Windows Remote Desktop Exploit In the Wild

angry tapir writes "Luigi Auriemma, the researcher who discovered a recently patched critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), published a proof-of-concept exploit for it after a separate working exploit, which he said possibly originated from Microsoft, was leaked online on Friday. Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections."

Re:Did anyone think it was secure anyway?

[Svippy]

How often is it 'people with a clue' that attackers are after?

Re:Not entirely true

[rdebath]

Except that quote is assuming that the attacker is starting from either now or last tuesday. The POC executable that was leaked was written back in November so there's nothing to say that someone hasn't been working on it the LAST 30 days.

If that's true expect a worm starting up on Friday evening at the latest.
The threat is real and the lack of a public RCE means little.

Re:Did anyone think it was secure anyway?

[ozmanjusri]

Doesn't everyone with a clue use it via a VPN anyway?

Good way to miss the point.

The incident brings into question vulnerability Microsoft's program which is intended to alert security partners before the patches themselves are released. The idea is to give the security vendors time to prioritise and test the fixes, however in this instance, it left their customers vulnerable.

tldr: Microsoft gave hole in Windows to security guys. Security guys gave it to black hats. Customers lost (probably not for the first time...)

Re:Did anyone think it was secure anyway?

[cbhacking]

That's just placing trust in the VPN software, rather than the terminal services server. How does that help? You may trust a particular VPN implementation more than you trust any code out of Microsoft, I guess, but RDP is already encrypted and can be configured to use fairly good authentication.

Yes, for a business, it is expected that a VPN would be required (because there are a lot of network resources beyond RDP, and because the internal network is typically behind a proxy), but for a home connection that seems excessive. RDP is disabled by default on home installations, but plenty of people enable it at some point and don't later disable it even though it's a potential attack vector - much like SSH, which people also often use without VPN.

Additionally, there's always the risk of things like a disgruntled employee using this attack from within the corporate network to attack a co-worker (or manager) by changing something on their computer or stealing their credentials, or a corporate spy using it to gain access to data they shouldn't have, or... For remote security vulnerabilities, you need to be a lot more imaginitive in considering threat cases!

Re:Did anyone think it was secure anyway?

[jamesh]

tldr: Microsoft gave hole in Windows to security guys. Security guys gave it to black hats. Customers lost (probably not for the first time...)

As soon as you release a patch fixing a problem you've given the black hats enough to exploit it if it is exploitable. A simple binary diff should be enough to figure out what was changed and then it's all over. Releasing actual exploit code only lowers the barrier to entry but a small amount.

Re:Did anyone think it was secure anyway?

Doesn't everyone with a clue use it via a VPN anyway?

Nope.

RDP has been encrypted and relatively secure for years now. It's frequently "good enough" encryption on its own. Just as SSH is frequently "good enough" on its own, and run without a a VPN.

I'd suggest that, at this point, running RDP through a VPN doesn't actually get you much more in the way of real security... Although it would allow you to choose specifically who to trust - Cisco, instead of Microsoft, for example.

Re:Did anyone think it was secure anyway?

[omglolbah]

Not many people with a clue would use Windows for anything serious anyway.

Well.....

At -least- 5 different oil rigs in the North Sea run their HMI for operating the process control systems on win2003 server.

I'm not sure how the people who design this would be considered 'clueless' when it comes to design.

The usual MS bashing gets old.. but this -is- slashdot after all :p

Re:Did anyone think it was secure anyway?

[cusco]

Lower cost of code production

Half-right. The code was written when Server 2003's APIs were the predominant security model on the planet. Unfortunately the new security model in Win7/Svr2008 breaks a lot of that code, sometime in non-obvious ways. An enormous industrial machine code base cannot be ported to the new OSs without major or complete re-writes. A goodly amount of that code is for custom-built systems or machines that are no longer being manufactured but which will continue to function for decades longer, and that code will probably NEVER be ported over.

I contracted at a utility that had a knee-high pile of ancient Compaq 386 laptops in their radio communications shop. When I offered to dispose of them the guys told me they had a half-million dollar radio tower which used configuration software that would **ONLY** run under MS DOS 3 on a 386 CPU. The manufacturer had been gobbled up by some other company and had no intention of re-writing software for a product that they no longer made. They kept that pile for 14 years, until the tower was finally replaced.

So, yeah, there's a shitload of that stuff out there and you're just going to have to keep dealing with DOS, Win9x, NT, Win2K, for the next couple of decades.