
Hacking Microsoft Remote Desktop Services for Fun and Profit


Presentation Transcript


  1. Hacking Microsoft Remote Desktop Services for Fun and Profit
     Alisa Esage

  2. Who am I?
     • Reverse engineer since …
     • Founder, CEO, Esage Lab
       • operating in Russia
       • cyber incident response, software security auditing, technical training
       • (soon) MALWAS.com
     • Co-founder, sponsor, {neйron}
       • Moscow’s hackerspace
     • Ex malware analyst, major AV vendor

  3. Why %subj?
     • Trending: professional cyber robbery based on remote desktop access
       • Illicit money transfers via a remote banking application
       • The attacker wants to operate inside the active user’s session without interfering with the user
     • VNC module for Zeus
       • Costs $$$
       • Based on the GPL uVNC
     • What about Microsoft Terminal Services?

  4. Microsoft Terminal Services
     • A powerful remote access technology
     • Available since NT4
     • Two fundamental applications:
       • Remote Desktop
       • Remote Assistance

  5. Remote Desktop
     • Allows users to log in remotely
     • Pre-installed in almost any Windows
     • Stable, easy, powerful; clients exist for any OS
     • Full-featured only on Servers
     • Restricted on Workstations
       • only one user at a time can be logged in, either at the console or remotely

  6. Remote Assistance
     • Allows a console user to share their desktop with an authorized helper
     • Allows the helper to “interact” (take control)
     • Msra.exe (sessmgr.exe previously)
     • User-initiated assistance
       • Via tickets
       • Dynamic port
     • Offered assistance
       • msra.exe /offerra
       • RPC request to port 135
       • Domain environment only

  7. Challenges
     • Allow multiple user sessions
     • Allow a concurrent terminal session for the active console user
     • Bypass logon auth
     • Monitor/control the console session

  8. Basic assumptions
     • We already have code execution on the target
       • Too many RCE exploits in the wild today to consider it a challenge
     • We already have local admin privilege on the target
       • Never been a problem for malware developers (says an ex AV employee)
       • Plenty of buggy system-level software to develop an EoP exploit against
     • When I speak about architecture I mean Windows 7, unless stated otherwise

  9. State of the %subj
     • Previous research
       • Remote Desktop functionality enhancement patches for workstation users
       • Cw2k, Remko Weijnen and others
       • Limited OS support
       • No auth bypass, no control over the console session
     • Malware based on Remote Desktop Services
       • Just launch the service, then log in via an added user account

  10. Key modules: Terminal Services
     • Termsrv.dll
       • service binary, RPC provider
       • hosted by svchost.exe
     • Termdd.sys
       • core device driver, network listener
       • wrapped by icaapi.dll
     • End-user executables
       • msra.exe – remote assistance
       • mstsc.exe – RDP client

  11. Key modules: RDP protocol stack
     • Rdpwd.sys
       • Tunnels the remote user’s mouse and keyboard
       • Wrapped by rdpwsx.dll
       • Configured by rdpcfgex.dll
     • Rdpdd.dll
       • Graphics redirection to the remote user
     • Tdtcp.sys
       • Packages RDP data into TCP/IP

  12. Challenges #1-2: Allow multiple user sessions; allow a concurrent terminal session for the active console user

  13. Remote Desktop connection details
     • Termdd.sys accepts a network connection on port 3389 and creates a per-connection instance of the RDP protocol stack
     • A new session is created: new smss.exe and csrss.exe instances are spawned
     • Per-session win32k.sys window manager
     • Winlogon.exe displays the logon prompt
     • On successful logon, userinit.exe and explorer.exe are started (or their registry-defined substitutes)

  14. Solution
     • Surprise: the Terminal Services module is full-featured on ALL Windows editions!
     • The feature restrictions are caused by explicit version checks:
         Winlogon.exe:           IsProfessionalTerminalServer() { GetVersionExW() … }
         Termsrv.dll (XP):       gbServer, g_bPersonalTS
         Termsrv.dll (Vista+):   CSessionArbitrationHelper::IsSingleSessionPerUserEnabled()

  15. Solution (contd.)
     • So we fool Windows into thinking it is a server
     • Inline patching at run time (no file modifications):
       • Hook GetVersionExW() in the context of winlogon.exe to return the “proper” value
       • Set the global variables in termsrv.dll
       • Some more patches in termsrv.dll

  16. Solution (contd.)
     • Configure the terminal server
         SYSTEM\CurrentControlSet\Control\Terminal Server:
           fDenyTSConnections = 0, TSAppCompat = 0, TSEnabled = 1
         SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core:
           EnableConcurrentSessions = 0
         SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp:
           fEnableWinStation = 1, MaxInstanceCount = 0xFFFFFFFF
         SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
           AllowMultipleTSSessions = 1
         SYSTEM\CurrentControlSet\Control\Lsa:
           LimitBlankPasswordUse = 0   (lets accounts with a blank password log on over the network)

  17. Solution (contd.)
     • Add local users to the “Remote Desktop Users” group
         GetGroupNameBySid(L"S-1-5-32-555");
         NetLocalGroupAddMembers();
     • Allow Terminal Services through the firewall
         WindowsFirewallPortAdd(...3389...);
     • Done
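As an added check (example code written for this edit, not part of the talk or its PoC), the following PowerShell script audits the local machine for the registry values, group membership and firewall opening that slides 16-17 describe. The registry paths and value names are the ones on slide 16 and the group SID is the one on slide 17; the helper names (ConvertTo-UInt32, Get-RdpRegistryIndicators, Get-RemoteDesktopUsersMembers, Get-Rdp3389AllowRules) are this example's own. Several of these settings also occur on hosts where RDP was enabled legitimately, so the output is triage data rather than a verdict.

```powershell
# Added audit example for slides 16-17 (not code from the talk). Run elevated.

function ConvertTo-UInt32 {
    # REG_DWORD values come back from Get-ItemProperty as signed Int32,
    # so 0xFFFFFFFF reads as -1; normalise before comparing.
    param([object]$Value)
    if ($null -eq $Value) { return $null }
    return [uint32](([int64]$Value) -band [int64][uint32]::MaxValue)
}

function Get-RdpRegistryIndicators {
    # One row per value the PoC writes (slide 16); PocValue is what the PoC sets.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $checks = @(
        @{ Path = $ts;                       Name = 'fDenyTSConnections';       PocValue = 0 },
        @{ Path = $ts;                       Name = 'TSAppCompat';              PocValue = 0 },
        @{ Path = $ts;                       Name = 'TSEnabled';                PocValue = 1 },
        @{ Path = "$ts\Licensing Core";      Name = 'EnableConcurrentSessions'; PocValue = 0 },
        @{ Path = "$ts\WinStations\RDP-Tcp"; Name = 'fEnableWinStation';        PocValue = 1 },
        @{ Path = "$ts\WinStations\RDP-Tcp"; Name = 'MaxInstanceCount';         PocValue = [uint32]::MaxValue },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AllowMultipleTSSessions'; PocValue = 1 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                  Name = 'LimitBlankPasswordUse';   PocValue = 0 }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $observed = if ($item) { ConvertTo-UInt32 $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Key      = "$($c.Path)\$($c.Name)"
            Observed = $observed
            PocValue = [uint32]$c.PocValue
            Matches  = ($null -ne $observed) -and ($observed -eq [uint32]$c.PocValue)
        }
    }
}

function Get-RemoteDesktopUsersMembers {
    # BUILTIN\Remote Desktop Users is S-1-5-32-555 (slide 17). Get-LocalGroupMember exists
    # on Windows 10 / Server 2016 and later; fall back to ADSI on older builds.
    try {
        return @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction Stop | Select-Object -ExpandProperty Name)
    } catch {
        $sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-555')
        $groupName = ($sid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
        $group = [ADSI]"WinNT://./$groupName,group"
        return @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
    }
}

function Get-Rdp3389AllowRules {
    # Enabled inbound allow rules whose port filter includes 3389.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {   # NetSecurity module, Windows 8+
        Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
            Select-Object Name, DisplayName, Profile
    } else {                                                                # Windows 7: netsh text output
        netsh advfirewall firewall show rule name=all | Select-String -Pattern '3389' -Context 8, 0
    }
}

$reg = Get-RdpRegistryIndicators
$reg | Format-Table Key, Observed, PocValue, Matches -AutoSize
'Remote Desktop Users members: ' + ((Get-RemoteDesktopUsersMembers) -join ', ')
Get-Rdp3389AllowRules
$hits = @($reg | Where-Object { $_.Matches }).Count
if ($hits -ge 6) { Write-Warning "$hits of 8 values match the PoC's configuration; review the members and rules above" }
```

The warning threshold of 6 is arbitrary: fDenyTSConnections = 0 and an allow rule for 3389 are normal on any host where Remote Desktop was switched on deliberately, while AllowMultipleTSSessions = 1 on a workstation and LimitBlankPasswordUse = 0 are the values worth a closer look.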

  18. Challenge #3: Bypass logon auth

  19. Solution
     • Msv1_0.dll (Microsoft Authentication Package)
     • LsaApLogonUserEx2():
         call    MsvpPasswordValidate(x,x,x,x,x,x,x)
         test    al, al
         jz      @@STATUS_WRONG_PASSWORD
     • Patch it! (patch the conditional jump so the wrong-password branch is never taken: any password is then accepted)

  20. Challenge #4: Monitor/control the console session

  21. Solution #1
     • Remote Assistance (msra.exe) relies upon rdpencom.dll (RdpComApi 1.0 Type Library)
     • The API is documented! IRDPSRAPISharingSession, IRDPSRAPIViewer
         m_pRdpSession = new RDPSession();
         m_pRdpSession.OnAttendeeConnected +=
             new _IRDPSessionEvents_OnAttendeeConnectedEventHandler(OnAttendeeConnected);
         m_pRdpSession.Open();
     • Available since Vista only, so we are not happy yet…

  22. Shadow.exe
     • Exists in all Windows since NT4!
     • Only works against Server targets
     • Must be launched from within a terminal session
     • Needs the target user’s permission to connect

  23. Connection request details
     Shadow.exe:
       WinStationShadow() @ winsta.dll
       RpcShadow() @ termsrv.dll
     termsrv.dll:
       CShadowTarget::ShadowTargetWorker()
       CDefaultSessionArbitrationHelper::Sessions_SendRequestToSession()
       CDefaultSessionArbitrationHelper::GetRequestDialogObject()
       …
     ShadowTargetWorker():
         cmp     [ebp+var_528], IDYES
         jz      short @@OK_DOSHADOW
         mov     esi, 0D00A002Ah
         jmp     @@ACCESS_DENIED

  24. Solution #2
     • We’ve already turned the workstation into a server!
     • So shadow.exe just works
     • Patch the dialog box that requests the user’s permission: hook MessageBoxTimeoutW() in csrss.exe
         if (!wcsncmp(MsgText + i, GetComputerNameW()…)) {
             // don't display the dialog box
             M_FREE(Text);
             return IDYES;
         }
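The three in-memory modifications in this talk (the GetVersionExW hook in winlogon.exe on slide 15, the jump patch in msv1_0.dll on slide 19, the MessageBoxTimeoutW hook in csrss.exe on slide 24) all leave code bytes in the target process that differ from the clean image. The following PowerShell script, an added example that is not the author's code, compares a module's code section in a target process with the same module mapped into the current process. Windows relocates a DLL once per boot and shares the mapping, so the two copies normally match byte for byte and any differing range is a hook or patch to examine. The function names (Get-CodeSection, Compare-ModuleCode) and the P/Invoke wrapper are this example's own.

```powershell
# Added example (not the talk's code): compare a module's code section in a target
# process with the same module mapped into this process. Run elevated, with a
# PowerShell whose bitness matches the target process.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-CodeSection {
    # Walk the PE headers of a mapped image; return the first section flagged
    # IMAGE_SCN_CNT_CODE (0x20) as @{ Rva; Size }.
    param([IntPtr]$Base)
    $m = [System.Runtime.InteropServices.Marshal]
    $pe = $m::ReadInt32($Base, 0x3C)                                     # IMAGE_DOS_HEADER.e_lfanew
    if ($m::ReadInt32($Base, $pe) -ne 0x4550) { throw 'not a PE image' }  # "PE\0\0"
    $nSections = $m::ReadInt16($Base, $pe + 6)                           # IMAGE_FILE_HEADER.NumberOfSections
    $optSize   = $m::ReadInt16($Base, $pe + 20)                          # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $table     = $pe + 24 + $optSize                                     # first IMAGE_SECTION_HEADER (40 bytes each)
    for ($i = 0; $i -lt $nSections; $i++) {
        $h = $table + 40 * $i
        if (($m::ReadInt32($Base, $h + 36) -band 0x20) -ne 0) {          # Characteristics
            return @{ Rva = $m::ReadInt32($Base, $h + 12); Size = $m::ReadInt32($Base, $h + 8) }
        }
    }
    throw 'no code section found'
}

function Compare-ModuleCode {
    param([int]$TargetPid, [string]$ModuleName)
    $m = [System.Runtime.InteropServices.Marshal]
    # Modules is enumerated first on purpose: the .NET Process class enables SeDebugPrivilege
    # in this process's token while doing so, which the later OpenProcess on winlogon relies on.
    $remote = (Get-Process -Id $TargetPid).Modules |
        Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
    if (-not $remote) { throw "$ModuleName is not loaded in PID $TargetPid" }
    # 1 = DONT_RESOLVE_DLL_REFERENCES: map a clean copy here without running DllMain.
    $local = [Win32.Native]::LoadLibraryExW($ModuleName, [IntPtr]::Zero, 1)
    if ($local -eq [IntPtr]::Zero) { throw "LoadLibraryExW($ModuleName) failed, error $($m::GetLastWin32Error())" }
    if ($remote.BaseAddress.ToInt64() -ne $local.ToInt64()) {
        throw 'module bases differ between the two processes; a byte comparison would be meaningless'
    }
    $sec = Get-CodeSection -Base $local
    $expected = New-Object byte[] $sec.Size
    $observed = New-Object byte[] $sec.Size
    $m::Copy([IntPtr]($local.ToInt64() + $sec.Rva), $expected, 0, $sec.Size)

    $hProc = [Win32.Native]::OpenProcess(0x0410, $false, $TargetPid)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($TargetPid) failed, error $($m::GetLastWin32Error())" }
    try {
        $read = [IntPtr]::Zero
        $ok = [Win32.Native]::ReadProcessMemory($hProc, [IntPtr]($remote.BaseAddress.ToInt64() + $sec.Rva),
                                                $observed, $sec.Size, [ref]$read)
        if (-not $ok -or $read.ToInt64() -ne $sec.Size) { throw "ReadProcessMemory failed, error $($m::GetLastWin32Error())" }
    } finally { [void][Win32.Native]::CloseHandle($hProc) }

    # Quick exit when identical; otherwise report each differing range with both byte strings.
    if ([Convert]::ToBase64String($expected) -eq [Convert]::ToBase64String($observed)) { return @() }
    $diffs = @(); $i = 0
    while ($i -lt $sec.Size) {
        if ($expected[$i] -eq $observed[$i]) { $i++; continue }
        $start = $i
        while ($i -lt $sec.Size -and $expected[$i] -ne $observed[$i]) { $i++ }
        $diffs += [pscustomobject]@{
            Module   = $ModuleName
            Rva      = '0x{0:X}' -f ($sec.Rva + $start)
            Length   = $i - $start
            Expected = ($expected[$start..($i - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
            Observed = ($observed[$start..($i - 1)] | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        }
    }
    return $diffs
}

# Usage: the places the talk patches or hooks (TermService runs inside an svchost.exe).
$ts = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId
Compare-ModuleCode -TargetPid $ts -ModuleName 'termsrv.dll'
Compare-ModuleCode -TargetPid (Get-Process winlogon | Select-Object -First 1).Id -ModuleName 'kernel32.dll'
Compare-ModuleCode -TargetPid (Get-Process csrss | Select-Object -First 1).Id -ModuleName 'user32.dll'
Compare-ModuleCode -TargetPid (Get-Process lsass).Id -ModuleName 'msv1_0.dll'
```

Two caveats. The comparison covers the code section only, so a hook installed by rewriting an import table entry in winlogon.exe (rather than the first bytes of GetVersionExW in kernel32.dll) is not detected; comparing the importing module's .idata against a fresh mapping would be the equivalent check. And the read itself is refused for protected processes: csrss.exe on Windows 8.1 and later, and lsass.exe once RunAsPPL is enabled. On the Windows 7 targets the talk covers, an elevated PowerShell is enough.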

  25. So…
     • 2 hooks + 3-4 inline patches
       • vs. xxx xxx KB of custom heavy code
     • Seemingly complicated problems may have trivial solutions
     • Operating systems have plenty of code and functionality that can be re-used for offensive purposes with minimum mess

  26. PoC limitations
     • Requires Local Administrator privilege
     • The auth bypass trick fails on Vista SP0 only
     • The shadow.exe trick fails on Vista
     • The auth bypass also affects local logon

  27. Questions? THANK YOU
