Slides PDF

RDP: 从补丁到远程代码执⾏
阿左 @ Tencent KeenLab 2019.7.19

⺫录
1. RDP协议基础知识介绍
2. CVE-2019-0708补丁分析
3. 扫描器原理
4. 内核漏洞利⽤
5. Demo
6. 缓解策略
RDP协议基础知识介绍
Ø终端服务
ØR D P 组件及架构
Ø协议
⽼式终端服务
ØW i n d o w s X P
ØW i n d o w s S e r v e r 2 0 0 3
ØW i n d o w s 7
ØW i n d o w s S e r v e r 2 0 0 8 R 2
终端服务内核组件
终端服务用户态组件
icaapi.dll
Svchost.exe Use <\Device\Termdd>
终端服务 termsrv.dll
\pipe\Ctx_WinStation_API_service
rdpclip.exe rdpwsx.dll
termsrv.dll
剪切板支持
MCS/GCC 协议栈 …
<RDPSND> RPC 客户端wrapper
<MS_T120>
<CLIPRDR>
wtsapi32.dll
高级API
现代终端服务
ØW i n d o w s 8
ØW i n d o w s S e r v e r 2 0 1 2
ØW i n d o w s 1 0
Øt e r m i n p u t . s y s
ØR d p b a s e . d l l
ØR d p c o r e . d l l
ØR d p s e r v e r b a s e . d l l
RDP协议
客户端 X.224 连接请求数据报
RDP链接建⽴通信序列
MCS协议
多点通信协议(MCS): ⼀系列由ITU定义的通
信协议标准，包括T.120 T122 T125等

静态虚拟信道
在主TCP链接上实现了多个静态虚拟信道来交换数据，最多可以有31个静态虚拟信道
1003 I/O信道
1007 ⽤户信道
虚拟信道
* rdpdr (设备重定向)
* cliprdr (剪贴板重定向)
* disk (Disk Redirection)
* rail (RemoteApp)
* parallel (Parallel Port Redirection)
* drdynvc (动态虚拟信道)
* serial (Serial Port Redirection)
* audin (⾳频重定向)
* printer (Printer Redirection)
* alsa support
* CUPS support
* pulse support
* smartcard (Smartcard Redirection)
* tsmf (多媒体重定向)
* rdpsnd (声⾳重定向)
* alsa support
* alsa support
* pulse support
* pulse support
* ffmpeg support
CVE-2019-0708补丁分析
读⽂档
Client MCS Connect Initial PDU with GCC Conference Create Request
下断点
MS_T120
Ør d p w s x ! M C S C r e a t e D o m a i n
ØI c a a p i ! I c a C h a n n e l O p e n
ØI c a a p i ! _ I c a S t a c k O p e n
ØI c a a p i ! _ I c a O p e n
ØN t d l l ! N t C r e a t e F i l e
ØT e r m d d ! I c a C r e a t e
ØT e r m d d ! I c a C r e a t e C h a n n e l
当创建同名信道的时候会发⽣什么
MCSPortData
Rdpwd!HandleConnectInitial
IcaChannelInput
MCSPortData
触发漏洞
漏洞扫描器原理
内核漏洞利⽤
Ø代码执⾏前思考的问题
Ø如何加速利⽤程序开发
ØU a F 对象堆喷
Ø弹计算器
远程代码执⾏前需要思考的问题
Ø漏洞类型 : u s e a f t e r f r e e
Ø漏洞关联对象 I c a C h a n n e l , ⼤⼩ : 0 x 8 C
Ø怎么去占坑
Ø怎么去泄漏喷射的 s h e l l c o d e 在内核堆上的地址
Ø在内核控 E I P 以后怎么在⽤户态弹计算器
加速漏洞利⽤程序开发
FreeRDP 1178 C⽂件, 623000⾏ rdesktop 53 C⽂件,42934⾏

占坑
伪造锁
控EIP的前奏
⽞学堆喷
控EIP
弹计算器
Ø参考永恒之蓝 E X P
ØS h e l l c o d e 将会运⾏在内核模式 ( R i n g 0 ) 此时 I R Q L 是 D I S P A T C H _ L E V E L
Ø劫持系统调⽤是在⽤户态代码执⾏的常⽤⽅法 ( I R Q L 是 P A S S I V E _ L E V E L )
Ø多核系统可能需要⼀段时间才会在当前核调⽤到 s y s c a l l
ØS h e l l c o d e 应注意在被多次调⽤时不能多次劫持 s y s c a l l
Ø最后使⽤异步过程调⽤ ( A P C ) 在⽤户态实现任意代码执⾏ ( r i n g 3 )
修复伪造的IcaChannel对象
放弃治疗直接ret
It works! 才怪
永恒之蓝Win7 x86 shellcode适配XP
计算器
Demo
缓解策略
Ø1 . 3 . 1 . 2 S e c u r i t y - E n h a n c e d C o n n e c t i o n S e q u e n c e
ØT h e r e a r e t w o v a r i a t i o n s o f t h e S e c u r i t y - E n h a n c e d C o n n e c t i o n S e q u e n c e . T h e n e g o t i a t i o n -
based approach aims to provide backward-compatibility with previous RDP implementations,
while the Direct Approach favors more rigorous security over interoperability.
ØD i r e c t A p p r o a c h : I n s t e a d o f n e g o t i a t i n g a s e c u r i t y p a c k a g e , t h e c l i e n t a n d s e r v e r
immediately execute a predetermined security protocol (for example, the CredSSP Protocol)
prior to any RDP traffic being exchanged on the wire. This approach results in all RDP traffic
being secured using the hard-coded security package. However, it has the disadvantage of
not working with servers that expect the connection sequence to be initiated by an X.224
Connection Request PDU.

⺴络级别⾝份验证
CredSSP RDSTLS

Slides PDF

Uploaded by

Copyright:

Available Formats

You might also like

Slides PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Slides PDF

Uploaded by

Copyright:

Available Formats

RDP: 从补丁到远程代码执⾏

阿左 @ Tencent KeenLab 2019.7.19

Svchost.exe Use <\Device\Termdd>

客户端 X.224 连接请求数据报

信协议标准，包括T.120 T122 T125等

FreeRDP 1178 C⽂件, 623000⾏ rdesktop 53 C⽂件,42934⾏

based approach aims to provide backward-compatibility with previous RDP implementations,

Connection Request PDU.

You might also like