OpenSecurity.global

CVE-2019-1181: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181

Pre-authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.7 score. Exploitation more likely than not.

CVE-2019-1182: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182

Pre-authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.7 score. Exploitation more likely than not.

CVE-2019-1222: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1222

Pre-authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.8 score. Exploitation more likely than not.

CVE-2019-1223: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1223

Unauthenticated denial of service with RDP. All versions.

CVE-2019-1224: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1224

Unauthenticated disclosure of memory.

CVE-2019-1225: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1225

Authenticated disclosure of memory.

CVE-2019-1226: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1226

Pre-authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.8 score. Exploitation more likely than not.

Exploits

There are no known public exploits for these issues. Microsoft have built some private exploits. 

Severity

It appears these are a collection of many different and serious vulnerabilities. BlueKeep was one vulnerability in near legacy versions of Windows; these are different vulnerabilities in modern Windows.

Mitigations

- Enable NLA and leave it enabled for all external and internal systems. This raises exploitation requirements to needing credentials for some of the issues.

- Some of these vulnerabilities are not exploitable on Windows 7 and 2008 if you haven’t enabled RDP 8+, aka RemoteFX (rich experiences) and the like. These are available by default in later versions of Windows.

Wormable?

Microsoft say yes: https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/

DejaBlue

Funny name by @Michael Norris.

3 minutes ago, Nicholas L said:

And the exploit watch begins again.

I’m getting my money's worth out of my honeypots.

22 minutes ago, Kevin Beaumont said:

I’m getting my money's worth out of my honeypots.

Yeah I jumped on that bandwagon after you first mentioned it. Has been a good call so far.


I think it’s possible several of the vulns are remotely exploitable pre-auth with NLA enabled, as it appears Windows processes RemoteFX in RDP 8+ over UDP packets without authentication. Might be wrong. RDP over UDP is a feature btw.


I’ve made a private thread for industry members to discuss how to develop detection for this:

 

20 hours ago, Nicholas L said:

Yeah I jumped on that bandwagon after you first mentioned it. Has been a good call so far.

Any good resources on setting something like this up that you would recommend?


I haven't documented anything properly for the honeypot, I just had a Twitter thread while building it one day. I basically spun up Windows PCs without patches, firewalled them to only RDP, installed a SIEM solution and Sysmon, and waited for them to be exploited.


Sounds simple enough. Last questions so the thread doesn't get too hijacked: Would you recommend setting up specific honeypots looking for individual things, or using a few machines to collect all different types of attacks? Is it a question more of what resources you have, or is one method generally accepted over another?

42 minutes ago, Ryne Hanson said:

Sounds simple enough. Last questions so the thread doesn't get too hijacked: Would you recommend setting up specific honeypots looking for individual things, or using a few machines to collect all different types of attacks? Is it a question more of what resources you have, or is one method generally accepted over another?

Imho, having a honeypot that is open to too many things generates an insane amount of noise. Of course if your monitoring/triage can deal with that, it's not a concern. However, for me, it seems to make getting a full understanding of what is going on a more difficult task.


Tencent say they have working RCE on Windows 7 and 10:

Update: I should learn to read. 
Edited by Kevin Beaumont


Because the August patch is 1GB in size and a chunk of the estate I work on is Windows 7 and 2008 using Symantec (Symantec apparently need a new agent, with the 22nd as the proposed date, for the SHA-1 issue), we are putting a lot of faith in NLA as a compensating control. Has anyone seen anything more ironclad about exploiting DejaBlue with NLA enabled?


There’s no confirmation about the NLA thing yet. But personally I would judge NLA as a good enough mitigation for now, assuming you don’t have RDP available via internet. 

59 minutes ago, Kevin Beaumont said:

There’s no confirmation about the NLA thing yet. But personally I would judge NLA as a good enough mitigation for now, assuming you don’t have RDP available via internet.

Ya, definitely no external to internal RDP, as much as I've been told anyway... Always-on VPNs etc... Good few mitigations... I just feel twitchy about RDP based on Microsoft's language and the CVSS score... That and you can never be 100% about anything.

9 hours ago, Kevin Beaumont said:

Tencent say they have working RCE on Windows 7 and 10:

The post doesn't say RCE, it says "stable", which people have assumed to mean stable RCE, but the video looks like a DoS (crash) PoC to me. They connect to RDP before running the PoC, then when it's run the RDP connection terminates and no shell is spawned (indicative of a crash). They could simply mean stable as in the PoC is reliable, because even a crash PoC can be unreliable on hard-to-trigger vulnerabilities.

Edited by MalwareTech


@MalwareTech's analysis of the patch is up: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html

Quote

I set the uncompressedSize field to 1 – 0x2000 (0xFFFFE001), so that when 0x2000 is added it will loop around to 1. Then I set the compressed data to contain the letter ‘A’ repeated 0x200 times, which should result in the heap buffer being overflowed by 0x1FF bytes.

lols

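The size wrap in the quoted analysis, written out as an added C example. This is not code from the page, the blog post, or the RDP implementation: only the uncompressedSize field and the 0x2000 that gets added to it come from the quote; the function names, the return conventions, and the stand-in "decompressor" (which just copies its input) are assumptions made for illustration. The vulnerable computation is shown next to a hardened one that rejects a header size that would wrap and bounds the decoded output against the buffer actually allocated.

```c
/* Added illustration of the 32-bit size wrap described in the quoted
 * analysis. NOT the RDP code: the decoder below is a stand-in that copies
 * its input unchanged; only the uncompressedSize field and the 0x2000
 * slack come from the quoted text, everything else is assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SLACK 0x2000u /* bytes added to uncompressedSize before allocating */

/* Vulnerable pattern: uncompressedSize + SLACK is computed in 32 bits and
 * wraps. 0xFFFFE001 + 0x2000 == 0x100000001, which truncates to 1, so a
 * 1-byte heap buffer is allocated for 0x200 bytes of output. */
uint32_t alloc_size_vuln(uint32_t uncompressed_size)
{
    return uncompressed_size + SLACK;
}

/* Hardened pattern: refuse any header size for which the addition would
 * wrap. Returns the allocation size, or -1 if uncompressed_size is too
 * large to be honest. */
int64_t alloc_size_safe(uint32_t uncompressed_size)
{
    if (uncompressed_size > UINT32_MAX - SLACK)
        return -1;
    return (int64_t)uncompressed_size + SLACK;
}

/* How many bytes a payload of payload_len would write past a buffer of
 * alloc bytes (0 when it fits). Computed rather than performed, so the
 * program is safe to run. */
uint32_t overflow_bytes(uint32_t alloc, uint32_t payload_len)
{
    return payload_len > alloc ? payload_len - alloc : 0;
}

/* Hardened decode: size-checked allocation plus a bound on the bytes the
 * (stand-in) decompressor may emit. Returns 0 on success, -1 if the header
 * size would wrap, -2 if the decoded output would not fit the buffer,
 * -3 on allocation failure. */
int decode_safe(uint32_t uncompressed_size, const uint8_t *payload, uint32_t payload_len)
{
    int64_t alloc = alloc_size_safe(uncompressed_size);
    if (alloc < 0)
        return -1;
    if (payload_len > alloc) /* bound the write; never trust the header alone */
        return -2;
    uint8_t *buf = malloc((size_t)alloc);
    if (!buf)
        return -3;
    memcpy(buf, payload, payload_len); /* stand-in for real decompression */
    free(buf);
    return 0;
}

int main(void)
{
    /* The quoted values: 1 - 0x2000 as a 32-bit field, 0x200 bytes of 'A'. */
    uint32_t hdr_size = 1u - SLACK; /* 0xFFFFE001 */
    uint32_t payload_len = 0x200;
    uint32_t alloc = alloc_size_vuln(hdr_size);
    printf("uncompressedSize=0x%08X -> vulnerable alloc=%u, overflow by 0x%X bytes\n",
           hdr_size, alloc, overflow_bytes(alloc, payload_len));
    printf("hardened: alloc_size_safe -> %lld, decode_safe -> %d\n",
           (long long)alloc_size_safe(hdr_size), decode_safe(hdr_size, NULL, payload_len));
    return 0;
}
```

The check that matters is the one on the addition itself: comparing uncompressed_size against UINT32_MAX - SLACK before adding catches the wrap, whereas checking the sum after the fact does not, because the sum has already wrapped to a small, plausible value. The second check in decode_safe is independent of the first and is what stops the decoder from writing more than the buffer holds even when the header is honest.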

from another group - haven't verified - can delete if BS

 

Edited by james mckinlay
in a rush

Yeah I’m not sure what that one is trying to show, doesn’t look like RCE. 

30 minutes ago, Tor Åge Takvam said:

Hi guys.

Is there any safe-ish way of scanning for the DejaBlue vuln? Nmap NSE scripts or something?

WSUS report 🙂 MBSA reports 🙂

Uptime reports - if it's Windows and has an uptime > 10 days it's vulnerable 🙂 🙂

Edited by james mckinlay

Yeah there’s no automated tooling yet (Linux tools etc).

5 hours ago, james mckinlay said:

WSUS report 🙂 MBSA reports 🙂

Uptime reports - if it's Windows and has an uptime > 10 days it's vulnerable 🙂 🙂

That actually requires customers to have full control over all their assets 🤣

 

3 hours ago, Kevin Beaumont said:

Yeah there’s no automated tooling yet (Linux tools etc).

Ok. Thanks!

The only thing I've come up with until now is WMI / WinRM queries for the KB.

2 minutes ago, Tor Åge Takvam said:

The only thing I've come up with until now is WMI / WinRM queries for the KB.

systeminfo | findstr "KB"  also works and can be pointed at remote machines


That's an unrelated patch fixing other issues - not a security patch.

18 minutes ago, Steve Walsh said:

It was part of the August patch updates. Not related to the RDP vulnerability. But the issue came with the patch. So if you were quick off the mark, it hurt you a bit https://www.ghacks.net/2019/08/15/visual-basic-issues-in-windows-august-2019-updates/

Oh I get you. Yeah, I wouldn't rush out patching for this, just patch as per the usual process.

