Microsoft Windows RD Gateway Remote Code Execution Vulnerability

漏洞信息

漏洞名称： Microsoft Windows RD Gateway Remote Code Execution Vulnerability

漏洞编号：

• CVE： CVE-2020-0610

漏洞类型： 命令执行

漏洞等级： 严重

漏洞描述： Microsoft Windows Remote Desktop Gateway (RD Gateway) 是微软提供的一种服务，允许用户通过互联网安全地连接到内部企业网络资源。它广泛用于企业环境中，支持远程工作场景。该服务在处理特制的RDP请求时存在一个远程代码执行漏洞，攻击者无需认证即可利用此漏洞。漏洞的根源在于RD Gateway未能正确处理某些特制的网络请求，导致攻击者可以执行任意代码。这种漏洞的利用可能导致攻击者完全控制受影响的系统，进而可能导致数据泄露、服务中断或其他恶意活动。由于攻击者无需认证即可发起攻击，且漏洞利用过程可以自动化，因此该漏洞的安全风险极高。微软已发布安全更新来修复此漏洞，建议所有使用受影响版本的用户尽快应用相关补丁。

产品厂商： microsoft

产品名称： windows_server_2012

搜索语法： cpe:”cpe:2.3:o:microsoft:windows_server_2012”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/897e562c368569335eb1ad006b17ea9fd3aff74d/network%2Fcves%2F2020%2FCVE-2020-0610.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2020-0610

info:
  name: Microsoft Windows RD Gateway - Remote Code Execution
  author: a-b-r-o-w-n,ad-995,geeknik
  severity: critical
  description: |
    Microsoft Windows Remote Desktop Gateway (RD Gateway) contains a remote code execution vulnerability caused by specially crafted requests from unauthenticated attackers via RDP. This allows remote attackers to execute arbitrary code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system, leading to a full compromise.
  remediation: |
    Apply the appropriate security update from Microsoft.
  reference:
    - https://vulncheck.com/xdb/3a3f10478ff3
    - https://gitlab.com/ind3p3nd3nt/BlueGate.git
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610
    - https://nvd.nist.gov/vuln/detail/CVE-2020-0610
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-0610
    cwe-id: CWE-122
    epss-score: 0.97236
    epss-percentile: 0.99991
    cpe: cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: windows_server_2012
    shodan-query: cpe:"cpe:2.3:o:microsoft:windows_server_2012"
  tags: cve,cve2020,rdp,rce,unauth,kev,microsoft

network:
  - inputs:
      - data: "05000c000000410001000000"
        type: hex

    host: "{{Hostname}}"
    port: 3391
    transport: udp

    # The vulnerability check is based on the server's response to a crafted packet.
    # A vulnerable server will either not respond at all (timeout) or respond with a packet
    # that does not end with the specific 4-byte sequence 'ff ff 00 80'.
    #
    # The 'read-size' is set to a value larger than the expected response to ensure
    # we capture the full response if one is sent.
    #
    # The 'read-timeout' is set to a value that allows for network latency but is
    # short enough to quickly identify non-responsive (and thus vulnerable) servers.

    read-size: 1024
    read-timeout: 5s

    matchers-condition: or
    matchers:
      # Matcher 1: The server is vulnerable if it doesn't respond at all.
      - type: word
        words:
          - ""
        part: data

      # Matcher 2: The server is vulnerable if it responds, but the response
      # does not end with 'ff ff 00 80'.
      - type: regex
        regex:
          - ".*[^fF][^fF]0080$"
        part: data
        negative: true