Forgot your password?
typodupeerror
Bug Microsoft Security Windows IT

RDP Proof-of-Concept Exploit Triggers Blue Screen of Death 128

Posted by Soulskill
from the if-you-build-it dept.
mask.of.sanity writes "A working proof of concept has been developed for a dangerous vulnerability in Microsoft's Remote Desktop Protocol (RDP). The hole stands out because many organizations use RDP to work from home or access cloud computing services. Only days after a patch was released, a bounty was offered for devising an exploit, and later a working proof of concept emerged. Chinese researchers were the first to reveal it, and security professionals have found it causes a blue screen of death in Microsoft Windows XP and Windows Server 2003 machines. Many organizations won't apply the patch and many suspect researchers are only days away from weaponizing the code."
This discussion has been archived. No new comments can be posted.

RDP Proof-of-Concept Exploit Triggers Blue Screen of Death

Comments Filter:
  • by fuzzyfuzzyfungus (1223518) on Friday March 16, 2012 @10:01AM (#39377645) Journal
    I heard a rumor that if you send an SYN-ACK after SYN request from a certain IP, you die.

    It totally happened to my cousin's friend.
    • *on* Tuesday...

    • by Abalamahalamatandra (639919) on Friday March 16, 2012 @10:11AM (#39377835)

      Yes. The guy who discovered it reported it to both the TippingPoint Zero Day Initiative and to Microsoft, and sent them the packet that triggers the exploit. That exact same packet showed up in this exploit, meaning somebody either at ZDI or Microsoft or part of the MAPP program leaked it.

      So much for responsible disclosure! Although as soon as I saw that TippingPoint had released a signature for this on Tuesday, I figured that would be enough information for people to figure out what was up. Leaking the exact packet made things even easier and quicker, though.

      Gee, I do so love it when I get three days to deploy a critical patch throughout my entire production environment. That makes for some wonderful conversations with the admin staff, let me tell you!

      • by Sir_Sri (199544) on Friday March 16, 2012 @10:17AM (#39377923)

        Just below your comment there's one from an AC titled "Missed the real story" indicating the exploit code was released from within MS.

        That might mean some jackass got the brilliant idea that if there's going to be an exploit soon anyway, it may as well be the original one, and that will scare people into deploying the patch *right now*.

        • Well in a way I honestly can't say that I blame them. Just look at how many here are pissing and moaning they are gonna have to go and deploy this patch across their system, aka doing their jobs, when we ALL know it is SOP for the script kiddies to reverse engineer every single patch MSFT releases and to use that for making easy attacks. Look at how many "ZOMFG Windows got horribly hacked!" we have seen where it was fucking patched MONTHS AGO but corps drug their feet and ended up getting pwned.

          To use a /. car analogy if you park your car on the railroad track to take a nap and someone comes along and says "hey i live around here and there is a train coming down that track, let me help you move to someplace safe" and you go "nahhh, hitting those bumps might shake loose a screw, give me time to crawl under the hood and check everything out" and you drag your feet until the train hits you? Well stupid fucking you, you deserved what you got. Its not like this isn't common knowledge, or some new thing the script kiddies are doing, its been SOP since Win9X. MSFT releases a patch, script kiddies reverse engineer, a dozen variants are out in the wild within hours of patching. If you are so damned worried about compatibility you need to be running a test bed anyway just for this scenario, and when a nasty bug is patched your ass damned well better be on the ball and ready to deploy because those script kiddies aren't gonna go "Its okay, we'll wait, just let us know when you're ready". Like it or not folks malware and exploits are a billion dollar business and with that kind of money at stake you damned well better bring your A game, anything less is your ass.

      • by arth1 (260657)

        Yes. The guy who discovered it reported it to both the TippingPoint Zero Day Initiative and to Microsoft, and sent them the packet that triggers the exploit. That exact same packet showed up in this exploit, meaning somebody either at ZDI or Microsoft or part of the MAPP program leaked it.

        That does not follow. The original discoverer might have disclosed it to other resources who leaked it, or leaked it himself.

        If that exact packet is an obvious way of doing it, it could also have been an independent discovery.

        • That does not follow. The original discoverer might have disclosed it to other resources who leaked it, or leaked it himself.

          If that exact packet is an obvious way of doing it, it could also have been an independent discovery.

          Why doesn't it follow? This has been a risk since day one of Microsoft's advance notification program.

          In this [zdnet.com] article, Luigi Auriemma, the guy who discovered the flaw and reported it to Microsoft, explains the changes he made to the packet and the fact that the same packet was in the released exploit code.

          • by arth1 (260657)

            In this article, Luigi Auriemma, the guy who discovered the flaw and reported it to Microsoft, explains the changes he made to the packet and the fact that the same packet was in the released exploit code.

            That doesn't in any way preclude him from having sent the same code to others. We don't know that Microsoft is to blame here. And I'm not a MS fanboi - I just want there to be more information before anyone draw any conclusions.

      • by jdastrup (1075795)
        You have 3 days to deploy this critical patch throughout production? Are you saying you have RDP exposed on the Internet, or you have in-house employees that are capable of exploiting the flaw? If it's the former, you are in the wrong field and might be better off working in retail or fastfood somewhere. If it's the latter, I truly feel sorry for you - the employees in my office can barely turn a computer on, therefore I don't have to worry much about them exploiting it until I can get around to patching.
        • by Abalamahalamatandra (639919) on Friday March 16, 2012 @02:27PM (#39381559)

          I have employees who are allowed to come in to the VPN with their home (non-corporate-managed) machines, and no restrictions on their network traffic. I'm working on changing that but it hasn't happened as yet. Additionally, I have way too much experience with malware running on Windows machines while their installed antivirus software is happily telling anyone who asks there's nothing wrong at all.

          You need to stop thinking about internal risks in terms of deliberate actions by malicious employees (which is still a risk) and start thinking more in terms of the malware they're almost inevitably running and what actions it can take without their knowledge. This is a highly wormable exploit - think SQL Slammer. I would suggest you consider your soft center as well as your hard crunchy outside for this one.

  • by Anonymous Coward on Friday March 16, 2012 @10:03AM (#39377693)
    The exploit is one thing, but the real story is that the exploit code was leaked from somewhere inside Microsoft, likely the MSRC. There's a string in the exploit that points to a folder on an internal MSRC server. This is about as bad as it gets. See here: https://twitter.com/#!/jduck1337/status/180495975377408001 [twitter.com] and here: https://threatpost.com/en_us/blogs/ms12-020-rdp-exploit-found-researchers-say-code-may-have-leaked-security-vendor-031612 [threatpost.com]
    • by fuzzyfuzzyfungus (1223518) on Friday March 16, 2012 @10:27AM (#39378065) Journal
      It has come to our attention that some of our customers may not have purchased upgrades in a timely manner... We encourage them to remedy this situation as swiftly as their checkbooks allow.
      • If by purchase (Score:3, Informative)

        by Sycraft-fu (314770)

        You mean "download for free" then maybe. You realize that all Windows updates for the entire life cycle of the product are included with the purchase price of the original copy, correct? They do not charge a maintenance fee. They are also very up front about life cycle and end of life. 10 years minimum for all OSes. It can be (and often is) extended, but it is never less than that.

    • by Anonymous Coward
      Reread your article. They seem to claim that the leak came from one of Microsofts partners, not Microsoft itself. Posting as AC since I don't want my inbox flooded with the usual haters going on about grammar subtleties.
  • by darkmeridian (119044) <william@chuang.gmail@com> on Friday March 16, 2012 @10:03AM (#39377705) Homepage

    The exploit doesn't allow unauthorized access or remote root. It only allows a denial of service against Windows XP and Windows Server 2003 products. It doesn't seem that Windows 7 and Windows Server 2008 are vulnerable. That really mitigates that risk. I have a Windows Home Server 2011 box that shouldn't be vulnerable because it's based on the WS2008R2 code base. Furthermore, there's already a patch for this bug. Therefore, if you're still running an old version of Windows that you neglected to patch, then your server might be crashed remotely. I don't think it's really that deadly or scary.

    • by Anonymous Coward on Friday March 16, 2012 @10:13AM (#39377877)

      The sourcecode linked in the summary is just a proof-of-concept. A much more devastating payload, in principle, certainly can be delivered. MS says the vulnerability could allow arbitrary code execution https://technet.microsoft.com/en-us/security/bulletin/ms12-020

    • by xorbe (249648)

      That's the point, that someone may turn the crash into a root.

      • As I know, a BSOD is a kernel panic. The dump file creations and debug splash screen is the last thing it craps out before accepting any further input or output. While I don't know for a fact, but I think at BSOD status, the OS is frozen and halted from performing any additional processing. That means it cannot be rooted.

        If what you say can happen, it would have to occur in a small window of time from the moment a malformed RDP packet triggers a fault to when the last line of execution that bring about a BS

        • by tom17 (659054)

          My understanding is that if you fill a buffer overflow with random data (or just wrong data) it can cause the kernel to panic if it unexpectedly stumbles upon this incorrect/corrupt data and thus BSODs.

          Now, if you are more crafty, you can inject valid code/data rather than panic-inducing random data. This valid code/data could then potentially allow a thorough rooting.

          • by Alioth (221270) <no@spam> on Friday March 16, 2012 @12:01PM (#39379557) Journal

            With buffer overflows the way it usually works is that a buffer that is allocated on the stack (let's say, a temporary buffer where some user input goes to have something done on it) isn't properly bounds checked. Local function variables are on the stack. What is below them (on x86 and amd64) will be first the saved base pointer of the calling function, and then the return address of the next instruction in the calling function. So on a 32 bit arch, if we imagine the buffer is the first thing on the stack, the first 4 bytes of the buffer overflow will overwrite the calling function's saved %ebp register, and then the next 4 bytes you overwrite will be the return address of the calling function. When the function finishes and executes the RET statement, what happens is the address put on the stack by the CALL is popped off, and the program counter is set to this address.

            Normally, this address is the valid return address, but in this case, where you've been able to overflow the buffer, it's whatever the 4 bytes were set to in the overflowing data. In a userland program, the program will usually crash with "Segmentation fault". In kernel land, you may get a kernel panic.

            To exploit this, when the attacker overwrites the return address, if they can have this address point to their code instead, they can then gain control of the machine with whatever privilege level the process they are attacking has. Usually, the whole exploit is in the buffer that's overflowed, the attacker basically has to figure out what the address of their payload will be in the stack, and set the function's return address to this, and voila, they can execute arbitrary code.

            A number of things have been done in recent years to frustrate this: randomizing the address of the heap and stack to make it harder to predict the address your attacking code will be at, and also making the stack and heap non-executable if the CPU supports it (or using a software emulation of the NX bit) so even if you do overwrite the return address with the address of your code, the program dies with "Segmentation fault" because the processor won't allow code to execute in that memory page.

            • by djdanlib (732853)

              Wow, that was a well-written post on the subject. I hope you're working for the good guys.

            • by kermidge (2221646)

              Thanks for the most clear explanation I've read about this.

              [I'm old and not terribly bright; I've never understood why stuff isn't checked to see if it fits before it is used.]

            • by afidel (530433) on Friday March 16, 2012 @04:08PM (#39383013)
              For userland applications these type of stack smashing attacks have become much harder to exploit due to DEP and ASLR. ASLR basically randomizes where the buffers will allocated from for each run of a program while DEP marks memory pages as being either data or code and data pages are not able to execute (this is hardware enforced on modern processors). However ASLR is not implemented in XP/2003 and DEP is not available for kernel code.
        • Re: (Score:2, Redundant)

          by ThePiMan2003 (676665)

          The idea is that a specially crafted payload could root the box instead of crashing the system. Right now the payload only crashes the system because the researches didn't spend the time making it worse.

        • by squiggleslash (241428) on Friday March 16, 2012 @10:44AM (#39378303) Homepage Journal

          It depends on what the exploit is.

          A BSoD is a sign that the kernel space has been tampered with in some way. Now, it could be that there's no way to predictably tamper with the kernel using this exploit (eg all it does is, say, to cause some kernel routine to divide by zero, and thus crash), or it could be something like a buffer overflow exploit, where you can, using this technique, set a specific part of the memory to contain specific code, and by a little finagling, cause that code to be executed.

          Now, it's a whole lot easier to demonstrate that a flaw like a buffer overflow can be used to cause a DoS situation like a BSoD than to spend days or weeks getting it to do something more "useful", so what we have here is a quick and dirty proof of concept to demonstrate there is a flaw to begin with.

          Basically, the fact the proof-of-concept causes a BSoD doesn't mean that exploits of the flaw are limited to a BSoD. If it's a buffer overflow or something similar, then in theory anyone could exploit this bug to gain remote kernel level access to a Windows computer, without you ever knowing or seeing anything out of the ordinary.

    • by remus.cursaru (1423703) on Friday March 16, 2012 @10:23AM (#39378013)
      Windows 2003 crashed remotely because you didn't applied a 3 days old patch doesn't seem scary to you? Just wait for the bean counters on the second floor to stone you to death because their stone-age old ERP crap is down. Or the DNS/DHCP server. Or the hole freaking AD.
      • I of course have not RTFA, but if your organization is running stone-age ERP, or DNS/DHCP, or Active Directory Server, on the machine configured as your RDP host, then it logically follows that this must be the only computer in your entire organization, because nobody with a clue is likely to distribute core apps/services like that.
        • by NatasRevol (731260) on Friday March 16, 2012 @10:45AM (#39378335) Journal

          You'd be wrong. Dead wrong.

          MS shops do this.
          Shops that avoid MS at all costs and give control of it to finance/ms person, who have no clue about security do this.
          Small businesses that just don't know better do this.

          • by eldorel (828471)
            Small businesses who know better but can't afford the extra expense of an additional server when they barely use the resources on the primary one do this also. Holy run on sentence batman!
            • by omglolbah (731566)

              Mmmmmm, virtualization

              • Never been in a small business, have you?

                Hint: There is no IT guy, maybe a consultant, definitely no one who knows what platform vSphere runs on.

                • by omglolbah (731566)

                  I have worked for several years in a fairly small business. I was the only person with technical knowledge and had to support a myriad of odd setups.

                  If a business cannot afford the tech, then they'll have to live with the downside.. as we did.

                  • If a business cannot afford the tech, then they'll have to live with the downside.. as we did.

                    Absolutely agree. Which is why things are usually not set up right and virtualization will never be an answer.

        • by DarkOx (621550)

          Never heard of Microsoft Small Business server have you?

    • by EliSowash (2532508) <eliNO@SPAMsowash.net> on Friday March 16, 2012 @10:31AM (#39378129)

      That really mitigates that risk.

      I question your definition of 'mitigates' sir. You are describing systems that are not vulnerable to this particular exploit. If you're infrastucture runs on Linux or Mac or oranges with electrodes sticking out of them, you havn't mitigated dick. You just aren't vulnerable.

      • Re: (Score:2, Insightful)

        by LordLimecat (1103839)

        Mitigate means "reduces the severity of". If fewer machines are vulnerable, that mitigates some risk.

    • by Alioth (221270)

      *Yet*. The vulnerability according to the original CVE is a double free of memory that ends up calling a function pointer in the already-freed block of data. Now if the exploit can change the address to their shellcode, they have just gained unauthorized access.

      This might not be easy to do; it might not be possible on some architectures due to the NX bit, but it's possible it could result in a remote execution vulnerability.

    • by hellkyng (1920978)

      Windows Server 2008 64 bit is vulnerable to the POC, I've confirmed it myself.

      • Windows Server 2008 64 bit is vulnerable to the POC, I've confirmshgo7xny3978ty78+++ATH NO CARRIER

        Fixed that for you... ;)

      • It may be vulnerable to the denial of service (or just crashing the remote desktop service), but likely, it isn't vulnerable to running arbitrary code/privilege escalation. But I could be wrong.

    • Actually from what I see it appears to be newer versions of Windows [microsoft.com] as well...

  • by MickyTheIdiot (1032226) on Friday March 16, 2012 @10:11AM (#39377829) Homepage Journal

    I haven't found the answer to this yet: Virtualbox uses a flavor of RDP (or backwards compatible to RDP) called VRDE. Someone where I worked said this was a protocol problem, so exploit apply to virtualbox or is this just the implementation of RDP that Microsoft uses?

    • interesting question. Any Virtualbox devs in the house?

    • by Anonymous Coward

      Tested it on my VirtualBox VMs and it did not work.

    • by Alioth (221270)

      It's an implementation problem. It depends on whether Virtualbox has the same issue in its implementation. According to the original CVE for the vulnerability, the cause is a double free of some memory, the crash actually occuring when the system reads a function pointer that is no longer valid.

  • by Kenja (541830) on Friday March 16, 2012 @10:33AM (#39378153)
    I have never seen RDP open to the world. If you do that, you're asking for issues regardless of any exploit.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Then you don't have much exposure to the MANY SMB's that are setup like this. I even know of some otherwise competent consultants that do this. Stating that the traffic is secure.

      I've closed this hole many times at new clients.

      • by parlancex (1322105) on Friday March 16, 2012 @11:38AM (#39379195)

        Then you don't have much exposure to the MANY SMB's that are setup like this. I even know of some otherwise competent consultants that do this. Stating that the traffic is secure.

        I've closed this hole many times at new clients.

        Ah yes, another incompetent *nix admin with his head in the sand. Since this was posted as AC I know you're probably trolling but I'll bite. Since the RDP changes starting with Windows Vista and Server 2008 (pre-R2, even) the RDP connection handshake resembles that of TLS, SSH, and other VPN protocols, utilizing RSA, certificate based identity verification, and AES (with keys transmitted during the RSA encrypted during setup).

        If modern RDP is insecure, I have really bad news for SSH, e-commerce and the entire fucking world that uses TLS.

        • Wow. Shill much?

          First of all, your ever-so-awesome RDP changes that started with Vista don't seem to have helped a ton here, unless you took the non-default step of turning on NLA which breaks accessing the server from XP clients that haven't had an upgrade to the RDP client.

          Secondly, given the choice between opening RDP to a Windows box or SSH to a Linux box, I'll place my bets on SSH any day of the week. OpenSSH was designed from the start to be a highly-secure protocol. It has, of course, had to evolv

    • Re: (Score:2, Funny)

      by parlancex (1322105)
      Who uses a VPN without a VPN? If you connect to a VPN without first tunneling it through a secure VPN, you're just asking for issues regardless of any exploit.
    • This:
      for i in {1..254}; do nc -v -n -z -w 1 207.46.130.$i 3389; done
      will scan Microsoft's public IP space for RDP.

      Feel free to test it on your infrastructure.

      • by webheaded (997188)
        I run mine on a completely non-standard port via port forwarding at the router. :D

        Extra security through obscurity, yes, but hey, most people only bother with the low hanging fruit. It's already encrypted and me not using that port probably stops a shit ton of attacks.
    • There is no particular reason RDP needs to be behind a VPN any more than any other protocol. It is fully encrypted, does secure password exchange and all that jazz. Same as SSH. So if you run any SSH servers that are open to the world, well there's your answer.

      If you are all VPN all the time, ok, though I will caution you to carefully check your setup, VPN is often a false sense of security (particularly since in many configurations it punches through the user's NAT and host based firewall and can expose th

      • That applies to Server 2008/Windows 7 RDP (maybe Vista, not sure about that). The versions found in Windows 2000, XP and Server 2003 are not nearly as secure.

      • by rdebath (884132)

        If you're running SSH open to the world you SHOULD be forcing keys not passwords. It only takes one user with a poor password to allow an attacker access to try a local admin exploit or use you as a 'bounce server'.

        RDP cannot be put into a key/certificate only mode.

        Add to that Microsoft's past performance with security applications (eg pptp) and I have always strongly recommended that RDP be only used within some sort of secure pipe (VPN, ssh!!, zebedee etc). or at the very least moved off the default

        • by afidel (530433)
          RDP cannot be put into a key/certificate only mode.

          Yes but you can use IPSEC with machine certificates to achieve the same goal, or you can put the RDP machine behind a RDS Gateway and use certificates as the authentication method on the website however this does limit the usefulness as it limits your users to only having access from company owned assets (well technically you could issue the certificates and have them install them on other machines but I'm not sure everyone in our IT department would get
    • by Anonymous Coward

      Important to note that this is a "no authorization required" vulnerability. Merely the correct sequence of malformed packets leads to a kernel-level remove code execution. If RDP is listening to the port and it recieves this sequence.... *bork* The BSOD mentioned is just a crude proof of concept in the wild. Be afraid of the attacks that DO NOT BSOD, and in fact leave no real trace.

    • by Rich0 (548339)

      Sure, but all it takes is some code getting run anywhere on a corporate LAN to run through it like wildfire. Firewalls are an obvious layer of protection, but you can't have big security holes on the other side, otherwise you're talking worm city.

    • Well you should start nmap then. I see 3389 open every-f-where. Seriously.

      Just think web hosting on windows. That's not SSH. That's RDP. Everywhere.

  • Have fun (Score:3, Informative)

    by koan (80826) on Friday March 16, 2012 @11:23AM (#39378973)
  • I tried to go to the March 2012 Microsoft Security Bulletin on their website and got a 404 Error. Guess they're updating it with new info? BTW I tested the sample Ruby code that was published and the BSOD worked like a champ on a couple of my older boxes here at work. Good thing I don't use RDP on any Internet-facing hosts. Only through a VPN...

For every bloke who makes his mark, there's half a dozen waiting to rub it out. -- Andy Capp

Working...