NSA Arsenal: CVE-2017-9073 EsteemAudit analysis - vulnerability warning - the black bar safety net

Jun 05, 2017 - Anonymous (佚名), www.myhack58.com (MYHACK58:62201786741)

In April, a group calling itself the "Shadow Brokers" published part of the exploit tools it had stolen from the NSA, most of them targeting the Windows operating system. The best known of these is "EternalBlue", which the WanaCryp0t ransomware uses. Another released tool, "EsteemAudit", exploits CVE-2017-9073 in RDP (Remote Desktop Protocol) on Windows 2003 and Windows XP. The operating systems that EsteemAudit's vulnerability affects are no longer supported by Microsoft (XP support ended in 2014, Windows 2003 support ended in 2015), so Microsoft has not released an official patch for this vulnerability.
EsteemAudit overview
The RDP remote exploitation tool is named "EsteemAudit". It relies on an inter-chunk heap overflow. The Windows smart card module gpkcsp.dll allocates a data structure named key_set of size 0x24a8. Inside key_set there is a data structure named key_data of size 0x80, which stores smart card related information, and in the memory immediately adjacent to it two key_object pointers are stored. However, gpkcsp!MyCPAcquireContext calls the memory copy function memcpy without any bounds check, copying a block of data fully controlled by the user into key_data; if the attacker-controlled block is larger than 0x80 bytes, the adjacent key_object pointers are overwritten with the user's malicious data. EsteemAudit's code lays out a block of memory of size 0xb2-7 and uses the memcpy in this code path to copy malicious data into key_data, so that key_object is overwritten with the address 0x080190dc. This address lies in the data segment of gpkcsp.dll, and EsteemAudit then places malicious data there: the tool sends user-controlled data that is stored in a global variable at address 0x080190d8. Next, the function gpkcsp!ReleaseProvider releases the C++ object and calls [vtable+8], at which point we control EIP. Finally, using the SharedUserData technique, a syscall with id 0x8f (the VirtualProtect function) is used to give the shellcode's memory execute permission, and then the shellcode is called; this completes the first stage.
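The root cause described above is an unbounded memcpy into a fixed-size 0x80 buffer that sits directly before two pointers. The following C program is an added illustration written for this article, not code from gpkcsp.dll or from EsteemAudit; the struct key_set layout is a deliberately simplified stand-in (assumption: only the ordering "key_data, then two key_object pointers" from the analysis is kept, and none of the real field offsets or the 0x24a8 total size), and the function names acquire_context_unchecked / acquire_context_checked are hypothetical. It shows the vulnerable pattern beside the hardened form that rejects any caller-supplied length larger than key_data, so that the adjacent pointers can never be reached.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define KEY_DATA_SIZE 0x80   /* size of key_data inside key_set, as the analysis states */

/* Simplified stand-in for the key_set structure (assumption, not the real layout):
 * a 0x80-byte key_data buffer immediately followed by two key_object pointers. */
struct key_object { int id; };
struct key_set {
    uint8_t key_data[KEY_DATA_SIZE];
    struct key_object *key_object[2];
};

/* The vulnerable pattern: the caller-supplied length is trusted, so the copy runs past
 * key_data into the adjacent pointers. The copy is addressed through offsetof so the
 * overflow stays inside the key_set object this demo owns; len is clamped to the struct
 * size for the same reason. The real code applies no limit at all. */
void acquire_context_unchecked(struct key_set *ks, const uint8_t *src, size_t len) {
    if (len > sizeof *ks) len = sizeof *ks;
    memcpy((uint8_t *)ks + offsetof(struct key_set, key_data), src, len);
}

/* The hardened form: refuse any length that does not fit in key_data.
 * Returns 0 on success and -1 when the input is rejected. */
int acquire_context_checked(struct key_set *ks, const uint8_t *src, size_t len) {
    if (ks == NULL || src == NULL || len > sizeof ks->key_data) return -1;
    memcpy(ks->key_data, src, len);
    return 0;
}

/* Returns 1 if both key_object pointers still hold their original values. */
int pointers_intact(const struct key_set *ks,
                    const struct key_object *a, const struct key_object *b) {
    return ks->key_object[0] == a && ks->key_object[1] == b;
}

/* Runs both copies against a constructed oversized input (0x90 bytes of 'A', i.e. 0x10
 * bytes more than key_data holds). Returns 1 when the unchecked copy clobbered a pointer
 * and the checked copy refused the same input while leaving the pointers untouched. */
int demo(void) {
    static struct key_object obj_a = { 1 }, obj_b = { 2 };
    uint8_t payload[0x90];
    memset(payload, 'A', sizeof payload);   /* constructed sample input */

    struct key_set ks;
    memset(&ks, 0, sizeof ks);
    ks.key_object[0] = &obj_a;
    ks.key_object[1] = &obj_b;
    acquire_context_unchecked(&ks, payload, sizeof payload);
    int clobbered = !pointers_intact(&ks, &obj_a, &obj_b);

    memset(&ks, 0, sizeof ks);
    ks.key_object[0] = &obj_a;
    ks.key_object[1] = &obj_b;
    int rc = acquire_context_checked(&ks, payload, sizeof payload);
    int refused = (rc == -1) && pointers_intact(&ks, &obj_a, &obj_b);

    return clobbered && refused;
}

int main(void) {
    printf("unchecked copy overwrote key_object and checked copy refused input: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The only difference between the two functions is the single comparison of len against sizeof ks->key_data; that is exactly the check the analysis says gpkcsp!MyCPAcquireContext is missing.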
Description
There have been many RDP remote code execution vulnerabilities, but fortunately, since the NT4/Win98 era, no exploit code had been publicly released. However, in April 2017 the Shadow Brokers released tools stolen from the NSA, among them EsteemAudit, a tool exploiting an RDP remote code execution vulnerability on the Windows XP and Windows 2003 operating systems. In this article we first introduce the internal mechanisms of the RDP protocol, then analyze EsteemAudit.exe itself. Next, we analyze how the RDP protocol works in user mode and kernel mode, how the inter-chunk heap overflow occurs, and how the inter-chunk heap overflow is used on the vulnerable operating system to reach shellcode execution. Finally, we explain how to defend against this vulnerability when no patch is available.
Architecture and components
The Terminal Services architecture consists of four main parts:
multi-user kernel
Remote Desktop client
Terminal Services Licensing service
Session Directory Services
![](/Article/UploadPic/2017-6/20176514543950.png?www.myhack58.com)
The following table lists the Terminal Services components and their descriptions:
![](/Article/UploadPic/2017-6/20176514543200.png?www.myhack58.com)
Nicolas Collignon describes the various components in his paper Tunneling TCP over RDP.
In kernel mode, the relevant component is rdpwd.sys, which is responsible for the MCS (Multipoint Communication Service) protocol stack. RDP PDUs (Protocol Data Units) are decrypted and parsed in this module.
In user mode, the winlogon component is responsible for client authentication. For example, if a client requests smart card authentication, winlogon.exe runs the smart card module and interacts with the client.
The RDP Protocol
This brief introduction to Remote Desktop Services shows that the RDP protocol is where the vulnerable module used by EsteemAudit lives. MSDN provides RDP documentation at https://msdn.microsoft.com/en-us/library/jj712081.aspx. [MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting describes the basics of the RDP protocol, and [MS-RDPESC]: Remote Desktop Protocol: Smart Card Virtual Channel Extension describes some of the RDP extensions. There is also documentation for specific extension modules, for example [MS-RDPESC]: Remote Desktop Protocol: Smart Card Virtual Channel Extension. At OSSIR 2010, Aurélien Bordes listed all the RDP extensions in his talk.
For an in-depth analysis, we read the following documents:
[MS-RDPBCGR] - Remote Desktop Protocol: Basic Connectivity and Graphics Remoting
[MS-RDPESC] - Remote Desktop Protocol: Smart Card Virtual Channel Extension
[MS-RDPEFS] - Remote Desktop Protocol: File System Virtual Channel Extension
[MS-RPCE] - Remote Procedure Call Protocol Extensions
MS-RDPBCGR is based on the ITU (International Telecommunication Union) T.120 series of protocols. T.120 incorporates many other standards; for example, the X.224 standard is used to describe how the transport layer protocol interacts. The X.224 standard describes the request PDU and confirm PDU we see, and which encryption method must be used to encrypt RDP packets.
In the following example, the encryptionMethods flag of an X.224 request is set to 0x00000012, meaning the client requests 128-bit RC4 encryption [128BIT_ENCRYPTION_FLAG 0x00000002].
![](/Article/UploadPic/2017-6/20176514544127.png?www.myhack58.com)
![](/Article/UploadPic/2017-6/20176514544141.png?www.myhack58.com)
In the X.224 confirm PDU, the server sets the encryptionMethod flag to 0x00000002 (128-bit RC4) to confirm the use of 128-bit RC4 encryption.
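To make the encryptionMethods / encryptionMethod exchange above concrete from a defender's point of view, here is an added C example (written for this article, not code from the original page or from any RDP implementation) that parses the two security data blocks and audits what was negotiated. Assumptions, labelled in the code: the client block follows the TS_UD_CS_SEC layout from [MS-RDPBCGR] (2-byte type 0xC002, 2-byte length, 4-byte encryptionMethods, 4-byte extEncryptionMethods, all little-endian), the server block follows TS_UD_SC_SEC1 (type 0x0C02, length, 4-byte encryptionMethod, 4-byte encryptionLevel), and the flag values 40BIT=0x01, 128BIT=0x02, 56BIT=0x08, FIPS=0x10 come from that specification. The sample bytes are constructed to reproduce the page's values (client 0x00000012, server 0x00000002); the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Flag values from [MS-RDPBCGR] Client Security Data (assumption: taken from the spec) */
#define ENC_40BIT   0x00000001u
#define ENC_128BIT  0x00000002u
#define ENC_56BIT   0x00000008u
#define ENC_FIPS    0x00000010u
#define CS_SECURITY 0xC002u   /* TS_UD_HEADER type of the client security block */
#define SC_SECURITY 0x0C02u   /* TS_UD_HEADER type of the server security block */

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Shared parsing of a 4-byte header plus two 4-byte fields. Returns 0, or -1 if the
 * buffer is too short, the type does not match, or the declared length is inconsistent. */
static int parse_sec_block(const uint8_t *buf, size_t len, uint16_t want_type,
                           uint32_t *f1, uint32_t *f2) {
    if (buf == NULL || len < 12) return -1;
    uint16_t type = rd_le16(buf), blen = rd_le16(buf + 2);
    if (type != want_type || blen < 12 || blen > len) return -1;
    *f1 = rd_le32(buf + 4);
    *f2 = rd_le32(buf + 8);
    return 0;
}

/* Client block: encryptionMethods (bit set of offered methods) and extEncryptionMethods. */
int parse_cs_security(const uint8_t *buf, size_t len, uint32_t *methods, uint32_t *ext) {
    return parse_sec_block(buf, len, CS_SECURITY, methods, ext);
}

/* Server block: encryptionMethod (the single chosen method) and encryptionLevel. */
int parse_sc_security(const uint8_t *buf, size_t len, uint32_t *method, uint32_t *level) {
    return parse_sec_block(buf, len, SC_SECURITY, method, level);
}

/* Writes a '|'-separated list of flag names into out; returns the number of flags set. */
int describe_methods(uint32_t m, char *out, size_t outsz) {
    static const struct { uint32_t bit; const char *name; } names[] = {
        { ENC_40BIT, "40BIT" }, { ENC_128BIT, "128BIT" }, { ENC_56BIT, "56BIT" }, { ENC_FIPS, "FIPS" },
    };
    int count = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (m & names[i].bit) {
            if (count) strncat(out, "|", outsz - strlen(out) - 1);
            strncat(out, names[i].name, outsz - strlen(out) - 1);
            count++;
        }
    }
    return count;
}

/* Audit rule: the client offers only 40/56-bit RC4 and nothing stronger. */
int offers_only_weak(uint32_t methods) {
    return (methods & (ENC_128BIT | ENC_FIPS)) == 0 && (methods & (ENC_40BIT | ENC_56BIT)) != 0;
}

/* Audit rule: the server's single choice must be one of the methods the client offered. */
int negotiation_consistent(uint32_t client_methods, uint32_t server_method) {
    int single_bit = server_method != 0 && (server_method & (server_method - 1)) == 0;
    return single_bit && (client_methods & server_method) == server_method;
}

/* Constructed sample blocks reproducing the page's values: client offers 0x00000012
 * (128BIT|FIPS), server confirms 0x00000002 (128-bit RC4) at encryptionLevel 2. */
static const uint8_t SAMPLE_CS_SEC[12] = { 0x02,0xC0, 0x0C,0x00, 0x12,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
static const uint8_t SAMPLE_SC_SEC[12] = { 0x02,0x0C, 0x0C,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00 };

uint32_t sample_client_methods(void) {
    uint32_t m, e;
    return parse_cs_security(SAMPLE_CS_SEC, sizeof SAMPLE_CS_SEC, &m, &e) == 0 ? m : 0xFFFFFFFFu;
}
uint32_t sample_server_method(void) {
    uint32_t m, l;
    return parse_sc_security(SAMPLE_SC_SEC, sizeof SAMPLE_SC_SEC, &m, &l) == 0 ? m : 0xFFFFFFFFu;
}
int sample_negotiation_ok(void) {
    return negotiation_consistent(sample_client_methods(), sample_server_method());
}

int main(void) {
    char names[64];
    describe_methods(sample_client_methods(), names, sizeof names);
    printf("client offers %s, server chose 0x%08x, consistent=%d, weak-only=%d\n",
           names, sample_server_method(), sample_negotiation_ok(),
           offers_only_weak(sample_client_methods()));
    return 0;
}
```

Run over a packet capture, the two audit rules flag sessions where the client only offers 40/56-bit RC4 or where the server's confirmed method is not among those offered; both are the kind of inconsistency worth recording when reviewing RDP traffic to unpatched XP/2003 hosts.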
