Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specification is Awesome!

Page 1

RDP Fuzzing or Why the Microsoft Open Protocol Specification is Awesome!

Page 2

And These Guys Are?

• Lane Thames, PhD – VERT Security Researcher @ Tripwire

– Decade+ Experience

– Focused on Tool Development and Data Analytics

• Andrew Swoboda – VERT Security Researcher @ Tripwire

– Focused on Python and Network Protocol Implementation

– Most Recent Research: RDP

Page 3

Ok... And This Talk?

Page 4

Microsoft Open Protocol Spec

• Open Spec Promise – September 2006

• Includes:

– Office File Formats – Binary & XML

– Multiple RFCs

– WMF Image Format

• Microsoft allows the open use/sale of products using the included specs.

Page 5

Microsoft Open Protocol Spec

• Documentation on hundreds of MS Protocols

• Includes examples and capture data

• Multiple Uses

– Build your own protocol stack

– Exploit Research

– Protocol Troubleshooting

– Malware Research

– Fuzzer Development!

Page 6

RDP Packet Dissection

• Server/Client based dissection

– Order maintained

– Encrypted packets were decrypted

– Fields and values explained

• Organized & Structured

Page 7

RDP Encryption

• Encryption – FIPS

– Federal Information Processing Standard

• Non-FIPS

– 3 encryption lengths: 40 bit, 56 bit, 128 bit

– Session key

• Used to encrypt/decrypt

• OPS – How to calculate

» Decrypt key

» Encrypt key

» MAC key (not the MAC signature)

– http://msdn.microsoft.com/en-us/library/cc240785.aspx
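Worked example, added here and not taken from the deck, of the non-FIPS session key derivation the slide points at (MS-RDPBCGR section 5.3.5.1): the SaltedHash/FinalHash construction that turns the two 32-byte randoms into the MAC key and the two RC4 keys, the 40/56-bit truncation, and the client/server key swap a decrypting dissector has to get right. The function names and the randoms used in the test are my own.

```python
import hashlib

def salted_hash(secret, salt, client_random, server_random):
    """SaltedHash from MS-RDPBCGR 5.3.5.1: MD5(secret + SHA1(salt + secret + randoms))."""
    inner = hashlib.sha1(salt + secret + client_random + server_random).digest()
    return hashlib.md5(secret + inner).digest()

def final_hash(key, client_random, server_random):
    """FinalHash: MD5(key + ClientRandom + ServerRandom)."""
    return hashlib.md5(key + client_random + server_random).digest()

def derive_session_keys(client_random, server_random, key_bits=128, role="client"):
    """Return (mac_key, decrypt_key, encrypt_key) for one side of the connection.

    client_random is the 32-byte random from the Security Exchange PDU and
    server_random the 32-byte random from the Server Security Data.
    """
    pre_master = client_random[:24] + server_random[:24]
    master = b"".join(salted_hash(pre_master, s, client_random, server_random)
                      for s in (b"A", b"BB", b"CCC"))
    blob = b"".join(salted_hash(master, s, client_random, server_random)
                    for s in (b"X", b"YY", b"ZZZ"))
    mac_key = blob[:16]                     # MAC key, not the per-PDU MAC signature
    key_a = final_hash(blob[16:32], client_random, server_random)
    key_b = final_hash(blob[32:48], client_random, server_random)
    # The client's decrypt key is the server's encrypt key, and vice versa.
    decrypt_key, encrypt_key = (key_a, key_b) if role == "client" else (key_b, key_a)
    # 40- and 56-bit methods use 8-byte keys with fixed leading salt bytes.
    if key_bits == 40:
        shrink = lambda k: b"\xd1\x26\x9e" + k[3:8]
    elif key_bits == 56:
        shrink = lambda k: b"\xd1" + k[1:8]
    elif key_bits == 128:
        shrink = lambda k: k
    else:
        raise ValueError("unsupported key length: %d" % key_bits)
    return shrink(mac_key), shrink(decrypt_key), shrink(encrypt_key)
```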

Page 8

Page 9

Why Python

• Interpreted language.

– Quick development

– No need to recompile between changes

– Ease of Use

• It’s used by many security tools.

• We use it internally at Tripwire

Page 10

Python 101: Hello World!

Basic Hello World!

>>> print 'Hello World!'

Hello World!

Hello World! function

>>> def hw():
...     print 'Hello World!'
...
>>> hw()
Hello World!

Hello World! Class

>>> class Hello:
...     def __init__( self ):
...         self.hw = 'Hello World!'
...     def greet ( self ):
...         return self.hw
...
>>> world = Hello()
>>> world.greet()
'Hello World!'
>>> print world.greet()
Hello World!

Page 11

Fuzzing 101

• What is Fuzzing?

• Why Fuzz?

• Examples of Fuzzing outside of IT?

Page 12

Our Fuzzing Concept

• Stand Alone Fuzzer; Protocol Independent

• Protocol library can be built any way

– Requires a protocol library and an error library

• Uses templates for fuzzing attempts.

– Generate the templates a number of ways

– Each template attempt is reported

• Allows for easy reproduction

Page 13

Pluggable Protocols

• Protocols are independent.

• Requires a function named start()

• Raises error messages

• Dynamically generates protocol module names

– <protocol>.py

– <protocol>_error.py

Page 14

Templates

• Define variables that can be manipulated.

• Generated via:

– Manually

– Programmatically

• With a script

• Populated with packet data

– Packet Capture

– Exploit

Page 15

Why

• Minimal past experience with fuzzers

– It can be difficult to trace error generation

• Wanted it to work with many protocols

• Valid for our work at Tripwire

Page 16

Fuzzer: find_templates()

Page 17

Fuzzer: run()

Page 18

Fuzzer: fuzz()
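As an added example (not the authors' fuzzer), a minimal Python harness following the pluggable-protocol and template design from pages 13 and 14, with find_templates(), fuzz() and run() in the roles the slide titles name: the protocol module and its <protocol>_error module are imported by name, start() is mandatory, each template lists the variable fields as (offset, length) over captured packet bytes, and every attempt is recorded with the template, field and mutation so it can be reproduced. The demo_proto module, the mutation values and the template packet are constructed stand-ins.

```python
import importlib
import sys
import types
# Constructed stand-in for <protocol>.py (a real plug-in would talk to a target).
_demo = types.ModuleType("demo_proto")
def _demo_start(packet):          # constructed target stub: rejects packets over 64 bytes
    if len(packet) > 64:
        raise ValueError("rejected %d-byte packet" % len(packet))
    return len(packet)
_demo.start = _demo_start
sys.modules["demo_proto"] = _demo                       # so import_module finds it
sys.modules["demo_proto_error"] = types.ModuleType("demo_proto_error")
MUTATIONS = [b"\x00", b"\xff" * 4, b"A" * 200]          # constructed; a real run has many more
# Constructed template styled on a captured TPKT + X.224 connection request;
# the variables are its two length fields, given as (offset, length).
TEMPLATES = {"connect": {
    "packet": b"\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00",
    "fields": {"tpkt_len": (2, 2), "x224_li": (4, 1)}}}

def load_protocol(name):
    """Import <protocol>.py and <protocol>_error.py by name; start() is mandatory."""
    proto = importlib.import_module(name)
    errors = importlib.import_module(name + "_error")
    if not callable(getattr(proto, "start", None)):
        raise ImportError("%s must define start()" % name)
    return proto, errors

def find_templates(catalogue):
    """Keep only templates whose variable fields lie inside the packet."""
    return {n: t for n, t in catalogue.items()
            if all(o + l <= len(t["packet"]) for o, l in t["fields"].values())}

def fuzz(template):
    """Yield (field, mutation, packet) for every variable field and mutation."""
    base = template["packet"]
    for field, (off, length) in template["fields"].items():
        for m in MUTATIONS:
            yield field, m, base[:off] + m + base[off + length:]

def run(protocol, catalogue):
    """Push every attempt through start() and record it so it can be replayed."""
    proto, _errors = load_protocol(protocol)
    report = []
    for name, tpl in find_templates(catalogue).items():
        for field, m, packet in fuzz(tpl):
            try:
                status = "ok (%d bytes)" % proto.start(packet)
            except Exception as exc:  # any error is a finding worth recording
                status = "error: %s" % exc
            report.append((name, field, m, status))
    return report
```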

Page 19

Page 20

Finding a vulnerability

Page 21

Disclosure Process - Why

• Tripwire has a responsible disclosure policy.

• We recommend everyone follow responsible disclosure guidelines.

• 0-day hurts everyone.

Page 22

Disclosure Process - How

• Request a CVE from Mitre (unless the vendor of the product is a CNA)

• Contact the Vendor, determine security contact.

• Contact security contact, include details on the vulnerability

• Follow up until you know the issue is resolved.

Page 23

Your Name in Lights

Page 24

Thank You