Hacking Microsoft Remote Desktop Services for Fun and Profit
Alisa Esage
Who am I?
• Reverse engineer since …
• Founder, CEO, Esage Lab
  – operating in Russia
  – cyber incident response, software security auditing, technical training
  – (soon) MALWAS.com
• Co-founder, sponsor, {neйron}
  – Moscow’s hackerspace
• Ex malware analyst, major AV vendor
Why %subj?
• Trending: professional cyber robbery based on remote desktop access
  – Illicit money transfers via a remote banking application
  – An attacker wants to operate within the active user’s session, while not interfering with the user
• VNC module for Zeus
  – Costs $$$
  – Based on GPL uVNC
• What about Microsoft Terminal Services?
Microsoft Terminal Services
• A powerful remote access technology
• Available since NT4
• Two fundamental applications:
  – Remote Desktop
  – Remote Assistance
Remote Desktop
• Allows users to log in remotely
• Pre-installed in almost any Windows
• Stable, easy, powerful; clients exist for any OS
• Full-featured only on Servers
• Restricted on Workstations
  – only one user at a time can be logged in, either at the console or remotely
Remote Assistance
• Allows sharing a console user’s desktop with an authorized helper
• Allows the helper to “interact” (take control)
• Msra.exe (sessmgr.exe previously)
  – User-initiated assistance
    • Via tickets
    • Dynamic port
  – Offered assistance
    • msra.exe /offerra
    • RPC request to port 135
    • Domain environment only
Challenges
1. Allow multiple user sessions
2. Allow a concurrent terminal session for the active console user
3. Bypass logon auth
4. Monitor/control the console session
Basic assumptions
• We already have code execution on the target
  – Too many RCE exploits in the wild today to consider it a challenge
• We already have local admin privilege on the target
  – Never been a problem for malware developers (says ex AV employee)
  – Plenty of buggy system-level software to develop an EoP exploit
• Speaking about architecture, I mean Windows 7, if not stated otherwise
State of the %subj
• Previous research
  – Remote Desktop functionality enhancement patches for workstation users
  – Cw2k, Remko Weijnen and others
  – Limited OS support
  – No auth bypass, no control over the console session
• Malware based on Remote Desktop Services
  – Just launch the service, then log in via an added user account
Key modules: Terminal Services
• Termsrv.dll – service binary, RPC provider
  – hosted by svchost.exe
• Termdd.sys – core device driver, network listener
  – wrapped by icaapi.dll
• End-user executables
  – msra.exe – remote assistance
  – mstsc.exe – RDP client
Key modules: RDP protocol stack
• Rdpwd.sys – tunnels the remote user’s mouse and keyboard
  – Wrapped by rdpwsx.dll
  – Configured by rdpcfgex.dll
• Rdpdd.dll – graphics redirection to the remote user
• Tdtcp.sys – packages RDP data into TCP/IP
CHALLENGES #1-2
Allow multiple user sessions; allow concurrent terminal session for the active console user
Remote Desktop connection details
• Termdd.sys accepts a network connection on port 3389 and creates a per-connection instance of the RDP protocol stack
• New smss.exe and csrss.exe are spawned
• Per-session win32k.sys window manager
• Winlogon.exe displays the logon prompt
• On successful logon, userinit.exe and explorer.exe are started (or their registry-defined substitutes)
Solution
• Surprise: the Terminal Services module is full-featured on ALL Windows!
• Feature restrictions are caused by explicit version checks:
  Winlogon.exe: IsProfessionalTerminalServer() { GetVersionExW() … }
  Termsrv.dll XP: gbServer, g_bPersonalTS
  Termsrv.dll Vista+: CSessionArbitrationHelper::IsSingleSessionPerUserEnabled()
Solution (contd.)
• So we fool Windows into thinking that she is a server
• Inline patching in real time (no file modifications):
  – Hook GetVersionExW() in the context of winlogon.exe to return the proper value
  – Set global variables in termsrv.dll
  – Some more patches in termsrv.dll
Solution (contd.)
• Configure the terminal server:
  SYSTEM\CurrentControlSet\Control\Terminal Server:
    fDenyTSConnections = 0, TSAppCompat = 0, TSEnabled = 1
  SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core:
    EnableConcurrentSessions = 0
  SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp:
    fEnableWinStation = 1, MaxInstanceCount = 0xFFFFFFFF
  SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
    AllowMultipleTSSessions = 1
  SYSTEM\CurrentControlSet\Control\Lsa:
    LimitBlankPasswordUse = 0
Solution (contd.)
• Add local users to the “Remote Desktop Users” group:
  GetGroupNameBySid(L"S-1-5-32-555");
  NetLocalGroupAddMembers();
• Allow Terminal Services through the firewall:
  WindowsFirewallPortAdd(...3389...);
• Done
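The registry values, group membership and firewall opening listed on the two slides above are also what a defender should audit. The script below is an added example, not part of the talk: it reads each of the listed values and reports whether it currently holds the value the talk sets, then lists the Remote Desktop Users group (located by the same well-known SID) and any enabled inbound rule opening TCP 3389. It assumes Windows PowerShell 5.1 run elevated; the function names are my own.

```powershell
# Added audit script (not from the presentation). Key paths and value names
# are the ones on the slides; function names are assumptions of this example.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$checks = @(
    @{ Path = $ts;                       Name = 'fDenyTSConnections';       Talk = 0 },
    @{ Path = $ts;                       Name = 'TSAppCompat';              Talk = 0 },
    @{ Path = $ts;                       Name = 'TSEnabled';                Talk = 1 },
    @{ Path = "$ts\Licensing Core";      Name = 'EnableConcurrentSessions'; Talk = 0 },
    @{ Path = "$ts\WinStations\RDP-Tcp"; Name = 'fEnableWinStation';        Talk = 1 },
    # 0xFFFFFFFF is read back from a REG_DWORD as the Int32 value -1
    @{ Path = "$ts\WinStations\RDP-Tcp"; Name = 'MaxInstanceCount';         Talk = -1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'AllowMultipleTSSessions'; Talk = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LimitBlankPasswordUse';   Talk = 0 }
)

function Test-TerminalServerSettings {
    foreach ($c in $checks) {
        # A missing key or value yields $null instead of terminating the loop
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Key      = $c.Path
            Value    = $c.Name
            Actual   = $actual
            AsInTalk = ($null -ne $actual -and $actual -eq $c.Talk)
        }
    }
}

function Get-RemoteDesktopUsersMembers {
    # Built-in Remote Desktop Users group, found by the SID the slide passes
    # to GetGroupNameBySid(); review any account you did not add yourself
    Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
        Select-Object Name, PrincipalSource
}

function Get-RdpInboundRules {
    # Enabled inbound rules opening TCP 3389 (cf. WindowsFirewallPortAdd on the slide)
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Profile, Action
}

Test-TerminalServerSettings    | Format-Table -AutoSize
Get-RemoteDesktopUsersMembers  | Format-Table -AutoSize
Get-RdpInboundRules            | Format-Table -AutoSize
```

On a workstation SKU, TSAppCompat = 0, AllowMultipleTSSessions = 1, MaxInstanceCount = 0xFFFFFFFF and LimitBlankPasswordUse = 0 together are the combination worth investigating; fDenyTSConnections = 0 and fEnableWinStation = 1 alone simply mean Remote Desktop is enabled.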
CHALLENGE #3
Bypass logon auth
Solution
• Msv1_0.dll (Microsoft Authentication Package)
• LsaApLogonUserEx2():
  call MsvpPasswordValidate(x,x,x,x,x,x,x)
  test al, al
  jz @@STATUS_WRONG_PASSWORD
• Patch it!
CHALLENGE #4
Monitor/control console session
Solution #1
• Remote Assistance (msra.exe) relies upon rdpencom.dll (RdpComApi 1.0 Type Library)
• API is documented! IRDPSRAPISharingSession, IRDPSRAPIViewer
  m_pRdpSession = new RDPSession();
  m_pRdpSession.OnAttendeeConnected += new _IRDPSessionEvents_OnAttendeeConnectedEventHandler(OnAttendeeConnected);
  m_pRdpSession.Open();
• Available since Vista only, so we are not happy yet…
Shadow.exe
• Exists in all Windows since NT4!
• Only works for Server targets
  – Must be launched from within a terminal session
• Needs the target user’s permission to connect
Connection request details
Shadow.exe:
  WinStationShadow() @winsta.dll
  RpcShadow() @termsrv.dll
termsrv.dll:
  CShadowTarget::ShadowTargetWorker()
  CDefaultSessionArbitrationHelper::Sessions_SendRequestToSession()
  CDefaultSessionArbitrationHelper::GetRequestDialogObject()
  …
ShadowTargetWorker():
  cmp [ebp+var_528], IDYES
  jz short @@OK_DOSHADOW
  mov esi, 0D00A002Ah
  jmp @@ACCESS_DENIED
Solution #2
• We’ve already turned a workstation into a server!
  – So shadow.exe just works
• Patch the dialog box that requests the user’s permission:
  Hook MessageBoxTimeoutW() @csrss.exe:
  if (!wcsncmp(MsgText + i, GetComputerNameW()…)) {
      // don't display the dialog box
      M_FREE(Text);
      return IDYES;
  }
So…
• 2 hooks + 3-4 inline patches – vs. xxx xxx KB of custom heavy code
• Seemingly complicated problems may have trivial solutions
• Operating systems have plenty of code and functionality which can be re-used for offensive purposes with minimum mess
PoC limitations
• Requires Local Administrator privilege
• Auth bypass trick fails on Vista SP0 only
• Shadow.exe trick fails on Vista
• Auth bypass affects local logon
THANK YOU
Questions?