dejablue DejaBlue - Multiple pre-auth RCE vulnerabilities in RDP in every version of Windows including modern Windows

[Kevin Beaumont 111]

CVE-2019-1181:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181

Pre authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.7 score. Exploitation more likely than not. 

CVE-2019-1182:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182

Pre authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.7 score. Exploitation more likely than not. 

CVE-2019-1222: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1222

Pre authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.8 score. Exploitation more likely than not. 

CVE-2019-1223: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1223

Unauthenticated denial of service with RDP. All versions.

CVE-2019-1224:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1224

Unauthenticated disclosure of memory. 

CVE-2019-1225: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1225

authenticated disclosure of memory  

CVE-2019-1226: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1226

Pre authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.8 score. Exploitation more likely than not. 

Exploits

There are no known public exploits for these issues. Microsoft have built some private exploits. 

Severity

It appears these are a collection of many different and serious vulnerabilities. BlueKeep was one vulnerability in near legacy versions of Windows; these are different vulnerabilities in modern Windows.

Mitigations

- Enable NLA and leave it enabled for all external and internal systems. This raises exploitation requirements to needing credentials for some of the issues  

- Some of these vulnerabilities are not exploitable on Windows 7 and 2008 if you haven’t enabled RDP 8+, aka RemoteFX (rich experiences) and the like.  These are available by default in later versions of Windows. 

Wormable?

Microsoft say yes: https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/

DejaBlue

Funny name by @Michael Norris  .

[Nicholas L 7]

And the exploit watch begins again.

[Kevin Beaumont 111]

3 minutes ago, Nicholas L said:

And the exploit watch begins again.

I’m getting my money worth out of my honeypots. 

[Nicholas L 7]

22 minutes ago, Kevin Beaumont said:

I’m getting my money worth out of my honeypots. 

Yeah I jumped on that bandwagon after you first mentioned it. Has been good call so far.

[Kevin Beaumont 111]

I renamed it to please @MalwareTech 😂

[Kevin Beaumont 111]

I think it’s possible several of the vulns are remotely exploitable pre-auth with NLA enabled, as it appears like Windows processes RemoteFX in RDP8+ over UDP packets w/o authentication. Might be wrong. RDP over UDP is a feature btw. 

[Kevin Beaumont 111]

I’ve made a private thread for industry members to discuss how to develop detection for this:

 

[Ryne Hanson 0]

20 hours ago, Nicholas L said:

Yeah I jumped on that bandwagon after you first mentioned it. Has been good call so far.

Any good resources on setting something like this up that you would recommend?

[Kevin Beaumont 111]

I haven't documented anything properly for honeypot, I just had a Twitter thread while building it one day.  I just basically spun up Windows PCs without patches, firewalled them to only RDP, installed SIEM solution and Sysmon and wait for them to be exploited.

[Ryne Hanson 0]

Sounds simple enough.  Last questions so the thread doesn't get too hijacked: Would you recommend setting up specific honeypots looking for individual things or using a few machines to collect all different types of attacks?  Is it a question more of what resources you have or is one method generally accepted over another?

[Nicholas L 7]

42 minutes ago, Ryne Hanson said:

Sounds simple enough.  Last questions so the thread doesn't get too hijacked: Would you recommend setting up specific honeypots looking for individual things or using a few machines to collect all different types of attacks?  Is it a question more of what resources you have or is one method generally accepted over another?

Imho, having a honeypot that is open to too many things generates an insane amount of noise. Of course if your monitoring/triage can deal with that, its not a concern. However, for me, it seems to make getting full understanding of what is going on a more difficult task.

[Nicholas L 7]

https://twitter.com/MalwareTechBlog/status/1162034211672358914?s=20https://twitter.com/MalwareTechBlog/status/1162034211672358914?s

Edited August 15, 2019 by Nicholas L

[Kevin Beaumont 111]

Tencent say they have working RCE on Windows 7 and 10:

Update: I should learn to read. 

Edited August 17, 2019 by Kevin Beaumont

[Steve Walsh 0]

Because the August Patch is 1GB in size and a chunk of the estate I work on is win 7 and 2008 using Symantec (Symantec apparently need a new agent with the 22nd as proposed date for the Sha 1 issue ) we are putting a lot of faith in NLA as a compensating control. Has anyone seen anything more Iron clad about exploiting Deja Blue with NLA enabled?? 

[Kevin Beaumont 111]

There’s no confirmation about the NLA thing yet. But personally I would judge NLA as a good enough mitigation for now, assuming you don’t have RDP available via internet. 

[Steve Walsh 0]

59 minutes ago, Kevin Beaumont said:

There’s no confirmation about the NLA thing yet. But personally I would judge NLA as a good enough motivation for now, assuming you don’t have RDP available via internet. 

Ya definitely no external to internal RDP as much as  I've been told anyway.... Always on VPNs etc.... Good few mitigations .... I just feel twitchy about RDP based on Microsoft's language and the CVSS score.... That and you can never be 100% about anything

[MalwareTech 5]

9 hours ago, Kevin Beaumont said:

Tencent say they have working RCE on Windows 7 and 10:

The post don't say RCE, it says "stable", which people have assumed to mean stable RCE, but the video looks like a DoS (crash) PoC to me. They connect to RDP before running the PoC, then when run the RDP connection terminates and no shell is spawned (indicative of a crash). They could simply be meaning stable as in the PoC is reliable, because even crash PoC can be unreliable on hard to trigger vulnerabilities. 

Edited August 17, 2019 by MalwareTech

[Kevin Beaumont 111]

Ugh, yep, you’re right. Also - yay. 

[Kevin Beaumont 111]

@MalwareTech's analysis of the patch is up: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html

Quote

I set the uncompressedSize field to 1 – 0x2000 (0xFFFFE001‬), so that when 0x2000 is added it will loop around to 1. Then I set the compressed data to contain the letter ‘A’ repeated 0x200 times, which should result in the heap buffer being overflowed by 0x1FF bytes.

lols

[james mckinlay 116]

from another group - haven't verified - can delete if BS

 

Edited August 21, 2019 by james mckinlay
in a rush

[Kevin Beaumont 111]

Yeah I’m not sure what that one is trying to show, doesn’t look like RCE. 

[Tor Åge Takvam 1]

Hi guys.

Is there any safe-ish way of scanning for the dejablue vuln? Nmap NSE scripts or something?

[james mckinlay 116]

30 minutes ago, Tor Åge Takvam said:

Hi guys.

Is there any safe-ish way of scanning for the dejablue vuln? Nmap NSE scripts or something?

WSUS report 🙂 MBSA reports 🙂

Uptime reports - if its windows and has an uptime > 10 days its vulnerable 🙂 🙂

Edited August 22, 2019 by james mckinlay

[Kevin Beaumont 111]

Yeah there’s no automated tooling yet (Linux tools etc).

[Tor Åge Takvam 1]

5 hours ago, james mckinlay said:

WSUS report 🙂 MBSA reports 🙂

Uptime reports - if its windows and has an uptime > 10 days its vulnerable 🙂 🙂

That actually requires customers to have full control over all their assets 🤣

 

3 hours ago, Kevin Beaumont said:

Yeah there’s no automated tooling yet (Linux tools etc).

Ok. Thanks!

The only thing I`ve come up with untill now is WMI / WinRM queries for KB

[james mckinlay 116]

2 minutes ago, Tor Åge Takvam said:

The only thing I`ve come up with untill now is WMI / WinRM queries for KB

systeminfo | findstr "KB"  also works and can be pointed at remote machines

[Steve Walsh 0]

https://support.microsoft.com/en-ie/help/4512474/windows-10-update-kb4512474

We were 60% covered on our windows 10 estate when I read the above on Wednesday.... There looks to be a bug in original patch. VB6 compatibility issue.....

[Kevin Beaumont 111]

That's an unrelated patch fixing other issues - not a security patch.

[Steve Walsh 0]

It was part of the August patch updates. Not related to the RDP vulnerability. But the issue came with the patch. So if you were quick off the mark, it hurt you a bit https://www.ghacks.net/2019/08/15/visual-basic-issues-in-windows-august-2019-updates/

[Kevin Beaumont 111]

18 minutes ago, Steve Walsh said:

It was part of the August patch updates. Not related to the RDP vulnerability. But the issue came with the patch. So if you were quick off the mark, it hurt you a bit https://www.ghacks.net/2019/08/15/visual-basic-issues-in-windows-august-2019-updates/

Oh I get you.  Yeah, I wouldn't rush out patching for this, just patch as usual process.

[Kevin Beaumont 111]

There’s a public write up for triggering this vulnerability now (not RCE). 

https://www.coresecurity.com/blog/dejablue-vulnerabilities-windows-7-windows-10-cve-2019-1181-and-cve-2019-1182

@MalwareTech