rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

CVE-2019-0708 / BlueKeep scanner: cannot scan Windows 7 hosts which only support TLS 1.0 for RDP (when improved TLS patch is missing) #12213

Closed cnotin closed 5 years ago

cnotin commented 5 years ago

Steps to reproduce

  1. use latest Metasploit from source (or from Kali, same)
  2. use Windows 7 (pro) and do not install any update
  3. launch the scanner:
    use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
    set rhosts ...
    set verbose true
    run

Expected behavior

The target is vulnerable.

As confirmed by the modified rdesktop scanner:

[!] Target is VULNERABLE!!!

Current behavior

[*] 192.168.4.9:3389      - Verifying RDP protocol...
[*] 192.168.4.9:3389      - Attempting to connect using TLS security
[-] 192.168.4.9:3389      - Unexpected error: SSL_connect returned=1 errno=0 state=error: unsupported protocol
/root/tools/metasploit-framework/lib/msf/core/exploit/rdp.rb:970:in `connect'
/root/tools/metasploit-framework/lib/msf/core/exploit/rdp.rb:970:in `swap_sock_plain_to_ssl'
/root/tools/metasploit-framework/lib/msf/core/exploit/rdp.rb:171:in `rdp_negotiate_security'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:219:in `check_rdp_vuln'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:98:in `check_host'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:61:in `run_host'
/root/tools/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
/root/tools/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'
[*] 192.168.4.9:3389      - The target service is running, but could not be validated.
[*] 192.168.4.9:3389      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In Wireshark I see that Metasploit tries to negotiate TLS 1.2 whereas the server only supports TLS 1.0. This is normal as Windows 7, without any update, only supports TLS 1.0. Cf. https://support.microsoft.com/fr-fr/help/3080079/update-to-add-rds-support-for-tls-1-1-and-tls-1-2-in-windows-7-or-wind

System stuff

Metasploit version

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > version
Framework: 5.0.42-dev-015651dd08
Console  : 5.0.42-dev-015651dd08

I installed Metasploit with: Source

OS: Kali

cnotin commented 5 years ago

I tried to change https://github.com/rapid7/metasploit-framework/blob/015651dd088a0d9932d4ddb5386cd73c0f689d28/lib/msf/core/exploit/rdp.rb#L967 with:

    # :TLSv1 is a symbol: it pins both the minimum and maximum version to TLS 1.0
    ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)

It fixes the issue; however, in Wireshark I see that now only TLS 1.0 is supported in the Client Hello, which downgrades us to it (with no parameter, I see in the Client Hello that TLS 1.2 and even TLS 1.3 are supported).

OpenSSL has a feature to define the minimum accepted level with SSL_CTX_set_min_proto_version (https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_min_proto_version.html), but it was added only with OpenSSL 1.1.0. I don't know how to express otherwise to OpenSSL that we accept everything up to the latest version while still accepting TLS 1.0.
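As an added example (not cnotin's patch and not framework code), the Ruby below contrasts the two client-side options raised in this comment: a context pinned to TLS 1.0, which is what SSLContext.new(:TLSv1) does, versus one that only sets min_version, each checked against a loopback server capped at TLS 1.0 that stands in for an unpatched Windows 7 host. It assumes Ruby's openssl gem with min_version=/max_version= (Ruby 2.5+), sets security_level = 0 because OpenSSL 3 only allows TLS 1.0 handshakes at that level, and the helper names are mine.

```ruby
require "openssl"
require "socket"

TLS10 = OpenSSL::SSL::TLS1_VERSION

# Client context with a TLS 1.0 floor (helper name is mine). With max: TLS10 it
# behaves like the pinned SSLContext.new(:TLSv1) above; with no max it is the
# min_version approach: accept TLS 1.0 but still offer everything newer.
def rdp_client_context(max: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = TLS10
  ctx.max_version = max if max
  ctx.security_level = 0                      # OpenSSL 3 allows TLS 1.0 only at level 0
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # RDP hosts usually use self-signed certs
  ctx
end

# Self-signed certificate generated in-process (constructed test data).
def test_cert_and_key
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=rdp-test")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Loopback TLS server capped at server_max (TLS10 stands in for an unpatched
# Windows 7 host; nil for a host with the TLS 1.1/1.2 update). Connects with
# client_ctx and returns the negotiated protocol name, e.g. "TLSv1".
def negotiated_version(client_ctx, server_max: nil)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = test_cert_and_key
  sctx.min_version = TLS10
  sctx.max_version = server_max if server_max
  sctx.security_level = 0
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  acceptor = Thread.new { server.accept.close rescue nil } # server side of one handshake
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), client_ctx)
  ssl.sync_close = true
  ssl.connect
  ssl.ssl_version
ensure
  ssl&.close
  acceptor&.join(5)
  server&.close
end
```

security_level = 0 is needed here only so that a TLS 1.0 handshake is possible on OpenSSL 3; on the OpenSSL 1.1.x of this report, the min_version call is the change that matters.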

cnotin commented 5 years ago

Here is a suggested patch, thanks to min_version (https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#method-i-min_version-3D):