Add rdp-vuln-ms12-020.nse.

CHANGELOG

@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests
+  for two Remote Desktop vulnerabilities, including one allowing
+  remote code execution, that were fixed in the MS12-020 advisory.
+
 o Fixed an error that could occur with ICMPv6 probes and -d4 debugging:
   "Unexpected probespec2ascii type encountered" [David Fifield]
 

scripts/rdp-vuln-ms12-020.nse

@@ -0,0 +1,217 @@
+description = [[
+Checks if a machine is vulnerable to ms12-020 RDP vulnerability.
+
+Microsoft bulletin ms12-020 patches two vulnerabilities.
+CVE-2012-0152 which addresses a DoS vulnerability inside Terminal Server,
+and CVE-2012-0002 which fixes a vulnerability in Remote Desktop Protocol.
+Both are part of Remote Desktop Services.
+
+Script works by checking for a CVE-2012-0152 vulnerability.
+Patched and unpatched system differ in the results from which
+we can conclude if the service is vulnerable or not.
+
+The way this works follows:
+1. send one user request
+ - server replies with user id (let's call it A) and channel for that user
+2. send another user request
+ - server replies with another user id (let's call it B) and another channel
+3. send channel join request with requesting user set to A and requesting channel set to B
+ - if server replies with success message , we conclude that the server is vulnerable
+ - if we do not get the success message , the server is patched
+4. in case the server is vulnerable, send a channel join request with requesting user set to B and requesting channel set to B to prevent the chance of BSoD
+5. The end
+
+For details on packet containts, please see links mentioned in the comments.
+
+References:
+http://technet.microsoft.com/en-us/security/bulletin/ms12-020
+http://support.microsoft.com/kb/2621440
+http://zerodayinitiative.com/advisories/ZDI-12-044/
+http://aluigi.org/adv/termdd_1-adv.txt
+
+Original check by by Worawit Wang (sleepya)
+]]
+-- @usage
+-- nmap -sV --script=rdp-ms12-020 -p 3389 <target>
+-- @output
+-- PORT     STATE SERVICE        VERSION
+-- 3389/tcp open  ms-wbt-server?
+-- | rdp-ms12-020:
+-- |   VULNERABLE:
+-- |   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
+-- |     State: VULNERABLE
+-- |     IDs:  CVE:CVE-2012-0152
+-- |     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
+-- |     Description:
+-- |               Remote Desktop Protocol vulnerability that could allow remote attackers to cause Denial Of Service agains on the targeted system.
+-- |
+-- |     Disclosure date: 2012-03-13
+-- |     References:
+-- |       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
+-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
+-- |
+-- |   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
+-- |     State: VULNERABLE
+-- |     IDs:  CVE:CVE-2012-0002
+-- |     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
+-- |     Description:
+-- |               Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
+-- |
+-- |     Disclosure date: 2012-03-13
+-- |     References:
+-- |       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
+-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
+
+author = "Aleksandar Nikolic, based on python script by sleepya"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive", "vuln"}
+
+require "shortport"
+require "stdnse"
+require "vulns"
+
+portrule = shortport.port_or_service({3389},{"ms-wbt-server"})
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local status, err,response
+
+	-- see http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx for more info
+	local connectionRequestStr = "0300" -- TPKT Header version 03, reserved 0
+						.. "000b" -- Length
+						.. "06"   -- X.224 Data TPDU length
+						.. "e0"	  -- X.224 Type (Connection request)
+						.. "0000" -- dst reference
+						.. "0000" -- src reference
+						.. "00" -- class and options
+	local connectionRequest = bin.pack("H",connectionRequestStr)
+
+	-- see http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx
+	local connectInitialStr = "03000065" -- TPKT Header
+				.. "02f080" -- Data TPDU, EOT
+				.. "7f655b" -- Connect-Initial
+				.. "040101" -- callingDomainSelector
+				.. "040101" -- calledDomainSelector
+				.. "0101ff" -- upwardFlag
+				.. "3019" -- targetParams + size
+					..  "020122" -- maxChannelIds
+					..	"020120" -- maxUserIds
+					..	"020100" -- maxTokenIds
+					..	"020101" -- numPriorities
+					..	"020100" -- minThroughput
+					..	"020101" -- maxHeight
+					..	"0202ffff" -- maxMCSPDUSize
+					..	"020102" -- protocolVersion
+				.. "3018" -- minParams + size
+					.. "020101" -- maxChannelIds
+					.. "020101" -- maxUserIds
+					.. "020101" -- maxTokenIds
+					.. "020101" -- numPriorities
+					.. "020100" -- minThroughput
+					.. "020101" -- maxHeight
+					.. "0201ff" -- maxMCSPDUSize
+					.. "020102" -- protocolVersion
+				.. "3019" -- maxParams + size
+					.. "0201ff" -- maxChannelIds
+					.. "0201ff" -- maxUserIds
+					.. "0201ff" -- maxTokenIds
+					.. "020101" -- numPriorities
+					.. "020100" -- minThroughput
+					.. "020101" -- maxHeight
+					.. "0202ffff" -- maxMCSPDUSize
+					.. "020102" -- protocolVersion
+				.. "0400" -- userData
+	local connectInitial = bin.pack("H",connectInitialStr)
+
+	-- see http://msdn.microsoft.com/en-us/library/cc240835%28v=prot.10%29.aspx
+	local userRequestStr = "0300" -- header
+						.. "0008" -- length
+						.. "02f080" -- X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
+						.. "28" -- PER encoded PDU contents
+	local userRequest = bin.pack("H",userRequestStr)
+
+	local user1,user2
+	local pos
+
+	local rdp_vuln_0152  = {
+		title = "MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability",
+		IDS = {CVE = 'CVE-2012-0152'},
+		risk_factor = "Medium",
+		scores = {
+		  CVSSv2 = "4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)",
+		},
+		description = [[
+		Remote Desktop Protocol vulnerability that could allow remote attackers to cause Denial Of Service agains on the targeted system.
+		]],
+		references = {
+		  'http://technet.microsoft.com/en-us/security/bulletin/ms12-020',
+		},
+		dates = {
+		  disclosure = {year = '2012', month = '03', day = '13'},
+		},
+		exploit_results = {},
+	}
+
+	local rdp_vuln_0002 = {
+		title = "MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability",
+		IDS = {CVE = 'CVE-2012-0002'},
+		risk_factor = "High",
+		scores = {
+		  CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
+		},
+		description = [[
+		Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
+		]],
+		references = {
+		  'http://technet.microsoft.com/en-us/security/bulletin/ms12-020',
+		},
+		dates = {
+		  disclosure = {year = '2012', month = '03', day = '13'},
+		},
+		exploit_results = {},
+	}
+
+	local report = vulns.Report:new(SCRIPT_NAME, host, port)
+	rdp_vuln_0152.state = vulns.STATE.NOT_VULN
+	rdp_vuln_0002.state = vulns.STATE.NOT_VULN
+
+	socket:connect(host.ip, port)
+	status, err = socket:send(connectionRequest)
+
+	status, response = socket:receive_bytes(0)
+	if response ~= bin.pack("H","0300000b06d00000123400") then
+		--probably not rdp at all
+		return report:make_output(rdp_vuln_0152,rdp_vuln_0002)
+	end
+	status, err = socket:send(connectInitial)
+	status, err = socket:send(userRequest)  -- send attach user request
+	status, response = socket:receive_bytes(0) -- recieve attach user confirm
+	pos,user1 = bin.unpack(">S",response:sub(10,11)) -- user_channel-1001 - see http://msdn.microsoft.com/en-us/library/cc240918%28v=prot.10%29.aspx
+
+	status, err = socket:send(userRequest) -- send another attach user request
+	status, response = socket:receive_bytes(0) -- recieve another attach user confirm
+	pos,user2 = bin.unpack(">S",response:sub(10,11)) -- second user's channel - 1001
+	user2 = user2+1001 -- second user's channel
+	data4 = bin.pack(">SS",user1,user2)
+	data5 = bin.pack("H","0300000c02f08038") -- channel join request TPDU
+	channelJoinRequest = data5 .. data4
+	status, err = socket:send(channelJoinRequest) -- bogus channel join request user1 requests channel of user2
+	status, response = socket:receive_bytes(0)
+	if response:sub(8,9) == bin.pack("H","3e00") then
+		-- 3e00 indicates a successfull join
+		-- see http://msdn.microsoft.com/en-us/library/cc240911%28v=prot.10%29.aspx
+		-- service is vulnerable
+		-- send a valid request to prevent the BSoD
+		data4 = bin.pack(">SS",user2-1001,user2)
+		channelJoinRequest = data5 .. data4 -- valid join request
+		status, err = socket:send(channelJoinRequest)
+		status, response = socket:receive_bytes(0)
+		socket:close()
+		rdp_vuln_0152.state = vulns.STATE.VULN
+		rdp_vuln_0002.state = vulns.STATE.VULN
+		return report:make_output(rdp_vuln_0152,rdp_vuln_0002)
+	end
+	--service is not vulnerable
+	socket:close()
+	return report:make_output(rdp_vuln_0152,rdp_vuln_0002)
+end

scripts/script.db

@@ -248,6 +248,7 @@ Entry { filename = "pptp-version.nse", categories = { "version", } }
 Entry { filename = "qscan.nse", categories = { "discovery", "safe", } }
 Entry { filename = "quake3-info.nse", categories = { "default", "discovery", "safe", "version", } }
 Entry { filename = "quake3-master-getservers.nse", categories = { "default", "discovery", "safe", } }
+Entry { filename = "rdp-vuln-ms12-020.nse", categories = { "vuln", } }
 Entry { filename = "realvnc-auth-bypass.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "redis-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "redis-info.nse", categories = { "discovery", "safe", } }