RDP Proof-of-Concept Exploit Triggers Blue Screen of Death 128
mask.of.sanity writes "A working proof of concept has been developed for a dangerous vulnerability in Microsoft's Remote Desktop Protocol (RDP). The hole stands out because many organizations use RDP to work from home or access cloud computing services. Only days after a patch was released, a bounty was offered for devising an exploit, and later a working proof of concept emerged. Chinese researchers were the first to reveal it, and security professionals have found it causes a blue screen of death in Microsoft Windows XP and Windows Server 2003 machines. Many organizations won't apply the patch and many suspect researchers are only days away from weaponizing the code."
Remote Death Packet... (Score:5, Funny)
It totally happened to my cousin's friend.
Re: (Score:1)
Re:Remote Death Packet... (Score:5, Funny)
Now now, don't be so synackal.
Re: (Score:1)
Is this the hole that was patched one Tuesday? (Score:2)
Or something entirely new?
Re: (Score:2)
*on* Tuesday...
Re:Is this the hole that was patched one Tuesday? (Score:5, Informative)
Yes. The guy who discovered it reported it to both the TippingPoint Zero Day Initiative and to Microsoft, and sent them the packet that triggers the exploit. That exact same packet showed up in this exploit, meaning somebody either at ZDI or Microsoft or part of the MAPP program leaked it.
So much for responsible disclosure! Although as soon as I saw that TippingPoint had released a signature for this on Tuesday, I figured that would be enough information for people to figure out what was up. Leaking the exact packet made things even easier and quicker, though.
Gee, I do so love it when I get three days to deploy a critical patch throughout my entire production environment. That makes for some wonderful conversations with the admin staff, let me tell you!
Re:Is this the hole that was patched one Tuesday? (Score:4, Interesting)
Just below your comment there's one from an AC titled "Missed the real story" indicating the exploit code was released from within MS.
That might mean some jackass got the brilliant idea that if there's going to be an exploit soon anyway, it may as well be the original one, and that will scare people into deploying the patch *right now*.
Comment removed (Score:4, Insightful)
Re: (Score:2)
Yes. The guy who discovered it reported it to both the TippingPoint Zero Day Initiative and to Microsoft, and sent them the packet that triggers the exploit. That exact same packet showed up in this exploit, meaning somebody either at ZDI or Microsoft or part of the MAPP program leaked it.
That does not follow. The original discoverer might have disclosed it to other resources who leaked it, or leaked it himself.
If that exact packet is an obvious way of doing it, it could also have been an independent discovery.
Re: (Score:2)
That does not follow. The original discoverer might have disclosed it to other resources who leaked it, or leaked it himself.
If that exact packet is an obvious way of doing it, it could also have been an independent discovery.
Why doesn't it follow? This has been a risk since day one of Microsoft's advance notification program.
In this [zdnet.com] article, Luigi Auriemma, the guy who discovered the flaw and reported it to Microsoft, explains the changes he made to the packet and the fact that the same packet was in the released exploit code.
Re: (Score:2)
In this article, Luigi Auriemma, the guy who discovered the flaw and reported it to Microsoft, explains the changes he made to the packet and the fact that the same packet was in the released exploit code.
That doesn't in any way preclude him from having sent the same code to others. We don't know that Microsoft is to blame here. And I'm not a MS fanboi - I just want there to be more information before anyone draw any conclusions.
Re: (Score:3)
Re:Is this the hole that was patched one Tuesday? (Score:5, Insightful)
I have employees who are allowed to come in to the VPN with their home (non-corporate-managed) machines, and no restrictions on their network traffic. I'm working on changing that but it hasn't happened as yet. Additionally, I have way too much experience with malware running on Windows machines while their installed antivirus software is happily telling anyone who asks there's nothing wrong at all.
You need to stop thinking about internal risks in terms of deliberate actions by malicious employees (which is still a risk) and start thinking more in terms of the malware they're almost inevitably running and what actions it can take without their knowledge. This is a highly wormable exploit - think SQL Slammer. I would suggest you consider your soft center as well as your hard crunchy outside for this one.
Missed the real story (Score:5, Informative)
Re:Missed the real story (Score:5, Funny)
If by purchase (Score:3, Informative)
You mean "download for free" then maybe. You realize that all Windows updates for the entire life cycle of the product are included with the purchase price of the original copy, correct? They do not charge a maintenance fee. They are also very up front about life cycle and end of life. 10 years minimum for all OSes. It can be (and often is) extended, but it is never less than that.
Re: (Score:1)
How important is this? (Score:5, Informative)
The exploit doesn't allow unauthorized access or remote root. It only allows a denial of service against Windows XP and Windows Server 2003 products. It doesn't seem that Windows 7 and Windows Server 2008 are vulnerable. That really mitigates that risk. I have a Windows Home Server 2011 box that shouldn't be vulnerable because it's based on the WS2008R2 code base. Furthermore, there's already a patch for this bug. Therefore, if you're still running an old version of Windows that you neglected to patch, then your server might be crashed remotely. I don't think it's really that deadly or scary.
Re:How important is this? (Score:4, Informative)
The sourcecode linked in the summary is just a proof-of-concept. A much more devastating payload, in principle, certainly can be delivered. MS says the vulnerability could allow arbitrary code execution https://technet.microsoft.com/en-us/security/bulletin/ms12-020
Re: (Score:1)
That's the point, that someone may turn the crash into a root.
Re: (Score:1)
Re: (Score:3)
My understanding is that if you fill a buffer overflow with random data (or just wrong data) it can cause the kernel to panic if it unexpectedly stumbles upon this incorrect/corrupt data and thus BSODs.
Now, if you are more crafty, you can inject valid code/data rather than panic-inducing random data. This valid code/data could then potentially allow a thorough rooting.
Re:How important is this? (Score:5, Informative)
With buffer overflows the way it usually works is that a buffer that is allocated on the stack (let's say, a temporary buffer where some user input goes to have something done on it) isn't properly bounds checked. Local function variables are on the stack. What is below them (on x86 and amd64) will be first the saved base pointer of the calling function, and then the return address of the next instruction in the calling function. So on a 32 bit arch, if we imagine the buffer is the first thing on the stack, the first 4 bytes of the buffer overflow will overwrite the calling function's saved %ebp register, and then the next 4 bytes you overwrite will be the return address of the calling function. When the function finishes and executes the RET statement, what happens is the address put on the stack by the CALL is popped off, and the program counter is set to this address.
Normally, this address is the valid return address, but in this case, where you've been able to overflow the buffer, it's whatever the 4 bytes were set to in the overflowing data. In a userland program, the program will usually crash with "Segmentation fault". In kernel land, you may get a kernel panic.
To exploit this, when the attacker overwrites the return address, if they can have this address point to their code instead, they can then gain control of the machine with whatever privilege level the process they are attacking has. Usually, the whole exploit is in the buffer that's overflowed, the attacker basically has to figure out what the address of their payload will be in the stack, and set the function's return address to this, and voila, they can execute arbitrary code.
A number of things have been done in recent years to frustrate this: randomizing the address of the heap and stack to make it harder to predict the address your attacking code will be at, and also making the stack and heap non-executable if the CPU supports it (or using a software emulation of the NX bit) so even if you do overwrite the return address with the address of your code, the program dies with "Segmentation fault" because the processor won't allow code to execute in that memory page.
Re: (Score:2)
Wow, that was a well-written post on the subject. I hope you're working for the good guys.
Re: (Score:2)
Thanks for the most clear explanation I've read about this.
[I'm old and not terribly bright; I've never understood why stuff isn't checked to see if it fits before it is used.]
Re:How important is this? (Score:5, Informative)
Re: (Score:2, Redundant)
The idea is that a specially crafted payload could root the box instead of crashing the system. Right now the payload only crashes the system because the researches didn't spend the time making it worse.
Comment removed (Score:5, Informative)
Re:How important is this? (Score:5, Insightful)
Re:How important is this? (Score:5, Funny)
... If your mission critical server is still running Windows, then you're doing it wrong...
FTFY. :)
(just to please up the anti-microsoft crowd...)
Re: (Score:2)
Re: (Score:1)
Re:How important is this? (Score:5, Insightful)
You'd be wrong. Dead wrong.
MS shops do this.
Shops that avoid MS at all costs and give control of it to finance/ms person, who have no clue about security do this.
Small businesses that just don't know better do this.
Re: (Score:3)
Re: (Score:2)
Mmmmmm, virtualization
Re: (Score:2)
Never been in a small business, have you?
Hint: There is no IT guy, maybe a consultant, definitely no one who knows what platform vSphere runs on.
Re: (Score:2)
I have worked for several years in a fairly small business. I was the only person with technical knowledge and had to support a myriad of odd setups.
If a business cannot afford the tech, then they'll have to live with the downside.. as we did.
Re: (Score:2)
If a business cannot afford the tech, then they'll have to live with the downside.. as we did.
Absolutely agree. Which is why things are usually not set up right and virtualization will never be an answer.
Re: (Score:3)
Never heard of Microsoft Small Business server have you?
Re:How important is this? (Score:5, Informative)
That really mitigates that risk.
I question your definition of 'mitigates' sir. You are describing systems that are not vulnerable to this particular exploit. If you're infrastucture runs on Linux or Mac or oranges with electrodes sticking out of them, you havn't mitigated dick. You just aren't vulnerable.
Re: (Score:2, Insightful)
Mitigate means "reduces the severity of". If fewer machines are vulnerable, that mitigates some risk.
Re: (Score:3)
*Yet*. The vulnerability according to the original CVE is a double free of memory that ends up calling a function pointer in the already-freed block of data. Now if the exploit can change the address to their shellcode, they have just gained unauthorized access.
This might not be easy to do; it might not be possible on some architectures due to the NX bit, but it's possible it could result in a remote execution vulnerability.
Re: (Score:3)
Windows Server 2008 64 bit is vulnerable to the POC, I've confirmed it myself.
Re: (Score:2)
Windows Server 2008 64 bit is vulnerable to the POC, I've confirmshgo7xny3978ty78+++ATH NO CARRIER
Fixed that for you... ;)
Re: (Score:2)
It may be vulnerable to the denial of service (or just crashing the remote desktop service), but likely, it isn't vulnerable to running arbitrary code/privilege escalation. But I could be wrong.
Re: (Score:2)
Actually from what I see it appears to be newer versions of Windows [microsoft.com] as well...
Question: Virtualbox's VRDE/RDP (Score:4, Interesting)
I haven't found the answer to this yet: Virtualbox uses a flavor of RDP (or backwards compatible to RDP) called VRDE. Someone where I worked said this was a protocol problem, so exploit apply to virtualbox or is this just the implementation of RDP that Microsoft uses?
Re: (Score:2)
interesting question. Any Virtualbox devs in the house?
Re: (Score:1)
Tested it on my VirtualBox VMs and it did not work.
Re: (Score:2)
It's an implementation problem. It depends on whether Virtualbox has the same issue in its implementation. According to the original CVE for the vulnerability, the cause is a double free of some memory, the crash actually occuring when the system reads a function pointer that is no longer valid.
Re: (Score:3)
Because this one is bigger than usual - I know of quite a few small companies that use RDP as a "poor man's VPN" and open it from their internal server(s) directly to the Internet. Insanely stupid and I've never allowed any SMBs that I've set up to do it, but it definitely happens quite a bit.
Interestingly, scanning for 3389 over the Internet has been quite prevalent for quite awhile. I'm sure there are many, many bad guys out there with big lists of system IP addresses all set to go once this (inevitably
Comment removed (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
With VPN, encryption is iffy at best and may not be enabled by default depending on the client you use.
If you are setting up a VPN on basically any point-and-click interface, encryption will be enabled by default.
Re: (Score:3)
Well, for starters, because Web servers don't run as SYSTEM for quite some time now.
And in any case, opening up port 80 from the Internet to an internal server, rather than one on a DMZ designed to do nothing but host Web content is just as insanely stupid. Same goes for port 443, even though I've lost count of the number of times people have told me 443 is okay "because it's secure!".
Re: (Score:2)
This is by far not the first vulnerability in RDP. I know what you mean though its supposed to be a remote management solution; saying its insanely stupid to expose RDP to the net is like saying its insanely stupid to put SSH on the net.
The truth is minimize you attack surface and pick your poison. Have SSH? good tunnel your RDP, have a VPN? even better use it, want to use RDP? ideally use Microsofts terminal server gateway, if not fine put one 'terminal server' open to the outside and access other boxes
Re: (Score:2)
Re: (Score:3, Insightful)
I'm sorry, mod parent up, so freaking right not even funny.
Was going to post anon, but to hell with my Karma, if you can't recognize that Microsoft isn't the same company it was 12 years ago you are part of the problem and not part of the solution. Not saying they are the best at anything, that's in the eye of the beholder. I'm just saying that Windows 7 (while needing it's code optimized like KDE4 had) is a far superior OS to Windows XP and Windows XP wasn't a bad platform to start off with. In 1999 (when
Re: (Score:2, Informative)
Are you serious? I guess I have been trolled:
$ someapp /usr/lib/libboost.so.15
Someapp can't find libboost.so.14
$ find / -name "libboost.so.*"
Um... I guess you didn't launch the application from it's starter script, OR use yum or a package aware system to install it, OR you used the "force" option.
In any of these cases - you should know what you're doing. Now -
# sudo ln -s /usr/lib/libboost.so.14 /usr/lib/libboost.so.15
# sudo lddconfig
has around a 80% (possibly greater) chance of fixing it anyway. Free advic
Re: (Score:2)
Now, I want to here more about the root kits. It is rather difficult to insert a rootkit into an SELinux system. Either a shell account would be needed, or a method to get around the service audits and denials. For example, Apache under SELinux is denied the ability to open files outside of its assigned subdirectory. Since this priviledge (or lack of) is inherited by the subprocesses, they also cannot access system files. Simply introducing code won't work. You would need to introduce kernel code. A buffer overflow may introduce code into Apache (also difficult, but possible), but that doesn't have the necessary security to broach the kernel.
I'll come back when I'm home to pull up the rootkits, I will not pull up the list while at work. I will first put the ones that are known and are in the rootkit scan application, then I will link to the article about the others (that don't show up on the list in the rootkit scan application, no I don't remember the name off the top of my head).
$ yes QQ....
Un... yes, yes does that -- it's to be used like this:
root$ :'(
>)';
Couldn't find command: :'( )':
The message depends on your shell. Nothing prevents putting newlines into filenames. Don't do it -- it makes the files difficult to type at the shell.
Ok yeah so my brain puked my usual response
Re: (Score:2)
Got it -- makes more sense now.
The solution is to retain .so.14, .so.15, etc. The interface to the KERNEL is consistent, so all you need is multiple environments.
This can be achieved by several means -- using LXC (linux containers) is a good choice.
You can also use chrpath to change rpath.
You can also just leave the various library versions. I generally don't do this. After a "while" (defined as several versions), I will gather the application (and attendant libraries) into /opt/... and modify rpath first.
Who uses RDP without a VPN? (Score:5, Insightful)
Re: (Score:2, Interesting)
Then you don't have much exposure to the MANY SMB's that are setup like this. I even know of some otherwise competent consultants that do this. Stating that the traffic is secure.
I've closed this hole many times at new clients.
Re:Who uses RDP without a VPN? (Score:5, Insightful)
Then you don't have much exposure to the MANY SMB's that are setup like this. I even know of some otherwise competent consultants that do this. Stating that the traffic is secure.
I've closed this hole many times at new clients.
Ah yes, another incompetent *nix admin with his head in the sand. Since this was posted as AC I know you're probably trolling but I'll bite. Since the RDP changes starting with Windows Vista and Server 2008 (pre-R2, even) the RDP connection handshake resembles that of TLS, SSH, and other VPN protocols, utilizing RSA, certificate based identity verification, and AES (with keys transmitted during the RSA encrypted during setup).
If modern RDP is insecure, I have really bad news for SSH, e-commerce and the entire fucking world that uses TLS.
Re: (Score:3)
Wow. Shill much?
First of all, your ever-so-awesome RDP changes that started with Vista don't seem to have helped a ton here, unless you took the non-default step of turning on NLA which breaks accessing the server from XP clients that haven't had an upgrade to the RDP client.
Secondly, given the choice between opening RDP to a Windows box or SSH to a Linux box, I'll place my bets on SSH any day of the week. OpenSSH was designed from the start to be a highly-secure protocol. It has, of course, had to evolv
Re: (Score:2, Funny)
Re: (Score:3)
This:
for i in {1..254}; do nc -v -n -z -w 1 207.46.130.$i 3389; done
will scan Microsoft's public IP space for RDP.
Feel free to test it on your infrastructure.
Re: (Score:2)
Extra security through obscurity, yes, but hey, most people only bother with the low hanging fruit. It's already encrypted and me not using that port probably stops a shit ton of attacks.
The same people who use SSH without a VPN? (Score:3, Insightful)
There is no particular reason RDP needs to be behind a VPN any more than any other protocol. It is fully encrypted, does secure password exchange and all that jazz. Same as SSH. So if you run any SSH servers that are open to the world, well there's your answer.
If you are all VPN all the time, ok, though I will caution you to carefully check your setup, VPN is often a false sense of security (particularly since in many configurations it punches through the user's NAT and host based firewall and can expose th
Re: (Score:2)
That applies to Server 2008/Windows 7 RDP (maybe Vista, not sure about that). The versions found in Windows 2000, XP and Server 2003 are not nearly as secure.
Re: (Score:3)
If you're running SSH open to the world you SHOULD be forcing keys not passwords. It only takes one user with a poor password to allow an attacker access to try a local admin exploit or use you as a 'bounce server'.
RDP cannot be put into a key/certificate only mode.
Add to that Microsoft's past performance with security applications (eg pptp) and I have always strongly recommended that RDP be only used within some sort of secure pipe (VPN, ssh!!, zebedee etc). or at the very least moved off the default
Re: (Score:2)
Yes but you can use IPSEC with machine certificates to achieve the same goal, or you can put the RDP machine behind a RDS Gateway and use certificates as the authentication method on the website however this does limit the usefulness as it limits your users to only having access from company owned assets (well technically you could issue the certificates and have them install them on other machines but I'm not sure everyone in our IT department would get
Re: (Score:1)
Important to note that this is a "no authorization required" vulnerability. Merely the correct sequence of malformed packets leads to a kernel-level remove code execution. If RDP is listening to the port and it recieves this sequence.... *bork* The BSOD mentioned is just a crude proof of concept in the wild. Be afraid of the attacks that DO NOT BSOD, and in fact leave no real trace.
Re: (Score:2)
Sure, but all it takes is some code getting run anywhere on a corporate LAN to run through it like wildfire. Firewalls are an obvious layer of protection, but you can't have big security holes on the other side, otherwise you're talking worm city.
Re: (Score:2)
Well you should start nmap then. I see 3389 open every-f-where. Seriously.
Just think web hosting on windows. That's not SSH. That's RDP. Everywhere.
Re: (Score:2)
Have fun (Score:3, Informative)
http://pastebin.com/nSp1Qxpi [pastebin.com]
Re:Have fun (Score:4, Interesting)
That code is not real, it was a fake release from yesterday. Actual POC code is available in a number of places though and looks very similar.
Re: (Score:2)
http://pastebin.com/48XkG9sq [pastebin.com]
nice payload :P
but not very useful for exploiting the bug. lol.
Re: (Score:3)
Here is the real one:
http://115.com/file/be27pff7 [115.com]
Directly from the author's blog:
http://aluigi.altervista.org/adv/ms12-020_leak.txt [altervista.org]
Ouch... (Score:2)
I tried to go to the March 2012 Microsoft Security Bulletin on their website and got a 404 Error. Guess they're updating it with new info? BTW I tested the sample Ruby code that was published and the BSOD worked like a champ on a couple of my older boxes here at work. Good thing I don't use RDP on any Internet-facing hosts. Only through a VPN...
Re: (Score:2)
Re: (Score:2)
Actually newer versions of Windows [microsoft.com] are also included in the patch. Of course learning this would require one to read past the often-incorrect or often-shortsighted summaries :-P
Re: (Score:2)
Re: (Score:3)
I can't imagine anyone with any important data leaving an X session port open balls-to-the-walls to the Internet, so why on Earth would anyone let RDP, particularly the rather weakly-protected pre-Server 2008 variants, run basically naked like that (not that I would allow a Server 2008 Terminal Server or any other RDP service from a newer OS be visible to the outside world).
We have a Windows Terminal Server plus a few workstations that people can remote into, but they have to come in on our VPN. I closed th
Re: (Score:2)
Hiding RDP behind a VPN should protect from external attacks on this, so security through layers is the answer. I often wonder why FWKNOP http://cipherdyne.org/fwknop/ [cipherdyne.org]isn't more widely used to hide and protect services.
Re: (Score:2)