Slashdot Mirror
Windows Remote Desktop Exploit In the Wild
angry tapir writes "Luigi Auriemma, the researcher who discovered a recently patched critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), published a proof-of-concept exploit for it after a separate working exploit, which he said possibly originated from Microsoft, was leaked online on Friday. Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections."
How often is it 'people with a clue' that attackers are after?
Clicked pie.
It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet. The article itself even says this (even though it's author submitted it here):
"""
Creating a working exploit for the CVE-2012-0002 vulnerability is not trivial, Microsoft security engineers Suha Can and Jonathan Ness said in a blog post on Tuesday. "We would be surprised to see one developed in the next few days. However, we expect to see working exploit code developed within the next 30 days."
The PoC is pretty basic, but an experienced exploit writer can modify it to achieve remote code execution, the researcher said.
"""
Yes, MS12-020 is a big deal. But, not THAT big of a deal, yet. Stop flinging FUD around about things that haven't yet happened.
Doesn't everyone with a clue use it via a VPN anyway?
Good way to miss the point.
The incident brings into question vulnerability Microsoft's program which is intended to alert security partners before the patches themselves are released. The idea is to give the security vendors time to prioritise and test the fixes, however in this instance, it left their customers vulnerable.
tldr: Microsoft gave hole in Windows to security guys. Security guys gave it to black hats. Customers lost (probably not for the first time...)
"I've got more toys than Teruhisa Kitahara."
Climb down off your high horse. RDP for years now has been encrypted and certificate authenticated using TLS. There is no inherent reason when it should not be save to connect to a windows 6.x (Vista / 7 / Server '08) machine over the internet with RDP. You don't always use SSH over VPN do you? Its not as if that has never had a vulnerability.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
That's just placing trust in the VPN software, rather than the terminal services server. How does that help? You may trust a particular VPN implementation more than you trust any code out of Microsoft, I guess, but RDP is already encrypted and can be configured to use fairly good authentication.
Yes, for a business, it is expected that a VPN would be required (because there are a lot of network resources beyond RDP, and because the internal network is typically behind a proxy), but for a home connection that seems excessive. RDP is disabled by default on home installations, but plenty of people enable it at some point and don't later disable it even though it's a potential attack vector - much like SSH, which people also often use without VPN.
Additionally, there's always the risk of things like a disgruntled employee using this attack from within the corporate network to attack a co-worker (or manager) by changing something on their computer or stealing their credentials, or a corporate spy using it to gain access to data they shouldn't have, or... For remote security vulnerabilities, you need to be a lot more imaginitive in considering threat cases!
There's no place I could be, since I've found Serenity...
Doesn't everyone with a clue use it via a VPN anyway?
Most people don't have publicly available RDP open. But there are enough Windows machines out there that even if a small percentage have RDP exposed, and only a small percentage of them aren't patched... there is still a metric shitload of vulnerable hosts.
Dan Kaminsky has done some scanning and extrapolation to estimate that there are about 5 million RDP endpoints exposed
Businesses yes for the most part, but Windows power users that would like a way to log in remotely - like Linux people ssh with X forwarding - often have RDC enabled and internet exposed. Plus if you can traverse the external firewall some other way, then launch RDC attacks on the computers that's a pretty big loophole too. Or if you're somehow on the inside already, in a big company that external wall is just a tiny bit of your defenses. Overall it's pretty critical.
Live today, because you never know what tomorrow brings
Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP or via group policy. Here's how to do it in Windows 7 (untested).
tldr: Microsoft gave hole in Windows to security guys. Security guys gave it to black hats. Customers lost (probably not for the first time...)
As soon as you release a patch fixing a problem you've given the black hats enough to exploit it if it is exploitable. A simple binary diff should be enough to figure out what was changed and then it's all over. Releasing actual exploit code only lowers the barrier to entry but a small amount.
Doesn't everyone with a clue use it via a VPN anyway?
RDP with NLA gives you just as much protection as a VPN, and one less layer to worry about.
Use a VPN if you need to expose services in addition to RDP or need to support really old RDP clients but otherwise a VPN is just additional complexity.
Doesn't everyone with a clue use it via a VPN anyway?
Nope.
RDP has been encrypted and relatively secure for years now. It's frequently "good enough" encryption on its own. Just as SSH is frequently "good enough" on its own, and run without a a VPN.
I'd suggest that, at this point, running RDP through a VPN doesn't actually get you much more in the way of real security... Although it would allow you to choose specifically who to trust - Cisco, instead of Microsoft, for example.
Which makes me doubly pissed that I'd set up a game download overnight last night (my usage is unmetered overnight) and they decided to force an unneeded patch/reboot on me, which fucked up the download. :/
I concur that default does indeed suck, you can do a registry change to disable it though:
http://support.microsoft.com/kb/555444
And yes I use Linux too and realise such pointless hacks aren't necessary :P
Not many people with a clue would use Windows for anything serious anyway.
Well.....
At -least- 5 different oil rigs in the North Sea run their HMI for operating the process control systems on win2003 server.
I'm not sure how the people who design this would be considered 'clueless' when it comes to design.
The usual MS bashing gets old.. but this -is- slashdot after all :p
Lower cost of code production
Half-right. The code was written when Server 2003's APIs were the predominant security model on the planet. Unfortunately the new security model in Win7/Svr2008 breaks a lot of that code, sometime in non-obvious ways. An enormous industrial machine code base cannot be ported to the new OSs without major or complete re-writes. A goodly amount of that code is for custom-built systems or machines that are no longer being manufactured but which will continue to function for decades longer, and that code will probably NEVER be ported over.
I contracted at a utility that had a knee-high pile of ancient Compaq 386 laptops in their radio communications shop. When I offered to dispose of them the guys told me they had a half-million dollar radio tower which used configuration software that would **ONLY** run under MS DOS 3 on a 386 CPU. The manufacturer had been gobbled up by some other company and had no intention of re-writing software for a product that they no longer made. They kept that pile for 14 years, until the tower was finally replaced.
So, yeah, there's a shitload of that stuff out there and you're just going to have to keep dealing with DOS, Win9x, NT, Win2K, for the next couple of decades.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Yes, most of us use it with VPN. However consider this:
1) Someone with possibly a bit less skill at finding vulnerabilities takes this code and merges it with a social engineering attack.
2) The social engineering attack promises the user some silly thing (maybe extra smiley faces or dancing cats).
3) The user runs the program inside the corporate firewall.
4) All the company's servers begin blue screening as the user's machine spews these malformed RDP packets.
Honestly, that's not too far fetched and some type of blended exploit like this will probably happen. That's why it is important to patch machines for this and not think that a border firewall is going to protect you for long.
I would say that way too many businesses have things set up to be open to the internet at large. Configure your firewalls appropriately. If you need you RDP machine accessible from "the internet" then at least configure your firewalls so that only certain IPs can access that port. If that means providing a static IP to your employees that need to connect, then so be it. Sure it's convenient to be able to connect to your computers from any other internet connected computer in the world, but it is by no means secure.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
VPN often leads to a false sense of security. People see it as a panacea, if you just run VPN everything is good. You can see that on Slashdot with the "How could someone not have it behind VPN?" comments as though VPN is the One True Way(tm) to security and they can't conceive any other way.
So someone sets up a VPN and has a trusted/untrusted idea with the firewall and then doesn't properly mind after the "trusted" area since after all, there's the magic VPN protecting it. An employee then bring in an infected laptop, or VPNs in from an infect computer, punching through all the defenses and it is game over.
They are much less safe than someone who does allow RDP in and thus views all networks, including internal, as untrusted and is up on patching this.
Really VPNs are not a security tool for keeping attacks and so on out. What they are is for logically (virtually) connecting two disparate networks. You have office A and office B and you want them to be one logical network, a VPN will get you that. They are also good for encrypting communications if other security can't be relied upon. For example when I'm in an airport I use VPN since their WiFi is open to the world.
This idea that they are some sort of wonderful network security is rather flawed, they can be just the opposite. If an outside computer, not controlled by you, is allowed to punch through the firewall using VPN and become "trusted" to a degree, they are less secure. Also sometimes they are bad on the user end too as a number of them punch through user protections. Some VPN/software firewall combinations can't successfully identify the VPN as a network adapter and thus it punches right through all client side filtering. Combine that with a public IP on the end of the VPN concentrator and you can take someone who was protected with a NAT and host based firewall and expose them to the world, just by them logging in.
Don't get me wrong, I'm not anti-VPN, but people need to think critically about what they are really good for, how they need to be implemented, and stop with this "Everything should be behind VPN, it makes it more secure!" No, it can make it less secure if you fuck up.