This is the explanation regarding the CVE 2020–29138 which I’ve discovered in the routers provided by the CLARO company in Brazil.

The SAGEMCOM router, model F@ST3486 NET, running the NET_4.109.0 software version, contains an Improper Access Control vulnerability in the configuration backup functionality. This router is widely distributed by the ISP provider CLARO company, for their customers in Brazil.

The vulnerability occurs when there is a valid session running in the router web interface.

As long as there is any valid session opened, any unauthenticated request to http://<router-ip>/backupsettings.conf will allow the router configuration download.

Reproducing:

Access the router’s web interface…


The goal here is to analyze the behavior of the Metasploit Blueekeep Module, which exploits the CVE-2019–0708 vulnerability, and identify signatures which can be used in writing a snort rule for detecting its usage.

Both NCC Group and Talos Intelligence has published snort rules for detecting the CVE-2019–0708. However, both of them suggested the detection based on some contents that will travel under encryption and will be visible only with specific decryption softwares/appliances.

Here I focus in the not encrypted part of the communication.

RDP Communication

First of all, it’s important to understand the basics of RDP communication which is used in…


The test was executed on a Windows 7 Enterprise x64 Ultimate, running over a VMWare 15 Workstation Pro.

The metasploit was placed on a Kali Linux 4.19, also over VMWare.

Setting Up

Summary of the packages installed in order to run the project’s branch with the operational bluekeep exploit:

UPDATE: Seems that the PullRequest was approved and merged to the project’s master branch. So it’s not necessary to set the origin to the pull/12283.

#git clone https://github.com/rapid7/metasploit-framework.git …

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store