Author: Khanh Nguyen Yen, Software Engineer, OPSWAT
Introduction
What is BlueKeep?
BlueKeep is a critical remote code execution vulnerability that exists in Remote Desktop Services (formerly known as Terminal Services), one of Microsoft's Remote Desktop Protocol (RDP). BlueKeep allows a remote user to execute functions similar to those of terminal-based environments where multiple terminals (clients) can be connected to a single host (server) to attack systems.
Background
By default, Remote Desktop connections use RDP over port 3389/TCP to communicate with a remote server. The RDP protocol supports static virtual channels, which are intended to be used as communication links for various RDP components and user extensions. Microsoft creates two channels by default: MS_T120 (used by RDP itself) and CTXTW (used in Citrix ICA). Clients are not expected to create these channels over the network. Instead, the Windows RDP system initializes these channels internally when a connection is established.
Channels are created using termdd!IcaCreateChannel(), which first checks whether the specified channel exists. If not, RDP allocates a channel structure to create it. A pointer to the ChannelControlStructure is stored within a ChannelPointerTable, like this:
Where is the Vulnerability?
A use-after-free vulnerability exists in the Microsoft Windows RDP kernel driver, termdd.sys. If a channel with the name MS_T120 is created in Slot 11, the default channel MS_T120 at Slot0x1F (31) is also opened, because termdd!IcaFindChannelByName() is called and returns a pointer for MS_T120 ChannelControlStructure at both slots. If an attacker then sends crafted data to channel MS_T120, termdd.sys attempts to respond with an error message, then closes the channel. This frees the MS_T120 structure and clears the pointer at user-controlled Slot 11 in ChannelPointerTable. However, the same pointer at default Slot 0x1F isn’t cleared. Subsequently, when the connection is terminated, RDPWD!SignalBrokenConnection() tries to access a freed structure through the pointer at Slot0x1F. This leads to a use-after-free condition [1].
By establishing an RDP connection with the target server while opening an MS_T120 channel, an unauthenticated attacker can send crafted data that enables them to execute arbitrary code with Administrative (system-level) privileges [2].
BlueKeep was reported as CVE-2019-0708 [3].
More information about this vulnerability is available at https://metadefender.opswat.com/vulnerabilities#!/CVE-2019-0708
Potential Effects
Is it a Big Deal?
An attacker can exploit the BlueKeep vulnerability to spread malware through a victim's machine without requiring any user interaction. This means that malware exploiting this vulnerability could distribute cryptocurrency digging malware, bank trojans or other malicious code that can propagate from one vulnerable computer to another, similar to the way WannaCry did in 2017 [4].
An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system. After successfully sending specially crafted malware packets to an un-patched Windows operating system that has RDP enabled, the attacker could perform a number of actions with full user rights, such as:
- Adding new user accounts to the Administration group, to access confidential resources.
- Installing malicious programs, executing ransomware on the victim’s data and demanding a ransom from the victim.
- Viewing, changing, or deleting arbitrary data.
Does it Affect Me?
BlueKeep is present in the following NT-based versions of Microsoft Windows did not install the monthly update released on May 14th, 2019: Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008.
How Does OPSWAT Detect BlueKeep?
OPSWAT technologies can monitor all endpoints in an organization, including those that have this vulnerability.
An analysis was performed to understand the cause of the vulnerability and how to detect this type of RDP attack. The vulnerable binary can be typically found at C:\Windows\System32\drivers\termdd.sys.
MetaDefender Access can detect devices that have the BlueKeep vulnerability and can provide remediation instructions. This vulnerability affects any version of Microsoft Windows listed above that does not update to the latest patch or the KB4499175 security update patch [5].
MetaDefender Drive is a durable USB drive that can be used to scan file vulnerabilities in an air-gapped environment.
MetaDefender Core with file-based vulnerability assessment technology can detect vulnerabilities in binary files on endpoints.
How to Exploit It?
The exploit code for this vulnerability can be found at Exploit Database [6], as a module of the Metasploit framework of Rapid7 [7].
Exploit demo:
- Attacker machine: Kali Linux.
- Victim machine: Windows 7 SP1 x64 Enterprise on Oracle VirtualBox.
- Network: Local Area Network.
Remediation
It is strongly recommended that you always keep Windows up-to-date, especially security-related updates (KB). More information can be found in customer-guidance-for-cve-2019-0708 [3].
In addition, network administrators should also consider:
- Blocking TCP Port 3389 and disabling unused RDP services.
- Enabling network-level authentication in RDP services, to prevent attackers from performing remote code execution without valid credentials.
References
[1] https://cwe.mitre.org/data/definitions/416.html
[3] https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708
[4] https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
[5] https://support.microsoft.com/en-us/help/4499175/windows-7-update-kb4499175
[6] https://www.exploit-db.com/exploits/47120
[7] http://www.metasploit.com/
