CVE-2019-0708 / BlueKeep scanner: license errors are not handled

[cnotin]

Steps to reproduce

Run the scanner/rdp/cve_2019_0708_bluekeep scanner module against an RDP server which returns a license error.
Here are similar issues and ways of discovering such servers:
https://github.com/zerosum0x0/CVE-2019-0708/issues/16
robertdavidgraham/rdpscan#25

Expected behavior

The module gracefully handles the error and report the host as not vulnerable.

Current behavior

I get the following error:

msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

[*] a.b.c.d:3389     - Verifying RDP protocol...
[*] a.b.c.d:3389     - Attempting to connect using TLS security
[*] a.b.c.d:3389     - Server requests TLS
[*] a.b.c.d:3389     - Sending erect domain request
[*] a.b.c.d:3389     - Sending client info PDU
[*] a.b.c.d:3389     - Received License packet
[*] a.b.c.d:3389     - Sending client confirm active PDU
[*] a.b.c.d:3389     - Sending client synchronize PDU
[*] a.b.c.d:3389     - Sending client control cooperate PDU
[*] a.b.c.d:3389     - Sending client control request control PDU
[*] a.b.c.d:3389     - Sending client input sychronize PDU
[*] a.b.c.d:3389     - Sending client font list PDU
[-] a.b.c.d:3389     - Unexpected error: EOFError
/var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:203:in `get_once'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:395:in `rdp_recv'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:186:in `block in check_for_patch'
/var/lib/gems/2.5.0/gems/activesupport-4.2.11.1/lib/active_support/core_ext/range/each.rb:7:in `each'
/var/lib/gems/2.5.0/gems/activesupport-4.2.11.1/lib/active_support/core_ext/range/each.rb:7:in `each_with_time_with_zone'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:185:in `check_for_patch'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:322:in `check_rdp_vuln'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:93:in `check_host'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:65:in `run_host'
/root/tools/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
/root/tools/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'
[*] a.b.c.d:3389     - The target service is running, but could not be validated.
[*] a.b.c.d:3389     - Scanned 1 of 1 hosts (100% complete)

System stuff

Metasploit version

I use the latest MSF version from Git (metasploit v5.0.39-dev-6bd7f6cb4a)

I installed Metasploit with:

• Source install (ruby 2.5.5p157)

OS

Kali

[wvu]

Looking into this. Will report back with fix or notes.

[wvu]

Can you retest with set VERBOSE true to verify that this is failing on reading the license response?

[cnotin]

Sorry I forgot to include the options or to mention it, but this is already a verbose output.
Without it, the message is much shorter, and no hint of an error...
I am not sure that msf fails on reading the license, but using the rdesktop fork I can assure you that this issue is present with this server (and others which trigger the same error).
Actually I found these particular server and I was curious to see how this module would handle them.

[wvu]

Ah, gotcha, you're right. But that would indicate there's a read failure on the font list PDU. The license packet actually passes, since apparently I don't know how to use my eyes.

Please see if #12152 fixes the issues.

[cnotin]

Ok for #12152 :)

However, I have noticed that it continues to fail against other hosts (which also return license errors in other tools). Sorry for missing it first but it fails at a different step ("sending patch check payloads" instead of "sending client font list PDU" that you fixed):

[*] a.b.c.d:3389    - Verifying RDP protocol...
[*] a.b.c.d:3389    - Attempting to connect using TLS security
[*] a.b.c.d:3389    - Server requests TLS
[*] a.b.c.d:3389    - Sending erect domain request
[*] a.b.c.d:3389    - Sending client info PDU
[*] a.b.c.d:3389    - Received License packet
[*] a.b.c.d:3389    - Sending client confirm active PDU
[*] a.b.c.d:3389    - Sending client synchronize PDU
[*] a.b.c.d:3389    - Sending client control cooperate PDU
[*] a.b.c.d:3389    - Sending client control request control PDU
[*] a.b.c.d:3389    - Sending client input sychronize PDU
[*] a.b.c.d:3389    - Sending client font list PDU
[*] a.b.c.d:3389    - Sending patch check payloads
[-] a.b.c.d:3389    - Unexpected error: EOFError
/var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:203:in `get_once'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:210:in `block in check_for_patch'
/var/lib/gems/2.5.0/gems/activesupport-4.2.11.1/lib/active_support/core_ext/range/each.rb:7:in `each'
/var/lib/gems/2.5.0/gems/activesupport-4.2.11.1/lib/active_support/core_ext/range/each.rb:7:in `each_with_time_with_zone'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:201:in `check_for_patch'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:322:in `check_rdp_vuln'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:93:in `check_host'
/root/tools/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb:65:in `run_host'
/root/tools/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
/root/tools/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'
[*] a.b.c.d:3389    - The target service is running, but could not be validated.

[cnotin]

Suggested and tested fix:

diff --git a/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb b/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
index 844719754b..d4a4a93c68 100644
--- a/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
+++ b/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
@@ -207,7 +207,11 @@ class MetasploitModule < Msf::Auxiliary
       rdp_send(x64_packet)
 
       # Quick check for the Ultimatum PDU
-      res = sock.get_once(-1, 1)
+      begin
+        res = sock.get_once(-1, 1)
+      rescue EOFError
+        raise RdpCommunicationError
+      end
       return Exploit::CheckCode::Vulnerable if res && res.include?(["0300000902f0802180"].pack("H*"))
 
       # Slow check for Ultimatum PDU. If it doesn't respond in a timely

However the output is different with this:

[*] a.b.c.d:3389    - Verifying RDP protocol...
[*] a.b.c.d:3389    - Attempting to connect using TLS security
[*] a.b.c.d:3389    - Server requests TLS
[*] a.b.c.d:3389    - Sending erect domain request
[*] a.b.c.d:3389    - Sending client info PDU
[*] a.b.c.d:3389    - Received License packet
[*] a.b.c.d:3389    - Sending client confirm active PDU
[*] a.b.c.d:3389    - Sending client synchronize PDU
[*] a.b.c.d:3389    - Sending client control cooperate PDU
[*] a.b.c.d:3389    - Sending client control request control PDU
[*] a.b.c.d:3389    - Sending client input sychronize PDU
[*] a.b.c.d:3389    - Sending client font list PDU
[*] a.b.c.d:3389    - Sending patch check payloads
[-] a.b.c.d:3389    - Error communicating RDP protocol.
[*] a.b.c.d:3389    - Cannot reliably check exploitability.

"The target service is running, but could not be validated" VS "Cannot reliably check exploitability"
I don't know what's best...

[wvu]

If the server doesn't respond to the patch check, it's assumed to be likely patched (see slow check below).