Closed cnotin closed 5 years ago
Looking into this. Will report back with fix or notes.
Can you retest with set VERBOSE true to verify that this is failing on reading the license response?
Sorry, I forgot to include the options or to mention it, but this is already a verbose output. Without it, the message is much shorter, and there is no hint of an error... I am not sure that msf fails on reading the license, but using the rdesktop fork I can assure you that this issue is present with this server (and others which trigger the same error). Actually I found these particular servers and I was curious to see how this module would handle them.
Ah, gotcha, you're right. But that would indicate there's a read failure on the font list PDU. The license packet actually passes, since apparently I don't know how to use my eyes.
Please see if #12152 fixes the issues.
Ok for #12152 :)
However, I have noticed that it continues to fail against other hosts (which also return license errors in other tools). Sorry for missing it at first, but it fails at a different step ("sending patch check payloads" instead of "sending client font list PDU", which you fixed):
[*] a.b.c.d:3389 - Verifying RDP protocol...
[*] a.b.c.d:3389 - Attempting to connect using TLS security
[*] a.b.c.d:3389 - Server requests TLS
[*] a.b.c.d:3389 - Sending erect domain request
[*] a.b.c.d:3389 - Sending client info PDU
[*] a.b.c.d:3389 - Received License packet
[*] a.b.c.d:3389 - Sending client confirm active PDU
[*] a.b.c.d:3389 - Sending client synchronize PDU
[*] a.b.c.d:3389 - Sending client control cooperate PDU
[*] a.b.c.d:3389 - Sending client control request control PDU
[*] a.b.c.d:3389 - Sending client input sychronize PDU
[*] a.b.c.d:3389 - Sending client font list PDU
[*] a.b.c.d:3389 - Sending patch check payloads
[-] a.b.c.d:3389 - Unexpected error: EOFError
/var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:203:in `get_once'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:210:in `block in check_for_patch'
/var/lib/gems/2.5.0/gems/activesupport-4.2.11.1/lib/active_support/core_ext/range/each.rb:7:in `each'
/var/lib/gems/2.5.0/gems/activesupport-4.2.11.1/lib/active_support/core_ext/range/each.rb:7:in `each_with_time_with_zone'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:201:in `check_for_patch'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:322:in `check_rdp_vuln'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:93:in `check_host'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:65:in `run_host'
/root/tools/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
/root/tools/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'
[*] a.b.c.d:3389 - The target service is running, but could not be validated.
Suggested and tested fix:
diff --git a/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb b/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
index 844719754b..d4a4a93c68 100644
--- a/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
+++ b/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
@@ -207,7 +207,11 @@ class MetasploitModule < Msf::Auxiliary
rdp_send(x64_packet)
# Quick check for the Ultimatum PDU
- res = sock.get_once(-1, 1)
+ begin
+ res = sock.get_once(-1, 1)
+ rescue EOFError
+ raise RdpCommunicationError
+ end
return Exploit::CheckCode::Vulnerable if res && res.include?(["0300000902f0802180"].pack("H*"))
# Slow check for Ultimatum PDU. If it doesn't respond in a timely
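Review bot: the new `rescue EOFError` around `sock.get_once(-1, 1)` turns a peer that closes the connection into a hard abort (`RdpCommunicationError`), while a peer that simply stays silent for the 1-second timeout still reaches the `res && ...` guard on the next line and falls through to the slow check below; decide explicitly whether an early close should be treated like that silent case. If it should, set `res = nil` in the rescue instead of raising, so the existing slow-check path makes the call; if the abort is intended, raise with a message, e.g. `raise RdpCommunicationError, 'EOF while waiting for the Ultimatum PDU'`, so the `[-] Error communicating RDP protocol.` line carries the cause, and add a one-line comment saying why an EOF at this point is expected from some servers.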
However the output is different with this:
[*] a.b.c.d:3389 - Verifying RDP protocol...
[*] a.b.c.d:3389 - Attempting to connect using TLS security
[*] a.b.c.d:3389 - Server requests TLS
[*] a.b.c.d:3389 - Sending erect domain request
[*] a.b.c.d:3389 - Sending client info PDU
[*] a.b.c.d:3389 - Received License packet
[*] a.b.c.d:3389 - Sending client confirm active PDU
[*] a.b.c.d:3389 - Sending client synchronize PDU
[*] a.b.c.d:3389 - Sending client control cooperate PDU
[*] a.b.c.d:3389 - Sending client control request control PDU
[*] a.b.c.d:3389 - Sending client input sychronize PDU
[*] a.b.c.d:3389 - Sending client font list PDU
[*] a.b.c.d:3389 - Sending patch check payloads
[-] a.b.c.d:3389 - Error communicating RDP protocol.
[*] a.b.c.d:3389 - Cannot reliably check exploitability.
"The target service is running, but could not be validated" vs. "Cannot reliably check exploitability": I don't know what's best...
If the server doesn't respond to the patch check, it's assumed to be likely patched (see slow check below).
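The three outcomes discussed in this thread (the Ultimatum PDU comes back, the server stays silent for the read timeout, or the server closes the connection and the read raises EOFError) as an added Ruby example; this is not the module's code and not part of the issue. It uses pipes as a constructed stand-in for the RDP socket, Ruby's `Timeout` in place of Rex's `get_once` timeout argument, and the Ultimatum PDU bytes quoted in the diff above; the outcome symbols and function names are assumptions for illustration.

```ruby
require 'timeout'

# Bytes the module's quick check looks for (taken from the diff in this thread).
ULTIMATUM_PDU = ['0300000902f0802180'].pack('H*')

# Read at most one chunk from io after the patch-check payload has been sent
# and classify what happened. Distinguishing a silent peer from one that
# hung up is the point: the first should go on to the slow check, the second
# cannot be validated at all.
def classify_patch_check_response(io, timeout: 1)
  data = Timeout.timeout(timeout) { io.readpartial(4096) }
  data.include?(ULTIMATUM_PDU) ? :vulnerable : :other_data
rescue Timeout::Error
  :no_response        # equivalent to res == nil in the module's quick check
rescue EOFError, Errno::ECONNRESET
  :connection_closed  # the EOFError that surfaced in the trace above
end

# Constructed demonstration: pipes stand in for the TLS socket to the server.
def demo
  results = {}

  r, w = IO.pipe                         # peer answers with the Ultimatum PDU
  w.write(ULTIMATUM_PDU)
  w.close
  results[:ultimatum] = classify_patch_check_response(r)
  r.close

  r, w = IO.pipe                         # peer hangs up without answering
  w.close
  results[:eof] = classify_patch_check_response(r)
  r.close

  r, w = IO.pipe                         # peer stays silent
  results[:silent] = classify_patch_check_response(r, timeout: 0.2)
  r.close
  w.close

  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the three classifications; in a scanner, `:no_response` is the case to hand to the slow check, and `:connection_closed` is the one that should be reported as not validated rather than as a crash.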
Steps to reproduce
Run the scanner/rdp/cve_2019_0708_bluekeep scanner module against an RDP server which returns a license error. Here are similar issues and ways of discovering such servers: https://github.com/zerosum0x0/CVE-2019-0708/issues/16 https://github.com/robertdavidgraham/rdpscan/issues/25
Expected behavior
The module gracefully handles the error and reports the host as not vulnerable.
Current behavior
I get the following error:
System stuff
Metasploit version
I use the latest MSF version from Git (metasploit v5.0.39-dev-6bd7f6cb4a)
I installed Metasploit with:
OS
Kali