wormable windows CVE-2019-1181, CVE-2019-1182

4 New Wormable WINDOWS Flaws Discovered

Microsoft RDP Patches: CVS(s); CVE-2019-1181 | CVE-2019-1182

Windows Systems affected: Windows 7 SP1 + Windows Server 2008 R2 SP1 + Windows Server 2012 + Windows 8.1 + Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.

Systems not affected: Windows XP, Windows Server 2003, and Windows Server 2008

Contact us for more details on how Volico can protect your business against remote desktop vulnerabilities. 

• Call: 888 865 4261
Chat with a member of our team to discuss which solution best fits your needs.
• Emails us at [email protected]

Overview of the Vulnerabilities

Just as the uproar and panic-to-patch mode of the recent BlueKeep remote desktop vulnerability was starting to die down, two brand new Remote Desktop vulnerabilities were discovered and could have a deep impact on your organization.

All remote command execution vulnerabilities are essentially “wormable”. Wormable is a new buzzword that simply means software that is able to to perform lateral execution and has control to perform further executions on a target and therefore has the means to laterally pivot itself to deploy a propagating piece of its own code that spreads deeper into the network and ecosystem of the machines until the network is fully infected with the malcode.

Like BlueKeep, the attackers issue different specially crafted packets an attacker to manipulate values. The difference is now the attack is crafted to bypass the authentication on the RDP service and giving the attacker access to remote command execution (full remote control to execute commands).

This causes a memory corruption bug and creates an open channel using Remote Code Execution for the attacker to issue whichever command they please.

A new set of patches have been rolled out for RDP that include remote code execution (RCE) vulnerabilities. They, as all remote command execution exploits do, have the power to literally pivot and propagate the second stage of attack – making it ‘wormable’. This means Ransomware could have been attached to these payloads encrypting your entire organization’s hard drives until you pay the criminals.

The following CVS(s);

CVE-2019-1181 [PATCH AVAILABLE]
CVE-2019-1182 [PATCH AVAILABLE]

have been issued by Microsoft and the mainstream patch has been delivered and rolled out within a few hours. We reversed the patch to see how these exploits work.

Mitigation Using Volico

The Volico endpoint security includes a multi-layered approach for malware prevention and attacks like the above.

Sophisticated exploits simply bypass most anti-exploit/anti-worm/anti-malware endpoint protection systems for many reasons, but the above would have been caught by Volico’s endpoint protection via stack-monitoring. Once detected, our endpoint protection would then take the session and push it through pre and post-execution inspection (future-exp and past-exp) in order to determine its goal.

The Volico endpoint protection system would place the above session in a pre-execution inspection extract mode and then examines the malcodes intent and command and control communicators to determine what would have happened if exploited further.

The session replay would then utilize our proprietary machine-learning algorithm to detect files that fit a malware profile globally. Once the algorithm detects its original source it’s then placed under the known APT and protected worldwide.

Malcode that is able to move beyond this detection engine technique is then pushed through our DBAF (dynamic behavioral analysis filter) that looks for
known malicious behavior like illicit changes to registry settings or file encryption operations. Using the dynamic behavioral analysis is especially effective for blocking file-less exploits like the above and for blocking never-before-seen ransomware.

This provides the capability to track malicious behavior across individual systems as attackers’ progress through a kill chain for full attack lifecycle detection.

Volico endpoint solutions also integrate with threat intelligence feeds to correlate internal behavior with the tactics, techniques, and procedures (TTPs) used by exploit or malware it detects in order to keep up with sophisticated attacks.

Deeper Overview of the Vulnerability

Looking into the patches rolled out by Microsoft, it was discovered that an RCE (remote command execution) existed in the RDP/Terminal server stack during the request_to_cooperate() function call of the RDP stack allowing attackers without credentials to execute arbitrary commands on remote servers without authentication.

The server only checks for a 52-byte trust on size during the request-to-cooperate callback from the server and ignores the content allowing a targets request for corporate a special payload id generated, unpacked and then delivered to the session.

In order to keep things stable and not trigger any canaries or trigger any stack smash protection items the attacker must craft the responding packet to eq the bytes at exactly ’52’ to match the header correctly or the RDP protocol will kill our active session.

Deeper reversing the patch showed that once the 52-trust was sent, anything was possible by the attacker.

A remote attacker can craft a payload, encode it and deliver it during the handshake of the normal RDP build-up sequence and deliver this payload to skip authentication and execute commands of their choice on the target.

Once the remote server unpacks the above string, a use-after-free vulnerability is opened that tricks the RDP stack to use a new kind of return object programming (ROP) technique to skip over the authentication requirement function and allows the attacker remote command execution on the machine.

Share this blog