Nessus plugin MICROSOFT_WDSTFTP_CVE-2019-0603.NASL — This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.

Windows Deployment Services TFTP Server Remote Code Execution Vulnerability

2019-03-19 00:00:00
This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

A remote code execution vulnerability exists in the way that Windows Deployment Services TFTP Server handles objects in memory. A remote attacker can exploit this, via a specially crafted request, to execute arbitrary code with elevated permissions on a target system.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block. Nessus loads the script once with
# 'description' set to collect metadata (ids, CVSS, dependencies, ports),
# then exits before any of the detection logic below runs.
if (description)
{
  script_id(122927);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

  script_cve_id("CVE-2019-0603");
  script_bugtraq_id(107229);
  script_xref(name:"ZDI", value:"ZDI-19-276");

  script_name(english:"Windows Deployment Services TFTP Server Remote Code Execution Vulnerability");
  script_summary(english:"Checks TFTP server response");

  script_set_attribute(attribute:"synopsis", value:
"A TFTP service running on the remote host is affected by a remote
code execution vulnerability.");

  script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists in the way that Windows
Deployment Services TFTP Server handles objects in memory. An remote
attacker can exploit this, via a specially crafted request, to
execute arbitrary code with elevated permissions on a target system.");

  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0603
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ae99134e");
  script_set_attribute(attribute:"solution", value:
"Install appropriate security updates listed at the See Also link.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0603");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/19");

  # Remote (unauthenticated network) check; no credentials are used.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  # ACT_GATHER_INFO: the probe is a single TFTP read request with
  # options, followed by an option-rejection ERROR; no payload is sent.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # tftpd_detect.nasl populates the 'tftp' service used by get_service();
  # os_fingerprint.nasl populates Host/OS used for the Windows gate below.
  script_dependencies("tftpd_detect.nasl", "os_fingerprint.nasl");
  script_require_udp_ports(69);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("byte_func.inc");
include("tftp_func.inc");

#
# WDS TFTP server should only run on Windows
#
# Bail out only when an OS fingerprint exists AND it does not mention
# Windows (NASL '>!<' is "not a substring of"). With no fingerprint the
# probe still runs, so an unfingerprinted host is not silently skipped.
#
os = get_kb_item('Host/OS');
if (os && 'windows' >!< tolower(os))
  audit(AUDIT_OS_NOT, 'Windows');

#
# Make sure tftpd is detected
#
# get_service() exits (audit) if tftpd_detect.nasl found no TFTP service.
port = get_service(svc:'tftp', ipproto:'udp', exit_on_fail:TRUE);

soc = open_sock_udp(port);
if(! soc) audit(AUDIT_SOCK_FAIL, port, 'UDP');

# Our local UDP port: needed both for the capture filter and to send the
# option-rejection ERROR from the same port later on.
sport = get_source_port(soc);
if (! sport)
{
  close(soc);
  exit(1, 'Failed to get source port.');
}

# This file seems to be WDS-specific.
# Note the double quotes: NASL does not escape-process double-quoted
# strings, so "\x64" here is the literal directory name x64, not a byte.
file = "boot\x64\wdsnbp.com";

# Send a read request with options
#
# RRQ = opcode, filename NUL, mode NUL, then option name/value pairs,
# each NUL-terminated (RFC 2347). The integers are concatenated as their
# decimal text. Both requested values are deliberately large so that the
# server's negotiated (possibly clamped) values can be inspected below.
blksize = 50000;
winsize = 65535;
req = mkword(TFTP_RRQ) + file + '\x00' + 'octet\x00' +
  'BLKSIZE\x00' + blksize + '\x00' + 'windowsize\x00'+ winsize + '\x00';

# Capture the reply: from the target, to our source port, with the first
# payload byte 0x00 (high byte of every TFTP opcode). The server's source
# port is intentionally not filtered, because a TFTP server answers from a
# transfer-specific port rather than from port 69.
filter='udp and src host ' + get_host_ip() +
  ' and dst port ' +  sport +
  ' and udp[8:1]=0x00';

# One request, one captured reply (5 s timeout); the socket is closed
# immediately since the reply has already been captured.
cap = send_capture(socket:soc, data:req, pcap_filter:filter, timeout:5);
close(soc);
if(isnull(cap))
  audit(AUDIT_RESP_NOT, port, 'a TFTP read request', 'UDP');

res = get_udp_element(udp:cap, element:'data');

# Need at least the 2-byte opcode plus something to parse after it.
if(strlen(res) < 4)
  audit(AUDIT_RESP_BAD, port, 'a TFTP read request. Response is too short', 'UDP');

opcode = getword(blob:res, pos:0);

# Server sends back negotiated options
#
# The requested wdsnbp.com file exists on the tftp server.
# This file seems to be WDS-specific, so it's likely a WDS tftp server.
if(opcode == TFTP_OACK)
{
  # Attempt to reject the options to prevent server retransmission
  #
  # TFTP ERROR code 8 ("terminate transfer due to option negotiation",
  # RFC 2347) is sent from our original source port to the server's
  # transfer port (the source port of the captured OACK). The literal
  # carries two trailing NULs; one terminator would suffice, the extra
  # byte is harmless. Failure here is best-effort and not reported.
  dport = get_udp_element(udp:cap, element:'uh_sport');
  if(dport)
  {
    req = mkword(TFTP_ERROR) + mkword(8) + 'error 8\x00\x00';
    psoc = open_priv_sock_udp(dport:dport,sport:sport);
    if(psoc)
    {
      send(socket:psoc, data:req);
      close(psoc); 
    }
  }

  # Reset to NULL so that a value is only kept if the server echoed it.
  blksize = NULL;
  winsize = NULL;

  # Server is not allowed to send back options not requested
  # by the client.
  #
  # OACK body after the opcode is name NUL value NUL ...; we only look at
  # the first two pairs (the two we asked for). Names are matched
  # case-insensitively; values are parsed as unsigned integers, so a
  # non-numeric value becomes 0 and trips the check below.
  opts = split(substr(res, 2), sep:'\x00', keep:FALSE);
  for(i = 0; i < 2; i++)
  {
    if(opts[i*2] && opts[i*2 + 1])
    {
      if(tolower(opts[i*2]) == 'blksize')
        blksize = uint(opts[i*2 + 1]);
      else if(tolower(opts[i*2]) == 'windowsize')
        winsize = uint(opts[i*2 + 1]);
    }
  }

  if(! blksize || ! winsize)
    exit(1, 'Failed to get block size or window size.');

  # Vulnerable
  #
  # NOTE(review): the fingerprint is the negotiated pair (windowsize 64,
  # blksize above 1482); the plugin treats any other negotiated result as
  # patched. The rationale for these exact thresholds is not stated in
  # the script — confirm against the vendor fix details before changing.
  if(winsize == 64 && blksize > 1482)
    security_report_v4(port: port, severity: SECURITY_HOLE, proto: 'udp');
  # Patched
  else
    audit(AUDIT_LISTEN_NOT_VULN, 'TFTP server', port, '', 'UDP');
}
# Server sends back an error opcode.
#
# Because we requested the wdsnbp.com file, non-WDS tftp servers
# will likely return a 'file not found' error.
else if (opcode == TFTP_ERROR)
{
  exit(1, 'The service listening on UDP port ' + port + 
    ' returned an error opcode. It may not be a Windows Deployment Services TFTP server.'); 
}
# Any other opcode (e.g. DATA from a server that ignored the options)
# is not a result this check can interpret.
else
{
  audit(AUDIT_RESP_BAD, port, 'a TFTP read request. Unexpected opcode ' + opcode + ' in the response', 'UDP');
}

Vendor | Product | Version | CPE
microsoft | windows | | cpe:/o:microsoft:windows