Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/topic/vlad/rdp_bluekeep'

Browse source 
* origin/topic/vlad/rdp_bluekeep:
  RDP: Update existing baselines with new client_channels field
  RDP: Add parsing and logging of channels requested by the client. Can determine capabilities requested by the client, as well as attacks such as CVE-2019-0708
This commit is contained in:
Jon Siwek 2019-05-28 11:32:16 -07:00
commit 7bc9a3934d
13 changed files with 152 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

7
CHANGES
View file

@ -1,4 +1,11 @@
2.6-345 | 2019-05-28 11:32:16 -0700
* RDP: Add parsing and logging of channels requested by the client. (Vlad Grigorescu)
Can determine capabilities requested by the client, as well as attacks such
as CVE-2019-0708.
2.6-342 | 2019-05-28 10:48:37 -0700
* GH-168: Improve type-checking for table/set list assignment. (Zeke Medley and Jon Siwek, Corelight)

3
NEWS
View file

@ -79,6 +79,9 @@ New Functionality
- The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
also allowed when specifying patterns used in signature files.
- Add a new "client_channels" field to rdp.log based on data parsed from
the Client Network Data (TS_UD_CS_NET) packet.
Changed Functionality
---------------------

2
VERSION
View file

@ -1 +1 @@
2.6-342
2.6-345

2
doc

@ -1 +1 @@
Subproject commit 3db2ff8fa65f5acb3f7807a0302d5c81db1e2227
Subproject commit e38523b0edf6dd1373b116bb46e16f89420e0e70

32
scripts/base/init-bare.zeek
View file

@ -4275,6 +4275,38 @@ export {
ec_flags: RDP::EarlyCapabilityFlags &optional;
dig_product_id: string &optional;
};
## Name and flags for a single channel requested by the client.
type RDP::ClientChannelDef: record {
## A unique name for the channel
name: string;
## Absence of this flag indicates that this channel is
## a placeholder and that the server MUST NOT set it up.
initialized: bool;
## Unused, must be ignored by the server.
encrypt_rdp: bool;
## Unused, must be ignored by the server.
encrypt_sc: bool;
## Unused, must be ignored by the server.
encrypt_cs: bool;
## Channel data must be sent with high MCS priority.
pri_high: bool;
## Channel data must be sent with medium MCS priority.
pri_med: bool;
## Channel data must be sent with low MCS priority.
pri_low: bool;
## Virtual channel data must be compressed if RDP data is being compressed.
compress_rdp: bool;
## Virtual channel data must be compressed.
compress: bool;
## Ignored by the server.
show_protocol: bool;
## Channel must be persistent across remote control transactions.
persistent: bool;
};
## The list of channels requested by the client.
type RDP::ClientChannelList: vector of ClientChannelDef;
}
@load base/bif/plugins/Bro_SNMP.types.bif

14
scripts/base/protocols/rdp/main.zeek
View file

@ -23,6 +23,8 @@ export {
result: string &log &optional;
## Security protocol chosen by the server.
security_protocol: string &log &optional;
## The channels requested by the client
client_channels: vector of string &log &optional;
## Keyboard layout (language) of the client machine.
keyboard_layout: string &log &optional;
@ -189,6 +191,18 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
c$rdp$requested_color_depth = RDP::high_color_depths[data$high_color_depth];
}
event rdp_client_network_data(c: connection, channels: ClientChannelList)
{
set_session(c);
if ( ! c$rdp?$client_channels )
c$rdp$client_channels = vector();
for ( i in channels )
# Remove the NULs at the end
c$rdp$client_channels[i] = gsub(channels[i]$name, /\x00+$/, "");
}
event rdp_gcc_server_create_response(c: connection, result: count) &priority=5
{
set_session(c);

9
src/analyzer/protocol/rdp/events.bif
View file

@ -26,6 +26,13 @@ event rdp_negotiation_failure%(c: connection, failure_code: count%);
## data: The data contained in the client core data structure.
event rdp_client_core_data%(c: connection, data: RDP::ClientCoreData%);
## Generated for Client Network Data (TS_UD_CS_NET) packets
##
## c: The connection record for the underlying transport-layer session/flow.
##
## channels: The channels that were requested
event rdp_client_network_data%(c: connection, channels: RDP::ClientChannelList%);
## Generated for MCS server responses.
##
## c: The connection record for the underlying transport-layer session/flow.
@ -58,4 +65,4 @@ event rdp_server_certificate%(c: connection, cert_type: count, permanently_issue
## c: The connection record for the underlying transport-layer session/flow.
##
## security_protocol: The security protocol being used for the session.
event rdp_begin_encryption%(c: connection, security_protocol: count%);
event rdp_begin_encryption%(c: connection, security_protocol: count%);

43
src/analyzer/protocol/rdp/rdp-analyzer.pac
View file

@ -101,6 +101,44 @@ refine flow RDP_Flow += {
return true;
%}
function proc_rdp_client_network_data(cnetwork: Client_Network_Data): bool
%{
if ( ! rdp_client_network_data )
return false;
if ( ${cnetwork.channel_def_array}->size() )
{
VectorVal* channels = new VectorVal(BifType::Vector::RDP::ClientChannelList);
for ( uint i = 0; i < ${cnetwork.channel_def_array}->size(); ++i )
{
RecordVal* channel_def = new RecordVal(BifType::Record::RDP::ClientChannelDef);
channel_def->Assign(0, bytestring_to_val(${cnetwork.channel_def_array[i].name}));
channel_def->Assign(1, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_INITIALIZED}));
channel_def->Assign(2, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_RDP}));
channel_def->Assign(3, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_SC}));
channel_def->Assign(4, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_ENCRYPT_CS}));
channel_def->Assign(5, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_HIGH}));
channel_def->Assign(6, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_MED}));
channel_def->Assign(7, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_PRI_LOW}));
channel_def->Assign(8, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS_RDP}));
channel_def->Assign(9, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_COMPRESS}));
channel_def->Assign(10, val_mgr->GetBool(${cnetwork.channel_def_array[i].CHANNEL_OPTION_SHOW_PROTOCOL}));
channel_def->Assign(11, val_mgr->GetBool(${cnetwork.channel_def_array[i].REMOTE_CONTROL_PERSISTENT}));
channels->Assign(channels->Size(), channel_def);
}
BifEvent::generate_rdp_client_network_data(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
channels);
}
return true;
%}
function proc_rdp_server_security(ssd: Server_Security_Data): bool
%{
connection()->bro_analyzer()->ProtocolConfirmation();
@ -165,6 +203,10 @@ refine typeattr Client_Core_Data += &let {
proc: bool = $context.flow.proc_rdp_client_core_data(this);
};
refine typeattr Client_Network_Data += &let {
proc: bool = $context.flow.proc_rdp_client_network_data(this);
};
refine typeattr GCC_Server_Create_Response += &let {
proc: bool = $context.flow.proc_rdp_gcc_server_create_response(this);
};
@ -180,3 +222,4 @@ refine typeattr Server_Certificate += &let {
refine typeattr X509_Cert_Data += &let {
proc: bool = $context.flow.proc_x509_cert_data(this);
};

24
src/analyzer/protocol/rdp/rdp-protocol.pac
View file

@ -53,7 +53,7 @@ type Data_Block = record {
block: case header.type of {
0xc001 -> client_core: Client_Core_Data;
#0xc002 -> client_security: Client_Security_Data;
#0xc003 -> client_network: Client_Network_Data;
0xc003 -> client_network: Client_Network_Data;
#0xc004 -> client_cluster: Client_Cluster_Data;
#0xc005 -> client_monitor: Client_Monitor_Data;
#0xc006 -> client_msgchannel: Client_MsgChannel_Data;
@ -220,6 +220,28 @@ type Client_Core_Data = record {
SUPPORT_HEARTBEAT_PDU: bool = early_capability_flags & 0x0400;
} &byteorder=littleendian;
type Client_Network_Data = record {
channel_count: uint32;
channel_def_array: Client_Channel_Def[channel_count];
} &byteorder=littleendian;
type Client_Channel_Def = record {
name: bytestring &length=8;
options: uint32;
} &let {
REMOTE_CONTROL_PERSISTENT: bool = options & 0x00100000;
CHANNEL_OPTION_SHOW_PROTOCOL: bool = options & 0x00200000;
CHANNEL_OPTION_COMPRESS: bool = options & 0x00400000;
CHANNEL_OPTION_COMPRESS_RDP: bool = options & 0x00800000;
CHANNEL_OPTION_PRI_LOW: bool = options & 0x02000000;
CHANNEL_OPTION_PRI_MED: bool = options & 0x04000000;
CHANNEL_OPTION_PRI_HIGH: bool = options & 0x08000000;
CHANNEL_OPTION_ENCRYPT_CS: bool = options & 0x10000000;
CHANNEL_OPTION_ENCRYPT_SC: bool = options & 0x20000000;
CHANNEL_OPTION_ENCRYPT_RDP: bool = options & 0x40000000;
CHANNEL_OPTION_INITIALIZED: bool = options & 0x80000000;
} &byteorder=littleendian;
######################################################################
# Server MCS
######################################################################

3
src/analyzer/protocol/rdp/types.bif
View file

@ -3,3 +3,6 @@ module RDP;
type EarlyCapabilityFlags: record;
type ClientCoreData: record;
type ClientChannelList: vector;
type ClientChannelDef: record;

12
testing/btest/Baseline/scripts.base.protocols.rdp.rdp-proprietary-encryption/rdp.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path rdp
#open 2016-07-13-16-16-47
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
#types time string addr port addr port string string string string string string string count count string string count bool string string
1193369795.014346 CHhAvVGS1DHFjwGM9 172.21.128.16 1311 10.226.24.52 3389 FTBCO\\A70 SSL_NOT_ALLOWED_BY_SERVER - - - - - - - - - 0 - - -
1193369797.582740 ClEkJM2Vm5giqnMf4h 172.21.128.16 1312 10.226.24.52 3389 FTBCO\\A70 Success RDP English - United States RDP 6.0 FROG-POND (empty) 1152 864 32bit RSA 1 T High 128bit
#close 2016-07-13-16-16-48
#open 2019-05-28-14-29-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol client_channels keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
#types time string addr port addr port string string string vector[string] string string string string count count string string count bool string string
1193369795.014346 CHhAvVGS1DHFjwGM9 172.21.128.16 1311 10.226.24.52 3389 FTBCO\\A70 SSL_NOT_ALLOWED_BY_SERVER - - - - - - - - - - 0 - - -
1193369797.582740 ClEkJM2Vm5giqnMf4h 172.21.128.16 1312 10.226.24.52 3389 FTBCO\\A70 Success RDP rdpdr,rdpsnd,drdynvc,cliprdr English - United States RDP 6.0 FROG-POND (empty) 1152 864 32bit RSA 1 T High 128bit
#close 2019-05-28-14-29-19

12
testing/btest/Baseline/scripts.base.protocols.rdp.rdp-to-ssl/rdp.log
View file

@ -3,9 +3,9 @@
#empty_field (empty)
#unset_field -
#path rdp
#open 2016-07-13-16-16-48
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
#types time string addr port addr port string string string string string string string count count string string count bool string string
1297551041.284715 CHhAvVGS1DHFjwGM9 192.168.1.200 49206 192.168.1.150 3389 AWAKECODI encrypted HYBRID - - - - - - - - 0 - - -
1297551078.958821 ClEkJM2Vm5giqnMf4h 192.168.1.200 49207 192.168.1.150 3389 AWAKECODI encrypted HYBRID - - - - - - - - 0 - - -
#close 2016-07-13-16-16-48
#open 2019-05-28-14-29-20
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol client_channels keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
#types time string addr port addr port string string string vector[string] string string string string count count string string count bool string string
1297551041.284715 CHhAvVGS1DHFjwGM9 192.168.1.200 49206 192.168.1.150 3389 AWAKECODI encrypted HYBRID - - - - - - - - - 0 - - -
1297551078.958821 ClEkJM2Vm5giqnMf4h 192.168.1.200 49207 192.168.1.150 3389 AWAKECODI encrypted HYBRID - - - - - - - - - 0 - - -
#close 2019-05-28-14-29-20

10
testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/rdp.log
View file

@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path rdp
#open 2016-07-13-16-16-49
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
#types time string addr port addr port string string string string string string string count count string string count bool string string
1423755598.202845 CHhAvVGS1DHFjwGM9 192.168.1.1 54990 192.168.1.2 3389 JOHN-PC Success RDP English - United States RDP 8.1 JOHN-PC-LAPTOP 3c571ed0-3415-474b-ae94-74e151b 1920 1080 16bit X.509 2 F Client compatible 128bit
#close 2016-07-13-16-16-49
#open 2019-05-28-14-29-20
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p cookie result security_protocol client_channels keyboard_layout client_build client_name client_dig_product_id desktop_width desktop_height requested_color_depth cert_type cert_count cert_permanent encryption_level encryption_method
#types time string addr port addr port string string string vector[string] string string string string count count string string count bool string string
1423755598.202845 CHhAvVGS1DHFjwGM9 192.168.1.1 54990 192.168.1.2 3389 JOHN-PC Success RDP rdpdr,rdpsnd,cliprdr,drdynvc English - United States RDP 8.1 JOHN-PC-LAPTOP 3c571ed0-3415-474b-ae94-74e151b 1920 1080 16bit X.509 2 F Client compatible 128bit
#close 2019-05-28-14-29-20