Hacking Microsoft Remote Desktop Services for Fun and Profit

Presentation from RECon 2011

  1. Hacking Microsoft Remote Desktop Services for Fun and Profit
     Alisa Esage

  2. Who am I?
     Reverse engineer since …
     Founder, CEO, Esage Lab, operating in Russia: cyber incident response, software security auditing, technical training (soon)
     Co-founder, sponsor, {neйron}, Moscow’s hackerspace
     Ex malware analyst, major AV vendor

  3. Why %subj?
     Trending: professional cyber robbery based on remote desktop access
     Illicit money transfers via a remote banking application
     An attacker wants to operate within the active user’s session without interfering with the user
     VNC module for Zeus: costs $$$, based on GPL uVNC
     What about Microsoft Terminal Services?

  4. Microsoft Terminal Services
     A powerful remote access technology, available since NT4
     Two fundamental applications: Remote Desktop and Remote Assistance

  5. Remote Desktop
     Allows users to log in remotely
     Pre-installed in almost any Windows
     Stable, easy, powerful; clients exist for any OS
     Full-featured only on Servers
     Restricted on Workstations: only one user at a time can be logged in, either at the console or remotely

     Remote Assistance
     Allows a console user’s desktop to be shared with an authorized helper
     Allows the helper to “interact” (control)
     Msra.exe (sessmgr.exe previously)
     User-initiated assistance: via tickets, dynamic port
     Offered assistance: msra.exe /offerra, RPC request to port 135, domain environment only

  6. Challenges
     Allow multiple user sessions
     Allow a concurrent terminal session for the active console user
     Bypass logon auth
     Monitor/control the console session

  7. Basic assumptions
     We already have code execution on the target
       Too many RCE exploits in the wild today to consider it a challenge
     We already have local admin privilege on the target
       Never been a problem for malware developers (says an ex AV employee)
       Plenty of buggy system-level software to develop an EoP exploit
     Speaking about architecture, I mean Windows 7 if not stated otherwise

  8. State of the %subj
     Previous research
       Remote Desktop functionality enhancement patches for workstation users
       Cw2k, Remko Weijnen and others
       Limited OS support
       No auth bypass, no control over the console session
     Malware based on Remote Desktop Services
       Just launch the service, then log in via an added user account

  9. Key modules: Terminal Services
     Termsrv.dll: service binary, RPC provider, hosted by svchost.exe
     Termdd.sys: core device driver, network listener, wrapped by icaapi.dll
     End-user executables
       msra.exe – remote assistance
       mstsc.exe – RDP client

  10. Key modules: RDP protocol stack
      Rdpwd.sys: tunnels the remote user’s mouse and keyboard; wrapped by rdpwsx.dll, configured by rdpcfgex.dll
      Rdpdd.dll: graphics redirection to the remote user
      Tdtcp.sys: packages RDP data into TCP/IP

  11. Challenges #1-2
      Allow multiple user sessions; allow a concurrent terminal session for the active console user

  12. Remote Desktop connection details
      Termdd.sys accepts a network connection on port 3389 and creates a per-connection instance of the RDP protocol stack
      New smss.exe and csrss.exe are spawned
      Per-session win32k.sys window manager
      Winlogon.exe displays the logon prompt
      On successful logon, userinit.exe and explorer.exe are started (or their registry-defined substitutes)

  13. Solution
      Surprise: the Terminal Services module is full-featured on ALL Windows!
      Feature restrictions are caused by explicit version checks:
        Winlogon.exe: IsProfessionalTerminalServer() { GetVersionExW() … }
        Termsrv.dll XP: gbServer, g_bPersonalTS
        Termsrv.dll Vista+: CSessionArbitrationHelper::IsSingleSessionPerUserEnabled()

  14. Solution (contd.)
      So we fool Windows into thinking that it is a server
      Inline patching in real-time (no file modifications):
        Hook GetVersionExW() in the context of winlogon.exe to return the proper value
        Set global variables in termsrv.dll
        Some more patches in termsrv.dll

  15. Solution (contd.)
      Configure the terminal server
        SYSTEM\CurrentControlSet\Control\Terminal Server:
          fDenyTSConnections = 0, TSAppCompat = 0, TSEnabled = 1
        Licensing Core:
          EnableConcurrentSessions = 0
        WinStations\RDP-Tcp:
          fEnableWinStation = 1, MaxInstanceCount = 0xFFFFFFFF
        SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
          AllowMultipleTSSessions = 1
        SYSTEM\CurrentControlSet\Control\Lsa:
          LimitBlankPasswordUse = 0

  16. Solution (contd.)
      Add local users to the “Remote Desktop Users” group
        GetGroupNameBySid(L"S-1-5-32-555");
        NetLocalGroupAddMembers();
      Allow Terminal Services through the firewall
        WindowsFirewallPortAdd(...3389...);
      Done
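As an added defensive example (not part of the presentation): a PowerShell audit that reads the registry values slides 15 and 16 set and lists the members of the group resolved from SID S-1-5-32-555, so a defender can spot a workstation that has been reconfigured this way. It assumes Windows 7 or later and an elevated prompt; the function names are my own.

```powershell
# Audit script added for defenders; the values below are the ones the slides set.
# A single match is often legitimate (fDenyTSConnections = 0 just means RDP is on);
# AllowMultipleTSSessions = 1, MaxInstanceCount = 0xFFFFFFFF and
# LimitBlankPasswordUse = 0 together on a workstation deserve investigation.
$TsBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$checks = @(
    @{ Key = $TsBase;                          Name = 'fDenyTSConnections';       Set = 0 }
    @{ Key = $TsBase;                          Name = 'TSAppCompat';              Set = 0 }
    @{ Key = $TsBase;                          Name = 'TSEnabled';                Set = 1 }
    @{ Key = "$TsBase\Licensing Core";         Name = 'EnableConcurrentSessions'; Set = 0 }
    @{ Key = "$TsBase\WinStations\RDP-Tcp";    Name = 'fEnableWinStation';        Set = 1 }
    @{ Key = "$TsBase\WinStations\RDP-Tcp";    Name = 'MaxInstanceCount';         Set = 4294967295 }  # 0xFFFFFFFF
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AllowMultipleTSSessions'; Set = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                  Name = 'LimitBlankPasswordUse';   Set = 0 }
)

function Get-TsAuditFindings {
    # Returns one object per value that matches the weakened setting from the slides
    $findings = @()
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }            # value absent: the Windows default applies
        $val = [int64]$item.($c.Name)
        if ($val -lt 0) { $val += 4294967296 }       # REG_DWORD arrives as Int32, so 0xFFFFFFFF reads as -1
        if ($val -eq $c.Set) {
            $findings += [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = $val }
        }
    }
    return $findings
}

function Get-RemoteDesktopUsers {
    # Resolve the group by SID, as slide 16 does, so a localized group name still works
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value -replace '^BUILTIN\\', ''
    $group = [ADSI]"WinNT://./$name,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

Get-TsAuditFindings | Format-Table -AutoSize
Write-Host 'Members of Remote Desktop Users:'
Get-RemoteDesktopUsers
```

Compare the member list against the accounts you expect; an unfamiliar local account here matches the "added user account" technique of slide 8.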
  17. Challenge #3
      Bypass logon auth

  18. Solution
      Msv1_0.dll (Microsoft Authentication Package)
      LsaApLogonUserEx2():
        call MsvpPasswordValidate(x,x,x,x,x,x,x)
        test al, al
        jz @@STATUS_WRONG_PASSWORD
      Patch it!

  19. Challenge #4
      Monitor/control the console session

  20. Solution #1
      Remote Assistance (msra.exe) relies upon rdpencom.dll (RdpComApi 1.0 Type Library)
      The API is documented! IRDPSRAPISharingSession, IRDPSRAPIViewer
        m_pRdpSession = new RDPSession();
        m_pRdpSession.OnAttendeeConnected += new _IRDPSessionEvents_OnAttendeeConnectedEventHandler(OnAttendeeConnected);
        m_pRdpSession.Open();
      Available since Vista only, so we are not happy yet…

  21. Shadow.exe
      Exists in all Windows since NT4!
      Only works for Server targets
      Must be launched from within a terminal session
      Needs the target user’s permission to connect

  22. Connection request details
      Shadow.exe:
        WinStationShadow() @winsta.dll
        RpcShadow() @termsrv.dll
      termsrv.dll:
        CShadowTarget::ShadowTargetWorker()
        CDefaultSessionArbitrationHelper::Sessions_SendRequestToSession()
        CDefaultSessionArbitrationHelper::GetRequestDialogObject()
        …
      ShadowTargetWorker():
        cmp [ebp+var_528], IDYES
        jz short @@OK_DOSHADOW
        mov esi, 0D00A002Ah
        jmp @@ACCESS_DENIED

  23. Solution #2
      We’ve already turned a workstation into a server!
      So shadow.exe just works
      Patch the dialog box that requests the user’s permission:
      Hook MessageBoxTimeoutW() @csrss.exe:
        if (!wcsncmp(MsgText + i, GetComputerNameW()…))
        { // don't display the dialog box
          M_FREE(Text);
          return IDYES; }

  24. So…
      2 hooks + 3-4 inline patches vs. xxx xxx KB of custom heavy code
      Seemingly complicated problems may have trivial solutions
      Operating systems have plenty of code and functionality which can be re-used for offensive purposes with minimum mess

  25. PoC limitations
      Requires Local Administrator privilege
      Auth bypass trick fails on Vista SP0 only
      Shadow.exe trick fails on Vista
      Auth bypass affects local logon

  26. THANK YOU
      Questions?