
Windows Remote Desktop Exploit In the Wild

Posted by samzenpus
from the known-weakness dept.
angry tapir writes "Luigi Auriemma, the researcher who discovered a recently patched critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), published a proof-of-concept exploit for it after a separate working exploit, which he said possibly originated from Microsoft, was leaked online on Friday. Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections."
  • Not entirely true (Score:5, Informative)

    by Rurik (113882) on Monday March 19, 2012 @05:15AM (#39401135)

    It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet. The article itself even says this (even though its author submitted it here):

    """
    Creating a working exploit for the CVE-2012-0002 vulnerability is not trivial, Microsoft security engineers Suha Can and Jonathan Ness said in a blog post on Tuesday. "We would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."

    The PoC is pretty basic, but an experienced exploit writer can modify it to achieve remote code execution, the researcher said.
    """

    Yes, MS12-020 is a big deal. But, not THAT big of a deal, yet. Stop flinging FUD around about things that haven't yet happened.

  • by DarkOx (621550) on Monday March 19, 2012 @05:52AM (#39401239) Journal

    Climb down off your high horse. RDP for years now has been encrypted and certificate authenticated using TLS. There is no inherent reason why it should not be safe to connect to a Windows 6.x (Vista / 7 / Server '08) machine over the internet with RDP. You don't always use SSH over VPN, do you? It's not as if that has never had a vulnerability.

  • Re:Not entirely true (Score:5, Informative)

    by buchner.johannes (1139593) on Monday March 19, 2012 @06:10AM (#39401295) Homepage Journal

    It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet.

    As the CVE [mitre.org] says:

    The Remote Desktop Protocol (RDP) implementation in [...] does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."

    And the MS security bulletin [microsoft.com] also holds it as Maximum Security Impact: Remote Code Execution.

    This is not FUD. Even if there is no worm completed yet, it is a clear failure of MS security and their concept of many lines of defense. Also, they promised to implement their own rehash of W^X, but apparently failed.

  • by Anonymous Coward on Monday March 19, 2012 @06:28AM (#39401347)

    Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP [microsoft.com] or via group policy [microsoft.com]. Here's how to do it in Windows 7 [microsoft.com] (untested).

  • by commlinx (1068272) on Monday March 19, 2012 @07:40AM (#39401555) Journal

    Which makes me doubly pissed that I'd set up a game download overnight last night (my usage is unmetered overnight) and they decided to force an unneeded patch/reboot on me, which fucked up the download. :/

    I concur that default does indeed suck, you can do a registry change to disable it though:

    http://support.microsoft.com/kb/555444 [microsoft.com]

    And yes I use Linux too and realise such pointless hacks aren't necessary :P

  • by Anonymous Coward on Monday March 19, 2012 @08:43AM (#39401857)

    It's turned off by default, which is probably pretty darn secure. In Vista, 7, and Server 2008, Remote Desktop supports network-level authentication, which would require you to log in to the network before being able to exploit this, which means it's effectively been fixed for 6 years. If they manage to authenticate already, then your Linux box with SSH on it isn't any safer than the Remote Desktop machine.

    There are three radio buttons in the "Remote Desktop Settings" menu: "Don't allow connections to this computer", "Allow connections from computers running any version of remote desktop (less secure)", and "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". So in order to be vulnerable, you have to click the check-box that says less secure on it.
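The three radio buttons and the registry change mentioned in the comments above map onto a few registry values; the PowerShell below is an added example (not posted by any commenter) that reads them back, reports which of the three states a host is in, and offers the two hardening moves (require NLA, or disable the listener). It assumes an elevated prompt on Vista / 7 / Server 2008 or later and the standard `Terminal Server` registry locations.

```powershell
# Added example: audit the RDP posture behind the "Remote Desktop Settings" radio buttons.
# Assumes an elevated PowerShell session; value names are the standard Windows ones.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $sec  = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer      -ErrorAction SilentlyContinue).SecurityLayer

    # Map raw values onto the three radio buttons described in the thread.
    $state = if ($null -eq $deny -or $deny -ne 0) { "Don't allow connections to this computer" }
             elseif ($nla -eq 1)                   { 'Only clients with Network Level Authentication (more secure)' }
             else                                  { 'Any version of Remote Desktop (less secure)' }

    [pscustomobject]@{
        fDenyTSConnections = $deny       # 1 = listener refuses connections
        UserAuthentication = $nla        # 1 = NLA required before the session is built
        SecurityLayer      = $sec        # 0 = RDP security layer, 1 = negotiate, 2 = TLS only
        Posture            = $state
        # Unauthenticated clients can reach the full RDP stack only in this combination.
        PreAuthExposed     = ($deny -eq 0 -and $nla -ne 1)
    }
}

function Set-RdpRequireNla {
    # Equivalent of picking the "more secure" radio button: NLA plus TLS-only security layer.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer      -Value 2 -Type DWord
}

function Disable-Rdp {
    # Equivalent of "Don't allow connections to this computer".
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
}

# Report the current state; call Set-RdpRequireNla or Disable-Rdp to change it.
Get-RdpPosture | Format-List
```

Run `Get-RdpPosture` across a fleet (for example via remoting) to find hosts where `PreAuthExposed` is true; those are the ones on the "less secure" setting that the comment describes.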
