Nmap Development mailing list archives
[NSE][PR] Address exception and decoding issue in rdp-enum-encryption #1611
From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 28 May 2019 08:25:17 -0500
All, I'm tossing this email at the list as an FYI for a PR that should help folks who are auditing their networks for the recent RDP vuln (CVE-2019-0708). It doesn't add support for checking for the vulnerability, but it should improve the results when scanning against Windows XP as well as clarify that CredSSP is NLA.

Address exception and decoding issue in rdp-enum-encryption #1611
https://github.com/nmap/nmap/pull/1611

Here's the description in the PR (sorry for the formatting):

This PR addresses a few bugs in RDP protocol parsing in scripts/rdp-enum-encryption.nse and nselib/rdp.lua. It should also address the following issue:

Feature Request: rdp-enum-encryption should check if NLA is required #174 - https://github.com/nmap/nmap/issues/174

Exception vs Windows XP

There was an exception caused by rdp-enum-encryption.nse attempting to unpack data that doesn't exist. This was noticed when running the script against Windows XP SP3, which doesn't return a certain layer in the protocol during the initial negotiation packet exchange.
Testing

sudo nmap -sSVC -p 3389 --script=rdp-enum-encryption -vvvv -d2 <target>

Before fix

<snip>
NSE: rdp-enum-encryption M:559f23dc78f8 against 192.168.200.196:3389 threw an error!
.../local/bin/../share/nmap/scripts/rdp-enum-encryption.nse:74: bad argument #2 to 'unpack' (data string too short)
stack traceback:
        [C]: in function 'string.unpack'
        .../local/bin/../share/nmap/scripts/rdp-enum-encryption.nse:74: in upvalue 'enum_protocols'
        .../local/bin/../share/nmap/scripts/rdp-enum-encryption.nse:152: in function <.../local/bin/../share/nmap/scripts/rdp-enum-encryption.nse:149>
        (...tail calls...)
<snip>

PORT     STATE SERVICE       REASON          VERSION
3389/tcp open  ms-wbt-server syn-ack ttl 128 Microsoft Terminal Services

After fix

PORT     STATE SERVICE       REASON          VERSION
3389/tcp open  ms-wbt-server syn-ack ttl 128 Microsoft Terminal Services
| rdp-enum-encryption:
|   Security layer
|     CredSSP: Unknown
|     Native RDP: Unknown
|     SSL: Unknown
|   RDP Encryption level: Unknown
|     128-bit RC4: SUCCESS
|_    FIPS 140-1: FAILURE

Incorrectly decoding ServerData

The existing code was incorrectly decoding the ServerData section of the ConferenceCreateResponse packet. This was due to assuming a certain block was a fixed size. This broke when certain optional fields were included. The impact was that certain encryption level options were not being detected. This primarily impacted Windows XP.
The fix was adding decoding of the type and lengths for the sections in ServerData.

Before fix

Technically, before the fix this section was empty due to the first bug fixed above. But after fixing that bug, here is what the output looked like.

3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption:
|   RDP Encryption level: Unknown
|     128-bit RC4: SUCCESS
|_    FIPS 140-1: FAILURE

After fix

PORT     STATE SERVICE       REASON
3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption:
|   Security layer
|     CredSSP: Unknown
|     Native RDP: Unknown
|     SSL: Unknown
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|_    FIPS 140-1: FAILURE

Added output

- Now that ServerData is being decoded we can determine which RDP protocol is being advertised. When detected, this will now show up in the RDP Protocol Version: section. Since the library doesn't currently support TLS negotiation, this will be missing for hosts that require TLS until this feature is added. The same applies for CredSSP.
- In the Security layer section of the output, CredSSP has been changed to CredSSP (NLA) to clarify that this is NLA for those who are using the script to audit networks for things like CVE-2019-0708.
- CredSSP with Early User Auth and RDSTLS have been added.

Output

Windows XP SP3

3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): Unknown
|     CredSSP with Early User Auth: Unknown
|     Native RDP: Unknown
|     RDSTLS: Unknown
|     SSL: Unknown
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: FAILURE
|_  RDP Protocol Version: RDP 5.x, 6.x, 7.x, or 8.x server

Windows 2008 with NLA optional and configured for client compatible ciphers

3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: Client Compatible
|     40-bit RC4: SUCCESS
|     56-bit RC4: SUCCESS
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version: RDP 5.x, 6.x, 7.x, or 8.x server

Windows 2019

3389/tcp open  ms-wbt-server syn-ack ttl 128
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: FAILED (HYBRID_REQUIRED_BY_SERVER)
|     RDSTLS: SUCCESS
|_    SSL: FAILED (HYBRID_REQUIRED_BY_SERVER)

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
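As a worked illustration of the ServerData decoding fix described in the message above (added here; this is not the PR's code nor anything from nselib/rdp.lua), the following Python walks the ConferenceCreateResponse user-data blocks by their TS_UD_HEADER type and length fields instead of assuming a fixed block size. It assumes the MS-RDPBCGR block-type, encryption-method and encryption-level values and feeds constructed sample payloads, so it runs offline without any RDP host.

```python
import struct

# TS_UD_HEADER block types carried in the ConferenceCreateResponse ServerData (MS-RDPBCGR 2.2.1.4)
SC_CORE, SC_SECURITY, SC_NET = 0x0C01, 0x0C02, 0x0C03
ENC_LEVELS = {0: "None", 1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS 140-1"}
ENC_METHODS = {0x01: "40-bit RC4", 0x02: "128-bit RC4", 0x08: "56-bit RC4", 0x10: "FIPS 140-1"}

def parse_server_data(buf):
    """Walk ServerData block by block using each header's own length, not fixed offsets.

    Returns {block_type: body_bytes}. A truncated or malformed block raises ValueError
    here, instead of surfacing later as a short read inside an unpack call.
    """
    blocks, off = {}, 0
    while off + 4 <= len(buf):
        btype, blen = struct.unpack_from("<HH", buf, off)  # type, total length (little-endian)
        if blen < 4 or off + blen > len(buf):
            raise ValueError("malformed user data block at offset %d" % off)
        blocks[btype] = buf[off + 4:off + blen]
        off += blen
    return blocks

def summarize(buf):
    """Extract the fields rdp-enum-encryption reports from a ServerData payload."""
    blocks, result = parse_server_data(buf), {}
    core = blocks.get(SC_CORE)
    if core is not None and len(core) >= 4:
        result["version"] = struct.unpack_from("<I", core)[0]  # 0x00080004 = RDP 5.x and later
    sec = blocks.get(SC_SECURITY)
    if sec is not None and len(sec) >= 8:
        method, level = struct.unpack_from("<II", sec)
        result["level"] = ENC_LEVELS.get(level, "Unknown")
        result["methods"] = [name for bit, name in ENC_METHODS.items() if method & bit]
    return result

def build_block(btype, body):
    """Wrap a body in a TS_UD_HEADER (the length field counts the 4-byte header itself)."""
    return struct.pack("<HH", btype, 4 + len(body)) + body

# Constructed samples (not captured from a real host). SC_SECURITY advertises methods 0x0B
# (40/56/128-bit RC4) at level 2 (Client Compatible); serverRandom/certificate are omitted.
_NET = build_block(SC_NET, struct.pack("<HH", 1003, 0))  # MCSChannelId, channelCount
_SEC = build_block(SC_SECURITY, struct.pack("<II", 0x0B, 2))
# SC_CORE with the optional clientRequestedProtocols field present (12-byte block)...
SAMPLE_FULL_CORE = build_block(SC_CORE, struct.pack("<II", 0x00080004, 0x1)) + _NET + _SEC
# ...and SC_CORE carrying only the mandatory version field (8-byte block).
SAMPLE_SHORT_CORE = build_block(SC_CORE, struct.pack("<I", 0x00080004)) + _NET + _SEC

if __name__ == "__main__":
    for name, sample in (("full core", SAMPLE_FULL_CORE), ("short core", SAMPLE_SHORT_CORE)):
        print(name, summarize(sample))  # both decode to the same level and methods
```

Because SC_CORE's length differs between the two samples, a parser that hard-codes where SC_SECURITY starts would read the wrong bytes for one of them; walking the headers gives the same result for both.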