Remote Data Services (RDS) Removal Check

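Vulnerability Information

Vulnerability name: Remote Data Services (RDS) Removal Check

Vulnerability type: Configuration issue

Severity: Medium

Vulnerability description: The affected product is Microsoft's Internet Information Services (IIS), a widely used web server commonly found in enterprise services and web application components. IIS supports data access through Remote Data Services (RDS), but improper configuration can introduce security risk. This is a configuration issue: RDS has not been properly removed or configured, which increases the risk of denial-of-service attacks or remote execution of administrative commands. The technical root cause is that the /msadc virtual directory was not removed during IIS installation or use, or that the ADCLaunch registry keys associated with RDS were not deleted. An attacker can exploit this misconfiguration to execute remote code or launch denial-of-service attacks; exploitation requires no authentication and can be automated. The impact analysis indicates that this class of vulnerability can lead to full control of the server, data disclosure, or service interruption, posing a serious threat to the information security of enterprises and organizations.

Vendor: Microsoft

Product: Internet Information Services (IIS)

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b740ee6791c0a6d36cac233d23a096ba91d2f060/code%2Fwindows%2Faudit%2Fkisa%2Frds-removal-check.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details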


id: rds-removal-check

info:
  name: RDS Removal Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure that Remote Data Services (RDS) are either removed or not configured to reduce the risk of denial-of-service attacks or remote execution of administrative commands.
    Compliance is met if any of the following conditions are true:
    - IIS is not installed or in use,
    - The default website does not include the /msadc virtual directory, or
    - The relevant ADCLaunch registry keys associated with RDS are not present.
  impact: |
    Improperly configured RDS can be exploited by attackers to execute remote code or launch denial-of-service attacks.
  remediation: |
    To mitigate RDS-related risks, take the following actions:
    - Remove the /msadc virtual directory from the default website.
    - Delete these registry keys:
      - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
      - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
      - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: rds,code,windows-audit,kisa

self-contained: true

code:
  - pre-condition: |
      IsWindows();

    engine:
      - powershell
      - powershell.exe

    args:
      - -ExecutionPolicy
      - Bypass

    pattern: "*.ps1"

    source: |
      # Check if IIS (W3SVC) service is present; if not, IIS is not used and RDS is implicitly compliant.
      $iisService = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
      if (-not $iisService) {
          Write-Output "RDS_COMPLIANT"
          exit
      }
      # Check for the existence of the /msadc virtual directory in the Default Web Site.
      $msadcExists = $false
      try {
          Import-Module WebAdministration -ErrorAction SilentlyContinue
          $vdirs = Get-WebVirtualDirectory -Site "Default Web Site" -ErrorAction SilentlyContinue
          if ($vdirs) {
              foreach ($vdir in $vdirs) {
                  if ($vdir.Path -eq "/msadc") {
                      $msadcExists = $true
                      break
                  }
              }
          }
      } catch {}
      # Check for ADCLaunch registry keys related to RDS.
      $adcLaunchPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch"
      $rdServerExists = Test-Path "$adcLaunchPath\RDSServer.DataFactory"
      $advDataExists = Test-Path "$adcLaunchPath\AdvancedDataFactory"
      $vbBusObjExists = Test-Path "$adcLaunchPath\VbBusObj.VbBusObjCls"
      # Compliance is achieved if the /msadc virtual directory does not exist OR none of the registry keys exist.
      if ((-not $msadcExists) -or (-not ($rdServerExists -or $advDataExists -or $vbBusObjExists))) {
          Write-Output "RDS_COMPLIANT"
      } else {
          Write-Output "RDS_VULNERABLE"
      }

    matchers:
      - type: word
        words:
          - "RDS_VULNERABLE"
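
The remediation steps listed in the template, as an added PowerShell example (not part of the nuclei template or of the original page). It assumes an elevated session on the IIS host; the function name Remove-RdsExposure, its parameters and the backup directory are hypothetical.

```powershell
# Added example: applies the template's remediation (remove /msadc, delete the ADCLaunch RDS keys).
# Assumptions: elevated session; function name, parameters and $BackupDir are hypothetical.
function Remove-RdsExposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Site = 'Default Web Site',
        [string]$BackupDir = "$env:TEMP\rds-removal-backup"
    )

    $adcLaunch = 'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'
    $keys = 'RDSServer.DataFactory', 'AdvancedDataFactory', 'VbBusObj.VbBusObjCls'
    $result = [ordered]@{ VirtualDirectoryRemoved = $false; KeysRemoved = @() }

    # No W3SVC service means IIS is not in use; nothing to remediate.
    if (-not (Get-Service -Name W3SVC -ErrorAction SilentlyContinue)) {
        return [pscustomobject]$result
    }

    # 1. Remove the /msadc virtual directory (same lookup the template's check uses).
    Import-Module WebAdministration -ErrorAction Stop
    $vdir = Get-WebVirtualDirectory -Site $Site -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq '/msadc' }
    if ($vdir -and $PSCmdlet.ShouldProcess("$Site/msadc", 'Remove virtual directory')) {
        Remove-WebVirtualDirectory -Site $Site -Application '/' -Name 'msadc'
        $result.VirtualDirectoryRemoved = $true
    }

    # 2. Export the ADCLaunch key for rollback, then delete the RDS subkeys that exist.
    $present = @($keys | Where-Object { Test-Path "HKLM:\$adcLaunch\$_" })
    if ($present.Count -gt 0 -and
        $PSCmdlet.ShouldProcess("HKLM:\$adcLaunch ($($present -join ', '))", 'Export, then delete keys')) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        & reg.exe export "HKLM\$adcLaunch" (Join-Path $BackupDir 'ADCLaunch.reg') /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; no keys were deleted.' }
        foreach ($k in $present) {
            Remove-Item -Path "HKLM:\$adcLaunch\$k" -Recurse -Force
        }
        $result.KeysRemoved = $present
    }

    return [pscustomobject]$result
}

# Dry run: reports what would be removed without changing the host.
Remove-RdsExposure -WhatIf
```

The template reports a host as compliant when either the virtual directory or the registry keys are absent; this example removes both, so the check passes regardless of which condition it evaluates first.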


http://example.com/2025/07/10/github_3876170482/
Author: lianccc
Published: July 10, 2025