[Zeek] Bluegate DOS/RCE

Ben Reardon ben.reardon at corelight.com
Wed Jan 29 16:26:15 PST 2020


Hi all, I'm looking into a few detection ideas around the Remote Desktop
Gateway RCE vulns CVE-2020-0609
<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609>
and CVE-2020-0610
<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0610>
(AKA Bluegate). These vulns are exposed on UDP port 3391 (DTLS), which is
essentially a speedup of RDP. Given it's DTLS, Zeek logs all connections
happily into ssl.log, including JA3.

YMMV, but one detection method is to look for
(JA3=2e29256489ce9efe000820389e24b2fd OR JA3=698698ef3647fddcc035694ba0878bf2)
AND UDP 3391. These are the JA3 of the tools noted below.

Another method is to baseline a known list of JA3. You could do this
methodically, or take the pragmatic approach and just list what JA3s
connected to your server on DTLS/3391 prior to the CVE and then look
for any JA3 that is net new.

There are other ways to detect this as well, and I'm interested if anyone
is looking into these bugs, and particularly if you are running RDG legit -
could you contact me to chat about the sort of legit traffic you see? (pcap
snippets would be great, but a chat is good too.)

Attack/scanning toolsets currently publicly available (list not exhaustive):

   1. https://github.com/ollypwn/BlueGate operates in "checking mode" and
   "DoS" mode.
   2. https://twitter.com/layle_ctf/status/1221514332049113095 an RCE demo
   has been published, but the tool is not publicly available yet.
   3. https://github.com/ioncodes/BlueGate. Check and DoS mode.
   4. https://github.com/MalwareTech/RDGScanner. Check mode only.

Thanks
Ben Reardon
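The two detection approaches described in the post (match the known tool JA3 hashes on UDP/3391, and flag any JA3 that is net new against a pre-CVE baseline) as an added worked example, not code from the original post or from any of the tools it links. It is written against Zeek's tab-separated ASCII logs and assumes the JA3 package is installed so that ssl.log carries a `ja3` column. Because ssl.log does not record the transport protocol, the "UDP 3391" condition is taken from conn.log and joined on the shared `uid`. The log lines, uids, IP addresses and the baseline hash `0123456789abcdef0123456789abcdef` are constructed sample data; only the two tool JA3 values come from the post.

```python
"""Flag Bluegate (CVE-2020-0609/0610) scanner traffic in Zeek logs.

Added example, not from the original post. Joins ssl.log (JA3 hash, present
when the JA3 package is installed) with conn.log (transport protocol and
responder port) on the shared uid, because ssl.log alone cannot tell you
that a handshake ran over UDP/3391.
"""
from typing import Dict, List, Set

# JA3 fingerprints quoted in the post for the public BlueGate check/DoS tools.
TOOL_JA3: Set[str] = {
    "2e29256489ce9efe000820389e24b2fd",
    "698698ef3647fddcc035694ba0878bf2",
}
RDG_UDP_PORT = "3391"  # RD Gateway UDP/DTLS transport, as a log string


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek ASCII log into one dict per record.

    Column names come from the '#fields' header rather than fixed positions,
    because packages such as JA3 append columns to ssl.log.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #path, #types, #close ... are not data
        else:
            values = line.split("\t")
            if not fields or len(values) != len(fields):
                raise ValueError("malformed Zeek log line: %r" % line)
            records.append(dict(zip(fields, values)))
    return records


def rdg_dtls_sessions(conn_log: str, ssl_log: str) -> List[Dict[str, str]]:
    """ssl.log records whose conn.log entry is UDP to port 3391 and has a JA3."""
    udp_3391 = {
        c["uid"] for c in parse_zeek_log(conn_log)
        if c["proto"] == "udp" and c["id.resp_p"] == RDG_UDP_PORT
    }
    return [
        s for s in parse_zeek_log(ssl_log)
        if s["uid"] in udp_3391 and s.get("ja3", "-") != "-"  # '-' is Zeek's unset field
    ]


def known_tool_hits(sessions: List[Dict[str, str]]) -> List[str]:
    """Method 1: uids whose client hello matches a known tool fingerprint."""
    return [s["uid"] for s in sessions if s["ja3"] in TOOL_JA3]


def net_new_ja3(sessions: List[Dict[str, str]], baseline: Set[str]) -> List[str]:
    """Method 2: JA3 values seen on DTLS/3391 that were not in the pre-CVE baseline."""
    return sorted({s["ja3"] for s in sessions} - baseline)


def analyze(conn_log: str, ssl_log: str, baseline: Set[str]) -> Dict[str, List[str]]:
    sessions = rdg_dtls_sessions(conn_log, ssl_log)
    return {"tool_hits": known_tool_hits(sessions),
            "net_new": net_new_ja3(sessions, baseline)}


def _tsv(*rows) -> str:
    """Build a tab-separated Zeek-style log from tuples (constructed sample data)."""
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed conn.log: three DTLS/3391 sessions, one TCP/443 session carrying a
# tool JA3 (must NOT match), and one UDP/3391 flow with no handshake logged.
CONN_LOG = _tsv(
    ("#separator", "\\x09"),
    ("#path", "conn"),
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"),
    ("#types", "time", "string", "addr", "port", "addr", "port", "enum", "string"),
    ("1580300001.000000", "CtoolA1", "198.51.100.7", "50231", "192.0.2.10", "3391", "udp", "ssl"),
    ("1580300002.000000", "ClegitB2", "10.0.0.21", "50412", "192.0.2.10", "3391", "udp", "ssl"),
    ("1580300003.000000", "CnewC3", "198.51.100.9", "50933", "192.0.2.10", "3391", "udp", "ssl"),
    ("1580300004.000000", "CtcpD4", "198.51.100.7", "51077", "192.0.2.10", "443", "tcp", "ssl"),
    ("1580300005.000000", "CnossE5", "198.51.100.3", "51200", "192.0.2.10", "3391", "udp", "-"),
)

# Constructed ssl.log with the JA3 package's extra column.
SSL_LOG = _tsv(
    ("#separator", "\\x09"),
    ("#path", "ssl"),
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "version", "server_name", "ja3"),
    ("#types", "time", "string", "addr", "port", "addr", "port", "string", "string", "string"),
    ("1580300001.050000", "CtoolA1", "198.51.100.7", "50231", "192.0.2.10", "3391", "DTLSv12", "-", "2e29256489ce9efe000820389e24b2fd"),
    ("1580300002.050000", "ClegitB2", "10.0.0.21", "50412", "192.0.2.10", "3391", "DTLSv12", "rdg.example.test", "0123456789abcdef0123456789abcdef"),
    ("1580300003.050000", "CnewC3", "198.51.100.9", "50933", "192.0.2.10", "3391", "DTLSv12", "-", "fedcba9876543210fedcba9876543210"),
    ("1580300004.050000", "CtcpD4", "198.51.100.7", "51077", "192.0.2.10", "443", "TLSv12", "rdg.example.test", "698698ef3647fddcc035694ba0878bf2"),
)

# Constructed placeholder for the JA3 of the one legitimate RDG client seen before the CVE.
BASELINE_JA3: Set[str] = {"0123456789abcdef0123456789abcdef"}

if __name__ == "__main__":
    print(analyze(CONN_LOG, SSL_LOG, BASELINE_JA3))
```

On the sample data the tool-hash rule fires only for CtoolA1: CtcpD4 presents the same kind of fingerprint but over TCP/443, so the conn.log join drops it. The baseline rule returns both the tool hash and the unknown hash from CnewC3, which is the point of the post's second method: it catches a client the tool list does not know about, at the cost of needing someone to confirm what the baseline should contain.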