July 2024 Windows Updates brought a patch for CVE-2024-38077,
a memory corruption vulnerability in Remote Desktop Licensing Service that could potentially allow an attacker in a Windows network to remotely execute arbitrary code on a computer running this service.
Security researchers Lewis Lee, Chunyang Han and Zhiniang Peng found this vulnerability and reported it to Microsoft. On August 9 they also published an article (subsequently deleted) with some details about this vulnerability and an incomplete pseudo-code POC. We had confirmed that said POC was not working as-is but combining various sources, we were able to create our own working POC.
The Vulnerability
The vulnerability resides in the Remote Desktop Licensing Service, a service only running on Windows Servers and installed by default: one has to add the “Remote Desktop Licensing” role to have it installed.
The flaw is in a fixed-size buffer being used for user-supplied data, which can result in a buffer overflow. Careful selection of user-supplied data could potentially lead to execution of arbitrary code on the server hosting the Remote Desktop Licensing Service, running as Local System.
Microsoft’s patch checks for the buffer overflow and exits the affected function with error before it occurs.
Our Micropatch
Our micropatch is simpler but logically equivalent to Microsoft’s.
Here’s the source code of our micropatch.
;XX-2326
MODULE_PATH “..AffectedModuleslserver.dll_6.3.9600.18226_Server-2012_64-bit_u2023-1lserver.dll”
PATCH_ID 1000002
PATCH_FORMAT_VER 2
VULN_ID 7834
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x7bb8f
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT lserver.dll!0x7bbf5,kernel32.dll!GetModuleHandleA
code_start
push rax
push rcx
push rdx
push r8
push r9 ;push all the volatile registers to save the initial state
push r10
push r11
push r12
mov r11, 0x0 ;move a 0x0 flag to r11
mov r12, rax ;save the current counter value to r12
call STR1 ;load the current module name to stack so we can call GetModuleHandle
db ‘lserver.dll’,0
STR1:
pop rcx ;pop the string pointer to the first arg
sub rsp, 0x20 ;create the shadowspace
call PIT_GetModuleHandleA ;call GeModuleHandle to get the current module base address
add rsp, 0x20 ;delete the shadowspace
cmp rax, 0x0 ;check if the call succeeded
je EXIT ;if GetModuleHandle call failed jump out of the patch without doing anything
cmp r12d, dword[rax+0xa873c] ;compare the current counter value to the size of the buffer
;that is saved in a global variable on base address + 0xa873c
jb EXIT ;if the counter is less then the buffer size skip the flag setting instruction
mov r11, 0x1 ;otherwise set the flag and continue
EXIT:
cmp r11, 0x1 ;check the flag so we can use a conditional jump after restoring registers
pop r12
pop r11
pop r10
pop r9 ;restore the original register states
pop r8
pop rdx
pop rcx
pop rax
je PIT_0x7bbf5 ;if the flag was set jump to the error block as an overflow is
;about to occur- else continue normally
code_end
patchlet_end
The video below shows our micropatch in action: first, the target server (on the left) has 0patch disabled, and running our POC against it from another machine in the domain causes the Remote Desktop Licensing Service to crash. The same test with 0patch enabled – and therefore our micropatch applied – does not lead to the crash.
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
Windows Server 2008 R2 – no ESU, ESU 1-4Windows Server 2012 – no ESUWindows Server 2012 R2 – no ESU
Micropatches have already been distributed to, and applied on, all
affected online computers with 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).
Vulnerabilities like these get discovered on a regular basis, and
attackers know about them all. If you’re using Windows that aren’t
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won’t be exploited on your computers – and you won’t
even have to know or care about these things.
If you’re new to 0patch, create a free account
in 0patch Central,
start a free trial, then install and register 0patch Agent. Everything
else will happen automatically. No computer reboot will be needed.
We would like to thank Lewis Lee, Chunyang Han and Zhiniang Peng for sharing their analysis, which made it possible for us to create a
micropatch for this issue.
To learn more about 0patch, please visit our Help Center.
Article Link: 0patch Blog: Micropatches for “MadLicense” Windows Remote Desktop Licensing Service Remote Code Execution (CVE-2024-38077)
1 post – 1 participant
July 2024 Windows Updates brought a patch for CVE-2024-38077,
a memory corruption vulnerability in Remote Desktop Licensing Service that could potentially allow an attacker in a Windows network to remotely execute arbitrary code on a computer running this service.Security researchers Lewis Lee, Chunyang Han and Zhiniang Peng found this vulnerability and reported it to Microsoft. On August 9 they also published an article (subsequently deleted) with some details about this vulnerability and an incomplete pseudo-code POC. We had confirmed that said POC was not working as-is but combining various sources, we were able to create our own working POC. The VulnerabilityThe vulnerability resides in the Remote Desktop Licensing Service, a service only running on Windows Servers and installed by default: one has to add the “Remote Desktop Licensing” role to have it installed.The flaw is in a fixed-size buffer being used for user-supplied data, which can result in a buffer overflow. Careful selection of user-supplied data could potentially lead to execution of arbitrary code on the server hosting the Remote Desktop Licensing Service, running as Local System.Microsoft’s patch checks for the buffer overflow and exits the affected function with error before it occurs.Our Micropatch Our micropatch is simpler but logically equivalent to Microsoft’s.Here’s the source code of our micropatch.
;XX-2326MODULE_PATH “..AffectedModuleslserver.dll_6.3.9600.18226_Server-2012_64-bit_u2023-1lserver.dll”PATCH_ID 1000002PATCH_FORMAT_VER 2VULN_ID 7834PLATFORM win64 patchlet_start PATCHLET_ID 1 PATCHLET_TYPE 2 PATCHLET_OFFSET 0x7bb8f N_ORIGINALBYTES 5 JUMPOVERBYTES 0 PIT lserver.dll!0x7bbf5,kernel32.dll!GetModuleHandleA code_start push rax push rcx push rdx push r8 push r9 ;push all the volatile registers to save the initial state push r10 push r11 push r12 mov r11, 0x0 ;move a 0x0 flag to r11 mov r12, rax ;save the current counter value to r12 call STR1 ;load the current module name to stack so we can call GetModuleHandle db ‘lserver.dll’,0 STR1: pop rcx ;pop the string pointer to the first arg sub rsp, 0x20 ;create the shadowspace call PIT_GetModuleHandleA ;call GeModuleHandle to get the current module base address add rsp, 0x20 ;delete the shadowspace cmp rax, 0x0 ;check if the call succeeded je EXIT ;if GetModuleHandle call failed jump out of the patch without doing anything cmp r12d, dword[rax+0xa873c] ;compare the current counter value to the size of the buffer ;that is saved in a global variable on base address + 0xa873c jb EXIT ;if the counter is less then the buffer size skip the flag setting instruction mov r11, 0x1 ;otherwise set the flag and continue EXIT: cmp r11, 0x1 ;check the flag so we can use a conditional jump after restoring registers pop r12 pop r11 pop r10 pop r9 ;restore the original register states pop r8 pop rdx pop rcx pop rax je PIT_0x7bbf5 ;if the flag was set jump to the error block as an overflow is ;about to occur- else continue normally code_endpatchlet_end
The video below shows our micropatch in action: first, the target server (on the left) has 0patch disabled, and running our POC against it from another machine in the domain causes the Remote Desktop Licensing Service to crash. The same test with 0patch enabled – and therefore our micropatch applied – does not lead to the crash.Micropatch AvailabilityMicropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed: Windows Server 2008 R2 – no ESU, ESU 1-4Windows Server 2012 – no ESUWindows Server 2012 R2 – no ESU Micropatches have already been distributed to, and applied on, all
affected online computers with 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). Vulnerabilities like these get discovered on a regular basis, and
attackers know about them all. If you’re using Windows that aren’t
receiving official security updates anymore, 0patch will make sure these
vulnerabilities won’t be exploited on your computers – and you won’t
even have to know or care about these things. If you’re new to 0patch, create a free account
in 0patch Central,
start a free trial, then install and register 0patch Agent. Everything
else will happen automatically. No computer reboot will be needed.We would like to thank Lewis Lee, Chunyang Han and Zhiniang Peng for sharing their analysis, which made it possible for us to create a
micropatch for this issue.
To learn more about 0patch, please visit our Help Center.
Article Link: 0patch Blog: Micropatches for “MadLicense” Windows Remote Desktop Licensing Service Remote Code Execution (CVE-2024-38077)
1 post – 1 participant
Read full topic