Let's analyze the just-patched RDP vulnerability together: CVE-2019-0708 vulnerability warning - myhack58 (Black Bar Safety Net)

myhack58 ID: MYHACK58:62201994234
Published: May 22, 2019 - 12:00 a.m.
Author: 佚名 (Anonymous)
Source: www.myhack58.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High
Percentile: 100.0%

![](/Article/UploadPic/2019-5/201952221409502.png)

Preface
In this May's security update bulletin, Microsoft described a vulnerability in the Remote Desktop Protocol (RDP). We are analyzing this vulnerability specifically because the update covers Windows XP alongside other Windows operating systems, and, as everyone knows, Windows XP has gone many years without receiving any update. So why did Microsoft patch this high-risk vulnerability now? Let's take a look.
According to the security bulletin Microsoft released, this is a critical-severity vulnerability: it allows an attacker to achieve remote code execution on the target device and to plant worms and other malware. This also means that once a target organization is infected, every other computer on its network that is not protected will not be "spared" either. In the bulletin, Microsoft mentioned the well-known Internet worm WannaCry. In March 2017 Microsoft fixed the related vulnerability MS17-010, but before that, many attackers were already using WannaCry for network attacks.
Given the high-risk threat level of this vulnerability, attackers are likely to develop exploit tools during this window. The McAfee Advanced Threat Research team has also analyzed the vulnerability and its associated threat scenarios in depth, and we recommend that all users patch CVE-2019-0708 as soon as possible.

Affected OS
Windows 2003
Windows XP
Windows 7
Windows Server 2008
Windows Server 2008 R2

The RDP Protocol
Remote Desktop Protocol (RDP) is a multi-channel protocol that lets a user's client, the "local computer", establish a communication connection with a computer running Microsoft Terminal Services, the server or "remote computer". Most Windows systems on the market today ship with RDP, and client software also exists for other operating systems such as Linux, FreeBSD and Mac OS X. The protocol is an extension of T.120, the multi-channel conferencing standard published by the International Telecommunication Union. Since Terminal Services was launched there have been four versions of RDP, namely 4.0, 5.0, 5.1 and 5.2; in general the version is determined by the Windows version. From the client's point of view, the 5.x versions differ little in functionality; relative to 4.0 they add direct login with a user name and password, client drive resource mapping, client audio playback, display of up to 24-bit color, and FIPS-compliant encryption levels for the connection. Starting with protocol version 4.0, the functions available to clients include three data encryption levels (high, medium and low), a client-customized initial login environment, client printer mapping, client LPT port mapping, client COM port mapping, clipboard mapping, and personalized client login settings (keyboard, screen size, and so on). Version 7.0 is the latest version and is supported only on Windows Server 2008 R2 or Windows 7 and later.

Vulnerability overview
A worm is a virus that self-replicates and spreads across the systems within a network; once it has infected a remote host it runs automatically, without requiring any further interaction from the user. If the main attack vector of a piece of malware is the network, it should be classified as a worm.
RDP defines the data communication mode between the two sides over virtual channels, and supports point-to-point connections established by the client. A virtual channel is a bidirectional data channel that can extend RDP functionality. In RDP v5.1, Windows Server 2000 defined 32 static virtual channels (SVCs); because a large number of dynamic virtual channels (DVCs) are also involved, the number and types of available channels are subject to certain restrictions. An SVC is created at the start of a session and remains unchanged until the session terminates, whereas a DVC is different: it is created and deleted according to user needs.

Vulnerability analysis
CVE-2019-0708 lies in the functions _IcaBindVirtualChannels and _IcaRebindVirtualChannels of the RDP driver termdd.sys. The figure below shows the sequence in which the system initializes an RDP connection: the channels are established before the security mechanisms have been enabled. This is what makes CVE-2019-0708 wormable, because it can self-replicate and propagate to systems inside the target network that have port 3389 open.
![](/Article/UploadPic/2019-5/201952221409676.png)
First, a brief introduction to the "MS_T120" static virtual channel, whose RDP channel number in the GCC session initiation sequence is 31. This channel name is used internally by Microsoft; when a client requests a connection over an SVC, no information about the "MS_T120" channel is shown.
The figure below shows the channel request information in the GCC session initialization sequence; we can see that it contains no information about the MS_T120 channel.
![](/Article/UploadPic/2019-5/201952221409844.png)
However, during GCC session initialization the channel names supplied by the client are not checked against a whitelist on the server side, so an attacker can set up another SVC named "MS_T120" instead of the legitimate channel numbered 31, causing heap memory corruption on the target system or achieving remote code execution.
The figure below shows an abnormal channel request during GCC session initialization, with the "MS_T120" channel at channel number 4:
![](/Article/UploadPic/2019-5/2019522214010337.png)
The figure below labels the assembly code involved in MS_T120 channel management. The MS_T120 reference channel is created in rdpwsx.dll, and its heap memory is allocated from the rdpwp.sys memory pool. When the MS_T120 reference channel is established with a channel number other than 31, heap memory corruption occurs.
![](/Article/UploadPic/2019-5/2019522214010223.png)
The figure below shows Microsoft's fix: in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions of termdd.sys, Microsoft added code that checks the client connection request for the channel name "MS_T120" and ensures that this channel is bound only to channel number 31.
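To make the fix rule concrete, here is an added example (not code from the original article, from McAfee, or from Microsoft) that parses the client's channel list from the TS_UD_CS_NET block of the MCS Connect Initial PDU and applies the same check the patch enforces: a client-supplied "MS_T120" is rejected, because the server alone creates that channel, at number 31. The block layout is assumed from MS-RDPBCGR, the case-insensitive name compare is a conservative assumption, and the sample client data is constructed.

```python
import struct

CS_NET = 0xC003          # TS_UD_CS_NET header type (assumed from MS-RDPBCGR 2.2.1.3.4)
MAX_CLIENT_CHANNELS = 31 # client-requested SVC limit (assumed from the spec)
MS_T120_INDEX = 31       # the only channel number the server itself binds MS_T120 to


def build_cs_net(channels):
    """Build a TS_UD_CS_NET block from (name, options) pairs; used here only to
    construct sample input. Names are at most 7 ANSI chars, zero padded to 8."""
    for name, _ in channels:
        if len(name) > 7:
            raise ValueError("channel name longer than 7 characters: %r" % name)
    body = b"".join(struct.pack("<8sI", n.encode("ascii"), o) for n, o in channels)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(channels)) + body


def parse_cs_net(block):
    """Parse a TS_UD_CS_NET block into an ordered list of (name, options)."""
    if len(block) < 8:
        raise ValueError("block shorter than the 8-byte header")
    hdr_type, hdr_len, count = struct.unpack_from("<HHI", block, 0)
    if hdr_type != CS_NET:
        raise ValueError("unexpected header type 0x%04x" % hdr_type)
    if hdr_len != len(block) or hdr_len != 8 + 12 * count:
        raise ValueError("length field does not match channelCount")
    channels = []
    for i in range(count):
        raw, options = struct.unpack_from("<8sI", block, 8 + 12 * i)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        channels.append((name, options))
    return channels


def check_client_channels(block):
    """Apply the patch rule to a client block. Returns ("accept", names) or
    ("reject", reason); a malformed block is rejected rather than guessed at."""
    try:
        channels = parse_cs_net(block)
    except ValueError as exc:
        return ("reject", "malformed CS_NET: %s" % exc)
    if len(channels) > MAX_CLIENT_CHANNELS:
        return ("reject", "%d channels exceeds %d" % (len(channels), MAX_CLIENT_CHANNELS))
    for idx, (name, _) in enumerate(channels):
        if name.upper() == "MS_T120":   # client may never bind this internal channel
            return ("reject", "MS_T120 requested at index %d; server-only at %d"
                    % (idx, MS_T120_INDEX))
    return ("accept", [name for name, _ in channels])


# Constructed sample data: an ordinary client and one mimicking the abnormal request
NORMAL_CLIENT = build_cs_net([("rdpdr", 0x80800000), ("cliprdr", 0xC0A00000)])
SUSPECT_CLIENT = build_cs_net([("rdpdr", 0x80800000), ("MS_T120", 0)])
```

The same parser can be pointed at captured Connect Initial PDUs to flag clients that request MS_T120, which is how network detection for this vulnerability works.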

