RDP: Add parsing and logging of channels requested by the client. Can determine capabilities requested by the client, as well as attacks such as CVE-2019-0708

2025-10-08 01:28:20 +00:00 · 2019-05-28 09:25:50 -05:00 · 2019-05-28 09:25:50 -05:00 · 8eb14fcb83
commit 8eb14fcb83
parent d886f40728
6 changed files with 126 additions and 1 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -4261,6 +4261,39 @@ export {
 		ec_flags:               RDP::EarlyCapabilityFlags &optional;
 		dig_product_id:         string &optional;
 	};
+
+	## Name and flags for a single channel requested by the client.
+	type RDP::ClientChannelDef: record {
+		## A unique name for the channel
+		name: 	        string;
+		## Absence of this flag indicates that this channel is
+                ## a placeholder and that the server MUST NOT set it
+                ## up.
+		initialized:    bool;
+		## Unused, must be ignored by the server.
+		encrypt_rdp:    bool;
+		## Unused, must be ignored by the server.
+		encrypt_sc:     bool;
+		## Unused, must be ignored by the server.
+		encrypt_cs:     bool;
+		## Channel data must be sent with high MCS priority.
+		pri_high:       bool;
+		## Channel data must be sent with medium MCS priority.
+		pri_med:        bool;
+		## Channel data must be sent with low MCS priority.
+		pri_low:        bool;
+		## Virtual channel data must be compressed if RDP data is being compressed.
+		compress_rdp:   bool;
+		## Virtual channel data must be compressed.
+		compress:       bool;
+		## Ignored by the server.
+		show_protocol:  bool;
+		## Channel must be persistent across remote control transactions.
+		persistent:     bool;
+	};
+
+	## The list of channels requested by the client.
+	type RDP::ClientChannelList: vector of ClientChannelDef;
 }

@load base/bif/plugins/Bro_SNMP.types.bif
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@ -23,6 +23,8 @@ export {
 		result:                string  &log &optional;
 		## Security protocol chosen by the server.
 		security_protocol:     string &log &optional;
+		## The channels requested by the client
+		client_channels: vector of string &log &optional;

 		## Keyboard layout (language) of the client machine.
 		keyboard_layout:       string  &log &optional;
@ -189,6 +191,21 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
 		c$rdp$requested_color_depth = RDP::high_color_depths[data$high_color_depth];
 	}

+event rdp_client_network_data(c: connection, channels: ClientChannelList)
+	{
+	set_session(c);
+	if ( ! c$rdp?$client_channels )
+		{
+		c$rdp$client_channels = vector();
+		}
+
+	for (i in channels) {
+		# Remove the NULs at the end
+		c$rdp$client_channels[i] = gsub(channels[i]$name, /\x00+$/, "");
+		}
+
+	}
+
 event rdp_gcc_server_create_response(c: connection, result: count) &priority=5
 	{
 	set_session(c);