Slashdot Mirror
RDP Proof-of-Concept Exploit Triggers Blue Screen of Death
mask.of.sanity writes "A working proof of concept has been developed for a dangerous vulnerability in Microsoft's Remote Desktop Protocol (RDP). The hole stands out because many organizations use RDP to work from home or access cloud computing services. Only days after a patch was released, a bounty was offered for devising an exploit, and later a working proof of concept emerged. Chinese researchers were the first to reveal it, and security professionals have found it causes a blue screen of death in Microsoft Windows XP and Windows Server 2003 machines. Many organizations won't apply the patch and many suspect researchers are only days away from weaponizing the code."
I heard a rumor that if you send an SYN-ACK after SYN request from a certain IP, you die.
It totally happened to my cousin's friend.
Or something entirely new?
The exploit is one thing, but the real story is that the exploit code was leaked from somewhere inside Microsoft, likely the MSRC. There's a string in the exploit that points to a folder on an internal MSRC server. This is about as bad as it gets. See here: https://twitter.com/#!/jduck1337/status/180495975377408001 and here: https://threatpost.com/en_us/blogs/ms12-020-rdp-exploit-found-researchers-say-code-may-have-leaked-security-vendor-031612
The exploit doesn't allow unauthorized access or remote root. It only allows a denial of service against Windows XP and Windows Server 2003 products. It doesn't seem that Windows 7 and Windows Server 2008 are vulnerable. That really mitigates that risk. I have a Windows Home Server 2011 box that shouldn't be vulnerable because it's based on the WS2008R2 code base. Furthermore, there's already a patch for this bug. Therefore, if you're still running an old version of Windows that you neglected to patch, then your server might be crashed remotely. I don't think it's really that deadly or scary.
A NYC lawyer blogs. http://www.chuangblog.com/
I haven't found the answer to this yet: Virtualbox uses a flavor of RDP (or backwards compatible to RDP) called VRDE. Someone where I worked said this was a protocol problem, so exploit apply to virtualbox or is this just the implementation of RDP that Microsoft uses?
Because this one is bigger than usual - I know of quite a few small companies that use RDP as a "poor man's VPN" and open it from their internal server(s) directly to the Internet. Insanely stupid and I've never allowed any SMBs that I've set up to do it, but it definitely happens quite a bit.
Interestingly, scanning for 3389 over the Internet has been quite prevalent for quite awhile. I'm sure there are many, many bad guys out there with big lists of system IP addresses all set to go once this (inevitably) turns into a remote code exploit rather than just a DoS.
I have never seen RDP open to the world. If you do that, you're asking for issues regardless of any exploit.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Aside from this nasty RDP bug, how exactly is this "insanely stupid" any more so than leaving a web server connected to the Internet? I've seen plenty of web servers get rooted and turned into zombie spewing infected machines throwing spam and hosting fake AV advertisements.
For over ten years now, a major exploit of RDP is a first that I can recall. And BTW, the RDP connection is encrypted. With VPN, encryption is iffy at best and may not be enabled by default depending on the client you use.
Just because RDP provides a GUI remote desktop and looks more exposed visually doesn't mean it technically is any less secure than other protocols used.
Life is not for the lazy.
Did we ever really stop? ;)
-1 overrated isn't the same thing as "I disagree".
For clarification, I didn't mean VPN, I meant VNC.
Life is not for the lazy.
With VPN, encryption is iffy at best and may not be enabled by default depending on the client you use.
If you are setting up a VPN on basically any point-and-click interface, encryption will be enabled by default.
http://pastebin.com/nSp1Qxpi
"If any question why we died, Tell them because our fathers lied."
Well, for starters, because Web servers don't run as SYSTEM for quite some time now.
And in any case, opening up port 80 from the Internet to an internal server, rather than one on a DMZ designed to do nothing but host Web content is just as insanely stupid. Same goes for port 443, even though I've lost count of the number of times people have told me 443 is okay "because it's secure!".
This is by far not the first vulnerability in RDP. I know what you mean though its supposed to be a remote management solution; saying its insanely stupid to expose RDP to the net is like saying its insanely stupid to put SSH on the net.
The truth is minimize you attack surface and pick your poison. Have SSH? good tunnel your RDP, have a VPN? even better use it, want to use RDP? ideally use Microsofts terminal server gateway, if not fine put one 'terminal server' open to the outside and access other boxes thru it don't run your critical infrastructure on that box etc.
The fewer services you have the fewer ways you can be attacked. You probably have to run one more web servers, dns, and mail, most business need some sort of remote access solution, pick ONE vpn, terminal services gateway, citrix, ssh, and the administrative people might need a back door should the remote access solution fail for emergencies. My advice on that good old fashion modem listing on an unpublished phone number; and very strong passwords.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
You mean "download for free" then maybe. You realize that all Windows updates for the entire life cycle of the product are included with the purchase price of the original copy, correct? They do not charge a maintenance fee. They are also very up front about life cycle and end of life. 10 years minimum for all OSes. It can be (and often is) extended, but it is never less than that.
Sure, what product do you sell? If I'm interested and it's affordable, I will send you a check in the form of purchasing said product. And if a lot of people like your product they will send you a check for receivable goods or services. Those proceeds will then amount up to this thing called "profit", once you have that you can buy new licenses.
WTF Slashdot, why do I have to login 50 times to post?
There is no particular reason RDP needs to be behind a VPN any more than any other protocol. It is fully encrypted, does secure password exchange and all that jazz. Same as SSH. So if you run any SSH servers that are open to the world, well there's your answer.
If you are all VPN all the time, ok, though I will caution you to carefully check your setup, VPN is often a false sense of security (particularly since in many configurations it punches through the user's NAT and host based firewall and can expose them). However if you are ok with things like SSH to your UNIX systems but not RDP to your Windows systems that just means you have a poor understanding of the protocols.
I recall seeing a handful of OpenSSL/SSH vulnerabilities over the years as well... IMHO RDP is no more/less dangerous.. though I was planning on closing off VNC/RDP access and tunneling via SSH myself... I tend to stay on top of these issues more than a lot of small/home office types though.
Michael J. Ryan - tracker1.info
I use them mainly for IIS, because I happen to work with .Net based web applications... And IIS is a path of less resistance than shoehorning a solution into Mono/Linux. That said IIS is a pretty damned nice web server. There's also AD and Exchange. Those are probably the biggest reasons to run windows based servers.
Michael J. Ryan - tracker1.info
I'm sorry, mod parent up, so freaking right not even funny.
Was going to post anon, but to hell with my Karma, if you can't recognize that Microsoft isn't the same company it was 12 years ago you are part of the problem and not part of the solution. Not saying they are the best at anything, that's in the eye of the beholder. I'm just saying that Windows 7 (while needing it's code optimized like KDE4 had) is a far superior OS to Windows XP and Windows XP wasn't a bad platform to start off with. In 1999 (when it was released) it was far superior to linux in many ways and it was far worst in others. Today, the same case applies, however MS is actually now contributing to the OS community, working with the development community (see Kinect, their Sony reaction only lasted a few days).
Want to talk about Security, there are 13 known rootkits for Linux which rootkit (the application that scans for them) can't detect. There are viruses, there are kernel dumps, and worst of all there is LIBHELL, this look familiar?
/usr/lib/libboost.so.15
/boot perhaps run fschk without -j or -f? /boot ... :'( :'( )':
$ someapp
Someapp can't find libboost.so.14
$ find / -name "libboost.so.*"
$ yes QQ
QQ
QQ
QQ
QQ
QQ
^C
$
or my favorite one
Couldn't find
root$ ls
grub boot
root$
>)';
Couldn't find command:
So yeah, Linux has it's own stability and security issues, some that make me want to throw myself off a 30floor building sometimes, but I love it too, but I think Microsoft puts out an upstanding product and so does Linux.
I really don't know why I was so verbose, esp with the BS commands.
WTF Slashdot, why do I have to login 50 times to post?
I tried to go to the March 2012 Microsoft Security Bulletin on their website and got a 404 Error. Guess they're updating it with new info? BTW I tested the sample Ruby code that was published and the BSOD worked like a champ on a couple of my older boxes here at work. Good thing I don't use RDP on any Internet-facing hosts. Only through a VPN...
I can't imagine anyone with any important data leaving an X session port open balls-to-the-walls to the Internet, so why on Earth would anyone let RDP, particularly the rather weakly-protected pre-Server 2008 variants, run basically naked like that (not that I would allow a Server 2008 Terminal Server or any other RDP service from a newer OS be visible to the outside world).
We have a Windows Terminal Server plus a few workstations that people can remote into, but they have to come in on our VPN. I closed that channel years ago when I looked on one of our DC security logs and saw a stunning number of dictionary attacks against the Terminal Server.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I've seen so many exploits with VNC over the years that it is ridiculous. I'm not a huge fan of Microsoft, but if you're trying to tell me that the VNC servers are a more secure product, you're insane. I was once sitting at my computer and actually had a delightful conversation with someone that hacked into my server while I was physically sitting at it. I immediately switched VNC vendors but I'll never forget that. I always kept it up to date so that was rather horrifying. I hear things like this about VNC server ALL THE TIME. There seem to constantly be new exploits like this and I'm not sure why. Maybe because most Linux users are on SSH and most Windows users use RDP?
Maybe it's just the Windows versions, I dunno, but holy shit. The command line is just so crappy and foreign to me in Windows that I can't get anything done without GUI (and I'm quite fast with GUI). Give me good old SSH on a Linux box and I'm good to go but I need my GUI tools in Windows unfortunately. As it is right now, I've got the webserver and whatnot running inside a virtualbox on my Windows machine that runs all my media center software as well as various other kinds of servers (minecraft etc). Quite frankly, it's just easier to RDP into it than anything else because there are several different types of things I need to dick with.
"Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
Actually newer versions of Windows are also included in the patch. Of course learning this would require one to read past the often-incorrect or often-shortsighted summaries :-P
Are you serious? I guess I have been trolled:
$ someapp /usr/lib/libboost.so.15
Someapp can't find libboost.so.14
$ find / -name "libboost.so.*"
Um... I guess you didn't launch the application from it's starter script, OR use yum or a package aware system to install it, OR you used the "force" option.
In any of these cases - you should know what you're doing. Now -
# sudo ln -s /usr/lib/libboost.so.14 /usr/lib/libboost.so.15
# sudo lddconfig
has around a 80% (possibly greater) chance of fixing it anyway. Free advice.
$ yes QQ
QQ
QQ
QQ
QQ
QQ
^C
$
Un... yes, yes does that -- it's to be used like this:
yes | other stuff that will prompt
The reason it repeats is that it is expected that YES/yes/ok/OK, whatever, is what the application will keep requesting.
Practical use -- a FORTRAN application that uses the PAUSE statement. Run as follows:
grep $p cards > /dev/null && yes go | ./$p >> results;
Ok?
or my favorite one /boot perhaps run fschk without -j or -f? /boot ...
Couldn't find
root$ ls
grub boot
More details please -- what couldn't find /boot?
root$ :'( :'( )':
>)';
Couldn't find command:
The message depends on your shell. Nothing prevents putting newlines into filenames. Don't do it -- it makes the files difficult to type at the shell.
As none of these are security issues, or even bugs, they won't be "fixed" (nothing to fix here).
Now, I want to here more about the root kits. It is rather difficult to insert a rootkit into an SELinux system. Either a shell account would be needed, or a method to get around the service audits and denials. For example, Apache under SELinux is denied the ability to open files outside of its assigned subdirectory. Since this priviledge (or lack of) is inherited by the subprocesses, they also cannot access system files. Simply introducing code won't work. You would need to introduce kernel code. A buffer overflow may introduce code into Apache (also difficult, but possible), but that doesn't have the necessary security to broach the kernel.
Of course SELinux (MAC level security) is only really enabled for services, and not for arbitrary user level code. Simply separate the boxes physically, and don't put user dev accounts on the external facing server. Pretty much done.
And yes, I admit it, I've been trolled good.
Just another "Cubible(sic) Joe" 2 17 3061
To be fair, RDP does use encryption, so it isn't wildly wrong to expose RDP to an external site. I wouldn't want to do it myself, but then I use much prefer Linux and use VNC behind SSH tunnels (use -localhost for the VNC server so that it only allows connections from itself).
Hiding RDP behind a VPN should protect from external attacks on this, so security through layers is the answer. I often wonder why FWKNOP http://cipherdyne.org/fwknop/isn't more widely used to hide and protect services.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Now, I want to here more about the root kits. It is rather difficult to insert a rootkit into an SELinux system. Either a shell account would be needed, or a method to get around the service audits and denials. For example, Apache under SELinux is denied the ability to open files outside of its assigned subdirectory. Since this priviledge (or lack of) is inherited by the subprocesses, they also cannot access system files. Simply introducing code won't work. You would need to introduce kernel code. A buffer overflow may introduce code into Apache (also difficult, but possible), but that doesn't have the necessary security to broach the kernel.
I'll come back when I'm home to pull up the rootkits, I will not pull up the list while at work. I will first put the ones that are known and are in the rootkit scan application, then I will link to the article about the others (that don't show up on the list in the rootkit scan application, no I don't remember the name off the top of my head).
$ yes QQ....
Un... yes, yes does that -- it's to be used like this:
root$ :'(
>)';
Couldn't find command: :'( )':
The message depends on your shell. Nothing prevents putting newlines into filenames. Don't do it -- it makes the files difficult to type at the shell.
Ok yeah so my brain puked my usual response when I see that (the sad thing is I cleaned it up from the poor choice of language)... Lucky you, I decided not to put sex output down (which I originally had).
Ok back to the real meat of this instead of criticizing the waste lines that I decided to put in there.
# sudo ln -s /usr/lib/libboost.so.14 /usr/lib/libboost.so.15
# sudo lddconfig
The problem with this is that methods tend to be deleted more than deprecated in a lot of these libraries. The k's and q's (kde/Qt) are a good example of this, or if they deprecated they're functionality still doesn't work. Let's also talk about hard links to certain libraries and WHY they do that (and why you shouldn't do what you just did above). Let's say I download applicationX and applicationX was developed using libraries with good code quality standards around them (aka they deprecate and don't delete), applicationX is critical to my business. I have to have this application because maybe our code depends on it, maybe it's just really good, maybe it's all my people know. Well applicationX hasn't been updated since 2006 and fills niche market, it depends on libX.so.30 while the current version is libX.so.51, libX has had a complete overhaul for performance and awesomeness reasons. However the developers (for performance reasons) have finally after so many years removed the waste methods that my applicationX depends on. Now I'm left with one of two choices, completely rewrite applicationX (because I was lucky it wasn't closed source), statically link it to the lib (which can cause serious issues if libX is a kernel module and they aren't using a static link and they reaching for libX.so.*), or well no that's all I can think of.
I think the best example of this was when I used to use gaim and kde 3.5, I updated kde and gaim (with linking) wouldn't work. I actually have a lot of examples including but not limited to KDE, Gnome, XFCE, Xorg, gaim/pidgin, qbittorrent, libtorrent, libboost, gimp libraries, linux (the kernel module on arch linux here).
Then again, I may very well be jaded from using things like FreeBSD and Arch Linux since 2002 (only recently shifted to arch from fbsd). So maybe that's it.
More details please -- what couldn't find /boot?
This is during bootup of about any *nix *BSD I've used when a hard shutdown had to happen, or if fschk on boot had an e
WTF Slashdot, why do I have to login 50 times to post?
Got it -- makes more sense now.
The solution is to retain .so.14, .so.15, etc. The interface to the KERNEL is consistent, so all you need is multiple environments.
This can be achieved by several means -- using LXC (linux containers) is a good choice.
You can also use chrpath to change rpath.
You can also just leave the various library versions. I generally don't do this. After a "while" (defined as several versions), I will gather the application (and attendant libraries) into /opt/... and modify rpath first. After a longer while, I will consider containers (coming from a Solaris background). Anyway, the idea is always to have the application and its environment in a functional form, and deal with both the applications and the library layers above the kernel as an entity.
As to the management of SELinux -- yes, it's a pain. It will require an investment into learning how and what to tag files. However, the same pain you are feeling in simply trying (for example) to get Apache to read from a directory other than /var/www even via symlink is also felt by the attacking program. So, it's a good thing to study up on. Pretty well all MAC systems will exhibit the same pain. The gain? A very limited attack surface.
To know when you have achieved the "Zen" of SELinux? It probably comes around the time when you can incant the spell needed to move /home to /export/home, and still have the system work without spewing everywhere.
Start at:
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
and note that, although the underlying MAC is stable, the "UI" is still being tweaked. This is genuinely hard stuff.
SELinux is manageable, but, it requires a philosophical understanding of what it is doing.
I agree that Linux/Unix isn't perfect. But it is universal, open, peer reviewed, and usable.
Looking forward to your list of undetected rootkits. Note that the Unix/Linux philosophy was to allow /boot, /usr, /bin, /sbin, /lib to be mounted read-only. Again, makes it rather difficult to install a root kit. I generally do something like that, and run tripwire (available in your repository). tripwire can be set up with a ruleset of files to CRC, and can detect tampering of any of those files. I generally run tripwire against a known-good off-machine set of CRCs on a weekly or monthly basis, and daily with a set that are on-machine.
Tripwire will email you reports on any suspicious changes (and, really, there shouldn't be any -- maybe a /etc/hosts change if anything).
Now, it is best if your machine can be booted via PXE as well as locally. A separate "clean" set of OS and application images can be maintained off-machine as well.
I watched a machine being rooted back in the Linux 2.0 days. Last time for me. Maybe I am being a bit paranoid, but a combination of these things basically solves the problem. I may get a web-site defacement, but that is about as far as an attack will go (unless its 0-day against SELinux, of course, but I will detect that in either a day, or a week).
Just another "Cubible(sic) Joe" 2 17 3061
You can also use Remote Desktop Gateway (RD Gateway). It's a proxy that uses SSL and RADIUS to hit RD Session Hosts behind it. AFAIK, it is not susceptible to this.
Chance favors the prepared mind.
Perfect is the enemy of good.