=00000003 esi=040b0402 edi=e1438240
eip=f762888c esp=b832f9d8 ebp=b832f9e0 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
termdd!IcaBufferAlloc+0x10:
f762888c 8b4618          mov     eax,dword ptr [esi+18h] ds:0023:040b041a=????????
ChildEBP RetAddr
b8b399e0 b89c1c34 termdd!IcaBufferAlloc+0x10
b8b39a00 b89c1c67 RDPWD!StackBufferAlloc+0x26
b8b39a2c b89a902c RDPWD!MCSDetachUserRequest+0x29
b8b39a40 b89a8b44 RDPWD!NMDetachUserReq+0x14
b8b39a4c b89a9185 RDPWD!NM_Disconnect+0x16
b8b39a58 b89adcb4 RDPWD!SM_Disconnect+0x27
b8b39a68 b89a906d RDPWD!SM_OnConnected+0x70
b8b39a88 b89a8db4 RDPWD!NMAbortConnect+0x23
b8b39ac0 b89a9d88 RDPWD!NM_Connect+0x86
b8b39ae0 b89abcfc RDPWD!SM_Connect+0x112
b8b39b08 b89ac786 RDPWD!WDWConnect+0x368
b8b39b3c b89a6959 RDPWD!WDWConfConnect+0x94
b8b39b70 f762c1c7 RDPWD!WD_Ioctl+0x1227
b8b39b8c f762c5a3 termdd!_IcaCallSd+0x35
b8b39bac f762ca10 termdd!_IcaCallStack+0x55
b8b39bf4 f762abcc termdd!IcaDeviceControlStack+0x414
b8b39c24 f762ad20 termdd!IcaDeviceControl+0x4e
b8b39c3c 8081d5c3 termdd!IcaDispatch+0x12a
b8b39c50 808ed4eb nt!IofCallDriver+0x45
b8b39c64 808ee28d nt!NtWriteFile+0x2943
b8b39d00 808e6dbc nt!NtWriteFile+0x36e5
b8b39d34 80883968 nt!NtDeviceIoControlFile+0x2a
b8b39d64 7c82847c nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
b8b39d68 badb0d00 ntdll!_NLG_Notify+0x14
On Windows 2003 that zone of the memory pointed to by ESI+18 using the provided proof-of-concept is always in the range 040b02??-040b04??.
The exploitability depends on the possibility of controlling ESI or the content pointed to by it (maybe via a form of heap spraying?); indeed, in my quick tests this zone sometimes is allocated and other times it isn't.
Note that on the post-Vista Windows versions (like 7 and 2008) it "seems" necessary to have "Allow connections from computers running any version of Remote Desktop" enabled for being vulnerable.
Anyway I'm not totally sure about this so-called limitation because it looks dependent on my proof-of-concept only.
The provided proof-of-concept uses the BER integer values set at 32 bit (big endian) in case they could be useful for easier debugging.
12.- Additional details about the protocol
http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx
13.- Fix
http://technet.microsoft.com/en-us/security/bulletin/ms12-020
(2015)
I see dead packets…
Rosario, Argentina