Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'security/topic/timw/154-rdp-timeout'

Browse source 
* security/topic/timw/154-rdp-timeout:
  RDP: Instantiate SSL analyzer instead of PIA
  RDP: add some enforcement to required values based on MS-RDPBCGR docs
This commit is contained in:
Tim Wojtulewicz 2023-04-11 15:23:42 -07:00
commit f812ce53cf
8 changed files with 38 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/analyzer/protocol/rdp/RDP.cc
View file

@ -13,7 +13,7 @@ RDP_Analyzer::RDP_Analyzer(Connection* c) : analyzer::tcp::TCP_ApplicationAnalyz
interp = new binpac::RDP::RDP_Conn(this);
had_gap = false;
pia = nullptr;
ssl = nullptr;
}
RDP_Analyzer::~RDP_Analyzer()
@ -54,19 +54,15 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
// 0x03-0x04 is CredSSP which is effectively SSL/TLS
if ( interp->encryption_method() > 0x00 )
{
if ( ! pia )
if ( ! ssl )
{
pia = new analyzer::pia::PIA_TCP(Conn());
if ( ! AddChildAnalyzer(pia) )
ssl = new analyzer::ssl::SSL_Analyzer(Conn());
if ( ! AddChildAnalyzer(ssl) )
{
reporter->AnalyzerError(this, "failed to add TCP child analyzer "
"to RDP analyzer: already exists");
return;
}
pia->FirstPacket(true, nullptr);
pia->FirstPacket(false, nullptr);
}
ForwardStream(len, data, orig);

3
src/analyzer/protocol/rdp/RDP.h
View file

@ -3,6 +3,7 @@
#include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/analyzer/protocol/rdp/events.bif.h"
#include "zeek/analyzer/protocol/rdp/rdp_pac.h"
#include "zeek/analyzer/protocol/ssl/SSL.h"
#include "zeek/analyzer/protocol/tcp/TCP.h"
namespace zeek::analyzer::rdp
@ -30,7 +31,7 @@ protected:
binpac::RDP::RDP_Conn* interp;
bool had_gap;
analyzer::pia::PIA_TCP* pia;
analyzer::ssl::SSL_Analyzer* ssl;
};
} // namespace zeek::analyzer::rdp

8
src/analyzer/protocol/rdp/rdp-protocol.pac
View file

@ -92,7 +92,7 @@ type Connect_Request(cotp: COTP) = record {
type RDP_Negotiation_Request = record {
type: uint8;
flags: uint8;
length: uint16; # must be set to 8
length: uint16 &enforce(length == 8); # must be set to 8
requested_protocols: uint32;
} &let {
PROTOCOL_RDP: bool = requested_protocols & 0x00;
@ -127,7 +127,7 @@ type Connect_Confirm_Record = record {
type RDP_Negotiation_Response = record {
flags: uint8;
length: uint16; # must be set to 8
length: uint16 &enforce(length==8); # must be set to 8
selected_protocol: uint32;
} &let {
# Seems to be SSL encrypted (maybe CredSSP also?)
@ -310,10 +310,12 @@ type Server_Network_Data = record {
channel_count: uint16;
} &byteorder=littleendian;
# See MS-RDPBCGR Section 2.2.1.4.3 for reasoning for the &enforce value on
# the server_random_length field.
type Server_Security_Data = record {
encryption_method: uint32;
encryption_level: uint32;
server_random_length: uint32;
server_random_length: uint32 &enforce((encryption_level == 0 && encryption_method == 0 && server_random_length == 0) || (server_random_length == 0x20));
server_cert_length: uint32;
server_random: bytestring &length=server_random_length;
server_certificate: Server_Certificate &length=server_cert_length;