NSA’s EsteemAudit RCE vulnerability in Server 2003 / Windows XP RDP – All things in moderation


Introduction

EsteemAudit is an RCE (Remote Code Execution) exploit against the RDP service (port 3389) on Microsoft Windows Server 2003 and Windows XP machines. It was developed by the NSA and leaked by the Shadow Brokers.

The vulnerability this RDP exploit targets will not be patched, since Microsoft has stopped supporting Windows Server 2003 and Windows XP. Over 30,000 vulnerable systems remain exposed on the Internet; by exploiting this vulnerability, a threat actor can target a remote RDP service and eventually take control of the compromised system.

Detect host vulnerable to EsteemAudit using FUZZBUNCH

To use FUZZBUNCH, first configure it as described in the following tutorial: http://hydrasky.com/network-security/exploit-eternalblue-vulnerability-using-nsa-leaked-tools-and-metasploit/

Run the script fb.py and configure it as in the tutorial above (with eternalblue replaced by esteemAudit).

If the vulnerability is detected, the screen looks like the following:

How does it work?

The vulnerability exploited by this attack is related to Smart Card authentication used when logging onto the system via the RDP service. In this post, we will examine the Windows Smart Card logon mechanism (supported by all Windows versions after Windows 2000), and figure out the root cause of this vulnerability.

This vulnerability is located in the “MyCPAcquireContext()” function in “gpkcsp.dll”, which is called by “winlogon.exe” in the new Windows session. The “MyCPAcquireContext()” function is used to set up the Windows Cryptographic Service Provider (CSP) context. It reads data from the Smart Card and sets the values of the fields of the CSP context structure. If the data read from the Smart Card is too large, the field buffer in the CSP context structure overflows and overwrites another field, eventually enabling arbitrary code execution.
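The bug class described above, as an added illustration (not code from gpkcsp.dll or from this post): a hypothetical CSP-context struct whose fixed-size field is filled from a length the card controls, shown in its vulnerable form beside the bounds-checked form. The struct layout, field names, sizes and the 36-byte card record are all assumed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for the CSP context MyCPAcquireContext() fills from
 * card data: a fixed-size field followed directly by another field.
 * Names and sizes are assumed, not taken from gpkcsp.dll. */
#define CARD_FIELD_MAX 32
#define SENTINEL 0x11111111u
struct csp_context {
    uint8_t  card_field[CARD_FIELD_MAX]; /* filled from the smart card */
    uint32_t next_field;                 /* lives right after it in memory */
};
/* Byte-wise copy addressed relative to the struct, to model the layout. */
static void raw_copy(struct csp_context *ctx, const uint8_t *src, size_t n)
{
    uint8_t *dst = (uint8_t *)ctx + offsetof(struct csp_context, card_field);
    for (size_t i = 0; i < n; i++) dst[i] = src[i];
}
/* Vulnerable pattern: trusts the length the card reports. */
int acquire_context_vulnerable(struct csp_context *ctx, const uint8_t *d, size_t n)
{
    ctx->next_field = SENTINEL;
    raw_copy(ctx, d, n); /* n > CARD_FIELD_MAX overruns into next_field */
    return 0;
}
/* Hardened pattern: validate the untrusted length before any copy. */
int acquire_context_hardened(struct csp_context *ctx, const uint8_t *d, size_t n)
{
    ctx->next_field = SENTINEL;
    if (d == NULL || n > sizeof ctx->card_field) return -1; /* oversized: reject */
    raw_copy(ctx, d, n);
    return 0;
}
/* 1 if the copy clobbered the adjacent field, else 0. */
int next_field_corrupted(const struct csp_context *ctx)
{
    return ctx->next_field != SENTINEL;
}
/* Constructed 36-byte card record (4 bytes more than the field holds).
 * Returns 1 when the vulnerable path corrupts next_field while the hardened
 * path refuses the record and leaves it intact. */
int demo_overflow_vs_check(void)
{
    struct csp_context ctx; uint8_t rec[CARD_FIELD_MAX + 4];
    memset(rec, 0xAA, sizeof rec);
    acquire_context_vulnerable(&ctx, rec, sizeof rec);
    int clobbered = next_field_corrupted(&ctx);
    int rc = acquire_context_hardened(&ctx, rec, sizeof rec);
    return clobbered && rc == -1 && !next_field_corrupted(&ctx);
}
```

The same length check is the mitigation: a CSP must treat any length read from the card as untrusted input and reject it before it touches a fixed-size field.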

For a more detailed account of how it works, refer to the following: https://blog.fortinet.com/2017/05/11/deep-analysis-of-esteemaudit

Reference

http://thehackernews.com
https://blog.fortinet.com/2017/05/11/deep-analysis-of-esteemaudit
https://cysinfo.com/wp-content/uploads/2017/04/Shadow_release_updated.pdf
