Windows Remote Desktop Exploit In the Wild

Posted by samzenpus
from the known-weakness dept.
angry tapir writes "Luigi Auriemma, the researcher who discovered a recently patched critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), published a proof-of-concept exploit for it after a separate working exploit, which he said possibly originated from Microsoft, was leaked online on Friday. Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections."

  • Not entirely true (Score:5, Informative)

    by Rurik (113882) on Monday March 19, 2012 @04:15AM (#39401135)

    It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet. The article itself even says this (even though its author submitted it here):

    """
    Creating a working exploit for the CVE-2012-0002 vulnerability is not trivial, Microsoft security engineers Suha Can and Jonathan Ness said in a blog post on Tuesday. "We would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."

    The PoC is pretty basic, but an experienced exploit writer can modify it to achieve remote code execution, the researcher said.
    """

    Yes, MS12-020 is a big deal. But, not THAT big of a deal, yet. Stop flinging FUD around about things that haven't yet happened.

    • Re: (Score:3, Insightful)

      by g0tai (625459)
      That's almost as bad as '640K will be enough for anyone' ;) ..... Murphy's law will prevail and someone will end up writing something that exploits it in a controlled fashion in the next 20 minutes. Unfortunately with bugs like this, the only safe approach is to take the most pessimistic one, that someone somewhere already has an exploit for it that takes control.
    • by rdebath (884132) on Monday March 19, 2012 @04:30AM (#39401187)

      Except that quote is assuming that the attacker is starting from either now or last Tuesday. The PoC executable that was leaked was written back in November, so there's nothing to say that someone hasn't been working on it the LAST 30 days.

      If that's true expect a worm starting up on Friday evening at the latest.
      The threat is real and the lack of a public RCE means little.

    • Re:Not entirely true (Score:5, Informative)

      by buchner.johannes (1139593) on Monday March 19, 2012 @05:10AM (#39401295) Homepage Journal

      """
      It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet.
      """

      As the CVE [mitre.org] says:

      The Remote Desktop Protocol (RDP) implementation in [...] does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."

      And the MS security bulletin [microsoft.com] also holds it as Maximum Security Impact: Remote Code Execution.

      This is not FUD, even if there is no worm completed yet, it is a clear failure of MS security, and their concept of many lines of defense. Also, they promised to implement their own rehash of W^X, but apparently failed.

      • by buglista (1967502)
        Not defending MS here, but W^X is not a panacea.

        Also, VPN is always a good idea for access to administrative services - I don't like any kind of admin login from outside without 2-factor auth being involved.

  • This is the third story about this vulnerability.

    "OMG - some software has a vulnerability!"
    "OMG - someone's written a proof of concept attack!"
    "OMG - someone else has done the same!"

    This is even more ridiculous than stories about Bitcoin or the Raspberry Pi. Well, maybe not Bitcoin; that's just fucking retarded.
  • by Anonymous Coward on Monday March 19, 2012 @05:28AM (#39401347)

    Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP [microsoft.com] or via group policy [microsoft.com]. Here's how to do it in Windows 7 [microsoft.com] (untested).

    • It's disabled by default on all consumer versions of their OS. It's been a while since I've installed 2003 or 2008, so I don't know if it's disabled on those systems.

      Which makes me doubly pissed that I'd set up a game download overnight last night (my usage is unmetered overnight) and they decided to force an unneeded patch/reboot on me, which fucked up the download. :/
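The comment above points at three separate Microsoft how-to pages for disabling Remote Desktop. The script below is an added example, not code from the original thread, from Microsoft, or from the linked KB pages: it audits the local host's RDP exposure in one place (configured state, whether Network Level Authentication is required, and whether anything is actually listening) and, with -Disable, applies the two settings that map to the MS12-020 workarounds (turn RDP off, require NLA so unauthenticated clients never reach the session-setup packet handling) plus the firewall rule group. It assumes Windows Vista/7/2008 or later, since XP has no NLA and no UserAuthentication value, and an elevated PowerShell session; the registry paths and value names are the documented Terminal Services settings.

```powershell
# Added example (not from the original thread or from Microsoft).
# Audit Remote Desktop exposure on the local host; with -Disable, turn it off.
# Assumes Windows Vista/7/2008(R2) or later and an elevated PowerShell.
param([switch]$Disable)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 : RDP disabled (the default on client editions).
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 : Network Level Authentication required, so an
    # unauthenticated client is rejected before a session is set up.
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # The registry says what is configured; netstat says what is actually listening.
    $listener = netstat -ano | Select-String -Pattern ("[:.]{0}\s+\S+\s+LISTENING" -f $port)

    New-Object PSObject -Property @{
        RdpEnabled  = ($deny -ne 1)
        NlaRequired = ($nla -eq 1)
        Port        = $port
        Listening   = [bool]$listener
    }
}

function Disable-Rdp {
    # Refuse new Remote Desktop connections ...
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 1 -Type DWord
    # ... require NLA so that if RDP is re-enabled later it is not exposed pre-auth ...
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # ... and close the built-in Windows Firewall exception for Remote Desktop.
    netsh advfirewall firewall set rule group="remote desktop" new enable=No | Out-Null
}

$before = Get-RdpExposure
"Before:"
$before | Format-List RdpEnabled, NlaRequired, Port, Listening

if ($Disable) {
    Disable-Rdp
    "After:"
    Get-RdpExposure | Format-List RdpEnabled, NlaRequired, Port, Listening
} elseif ($before.RdpEnabled -and -not $before.NlaRequired) {
    Write-Warning ("RDP accepts unauthenticated connections on port {0}; " +
                   "apply MS12-020 or rerun with -Disable.") -f $before.Port
}
```

Run it without arguments first: a host that reports RdpEnabled=True with NlaRequired=False and Listening=True is the case the thread is arguing about, reachable pre-authentication by anything that can hit the port. For servers that must keep RDP on, requiring NLA and restricting the port at the firewall (or, as buglista says, behind a VPN) is the configuration to aim for rather than the -Disable branch.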

  • It's amazing that one man's hobby, in relative terms, makes the entire industry look like a collection of clueless script kittens.

    The man is a giant... who must be high on powerup mushrooms by now.

  • For a hacker the good news would be they have control of a Windows machine. The bad news would be...they have control of a Windows machine.
