Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Remote Desktop Exploit In the Wild

Posted by samzenpus on from the known-weakness dept.

angry tapir writes "Luigi Auriemma, the researcher who discovered a recently patched critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), published a proof-of-concept exploit for it after a separate working exploit, which he said possibly originated from Microsoft, was leaked online on Friday. Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections."

6 of 94 comments (clear)

  1. Re:Did anyone think it was secure anyway? by Svippy · · Score: 5, Insightful

    How often is it 'people with a clue' that attackers are after?

    --
    Clicked pie.
  2. Re:Did anyone think it was secure anyway? by cbhacking · · Score: 5, Insightful

    That's just placing trust in the VPN software, rather than the terminal services server. How does that help? You may trust a particular VPN implementation more than you trust any code out of Microsoft, I guess, but RDP is already encrypted and can be configured to use fairly good authentication.

    Yes, for a business, it is expected that a VPN would be required (because there are a lot of network resources beyond RDP, and because the internal network is typically behind a proxy), but for a home connection that seems excessive. RDP is disabled by default on home installations, but plenty of people enable it at some point and don't later disable it even though it's a potential attack vector - much like SSH, which people also often use without VPN.

    Additionally, there's always the risk of things like a disgruntled employee using this attack from within the corporate network to attack a co-worker (or manager) by changing something on their computer or stealing their credentials, or a corporate spy using it to gain access to data they shouldn't have, or... For remote security vulnerabilities, you need to be a lot more imaginitive in considering threat cases!

    --
    There's no place I could be, since I've found Serenity...
  3. Re:Did anyone think it was secure anyway? by liamoshan · · Score: 5, Interesting

    Doesn't everyone with a clue use it via a VPN anyway?

    Most people don't have publicly available RDP open. But there are enough Windows machines out there that even if a small percentage have RDP exposed, and only a small percentage of them aren't patched... there is still a metric shitload of vulnerable hosts.

    Dan Kaminsky has done some scanning and extrapolation to estimate that there are about 5 million RDP endpoints exposed

  4. Re:Not entirely true by buchner.johannes · · Score: 5, Informative

    It cannot "be exploited remotely to execute arbitrary code". It can only crash the service. There is no RCE developed for this vulnerability, yet.

    As the CVE says:

    The Remote Desktop Protocol (RDP) implementation in [...] does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."

    And the MS security bulletin also holds it as Maximum Security Impact: Remote Code Execution.

    This is not FUD, even if there is no worm completed yet, it is a clear failure of MS security, and their concept of many lines of defense. Also, they promised to implement their own rehash of W^X, but apparently failed.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  5. Leaving the obvious question: how to turn off RDP? by Anonymous Coward · · Score: 5, Informative

    Turns out I already had it disabled (it's disabled by default?), but here's how to disable it in Windows XP or via group policy. Here's how to do it in Windows 7 (untested).

  6. Re:Did anyone think it was secure anyway? by cusco · · Score: 5, Insightful

    Lower cost of code production

    Half-right. The code was written when Server 2003's APIs were the predominant security model on the planet. Unfortunately the new security model in Win7/Svr2008 breaks a lot of that code, sometime in non-obvious ways. An enormous industrial machine code base cannot be ported to the new OSs without major or complete re-writes. A goodly amount of that code is for custom-built systems or machines that are no longer being manufactured but which will continue to function for decades longer, and that code will probably NEVER be ported over.

    I contracted at a utility that had a knee-high pile of ancient Compaq 386 laptops in their radio communications shop. When I offered to dispose of them the guys told me they had a half-million dollar radio tower which used configuration software that would **ONLY** run under MS DOS 3 on a 386 CPU. The manufacturer had been gobbled up by some other company and had no intention of re-writing software for a product that they no longer made. They kept that pile for 14 years, until the tower was finally replaced.

    So, yeah, there's a shitload of that stuff out there and you're just going to have to keep dealing with DOS, Win9x, NT, Win2K, for the next couple of decades.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin