Jarrod Johnson
Ixia Security Researcher

Game of Vulnerabilities: Bluekeep

May 29, 2019 by Jarrod Johnson

If you have been following what’s happening in the field of computer security, or even if you just try to keep up with the more important threats, then you’ve probably heard of the vulnerability that surfaced from the most recent Microsoft Patch Tuesday. CVE-2019-0708, more affectionately known as “Bluekeep”, is an unauthenticated remote code execution vulnerability in Windows Remote Desktop Services, known as Terminal Services on older Microsoft platforms. An attacker can essentially send the “correct” message sequence from a remote connection to an open RDP port on a vulnerable system and exploit the target machine. The nature of this vulnerability means that it is possible to craft the exploit in a way that will allow it to spread automatically to more unprotected vulnerable systems.

State of the Attack

When this patch originally dropped and news broke, both security researchers and the internet went to work. Several security-focused companies tried to re-create working proofs of concept (PoCs) to protect the public, and slowly but surely, more detailed information about the attack started to come out, as well as false information and fake PoCs. In the very beginning, GitHub and other web sites became littered with ‘Bluekeep’ or ‘CVE-2019-0708’ PoCs. We can personally attest to having investigated at least half a dozen, most of which were not even remotely related to the current vulnerability being described by Microsoft. Some sources claimed to have a working PoC but requested payment to disclose it. One did on the surface look to be targeting the correct protocol and to have the correct communication sequence, only for further investigation to show that it was a much older vulnerability that has already been patched.

Eventually, some signatures and then public scanners started to surface with the ability to confirm whether or not the target system was vulnerable to the attack. Of course, alongside these new detectors, malicious weaponized versions not targeting the actual vulnerability have also surfaced, showing that attackers are definitely taking advantage of this initial disclosure time period to try to throw their own exploits into the mix. At the time of this publication, almost all in-the-wild traffic has been scanner- and detector-based, with no real exploited versions of this attack being detected.

Technical Details

This is a use-after-free vulnerability in the Remote Desktop Protocol (RDP).

[Figure: Initial RDP communication]

Let us examine the initial RDP communication in the above figure to understand how this attack communication starts. First, we have a client-initiated X.224 message, which requests a connection to the server, followed by the server's confirmation of this connection.

Before diving into the vulnerability itself, we need to explain that the next message, the "MCS Connect Initial and GCC Create" request within the Basic Settings Exchange, contains virtual channel creation information, security-related information, and other supported RDP client capability parameters. It includes an 8-byte, null-terminated field called “channelName_N” that is used to specify the name of the channel.

Specifically, the vulnerability occurs when receiving the MCS Connect Initial and GCC Create packet. If the channel name “MS_T120\x00” is provided in the “channelName_N” field, which is not supposed to accept a duplicate of the MS_T120 name (a channel Microsoft already creates by default), and the attacker sends crafted data to this channel, a use-after-free condition can be triggered in the Windows kernel.

Recommendations & Conclusion

As the implications of a successful attack are quite severe with Bluekeep, it is imperative that all defensive measures be taken as quickly as possible. It is only a matter of time until a fully working, weaponized exploit is detected in the wild and is widely adopted. Microsoft even thought it prudent to go back and patch Windows XP, which is well past its End of Life term, because they know how critical this vulnerability is. There are several measures you can take to protect yourself from this attack.  

  • Apply the Microsoft Patch as soon as possible
  • Download and apply any vendor-based patches for security devices on your network
  • Disable the RDP protocol and port completely or specifically limit how it’s being used
  • Any connection with an MS_T120 Channel Bind Attempt can be considered malicious or at least suspicious and blocked
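
The last recommendation can be checked at the point described under Technical Details, where the client lists its channels in the “channelName_N” fields. The following is an added example, not Ixia's strike or signature code: a minimal Python check that walks the client data blocks of a GCC Create request and flags a requested channel named MS_T120. It assumes the outer TPKT/X.224/MCS/GCC framing has already been stripped; the function names, the case-insensitive match and the sample byte strings are constructed for illustration.

```python
import struct

CS_NET = 0xC003        # type of the client network data block (channel list)
RESERVED = "MS_T120"   # channel name the server already creates by default


def channel_names(client_data: bytes) -> list:
    """channelName_N values from CS_NET; input is the bare client data blocks (assumed)."""
    names, off = [], 0
    while off + 4 <= len(client_data):
        btype, blen = struct.unpack_from("<HH", client_data, off)
        # blen includes the 4-byte block header; reject impossible lengths
        if blen < 4 or off + blen > len(client_data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if btype == CS_NET:
            body = client_data[off + 4: off + blen]
            if len(body) < 4:
                raise ValueError("CS_NET block too short for channelCount")
            (count,) = struct.unpack_from("<I", body, 0)
            # each channel definition is an 8-byte name plus 4 bytes of options
            if 4 + count * 12 > len(body):
                raise ValueError("channelCount exceeds block length")
            for i in range(count):
                raw = body[4 + i * 12: 4 + i * 12 + 8]
                names.append(raw.split(b"\x00", 1)[0].decode("latin-1"))
        off += blen
    return names


def is_suspicious(client_data: bytes) -> bool:
    """True when a client asks to create a channel named MS_T120."""
    try:
        return any(n.upper() == RESERVED for n in channel_names(client_data))
    except ValueError:
        return True  # design choice: malformed channel data also raises an alert


def _block(btype: int, body: bytes) -> bytes:
    return struct.pack("<HH", btype, len(body) + 4) + body


def _cs_net(*names: str) -> bytes:
    defs = b"".join(n.encode().ljust(8, b"\x00") + struct.pack("<I", 0) for n in names)
    return _block(CS_NET, struct.pack("<I", len(names)) + defs)


# Constructed samples (not captured traffic): a dummy core block plus CS_NET
BENIGN = _block(0xC001, b"\x00" * 8) + _cs_net("rdpdr", "cliprdr", "rdpsnd")
FLAGGED = _block(0xC001, b"\x00" * 8) + _cs_net("rdpdr", "MS_T120")
```

This check only sees the channel list when the request is readable on the wire, so it belongs at a point that can see the cleartext exchange.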

Of course, the security researchers on the Ixia Application and Threat Intelligence (ATI) team already have you covered. We have verified this vulnerability against each of the Microsoft-reported vulnerable systems. We have observed the attack resulting in a Windows BSOD, as the vulnerability is in the kernel driver, termdd.sys. We have created a strike that emulates the behavior of this attack, and it will allow our customers to run a non-weaponized version against their network security to see if it can detect Bluekeep.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.