CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis

Time: 2021-06-15 18:35:47

Contents

1. Origin of the vulnerability
2. Analysis of the vulnerability
3. Scope of impact
4. Exploitation scenarios
5. POC and testing methods
6. Patch status
7. How to prevent this kind of vulnerability from recurring

 

1. Origin of the vulnerability

This CVE concerns the Windows Secure Channel (Schannel):

The Secure Channel (Schannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. These components are used to implement secure communications in support of several common internet and network applications, such as web browsing. Schannel is part of the security package that helps provide an authentication service to provide secure communications between client and server.

By sending malformed network packets to the port on which a Windows server's Secure Channel-related service listens, an attacker can achieve remote arbitrary code execution (RCE) and obtain code execution on the victim's host.

Relevant Link:

https://technet.microsoft.com/en-us/library/security/dn848375.aspx#Schannel
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6321
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6321
https://technet.microsoft.com/library/security/ms14-066


2. Analysis of the vulnerability

0x1: Introduction to Secure Channel

The vulnerability originates in the Secure Channel Security Package, a code library (a .dll file) that implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. It provides a secure communication channel between a Windows server and remote clients across an untrusted public network, for example:

1. HTTPS communication between a web browser and a web server
2. Active Directory authentication
3. Secure Channel is a functional module within the Secure Channel Security Package code library. It is mainly responsible for the authentication service between client and server; that is, it is the part of Secure Channel's logic that handles network authentication packets.

Flow/architecture diagram (figure not reproduced)


Similar in principle to OpenSSL, the Secure Channel Security Package is only a low-level code library; it is responsible for the concrete implementation of the upper-layer SSL/TLS protocols.

Relevant Link:

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2014/11/11/it-s-time-to-update-your-secure-channel-ms14-066-cve-2014-6321.aspx
http://msdn.microsoft.com/en-us/library/aa380123(VS.85).aspx

0x2: Vulnerability analysis

By patch-diffing the Windows update, we can determine that the vulnerable DLL file is

C:\WINDOWS\system32\schannel.dll

Use depends.exe to inspect the API exported by schannel.dll:


Because Windows is a closed-source operating system, the code can only be recovered by reverse engineering, so no in-depth code analysis is done here. Based on the report from Microsoft's vulnerability analysis team, the causes of the vulnerability appear to be the following:

1. In schannel.dll, the API that processes SSL/TLS session packets (not handshake packets) has a buffer-overflow flaw in its processing flow for certain fields of the packet
2. To complete a POC, the attacker must construct packets; this is a malformed-field packet attack
3. To turn the POC into an actual attack, the attacker must additionally place in the packet the specific shellcode required for the buffer overflow

 

3. Scope of impact

0x1: Risk posed by the vulnerability

An attacker who successfully exploited this vulnerability could run arbitrary code on a target server.

By crafting malformed malicious datagrams, an attacker can execute arbitrary code on the victim's machine and bypass the security defenses provided by Windows, including:

1. Enhanced Protected Mode (EPM) sandbox in IE 11
2. Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool

0x2: Affected operating system versions

Operating System | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced

Windows Server 2003
Windows Server 2003 Service Pack 2 (2992611) | Remote Code Execution | Critical | 2655992 in MS12-049
Windows Server 2003 x64 Edition Service Pack 2 (2992611) | Remote Code Execution | Critical | 2655992 in MS12-049
Windows Server 2003 with SP2 for Itanium-based Systems (2992611) | Remote Code Execution | Critical | 2655992 in MS12-049

Windows Vista
Windows Vista Service Pack 2 (2992611) | Remote Code Execution | Critical | 2207566 in MS10-085
Windows Vista x64 Edition Service Pack 2 (2992611) | Remote Code Execution | Critical | 2207566 in MS10-085

Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 (2992611) | Remote Code Execution | Critical | 2207566 in MS10-085
Windows Server 2008 for x64-based Systems Service Pack 2 (2992611) | Remote Code Execution | Critical | 2207566 in MS10-085
Windows Server 2008 for Itanium-based Systems Service Pack 2 (2992611) | Remote Code Execution | Critical | 2207566 in MS10-085

Windows 7
Windows 7 for 32-bit Systems Service Pack 1 (2992611) | Remote Code Execution | Critical | 2982378 in SA2871997
Windows 7 for x64-based Systems Service Pack 1 (2992611) | Remote Code Execution | Critical | 2982378 in SA2871997

Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (2992611) | Remote Code Execution | Critical | 2982378 in SA2871997
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (2992611) | Remote Code Execution | Critical | 2982378 in SA2871997

Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems (2992611) | Remote Code Execution | Critical | 2868725 in SA2868725
Windows 8 for x64-based Systems (2992611) | Remote Code Execution | Critical | 2868725 in SA2868725
Windows 8.1 for 32-bit Systems (2992611) | Remote Code Execution | Critical | None
Windows 8.1 for x64-based Systems (2992611) | Remote Code Execution | Critical | None

Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 (2992611) | Remote Code Execution | Critical | 2868725 in SA2868725
Windows Server 2012 R2 (2992611) | Remote Code Execution | Critical | None

Windows RT and Windows RT 8.1
Windows RT[1] (2992611) | Remote Code Execution | Critical | 2868725 in SA2868725
Windows RT 8.1[1] (2992611) | Remote Code Execution | Critical | None

Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (2992611) | Remote Code Execution | Critical | 2207566 in MS10-085
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (2992611) | Remote Code Execution | Critical | 2207566 in MS10-085
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (2992611) | Remote Code Execution | Critical | 2982378 in SA2871997
Windows Server 2012 (Server Core installation) (2992611) | Remote Code Execution | Critical | 2868725 in SA2868725
Windows Server 2012 R2 (Server Core installation) (2992611) | Remote Code Execution | Critical | None

Judging from Microsoft's bulletin, this vulnerability covers almost every version of Windows and is a high-severity issue.

 
4. Exploitation scenarios

This is a code vulnerability in a low-level library. To verify with 100% certainty whether a system is vulnerable, one would need to construct a matching malformed-packet POC from the details of the flawed code. Microsoft's research team has not published further details about this vulnerability, so it cannot be verified at the source-code or POC level, which is regrettable.

 

5. POC and testing methods

0x1: How to check whether the local machine is vulnerable

Microsoft fixed the vulnerable DLL, so the DLL's version number on the current system tells us whether the system is vulnerable.

Run the following command at the command prompt to obtain the DLL's version number:

wmic datafile where name="C:\\Windows\\System32\\schannel.dll" get version


Compare the version obtained with the version Microsoft officially lists; if the version number differs, the current system is vulnerable and must be patched:

1. Windows Server 2003

Schannel.dll    5.2.3790.5462  

2. Windows Server 2008 x86

Schannel.dll    5.2.3790.5462 

3. Windows Server 2008 x64 

Schannel.dll    6.0.6002.19193

4. Windows Server 2012 x64

Schannel.dll    6.2.9200.17124

5. Windows Server 2012 R2 x64

Schannel.dll    6.3.9600.17385
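The same check in PowerShell, as an added example rather than code from the original post: it reads the four numeric parts of schannel.dll's file version and compares them with the fixed versions listed above, keyed by the DLL's own major.minor branch. The reference values are assumed from this post's list (Server 2008 R2, branch 6.1, has no reference value here), and a build later than the fix is treated as patched, so the comparison is "at least" rather than the strict equality of the wmic check.

```powershell
# Added example (not part of the original post): is the local schannel.dll at
# or above the post-MS14-066 file version listed in this post?
# Reference versions are taken from the list above, keyed by the DLL's own
# major.minor branch (5.2 = Server 2003, 6.0 = Server 2008,
# 6.2 = Server 2012, 6.3 = Server 2012 R2). Branch 6.1 (Server 2008 R2)
# has no reference version in the post and is reported as 'Unknown'.
$FixedVersions = @{
    '5.2' = [version]'5.2.3790.5462'
    '6.0' = [version]'6.0.6002.19193'
    '6.2' = [version]'6.2.9200.17124'
    '6.3' = [version]'6.3.9600.17385'
}

function Test-SchannelPatched {
    param([string]$DllPath = (Join-Path $env:SystemRoot 'System32\schannel.dll'))

    if (-not (Test-Path $DllPath)) { throw "schannel.dll not found: $DllPath" }

    # Build a System.Version from the four numeric parts; the FileVersion
    # string can carry extra text on some builds and is unreliable to parse.
    $vi = (Get-Item $DllPath).VersionInfo
    $current = New-Object -TypeName System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $branch = '{0}.{1}' -f $current.Major, $current.Minor

    $expected = $null
    $status = 'Unknown'
    if ($FixedVersions.ContainsKey($branch)) {
        $expected = $FixedVersions[$branch]
        # A later build than the fix is also patched, so compare with -ge
        # instead of testing for equality.
        if ($current -ge $expected) { $status = 'Patched' } else { $status = 'Vulnerable' }
    }

    # New-Object PSObject keeps this usable on PowerShell 2.0 (Server 2003/2008 era).
    return New-Object PSObject -Property @{
        Path = $DllPath; Current = $current; Expected = $expected; Status = $status
    }
}

$result = Test-SchannelPatched
$result | Format-List Path, Current, Expected, Status
if ($result.Status -eq 'Vulnerable') {
    Write-Warning "schannel.dll $($result.Current) is below $($result.Expected): install KB2992611 (MS14-066)."
}
```

On x64 systems run this from a 64-bit PowerShell, otherwise WoW64 redirects System32 to SysWOW64 and the 32-bit copy of the DLL is inspected instead.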

0x2: Verifying vulnerability by constructing malformed packets

None available yet: producing a malformed packet that can be sent at the host from outside would require in-depth reverse engineering of Schannel.dll.

 

6. Patch status

0x1: Apply the patch through the Windows automatic update service

The most stable and effective approach is to use the system's built-in update program to install the patch.


0x2: Standalone MS14-066 patch

Windows 2003 32-bit, Chinese patch
http://www.microsoft.com/zh-CN/download/details.aspx?id=44649
Windows 2003 32-bit, English patch
http://www.microsoft.com/en-us/download/details.aspx?id=44649
Windows 2003 64-bit, Chinese patch
http://www.microsoft.com/zh-CN/download/details.aspx?id=44606
Windows 2003 64-bit, English patch
http://www.microsoft.com/en-us/download/details.aspx?id=44606
Windows 2008 32-bit, English patch
http://www.microsoft.com/en-us/download/details.aspx?id=44645
Windows 2008 32-bit, Chinese patch
http://www.microsoft.com/zh-CN/download/details.aspx?id=44645
Windows 2008 64-bit, English patch
http://www.microsoft.com/en-us/download/details.aspx?id=44631
Windows 2008 64-bit, Chinese patch
http://www.microsoft.com/zh-CN/download/details.aspx?id=44631
Windows 2008 R2 64-bit, Chinese patch
http://www.microsoft.com/zh-CN/download/details.aspx?id=44618
Windows 2008 R2 64-bit, English patch
http://www.microsoft.com/en-us/download/details.aspx?id=44618

Relevant Link:

http://bbs.aliyun.com/read.php?tid=182074&displayMode=1&page=1&toread=1#tpc


7. How to prevent this kind of vulnerability from recurring

Attached below is the source code of an automated patching program. It does two things:

1. Automatically downloads the update package matching the operating system version, from the group's internal FTP server:
    1) all Windows Server 2003: WindowsServer2003-KB2992611.exe
    2) all Windows Server 2008: WindowsServer2008-KB2992611.msu
    3) all Windows Server 2008 R2: WindowsServer2008-R2-KB2992611.msu
    4) all Windows Server 2012: WindowsServer2012-KB2992611.msu
    5) all Windows Server 2012 R2: WindowsServer2012-R2-KB2992611.msu
2. Installs it silently, without a reboot.
Because the source of this vulnerability is that DLL, which is loaded into the resident LSASS system process, installing the patch only replaces the DLL file on disk. For the update to actually take effect, the LSASS process must be reloaded, which amounts to a reboot.

Code:

#if (defined _WIN32 || defined __WIN32__)
#include <windows.h>
#endif

#include <stdio.h>
#include <stdlib.h>      /* system() */
#include <string.h>      /* strncpy(), strcat(), strlen() */
#include <io.h>          /* access() */
#include <curl/curl.h>
#include <curl/easy.h>

using namespace std;

/* libcurl write callback: append the received bytes to the output file */
size_t write_data(void *ptr, size_t size, size_t nmemb, FILE *stream)
{
    size_t written = fwrite(ptr, size, nmemb, stream);
    return written;
}

/*
parameters:
url: download link
filename: path to save the downloaded package to
*/
void installUpdate(const char *url, const char *filename)
{
    //1. Download the update package
    CURL *curl;
    FILE *fp;
    CURLcode res = CURLE_FAILED_INIT;
    const char *outfilename = filename;
    const char *parame = " /quiet /norestart";
    char cmdline[MAX_PATH + 32] = {0};

    // Build "<file> /quiet /norestart". The copy is bounded so a long filename
    // cannot overrun cmdline (the original memcpy of a fixed 128 bytes also
    // read past the end of short filenames).
    strncpy(cmdline, filename, sizeof(cmdline) - strlen(parame) - 1);
    strcat(cmdline, parame);

    curl = curl_easy_init();
    if (curl)
    {
        fp = fopen(outfilename, "wb");
        if (fp)
        {
            curl_easy_setopt(curl, CURLOPT_URL, url);
            curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data);
            curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp);
            curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1L);  /* an HTTP error page is not a package */
            res = curl_easy_perform(curl);
            fclose(fp);
        }
        /* always cleanup */
        curl_easy_cleanup(curl);
    }

    //2. Check that the download succeeded (transfer OK and file present on disk)
    if (res == CURLE_OK && !access(outfilename, 0))
    {
        printf("update file downloaded successfully!\n");
        //3. Run the silent, no-reboot install
        system(cmdline);
    }
    else
    {
        printf("update file download failed!\n");
    }
    return;
}

/*
Detect a 64-bit OS by reading the gs segment selector: it is 0 for a 32-bit
process on 32-bit Windows and non-zero for a 32-bit process under WoW64.
The program must therefore be built as a 32-bit executable (64-bit MSVC has
no inline assembler).
return:
1: 64-bit
0: 32-bit
*/
int getPlatForm()
{
    unsigned short x64 = 0;

    #if defined(_MSC_VER)
        // vs
        __asm mov x64,gs
    #else
        // gcc
        asm("mov %%gs, %0" : "=r"(x64));
    #endif
    //printf("In x%s OS\n", x64 ? "64" : "86");

    return x64 != 0;
}

/*
Determine the OS version and 32/64-bit, then install the matching package.
Note: from Windows 8.1 / Server 2012 R2 on, GetVersionEx reports 6.2 unless
the executable carries a compatibility manifest, so the 6.3 branch is only
reached with such a manifest.
*/
int GetOSVer()
{
    OSVERSIONINFO osver;
    osver.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&osver))
    {
        return 0;
    }

    if(osver.dwPlatformId == VER_PLATFORM_WIN32_NT)   /* == 2 */
    {
        //1. windows server 2003
        if(osver.dwMajorVersion ==  5 && osver.dwMinorVersion == 2)
        {
            printf("windows server 2003\n");
            //32-bit
            if(getPlatForm() == 0)
            {
                installUpdate("http://xxxx/WindowsServer2003-KB2992611-32.exe", "WindowsServer2003-KB2992611-32.exe");
            }
            //64-bit (the .exe extension is needed for cmd.exe to run the file)
            else
            {
                installUpdate("http://xxxx/WindowsServer2003-KB2992611-64.exe", "WindowsServer2003-KB2992611-64.exe");
            }
            return(1);
        }
        //2. windows server 2008
        if(osver.dwMajorVersion ==  6 && osver.dwMinorVersion == 0)
        {
            printf("windows server 2008\n");
            //32-bit
            if(getPlatForm() == 0)
            {
                installUpdate("http://xxxx/WindowsServer2008-KB2992611-32.msu", "WindowsServer2008-KB2992611-32.msu");
            }
            //64-bit
            else
            {
                installUpdate("http://xxxx/WindowsServer2008-KB2992611-64.msu", "WindowsServer2008-KB2992611-64.msu");
            }
            return(1);
        }
        //3. windows server 2008 R2
        if(osver.dwMajorVersion ==  6 && osver.dwMinorVersion == 1)
        {
            printf("windows server 2008 R2\n");
            //32-bit: Windows Server 2008 R2 ships only as x64, so there is nothing to do here
            if(getPlatForm() == 0)
            {
            }
            //64-bit
            else
            {
                installUpdate("http://xxxx/WindowsServer2008-R2-KB2992611-64.msu", "WindowsServer2008-R2-KB2992611-64.msu");
            }
            return(1);
        }
        //4. windows server 2012
        if(osver.dwMajorVersion ==  6 && osver.dwMinorVersion == 2)
        {
            printf("windows server 2012\n");
            //32-bit: x64 only, nothing to do
            if(getPlatForm() == 0)
            {
            }
            //64-bit (install call not enabled in this version)
            else
            {
                //installUpdate("http://xxxx/WindowsServer2012-KB2992611.msu", "WindowsServer2012-KB2992611.msu");
            }
            return(1);
        }
        //5. windows server 2012 R2
        if(osver.dwMajorVersion ==  6 && osver.dwMinorVersion == 3)
        {
            printf("windows server 2012 R2\n");
            //32-bit: x64 only, nothing to do
            if(getPlatForm() == 0)
            {
            }
            //64-bit (install call not enabled in this version)
            else
            {
                //installUpdate("http://xxxx/WindowsServer2012-R2-KB2992611.msu", "WindowsServer2012-R2-KB2992611.msu");
            }
            return(1);
        }
    }
    return 0;
}

int main(int argc, char* argv[])
{
    #ifdef _WIN32
        printf("Hello: %d\n", GetOSVer());
    #endif

    #ifdef _UNIX
    #endif

    #ifdef _LINUX
    #endif

    return 0;
}


For the download links in the code, obtain the official patch packages from Microsoft's website yourself.

Test results on different operating systems:

1. windows server 2003 32:
2. windows server 2003 64: test passed
3. windows server 2008 32:
4. windows server 2008 64: test passed
5. windows server 2008 R2 32:
6. windows server 2008 R2 64:
7. windows server 2012 32:
8. windows server 2012 64:
9. windows server 2012 R2 32:
10. windows server 2012 R2 64:

Relevant Link:

http://files.cnblogs.com/LittleHann/vulfix.rar

 

Copyright (c) 2014 LittleHann All rights reserved