false positives: Windows Server 2012 & 2016

[meagercreek]

It seems that a license handling error which was fixed at some point in the original rdesktop (possibly here: https://sourceforge.net/p/rdesktop/mailman/message/31932290/ ) is spoiling the vulnerability check against newer systems which are not affected by this vulnerability:

• true positive (Windows 7):

  ...
  [ ] [10.192.99.137]:3389 - STARTTLS starting TLS ...
  [ ] [10.192.99.137]:3389 - subject = ***
  [+] [10.192.99.137]:3389 - connection established: using SSL
  [+] [10.192.99.137]:3389 - version = v4.8
  [+] [10.192.99.137]:3389 - Sending MS_T120 check packet
  10.192.99.137 - VULNERABLE - got appid

• false positive (Windows Server 2016):

  ...
  [ ] [10.221.128.60]:3389 - STARTTLS starting TLS ...
  [ ] [10.221.128.60]:3389 - subject = ***
  [+] [10.221.128.60]:3389 - connection established: using SSL
  [+] [10.221.128.60]:3389 - version = v7.8
  [ ] [10.221.128.60]:3389 - License error alert from server: Invalid client
  10.221.128.60 - VULNERABLE - got appid

The false positive is missing the part "Sending MS_T120 check packet", i.e. that special request might not have been sent at all but instead the return code from the licensing error could be what triggers the detection result. The original scanner by zerosum0x0 shows the same behaviour.

PS: Thank you for the fast fix on issue #8.

[ruudhanegraaf]

Just came here to report the same issue. Using the console option circumvents it in zero's fork. https://github.com/zerosum0x0/CVE-2019-0708/issues/16#issue-459354642

I'm a Windows guy however, so I'd prefer to use rdpscan. :-)

Have been using it for a couple of weeks now. Your work is much appreciated. :-)

[cnotin]

I confirm the issue and its reason!

[notwhy]

same question , please fix it.