RDP Proof-of-Concept Exploit Triggers Blue Screen of Death
mask.of.sanity writes "A working proof of concept has been developed for a dangerous vulnerability in Microsoft's Remote Desktop Protocol (RDP). The hole stands out because many organizations use RDP to work from home or access cloud computing services. Only days after a patch was released, a bounty was offered for devising an exploit, and later a working proof of concept emerged. Chinese researchers were the first to reveal it, and security professionals have found it causes a blue screen of death in Microsoft Windows XP and Windows Server 2003 machines. Many organizations won't apply the patch and many suspect researchers are only days away from weaponizing the code."
I heard a rumor that if you send a SYN-ACK after a SYN request from a certain IP, you die.
It totally happened to my cousin's friend.
The exploit is one thing, but the real story is that the exploit code was leaked from somewhere inside Microsoft, likely the MSRC. There's a string in the exploit that points to a folder on an internal MSRC server. This is about as bad as it gets. See here: https://twitter.com/#!/jduck1337/status/180495975377408001 and here: https://threatpost.com/en_us/blogs/ms12-020-rdp-exploit-found-researchers-say-code-may-have-leaked-security-vendor-031612
The exploit doesn't allow unauthorized access or remote root. It only allows a denial of service against Windows XP and Windows Server 2003 products. It doesn't seem that Windows 7 and Windows Server 2008 are vulnerable. That really mitigates that risk. I have a Windows Home Server 2011 box that shouldn't be vulnerable because it's based on the WS2008R2 code base. Furthermore, there's already a patch for this bug. Therefore, if you're still running an old version of Windows that you neglected to patch, then your server might be crashed remotely. I don't think it's really that deadly or scary.
A NYC lawyer blogs. http://www.chuangblog.com/
I haven't found the answer to this yet: VirtualBox uses a flavor of RDP (or something backwards compatible with RDP) called VRDE. Someone where I worked said this was a protocol problem, so does the exploit apply to VirtualBox, or is this just the implementation of RDP that Microsoft uses?
Yes. The guy who discovered it reported it to both the TippingPoint Zero Day Initiative and to Microsoft, and sent them the packet that triggers the exploit. That exact same packet showed up in this exploit, meaning somebody either at ZDI or Microsoft or part of the MAPP program leaked it.
So much for responsible disclosure! Although as soon as I saw that TippingPoint had released a signature for this on Tuesday, I figured that would be enough information for people to figure out what was up. Leaking the exact packet made things even easier and quicker, though.
Gee, I do so love it when I get three days to deploy a critical patch throughout my entire production environment. That makes for some wonderful conversations with the admin staff, let me tell you!
Just below your comment there's one from an AC titled "Missed the real story" indicating the exploit code was released from within MS.
That might mean some jackass got the brilliant idea that if there's going to be an exploit soon anyway, it may as well be the original one, and that will scare people into deploying the patch *right now*.
Because this one is bigger than usual - I know of quite a few small companies that use RDP as a "poor man's VPN" and open it from their internal server(s) directly to the Internet. Insanely stupid and I've never allowed any SMBs that I've set up to do it, but it definitely happens quite a bit.
Interestingly, scanning for 3389 over the Internet has been quite prevalent for quite a while. I'm sure there are many, many bad guys out there with big lists of system IP addresses all set to go once this (inevitably) turns into a remote code exploit rather than just a DoS.
I have never seen RDP open to the world. If you do that, you're asking for issues regardless of any exploit.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Aside from this nasty RDP bug, how exactly is this "insanely stupid" any more so than leaving a web server connected to the Internet? I've seen plenty of web servers get rooted and turned into zombie spewing infected machines throwing spam and hosting fake AV advertisements.
For over ten years now, a major exploit of RDP is a first that I can recall. And BTW, the RDP connection is encrypted. With VPN, encryption is iffy at best and may not be enabled by default depending on the client you use.
Just because RDP provides a GUI remote desktop and looks more exposed visually doesn't mean it technically is any less secure than other protocols used.
Life is not for the lazy.
http://pastebin.com/nSp1Qxpi
"If any question why we died, Tell them because our fathers lied."
Well, for starters, because Web servers haven't run as SYSTEM for quite some time now.
And in any case, opening up port 80 from the Internet to an internal server, rather than one on a DMZ designed to do nothing but host Web content is just as insanely stupid. Same goes for port 443, even though I've lost count of the number of times people have told me 443 is okay "because it's secure!".
You mean "download for free" then maybe. You realize that all Windows updates for the entire life cycle of the product are included with the purchase price of the original copy, correct? They do not charge a maintenance fee. They are also very up front about life cycle and end of life. 10 years minimum for all OSes. It can be (and often is) extended, but it is never less than that.
There is no particular reason RDP needs to be behind a VPN any more than any other protocol. It is fully encrypted, does secure password exchange and all that jazz. Same as SSH. So if you run any SSH servers that are open to the world, well there's your answer.
If you are all VPN all the time, ok, though I will caution you to carefully check your setup, VPN is often a false sense of security (particularly since in many configurations it punches through the user's NAT and host based firewall and can expose them). However if you are ok with things like SSH to your UNIX systems but not RDP to your Windows systems that just means you have a poor understanding of the protocols.
I'm sorry, mod parent up, so freaking right not even funny.
Was going to post anon, but to hell with my Karma, if you can't recognize that Microsoft isn't the same company it was 12 years ago you are part of the problem and not part of the solution. Not saying they are the best at anything, that's in the eye of the beholder. I'm just saying that Windows 7 (while needing its code optimized like KDE4 had) is a far superior OS to Windows XP and Windows XP wasn't a bad platform to start off with. In 1999 (when it was released) it was far superior to Linux in many ways and it was far worse in others. Today, the same case applies, however MS is actually now contributing to the OS community, working with the development community (see Kinect, their Sony reaction only lasted a few days).
Want to talk about security? There are 13 known rootkits for Linux which rootkit (the application that scans for them) can't detect. There are viruses, there are kernel dumps, and worst of all there is LIBHELL. Does this look familiar?
/usr/lib/libboost.so.15
/boot perhaps run fschk without -j or -f? /boot ... :'( :'( )':
$ someapp
Someapp can't find libboost.so.14
$ find / -name "libboost.so.*"
$ yes QQ
QQ
QQ
QQ
QQ
QQ
^C
$
or my favorite one
Couldn't find
root$ ls
grub boot
root$
>)';
Couldn't find command:
So yeah, Linux has its own stability and security issues, some that make me want to throw myself off a 30-floor building sometimes, but I love it too, but I think Microsoft puts out an upstanding product and so does Linux.
I really don't know why I was so verbose, esp with the BS commands.
WTF Slashdot, why do I have to login 50 times to post?
I can't imagine anyone with any important data leaving an X session port open balls-to-the-walls to the Internet, so why on Earth would anyone let RDP, particularly the rather weakly-protected pre-Server 2008 variants, run basically naked like that (not that I would allow a Server 2008 Terminal Server or any other RDP service from a newer OS be visible to the outside world).
We have a Windows Terminal Server plus a few workstations that people can remote into, but they have to come in on our VPN. I closed that channel years ago when I looked on one of our DC security logs and saw a stunning number of dictionary attacks against the Terminal Server.
The world's burning. Moped Jesus spotted on I50. Details at 11.
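The dictionary attacks the commenter above saw in the DC security logs are easy to pick out of a logon-failure feed once you count failures per source address in a sliding window. The following is an added example, not code from the thread or from any commenter: the log lines are constructed, the flat "date time EVENT user= src= logon_type=" format is an assumption (a real Windows Security log export needs its own parser), and filtering on logon type 10 (Windows' RemoteInteractive type, used for RDP/Terminal Server sessions) is the assumed way to restrict the count to remote desktop logons. The threshold and window are deliberately simple; the point is to separate a burst of guesses across many usernames from a legitimate user fat-fingering a password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in an assumed flat format.
# 198.51.100.23: a burst of guesses across many account names (dictionary attack).
# 203.0.113.7:   two typos followed by a success (legitimate user).
# 192.0.2.9:     slow failures 30 minutes apart (below the window threshold here).
SAMPLE_LOG = """\
2012-03-16 02:14:01 LOGON_FAILURE user=administrator src=198.51.100.23 logon_type=10
2012-03-16 02:14:03 LOGON_FAILURE user=administrator src=198.51.100.23 logon_type=10
2012-03-16 02:14:04 LOGON_FAILURE user=admin src=198.51.100.23 logon_type=10
2012-03-16 02:14:06 LOGON_FAILURE user=root src=198.51.100.23 logon_type=10
2012-03-16 02:14:07 LOGON_FAILURE user=guest src=198.51.100.23 logon_type=10
2012-03-16 02:14:09 LOGON_FAILURE user=test src=198.51.100.23 logon_type=10
2012-03-16 02:14:10 LOGON_FAILURE user=backup src=198.51.100.23 logon_type=10
2012-03-16 02:14:12 LOGON_FAILURE user=sql src=198.51.100.23 logon_type=10
2012-03-16 08:02:10 LOGON_FAILURE user=jsmith src=203.0.113.7 logon_type=10
2012-03-16 08:02:25 LOGON_FAILURE user=jsmith src=203.0.113.7 logon_type=10
2012-03-16 08:02:41 LOGON_SUCCESS user=jsmith src=203.0.113.7 logon_type=10
2012-03-16 09:00:00 LOGON_FAILURE user=administrator src=192.0.2.9 logon_type=10
2012-03-16 09:30:00 LOGON_FAILURE user=administrator src=192.0.2.9 logon_type=10
2012-03-16 10:00:00 LOGON_FAILURE user=administrator src=192.0.2.9 logon_type=10
2012-03-16 10:30:00 LOGON_FAILURE user=administrator src=192.0.2.9 logon_type=10
2012-03-16 11:00:00 LOGON_FAILURE user=administrator src=192.0.2.9 logon_type=10
2012-03-16 11:30:00 LOGON_FAILURE user=administrator src=192.0.2.9 logon_type=10
"""

# Assumed line layout; anything that does not match is skipped rather than guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGON_FAILURE|LOGON_SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) logon_type=(?P<ltype>\d+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["ltype"] = int(rec["ltype"])
    return rec


def find_dictionary_attacks(lines, threshold=5, window=timedelta(minutes=5), logon_type=10):
    """Flag source IPs with >= threshold failed remote logons inside any `window`.

    Returns {src: {"failures": peak count seen in one window,
                   "users": sorted distinct account names tried}}.
    """
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    users = defaultdict(set)      # src -> account names attempted
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "LOGON_FAILURE" or rec["ltype"] != logon_type:
            continue
        src, ts = rec["src"], rec["ts"]
        q = recent[src]
        q.append(ts)
        users[src].add(rec["user"])
        # Drop failures that have aged out of the window (input is in time order).
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hit = alerts.setdefault(src, {"failures": 0, "users": []})
            hit["failures"] = max(hit["failures"], len(q))
            hit["users"] = sorted(users[src])
    return alerts


if __name__ == "__main__":
    for src, info in find_dictionary_attacks(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['failures']} failures in window, "
              f"accounts tried: {', '.join(info['users'])}")
```

Against the constructed input only 198.51.100.23 is flagged; the user who mistyped twice and the slow, spaced-out guesser both stay under the threshold. Lowering the threshold or widening the window catches slower guessing at the cost of more noise, which is the usual tuning trade-off for this kind of rule; a long list of distinct account names from one source is the stronger signal either way.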
Well in a way I honestly can't say that I blame them. Just look at how many here are pissing and moaning they are gonna have to go and deploy this patch across their system, aka doing their jobs, when we ALL know it is SOP for the script kiddies to reverse engineer every single patch MSFT releases and to use that for making easy attacks. Look at how many "ZOMFG Windows got horribly hacked!" we have seen where it was fucking patched MONTHS AGO but corps dragged their feet and ended up getting pwned.
To use a /. car analogy: if you park your car on the railroad track to take a nap and someone comes along and says "hey i live around here and there is a train coming down that track, let me help you move to someplace safe" and you go "nahhh, hitting those bumps might shake loose a screw, give me time to crawl under the hood and check everything out" and you drag your feet until the train hits you? Well stupid fucking you, you deserved what you got. It's not like this isn't common knowledge, or some new thing the script kiddies are doing, it's been SOP since Win9X. MSFT releases a patch, script kiddies reverse engineer, a dozen variants are out in the wild within hours of patching. If you are so damned worried about compatibility you need to be running a test bed anyway just for this scenario, and when a nasty bug is patched your ass damned well better be on the ball and ready to deploy because those script kiddies aren't gonna go "It's okay, we'll wait, just let us know when you're ready". Like it or not folks malware and exploits are a billion dollar business and with that kind of money at stake you damned well better bring your A game, anything less is your ass.
ACs don't waste your time replying, your posts are never seen by me.
You have 3 days to deploy this critical patch throughout production? Are you saying you have RDP exposed on the Internet, or you have in-house employees that are capable of exploiting the flaw? If it's the former, you are in the wrong field and might be better off working in retail or fast food somewhere. If it's the latter, I truly feel sorry for you - the employees in my office can barely turn a computer on, therefore I don't have to worry much about them exploiting it until I can get around to patching.
I have employees who are allowed to come in to the VPN with their home (non-corporate-managed) machines, and no restrictions on their network traffic. I'm working on changing that but it hasn't happened as yet. Additionally, I have way too much experience with malware running on Windows machines while their installed antivirus software is happily telling anyone who asks there's nothing wrong at all.
You need to stop thinking about internal risks in terms of deliberate actions by malicious employees (which is still a risk) and start thinking more in terms of the malware they're almost inevitably running and what actions it can take without their knowledge. This is a highly wormable exploit - think SQL Slammer. I would suggest you consider your soft center as well as your hard crunchy outside for this one.