December 4, 2016

Hackers Trying to Build Exploit for RDP Vulnerability

(LiveHacking.Com) – On Tuesday Microsoft patched all currently supported versions of Windows to fix a vulnerability in the Remote Desktop Protocol. At the time of the patch there was no known exploit, but a $1467 reward has now been offered for a working Metasploit module that exploits this vulnerability.

The now-patched vulnerability in the Remote Desktop Protocol (RDP) exists because of the way Windows processes RDP packets in memory. In theory, remote attackers can execute arbitrary code by sending crafted RDP packets that trigger access to an object that was not properly initialized or has been deleted.

According to SC Magazine, a proof-of-concept exploit has been shown to trigger a blue screen of death on Windows XP and Windows Server 2003 machines. The first proof of concept to be published was posted briefly on a Chinese website before disappearing. The second, based on the Chinese POC, was described by Accuvant researcher Josh Drake.

In a lighthearted tweet, Chaouki Bekrar of VUPEN wrote “writing a remote exploit for MS12-020 / RDP for Windows 7 is definitely a challenge for Chuck Norris or Steven Seagal.” The remark underlines the complexity of writing an exploit even for a known vulnerability.

“However, due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” said Microsoft on its Security Research & Defense blog.

For organisations that haven’t yet applied Microsoft’s patches, there is a way to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: enable Remote Desktop’s Network Level Authentication (NLA), which requires authentication before a remote desktop session is established with the remote desktop server. On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability.
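One way to check for and apply the NLA setting described above on the local machine, as an added example that is not from the original article or from Microsoft. It assumes an elevated PowerShell session; the function names are hypothetical, and the registry values read are the standard Terminal Server settings `fDenyTSConnections` and `UserAuthentication`.

```powershell
# Added example (not from the article). Function names are hypothetical.
# Assumes an elevated PowerShell session on the machine being checked.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$TcpKey = "$TsKey\WinStations\RDP-Tcp"
$PolKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-RdpNlaStatus {
    $deny   = Get-RegValue $TsKey  'fDenyTSConnections'   # 0 = RDP connections allowed
    $local  = Get-RegValue $TcpKey 'UserAuthentication'   # 1 = NLA required
    $policy = Get-RegValue $PolKey 'UserAuthentication'   # Group Policy value, if set

    # A Group Policy value takes precedence over the local listener setting.
    $effective = if ($null -ne $policy) { $policy } else { $local }
    $rdpOn     = ($deny -eq 0)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        RdpEnabled       = $rdpOn
        NlaRequired      = ($effective -eq 1)
        SetByGroupPolicy = ($null -ne $policy)
        # Pre-authentication RDP code is reachable only when RDP is on without NLA.
        UnauthReachable  = ($rdpOn -and $effective -ne 1)
    }
}

function Enable-RdpNla {
    # Writes the local listener setting; a conflicting Group Policy value still wins.
    Set-ItemProperty -Path $TcpKey -Name 'UserAuthentication' -Value 1 -Type DWord
    Get-RdpNlaStatus
}

$status = Get-RdpNlaStatus
$status | Format-List
if ($status.UnauthReachable -and -not $status.SetByGroupPolicy) {
    Write-Warning 'RDP is enabled without NLA. Run Enable-RdpNla to require authentication first.'
}
```

Requiring NLA means connecting clients must support CredSSP, so older RDP clients may fail to connect after the change.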
