Presentation from RECon 2011

1. Hacking Microsoft Remote Desktop Services for Fun and Profit Alisa Esage

2. Who am I? Reverse engineer since … Founder, CEO, Esage Lab operating in Russia cyber incident response, software security auditing, technical training (soon) MALWAS.com Co-founder, sponsor, {neйron} Moscow’s hackerspace Ex malware analyst, major AV vendor

3. Why %subj? Trending: professional cyber robbery based on remote desktop access Illicit money transfers via a remote banking application An attacker wants to operate within the active user’s session, while not intercepting with the user VNC module for Zeus Costs $$$ Based on GPL uVNC What about Microsoft Terminal Services?

4. Microsoft Terminal Services A powerful remote access technology Available since NT4 Two fundamental applications: Remote Desktop Remote Assistance

6. Challenges Allow multiple user sessions Allow concurrent terminal session for the active console user Bypass logon auth Monitor/control the console session

7. Basic assumptions We already have code execution on the target Too many RCE exploits in the wild today to consider it a challenge We already have local admin privilege on the target Never been a problem for malware developers (says ex AV employee) Plenty of buggy system-level software to develop an EoP exploit Speaking about architecture, I am meaning Windows 7, if not stated otherwise

8. State of the %subj Previous research Remote Desktop functionality enhancement patches for workstation users Cw2k, RemkoWeijnenand others Limited OS support No auth bypass, no control over the console session Malware based on Remote Desktop Services Just launch the service, then login via an added user account

9. Key modules: Terminal Services Termsrv.dll service binary, RPC provider hosted by svchost.exe Termdd.sys core device driver, network listener wrapped by icaapi.dll End-user executables msra.exe – remote assistance mstsc.exe – RDP client

10. Key modules: RDP protocol stack Rdpwd.sys Tunnel remote user’s mouse and keyboard Wrapped by rdpwsx.dll Configured by rdpcfgex.dll Rdpdd.dll Graphics redirection to the remote user Tdtcp.sys Package RDP data into TCP/IP

11. ChallengeS#1-2 Allow multiple user sessions; allow concurrent terminal session for the active console user

12. Remote Desktop connection details Termdd.sys accepts a network connection on port 3389, creates a per-connection instance of RDP protocol stack New smss.exe and csrss.exe are spawned Per-session win32k.sys window manager Winlogon.exe to display logon prompt On successful logon, userinit.exe and explorer.exe are started (or their registry-defined substitutes)

13. Solution Surprise: Terminal Services module is full-featured on ALL Windows! Feature restrictions are caused by explicit version checks: Winlogon.exe: IsProfessionalTerminalServer() { GetVersionExW() … } Termsrv.dll XP: gbServer, g_bPersonalTS Termsrv.dll Vista+: CSessionArbitrationHelper::IsSingleSessionPerUserEnabled()

14. Solution (contd.) So we fool Windows into thinking that she is a server Inline patching in real-time (no file modifications): Hook GetVersionExW() in the context of winlogon.exe to return the proper value Set global variables in termsrv.dll Some more patches in termsrv.dll

15. Solution (contd.) Configure the terminal server SYSTEMCurrentControlSetControlTerminal Server: fDenyTSConnections = 0, TSAppCompat = 0, TSEnabled = 1 Licensing Core: EnableConcurrentSessions = 0 WinStationsRDP-Tcp: fEnableWinStation = 1, MaxInstanceCount = 0xFFFFFFFF SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon: AllowMultipleTSSessions = 1 SYSTEMCurrentControlSetControlLsa: LimitBlankPasswordUse = 0

16. Solution (contd.) Add local users to “Remote Desktop Users” group GetGroupNameBySid(L"S-1-5-32-555"); NetLocalGroupAddMembers(); Allow Terminal Services through the firewall WindowsFirewallPortAdd(...3389...); Done

17. Challenge #3 Bypass logon auth

18. Solution Msv1_0.dll (Microsoft Authentication Package) LsaApLogonUserEx2(): call MsvpPasswordValidate(x,x,x,x,x,x,x) test al, al jz@@STATUS_WRONG_PASSWORD Patch it!

19. Challenge #4 Monitor/control console session

20. Solution #1 Remote Assistance (msra.exe) relies upon rdpencom.dll (RdpComApi 1.0 Type Library) API is documented! IRDPSRAPISharingSession, IRDPSRAPIViewer m_pRdpSession = new RDPSession(); m_pRdpSession.OnAttendeeConnected += new _IRDPSessionEvents_OnAttendeeConnectedEventHandler(OnAttendeeConnected); m_pRdpSession.Open(); Available since Vista only, so we are not happy yet…

21. Shadow.exe Exists in all Windows since NT4! Only works for Server targets Must be launched from within a terminal session Needs target user’s permission to connect

22. Connection request details Shadow.exe: WinStationShadow() @winsta.dll RpcShadow() @termsrv.dll termsrv.dll: CShadowTarget::ShadowTargetWorker()CDefaultSessionArbitrationHelper::Sessions_SendRequestToSession() CDefaultSessionArbitrationHelper::GetRequestDialogObject() … ShadowTargetWorker(): cmp [ebp+var_528], IDYES jz short @@OK_DOSHADOW movesi, 0D00A002Ah jmp @@ACCESS_DENIED

23. Solution #2 We’ve already tuned a workstation into a server! So shadow.exe just works Patch the dialog box that requests user’s permission: Hook MessageBoxTimeoutW() @csrss.exe: If (!wcsncmp(MsgText+ i, GetComputerNameW()…)) { // don't display the dialog box M_FREE(Text); return IDYES; }

24. So… 2 hooks + 3-4 inline patches vs. xxx xxx KB of custom heavy code Seemingly complicated problems may have trivial solutions Operating systems have plenty of code and functionality which can be re-used for offensive purpose with minimum mess

25. PoC limitations Requires Local Administrator privilege Auth bypass trick fails on Vista SP0 only Shadow.exe trick fails on Vista Auth bypass affects local logon

26. THANK YOU Questions?