Windows Remote Desktop Exploit In the Wild
angry tapir writes "Luigi Auriemma, the researcher who discovered a recently patched critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), published a proof-of-concept exploit for it after a separate working exploit, which he said possibly originated from Microsoft, was leaked online on Friday. Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections."
Not entirely true (Score:5, Informative)
It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet. The article itself even says this (even though its author submitted it here):
"""
Creating a working exploit for the CVE-2012-0002 vulnerability is not trivial, Microsoft security engineers Suha Can and Jonathan Ness said in a blog post on Tuesday. "We would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."
The PoC is pretty basic, but an experienced exploit writer can modify it to achieve remote code execution, the researcher said.
"""
Yes, MS12-020 is a big deal. But, not THAT big of a deal, yet. Stop flinging FUD around about things that haven't yet happened.
Re:Did anyone think it was secure anyway? (Score:5, Informative)
Climb down off your high horse. RDP for years now has been encrypted and certificate authenticated using TLS. There is no inherent reason why it should not be safe to connect to a Windows 6.x (Vista / 7 / Server '08) machine over the internet with RDP. You don't always use SSH over VPN, do you? It's not as if that has never had a vulnerability.
Re:Not entirely true (Score:5, Informative)
It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet.
As the CVE [mitre.org] says:
And the MS security bulletin [microsoft.com] also holds it as Maximum Security Impact: Remote Code Execution.
This is not FUD. Even if there is no worm completed yet, it is a clear failure of MS security and their concept of many lines of defense. Also, they promised to implement their own rehash of W^X, but apparently failed.
Leaving the obvious question: how to turn off RDP? (Score:5, Informative)
Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP [microsoft.com] or via group policy [microsoft.com]. Here's how to do it in Windows 7 [microsoft.com] (untested).
Re:Leaving the obvious question: how to turn off R (Score:4, Informative)
Which makes me doubly pissed that I'd set up a game download overnight last night (my usage is unmetered overnight) and they decided to force an unneeded patch/reboot on me, which fucked up the download. :/
I concur that the default does indeed suck; you can do a registry change to disable it, though:
http://support.microsoft.com/kb/555444 [microsoft.com]
And yes I use Linux too and realise such pointless hacks aren't necessary :P
Re:Did anyone think it was secure anyway? (Score:2, Informative)
It's turned off by default, which is probably pretty darn secure. In Vista, 7, and Server 2008, Remote Desktop supports network-level authentication, which would require you to log in to the network before being able to exploit this, which means it's effectively been fixed for 6 years. If they manage to authenticate already, then your Linux box with SSH on it isn't any safer than the Remote Desktop machine.
There are three radio buttons in the "Remote Desktop Settings" menu: "Don't allow connections to this computer", "Allow connections from computers running any version of remote desktop (less secure)", and "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". So in order to be vulnerable, you have to click the check-box that says less secure on it.
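An added example, not from any post in this thread and not Microsoft's code: a PowerShell audit of the settings the posts above argue about (the on/off switch, the NLA-only radio button, and the TLS security layer), plus a helper that flips a host to the "more secure" NLA-only mode. The registry paths and value names are the standard Windows ones for these settings, assumed here rather than quoted from the thread.

```powershell
# Added example (not from the thread). Registry locations are the standard
# Windows ones for the Remote Desktop settings; assumed, not quoted from a post.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    if (-not $ts -or -not $rdp) {
        throw "Terminal Server keys not found (not Windows, or RDP components absent)"
    }

    # fDenyTSConnections = 1 is the "Don't allow connections to this computer" button
    $denied = ($ts.fDenyTSConnections -eq 1)
    # UserAuthentication = 1 is the "only ... with Network Level Authentication" button;
    # the "any version (less secure)" button sets it to 0
    $nla = ($rdp.UserAuthentication -eq 1)
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required
    $layer = $rdp.SecurityLayer

    $finding = if ($denied) { 'RDP disabled' }
               elseif (-not $nla) { 'RDP enabled WITHOUT NLA: unauthenticated clients reach the service' }
               else { 'RDP enabled with NLA required' }

    [pscustomobject]@{
        RdpEnabled    = -not $denied
        NlaRequired   = $nla
        SecurityLayer = $layer
        Finding       = $finding
    }
}

function Set-RdpNlaRequired {
    # Equivalent to picking the "more secure" radio button; needs an elevated shell.
    Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
    Get-RdpExposure
}

Get-RdpExposure
```

Run the audit first; only call Set-RdpNlaRequired on hosts whose clients all support NLA, since older clients will be refused afterwards.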