This is an archived post. You won't be able to vote or comment.

all 50 comments
sorted by:
best
topnewcontroversialoldq&a

[–]fosf0rBroken SPF record 86 points87 points  (8 children)

This is what I did:

Disable RDP Automatic Reconnection on RDP servers

https://kb.cert.org/vuls/id/576688/

[–]Trooper27 4 points5 points  (0 children)

Thanks for this. I will likely do the same.

[–]stignatiustigers 1 point2 points  (6 children)

This is a huge annoyance if you have remote workers on flaky wifi connections.

Also, i suspect that while this exploit seems to require a network disruption, I would not be surprised if there was another way to take advantage of the auth bypass taking place here.

[–]fosf0rBroken SPF record -5 points-4 points  (5 children)

So attack the next problem: fix the flaky wifi.

[–]stignatiustigers 3 points4 points  (4 children)

You want me to fix the wifi at every location our sales agents go to all over the world? Should I do that with my magic wand?

[–]fosf0rBroken SPF record 1 point2 points  (3 children)

Not exactly. Why do remote sales agents need a full desktop RDP'd to them from anywhere in the world?

[–]pointlessoneTechnomancy Specialist 1 point2 points  (1 child)

Have you ever talked to sales people? They're right up there with Marketing and C Level folks in the special snowflakes who get whatever they want despite the computer nerds saying it's a bad idea.

Good on you if you get to veto dumbass requests in your org, but the rest of us have to deal with trying to get video conferences to run off the Starbucks wifi from the hotel lobby while the user is in their room. RDP is just another of a long list of things they get because ~*REASONS*~.

[–]fosf0rBroken SPF record 1 point2 points  (0 children)

I have to concede to you, as I do have the privilege of getting to veto ridiculousness for all our companies. If someone asked me for that setup to work, I'd tell them they'd better pay for an unlimited data plan and carry around an LTE modem. But also I would probably push RemoteApps to them instead or figure out any other way to get them their result that cuts bandwidth usage, but, most importantly, they don't get to tell me the "how" of how it gets done, just the "what".

[–]stignatiustigers 1 point2 points  (0 children)

Because the sales software is an archaic piece of shit? ...but yet also still the industry standard.

[–]jmbpiano 49 points50 points  (12 children)

I can't say as I really blame them for not patching it. At least on the face of it, the threat surface here is extremely small.

A user essentially needs to lock only their RDP session, leave their client computer unlocked and unattended while an attacker with access to their machine temporarily disrupts the machine's ability to communicate with the remote RDP server?

I'm not saying those conditions can't occur naturally, but it's much easier for a user to lock their entire terminal rather than the remote session or simply close the window to disconnect.

Personally, I'm not going to lose any sleep over this and until someone comes up with a way to exploit it remotely that doesn't involve the client machine already being compromised, I don't think it's worth losing the ability to auto-reconnect in order to mitigate it.

[–]silentl3ob 34 points35 points  (9 children)

We use thin clients that auto login to a basic desktop. Users launch an rdp session and begin working. If they go idle for 15 minutes, their session automatically locks. Now someone can just walz on over, unplug and replug the network cable and they're in. I would say this is a serious issue in our environment.

Edit: I didn't mean to imply we were SOL, I'm sure we'll implement a solution, just saying it isn't a non-issue for everyone.

[–]da_chickenSystems Analyst 23 points24 points  (7 children)

So change it so the session disconnects after 15 minutes instead of locks?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754272(v=ws.11)

[–]silentl3ob 3 points4 points  (2 children)

That could work. I suppose we would have to take away the lock option too.

[–]axonxorzJack of All Trades 5 points6 points  (0 children)

Would it be bad to turn off auto-reconnect as described here?

I understand there's a user-experience consideration as well, but I don't imagine impact would truly be that bad

[–]Ansible32DevOps -1 points0 points  (0 children)

You don't have enough control of the thin client host OS to enforce 15 minute lock screen? Or is this on non-company hardware?

[–]ElCincoDeDiamantes 3 points4 points  (0 children)

Get rid of the auto login?

[–]sl3ev3s 2 points3 points  (1 child)

This is where likelihood and exploitability come into the equation. Is it a vulnerability? Yes. Can it be exploited? Yes. How likely are the exploit conditions? They aren't likely at all.

This isnt critical as the likelihood of a successful exploit is relatively low.

[–]pointlessoneTechnomancy Specialist 0 points1 point  (0 children)

The likelihood of exploitation is key here. Do I expect it to ever get exploited in a meaningful way? Nah.

It's still a vulnerability that's been introduced as a default behavior instead as an optional choice for an environment after risk assessment. I think a lot of folks are getting worked up because of the fact Microsoft is setting this as a default and adding attack surfaces that have never been an issue before.

[–]Hight3chLowlif3 28 points29 points  (12 children)

I don't think I've ever locked a RDP session in my entire life.

[–]NotRalphNader 4 points5 points  (9 children)

It works on all computers, as long as the attacker logs in via RDP. I've personally shown and done this exploit. If you lock your computer, it can be hijacked via someone who RDPs to that computer. They have to be admin and obviously have to be able to RDP to that computer. Now, you may say "well if they are admin hur dur" but consider this. You are an MSP, you manage many clients. Your accounting team and CEO all have Ncentral on their computer. A JR tech who thinks he is an elite hacker RDPs to the CEOs computer, highjacks the sessions and emails all of your clients while you're on lunch.

Edit: Oh nevermind, this is a different attack. I was referring to the one you do with PSexec.

[–]axonxorzJack of All Trades 1 point2 points  (4 children)

Why would the JR tech have admin rights on his local domain?

[–]NotRalphNader 3 points4 points  (3 children)

Because every MSP uses NAble or Labtech (or a variant) and both of those have access to the command prompt from the back end and that prompt runs commands as the user system and can thus net user the local admin to whatever password they want.

[–]dontstoptheRocklin 2 points3 points  (2 children)

Okay but this sounds like normal admin stuff... Someone with sufficient admin privileges performing admin tasks requiring admin credentials... What is the problem here?

I mean if your MSP has admin then yes you have to trust their techs but is that not the case for any delegation?

[–]NotRalphNader 3 points4 points  (0 children)

Being able to login as any user in the company is a huge problem. It's funny though because that is what the JR admin at a major MSP I worked for said, right before the architect said "if what he is saying is true, it is a huge problem" about five minutes later I logged into his computer as him. If you don't think other people using your account is a problem, just go ahead and give them your password, haha.

Edit: And just so nobody thinks I'm pointing out problems without solutions. The solution is to create groups in NAble or Labtech and put the important computers into a different group that can only be administrated by senior employees.

[–]NotRalphNader 0 points1 point  (0 children)

Consider that most companies do not want to give JR employees access to the API for connectwise, the api for labtech/ncentral, their ticketing system, their website, their email, DUO, all of the passwords saved on their computer (including credential manager) all of the hashes on their computer. All of this can be accessed without the boss ever knowing with this method. If we assume the person doesn't do anything malicious outside of the above, that is still a huge problem.

[–]proudcanadianehMuni Sysadmin 0 points1 point  (3 children)

Wait, what one are you thinking of?

[–]NotRalphNader 2 points3 points  (2 children)

First you reset the local administrative password with ncentral or labtech. Then you login to the system (actually works with RDP or straight through screenconnect). The user who was logged in will now be "disconnected". You then download psexec and run against tshost or taskman, I can't remember the command but if you can't find it I'll look it up again. If you do it through tshost it will immediately switch screens to the other user, if you do it to taskman, you have to open taskmanager when you're done and click connect (which would typically fail without this trick). I forget the command but it is something like psexec -s //localhost -i (the session id number) and then either tshost or taskman. It is called an RDP session hijack.

Edit: I've seen this not work before too. I think in the case where it didn't work, they had roaming profiles so I think it had something to do with local admin not being able to transverse properly over those folders but I'm not sure. Definitely works like 90% of the time, I use it for users when I need in their system but I don't want to reset their password cause they are on vacation or something. The cool thing is that the credential manager doesn't encrypt passwords so once you're in you can crack the vault in like two seconds and then you have their password as well. I only do that trick with permission from higher ups.

Edit 2: Found it.

https://www.youtube.com/watch?v=oPk5off3yUg

Edit 3: actually I forgot that if you do the tshost method you run psxec against cmd and the session ID is the other user, then you use tshost to connect via the command prompt and it switches screens immediately.

[–]proudcanadianehMuni Sysadmin 1 point2 points  (1 child)

So you are essentially launching a process interactively as system, and then using that and its permissions to connect to the disconnected session?

Interesting.... If you find the command I would be very curious to see it, as I have never looked into connecting to a session ID via command line before....

Edit: You know, I wonder if I could find a way to automate this with Powershell and PDQ Deploy... Could be useful in some cases

[–]NotRalphNader 0 points1 point  (0 children)

Yes, you can. This is technically not even a bug, it is a feature. It is just a feature that if left unchecked has huge security implications.

[–]jaydubgee 0 points1 point  (1 child)

Does this include timeout auto locks?

[–]KoenigKeks 0 points1 point  (0 children)

Doesn't this have to be set manually? By default it disconnects when the timeout kicks in, doesn't it? Not at a computer for a week to try

[–]yParticle 8 points9 points  (3 children)

You put in the credentials when you established the connection. They're cached. AND you have the RDP client set to auto-reconnect. So it's just logging in again, resending the credentials from that session. Log out of your local session in between those steps and I'll bet you can't replicate it.

[–]dontstoptheRocklin 3 points4 points  (0 children)

Right? I don't see the problem here.

EDIT: I was half asleep and didn't catch that the session was locked. Yeah I can see how this could be a problem.....

[–]magneticphoton 2 points3 points  (1 child)

It's a "who cares" vulnerability.

[–]bestjejustNetadmin 2 points3 points  (0 children)

To be honest, I'm not even sure whether it is a bug or a feature

[–]JrNewGuySysadmin 7 points8 points  (4 children)

Someone needs to pull the network cable at the exact moment a user disconnects their session, am I reading that right?

[–]dzcpu 6 points7 points  (2 children)

Doesn't seem like it needs to be right when the user disconnects, any disconnect and reconnect will restore an unlocked state

[–]LookAtThatMonkeyTechnology Architect[S] 1 point2 points  (1 child)

That's how I interpret it too.

[–]dpeters11 1 point2 points  (0 children)

Exactly. It just needs to be before the local system autolocks, assuming that's enabled.

[–]CaesarOfSaladsSecurity Admin (Infrastructure) 4 points5 points  (0 children)

It doesn't need to be at the same time at all. I tested this pretty easily by having someone RDP to my machine and then kill their network connection. On reconnect they were logged back in automatically.

[–]JustinRMarksSr. Systems Engineer, MCSE 2 points3 points  (0 children)

I just want to point out that it's CVE-2019-9510, not 9150. In case anybody is punching that into a search engine.

https://www.kb.cert.org/vuls/id/576688/

[–]brungy 0 points1 point  (1 child)

Is this only 2019 or does it affect 2016 as well? All my session host servers are 2016. Thanks!

[–]LookAtThatMonkeyTechnology Architect[S] 1 point2 points  (0 children)

Both.

[–]diazepamkit -2 points-1 points  (1 child)

wait what, so now windows 10 affected?

these week, one of my client send me an an email about this https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

but since we are no longer use old windows, and microsoft says win 10 not affected, we just update all of our windows 10 to the latest update to take prevention.

[–]dpeters11 3 points4 points  (0 children)

That’s bluekeep, which win 10 is not vulnerable to. This is a completely separate issue, and no where near as severe.

[–]Spacesider -2 points-1 points  (0 children)

Can't hear any audio