bit-tech.net

Leak outs Microsoft RDP vulnerability exploit


The code required to exploit the recently disclosed Remote Desktop Protocol vulnerability has been leaked, either by Microsoft or one of its MAPP partners.

Microsoft's estimate that it would take ne'er-do-wells 30 days to exploit the recently discovered RDP vulnerability appears to be wide of the mark, following the apparent leaking of working proof-of-concept code.

The flaw, patched by the MS12-020 Security Update released by Microsoft last Tuesday, allows remote attackers to execute code under the 'system' privilege level. As the attack requires no authentication, it represents a serious threat to any system running Remote Desktop Protocol (RDP) and connected to the internet - some five million machines, according to security researcher Dan Kaminsky.

In mitigation, Microsoft claimed that the complexity of the flaw meant it was 'not trivial' to produce a working exploit, saying that 'we would be surprised to see one developed in the next few days.' Instead, the company predicted that it would take around 30 days for the vulnerability to be actively exploited, giving affected customers time to review and install the patch or implement a workaround.

Sadly, it looks like Microsoft has been caught by surprise after all: a working proof-of-concept has appeared on the internet, giving attackers the code required to readily and easily exploit the security vulnerability.

The code doesn't appear to have been developed independently, either. Security researcher Luigi Auriemma, who spotted the flaw and provided a proof-of-concept to Microsoft via TippingPoint's Zero Day Initiative (ZDI) cash-for-bugs security programme, claims that the public proof-of-concept code contains the exact same packet he crafted in his submission to Microsoft. The implication: somebody at Microsoft or TippingPoint leaked the information to the bad guys.

Microsoft, naturally, denies doing any such thing. Instead, the company claims that the leak may have come from one of its Microsoft Active Protections Programme (MAPP) partners, of which ZDI is a member. 'The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Programme partners,' the company's director of trustworthy computing Yunsun Wee admits. 'Consistent with the charter of the MAPP program, we released details related to the vulnerabilities addressed in MS12-020 to MAPP partners under a strict Non-Disclosure Agreement in advance of releasing the security bulletin.'

'Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and programme requirements,' Wee adds.

Those who have installed the MS12-020 patch, either manually or via Windows Update, are protected against exploitation of the flaw.

4 Comments

Action_Parsnip 19th March 2012, 13:12
"claims that the public proof-of-concept code contains the exact same packet he crafted in his submission to Microsoft. The implication: somebody at Microsoft or TippingPoint leaked the information to the bad guys."

Or he leaked it....
schmidtbag 19th March 2012, 14:44
When I heard MS expecting 30 days to exploit the vulnerability, the first thing I thought was "MS has no idea how oblivious they are to programmers who are much better than their own. I expect this will only take a few days", and as I kept reading I found out I was right.

When Windows 7 was first released, Microsoft was acting all proud of this supposed new anti-piracy method (which still uses the same stupid randomly generated code that has been proven over and over again not to work), yet Windows 7 was successfully pirated before it was even on the shelves. MS seriously needs to stop acting like their developers know best.
GoodBytes 19th March 2012, 14:54
Actually Microsoft is correct.
If you have your Windows set to allow connections only from computers running Remote Desktop with Network Level Authentication, then this issue doesn't affect you. If you selected the less secure one, to allow an XP or Windows 2000 machine to connect to your computer, NOW you should be worried. It took from 2001 all the way up to 2012 (now) to hack/find a security hole in the XP Remote Desktop. That's pretty damn impressive, considering that XP security was a complete joke (by today's needs), and bombarded with security holes.
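Added example, not part of GoodBytes's comment or the article: a PowerShell audit of the configuration the comment describes. It reads the standard Terminal Server registry values to report whether RDP is enabled and whether Network Level Authentication is required, and can optionally enforce NLA through the Terminal Services WMI provider. It assumes a Vista/7/2008-era host where NLA is available and an elevated session; the registry paths and WMI class are the standard Windows ones, not values taken from this page.

```powershell
# Added example: audit (and optionally enforce) the RDP/NLA state that decides
# whether an unauthenticated client can reach the listener MS12-020 patched.
# Assumes the standard Terminal Server registry locations; run elevated.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpExposure {
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        RdpEnabled  = ($deny -eq 0)   # fDenyTSConnections = 1 means Remote Desktop is switched off
        NlaRequired = ($nla -eq 1)    # UserAuthentication = 1 means NLA is required before a session is set up
    }
}

function Set-RdpNlaRequired {
    # Uses the documented Terminal Services WMI provider rather than a raw registry write,
    # so the change is applied by the service itself and covers new connections.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($null -eq $ts) { throw 'Win32_TSGeneralSetting not available: NLA is not supported on this Windows version.' }
    [void]$ts.SetUserAuthenticationRequired(1)
}

function Invoke-RdpAudit {
    param([switch]$Enforce)   # hypothetical switch: without it the script only reports
    $state = Get-RdpExposure
    if (-not $state.RdpEnabled) {
        Write-Output 'RDP is disabled: the vulnerable listener is not reachable on this host.'
    } elseif ($state.NlaRequired) {
        Write-Output 'RDP is enabled with NLA required: only authenticated clients reach the RDP listener.'
    } else {
        Write-Warning 'RDP is enabled WITHOUT NLA: unauthenticated clients reach the listener. Install MS12-020 and require NLA.'
        if ($Enforce) { Set-RdpNlaRequired; Write-Output 'NLA is now required for RDP-Tcp.' }
    }
    return $state
}

Invoke-RdpAudit
```

Run `Invoke-RdpAudit -Enforce` to switch NLA on where it is missing; XP and 2000 clients will then no longer be able to connect, which is the trade-off the comment describes.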
John_T 19th March 2012, 21:13
Quote:
Originally Posted by Action_Parsnip
"claims that the public proof-of-concept code contains the exact same packet he crafted in his submission to Microsoft. The implication: somebody at Microsoft or TippingPoint leaked the information to the bad guys."

Or he leaked it....

Why on earth would he leak it? He found/developed the thing in the first place. If he wanted to use it himself, he'd have used it himself. Secretly. No-one would have known it was him, no-one would have known the exploit existed and so no-one would have been prepared to defend against it.