Windows Remote Desktop vulnerability ESTEEMAUDIT (CVE-2017-9073) patch: brief analysis - Vulnerability Warning - the black bar safety net (myhack58)

ID MYHACK58:62201787246
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-06-22T00:00:00


Last month we wrote a brief analysis of ESTEEMAUDIT, the Remote Desktop exploit from the leaked Equation Group toolset. We only discovered that the exploit works solely against computers joined to a Windows domain while trying to reproduce the issue; writing the patch itself, by comparison, was quite simple. The figure below shows the source code of our patch and the "Exploit Attempt Blocked" dialog displayed when an ESTEEMAUDIT attack is detected and blocked.

Our patch is simple: we first check whether the data received from the remote Smart Card (which ESTEEMAUDIT emulates) is larger than 80h, the size of the destination buffer in gpkcsp.dll. If the received data is larger, meaning ESTEEMAUDIT is being used, we first raise a pop-up alert through the locally running 0patch Agent, then reduce the received data size to 80h so the buffer cannot overflow. Introducing 4 machine instructions into the original code is enough to block the attack without interrupting legitimate functionality.


About a month later Microsoft published official updates for ESTEEMAUDIT and the other vulnerabilities, and said it would provide customers with further support. That is very good, because the official vendor update is the preferred way to fix a vulnerability; our goal is to protect against critical vulnerabilities where no official fix is yet available, or to cover the time gap for customer organizations that cannot apply the security update immediately.

Of course, we were very interested in how Microsoft fixed this vulnerability and how its fix compares with ours. A few minutes in IDA Pro and BinDiff let us compare the two side by side.

With the fixed code on the left and the vulnerable code on the right, Microsoft's patch introduces the same check at exactly the same position. The main difference from our solution is that while we cut the received data down to the valid length, Microsoft's patch treats data that is too long as an error and drops the connection.
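To make the two strategies concrete, here is an added C model of the bounded copy described above and of the check both patches insert. It is not code from 0patch, from Microsoft, or from gpkcsp.dll; the struct, function names and the use of the 0x80 constant are assumptions, and the only fact taken from the page is the 80h destination buffer size. The vulnerable shape is kept beside the two fixes so the difference (clamp and continue vs. reject and disconnect) is visible in code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the gpkcsp.dll destination buffer: 0x80 bytes,
 * the size the article names. Every identifier here is an assumption,
 * not a symbol from the real DLL. */
#define GPK_BUF_SIZE ((size_t)0x80)

typedef struct {
    uint8_t data[GPK_BUF_SIZE];
    size_t  len;
} card_response_t;

/* Outcome codes for the hardened copies. */
enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_REJECTED = -1 };

/* Vulnerable shape: trusts the length announced by the (possibly emulated)
 * smart card and copies it verbatim. With len > 0x80 this overruns
 * dst->data. Kept only for contrast; never call it with len > 0x80. */
static void copy_response_vulnerable(card_response_t *dst,
                                     const uint8_t *src, size_t len)
{
    memcpy(dst->data, src, len);   /* no bound check: buffer overflow */
    dst->len = len;
}

/* 0patch-style fix: clamp the length to the buffer size and carry on. */
static int copy_response_clamp(card_response_t *dst,
                               const uint8_t *src, size_t len)
{
    int rc = COPY_OK;
    if (len > GPK_BUF_SIZE) {
        /* The real micropatch raises the 0patch Agent alert at this point;
         * modelled here as a log line. */
        fprintf(stderr, "exploit attempt blocked: %zu > %zu bytes\n",
                len, GPK_BUF_SIZE);
        len = GPK_BUF_SIZE;
        rc = COPY_TRUNCATED;
    }
    memcpy(dst->data, src, len);
    dst->len = len;
    return rc;
}

/* Microsoft-style fix as the article describes it: same check, same place,
 * but oversized data is an error and nothing is copied. */
static int copy_response_reject(card_response_t *dst,
                                const uint8_t *src, size_t len)
{
    if (len > GPK_BUF_SIZE) {
        dst->len = 0;
        return COPY_REJECTED;      /* caller tears down the connection */
    }
    memcpy(dst->data, src, len);
    dst->len = len;
    return COPY_OK;
}

/* Constructed inputs: a legitimate 0x20-byte response and an oversized
 * 0x200-byte one standing in for the ESTEEMAUDIT payload. */
static int demo(void)
{
    uint8_t legit[0x20];
    uint8_t oversized[0x200];
    card_response_t r;
    memset(legit, 0x41, sizeof legit);
    memset(oversized, 0x42, sizeof oversized);

    copy_response_vulnerable(&r, legit, sizeof legit);          /* safe size */
    int a = copy_response_clamp(&r, legit, sizeof legit);       /* COPY_OK */
    int b = copy_response_clamp(&r, oversized, sizeof oversized);   /* TRUNCATED, len 0x80 */
    int c = copy_response_reject(&r, oversized, sizeof oversized);  /* REJECTED, len 0 */
    return a == COPY_OK && b == COPY_TRUNCATED && c == COPY_REJECTED;
}

int main(void)
{
    printf("%s\n", demo() ? "ok" : "mismatch");
    return 0;
}
```

Both fixes sit on the same branch, which is why BinDiff shows the check at the same position; only the fall-through differs. The clamp keeps legitimate traffic and the session alive, which is what a micropatch wants, while the reject gives the caller an error path it can log and act on.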

That is entirely reasonable: an official patch is expected to provide troubleshooting information, whereas a patch of our kind should close the vulnerability with as little code as possible.
