Microsoft Windows RD Gateway Remote Code Execution Vulnerability

Vulnerability information

Vulnerability name: Microsoft Windows RD Gateway Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-0610

Vulnerability type: Remote code execution

Severity: Critical

Vulnerability description: Microsoft Windows Remote Desktop Gateway (RD Gateway) is the component that lets users connect securely over the Internet to Remote Desktop services inside a corporate network; it is widely deployed to support remote work and remote administration. The component contains a remote code execution vulnerability in its handling of specially crafted requests, which an attacker can trigger without authentication and without any user interaction. The root cause is a heap-based buffer overflow (CWE-122 in the classification below) in the gateway's processing of such requests; a successful attacker executes arbitrary code on the gateway and gains full control of it, and from there data theft, service disruption or further intrusion into the internal network follow. Because exploitation is remote, unauthenticated and reaches code execution, the vulnerability is rated critical (CVSS 3.1 base score 9.8). Microsoft has published a security update; every installation running an affected version should apply it promptly. The CPE below scopes the template to Windows Server 2012, but Microsoft's advisory also lists the later server releases that ship RD Gateway (2012 R2, 2016 and 2019), so a non-2012 fingerprint is not out of scope. The PoC template below does not exploit the flaw; it sends one probe to the gateway's UDP transport on port 3391 and classifies the reply.

Vendor: Microsoft

Product: Windows Server 2012

Search syntax (Shodan): cpe:"cpe:2.3:o:microsoft:windows_server_2012"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/34c65dfd28813dcfef8f59af304adbe5898d4424/network%2Fcves%2F2020%2FCVE-2020-0610.yaml

Type: projectdiscovery/nuclei-templates: GitHub issues

PoC details


id: CVE-2020-0610

info:
  name: Microsoft Windows RD Gateway - Remote Code Execution
  author: a-b-r-o-w-n,ad-995,geeknik
  severity: critical
  description: |
    Microsoft Windows Remote Desktop Gateway (RD Gateway) contains a remote code execution vulnerability caused by specially crafted requests from unauthenticated attackers via RDP. This allows remote attackers to execute arbitrary code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system, leading to a full compromise.
  remediation: |
    Apply the appropriate security update from Microsoft.
  reference:
    - https://vulncheck.com/xdb/3a3f10478ff3
    - https://gitlab.com/ind3p3nd3nt/BlueGate.git
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610
    - https://nvd.nist.gov/vuln/detail/CVE-2020-0610
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-0610
    cwe-id: CWE-122
    epss-score: 0.97236
    epss-percentile: 0.99991
    cpe: cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: windows_server_2012
    shodan-query: cpe:"cpe:2.3:o:microsoft:windows_server_2012"
  tags: cve,cve2020,rdp,rce,unauth,kev,microsoft

network:
  - inputs:
      # 12-byte probe, hex-encoded; sent once to the RD Gateway UDP listener.
      - data: "05000c000000410001000000"
        type: hex

    host: "{{Hostname}}"
    port: 3391
    transport: udp

    # The check is based on the server's reply to the probe above.
    # A server is reported as vulnerable if it either does not reply at all
    # (read timeout) or replies with data that does not end with the 4-byte
    # sequence ff ff 00 80.
    #
    # read-size is larger than the expected reply so the whole datagram is
    # captured when one arrives.
    #
    # read-timeout allows for network latency but is short enough to flag
    # silent (and therefore suspected vulnerable) servers quickly.
    read-size: 1024
    read-timeout: 5s

    matchers-condition: or
    matchers:
      # Matcher 1: intended to fire when the server sends nothing back.
      # Caveat: a word matcher tests substring containment, and the empty
      # string is contained in every response, so as written this matcher is
      # also satisfied by any server that does reply; with matchers-condition
      # set to "or" that makes every reachable host match. Narrow this matcher
      # before relying on the result.
      - type: word
        words:
          - ""
        part: data

      # Matcher 2: fires when the reply does NOT end with ff ff 00 80.
      # The regex matches a reply that ends with the sequence, and
      # negative: true inverts it. Like the original template, this assumes
      # the reply data is compared in its hex-string form, hence the
      # case-insensitive flag.
      - type: regex
        regex:
          - "(?i)ffff0080$"
        part: data
        negative: true
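The same decision rule as a stand-alone script, added here as an example; it is not part of the original page or of the nuclei project. It sends the template's 12-byte probe to UDP/3391, waits the template's read-timeout, and flags the host if nothing comes back or if the reply does not end with ff ff 00 80. The reply format of a real gateway is not documented on this page, so the sample replies in the script are constructed purely to exercise the rule offline; the function and constant names are this example's own.

```python
# Added example: stand-alone version of the RD Gateway UDP probe check from
# the nuclei template above. Not original page or project code.
import socket
from typing import Dict, Optional, Tuple

# Probe bytes exactly as given in the template's hex input.
PROBE = bytes.fromhex("05000c000000410001000000")
RDG_UDP_PORT = 3391
READ_SIZE = 1024        # read-size in the template
READ_TIMEOUT = 5.0      # read-timeout in the template, in seconds
# Trailer the template treats as the sign of a correctly handled probe.
OK_TRAILER = bytes.fromhex("ffff0080")

REASON_TIMEOUT = "no response before timeout"
REASON_OK_TRAILER = "response ends with ff ff 00 80"
REASON_BAD_TRAILER = "response does not end with ff ff 00 80"


def classify(response: Optional[bytes]) -> Tuple[bool, str]:
    """Apply the template's rule to one reply.

    `None` stands for a read timeout. Returns (flagged, reason), where
    flagged=True means the template would report the host.
    """
    if response is None:
        return True, REASON_TIMEOUT
    if response.endswith(OK_TRAILER):
        return False, REASON_OK_TRAILER
    return True, REASON_BAD_TRAILER


def probe(host: str, port: int = RDG_UDP_PORT,
          timeout: float = READ_TIMEOUT) -> Optional[bytes]:
    """Send PROBE once and return the first datagram back, or None on timeout.

    On platforms that surface ICMP port-unreachable as ConnectionResetError
    or ConnectionRefusedError the exception is propagated on purpose: a
    closed port is a different finding from a silent one.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(PROBE, (host, port))
        try:
            data, _ = sock.recvfrom(READ_SIZE)
        except socket.timeout:
            return None
    return data


def check_host(host: str, port: int = RDG_UDP_PORT) -> Tuple[bool, str]:
    """Probe a live host and classify its reply."""
    return classify(probe(host, port))


# Constructed sample replies (not captured from a real gateway), used only
# to exercise the rule without network access.
SAMPLE_REPLIES: Dict[str, Optional[bytes]] = {
    "silent": None,
    "ok-trailer": bytes.fromhex("05000c000000ffff0080"),
    "odd-trailer": bytes.fromhex("05000c0000000000"),
}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Classify the constructed samples; returns name -> (flagged, reason)."""
    return {name: classify(reply) for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        flagged, why = check_host(target)
        state = "FLAGGED" if flagged else "not flagged"
        print(f"{target}:{RDG_UDP_PORT} -> {state} ({why})")
    else:
        for name, (flagged, why) in demo().items():
            print(f"{name:12s} flagged={flagged} ({why})")
```

Run it with a hostname to probe a real gateway, or with no arguments to see the rule applied to the constructed samples. The same caveat as for the template applies: a host whose UDP/3391 is filtered by a firewall also times out, so "no response" only means something when you already know the host exposes the RD Gateway UDP transport; confirm that before reporting a silent host as vulnerable.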