The first functional exploit code for the recently-patched BlueKeep vulnerability in Windows' Remote Desktop Services (RDS) functionality has been released, as part of the Metasploit Framework project.
First confirmed by Microsoft back in May through the release of emergency out-of-band patches for Windows operating systems - including supposedly-unsupported release Windows XP - then patched again for new variants in August, BlueKeep is a serious vulnerability. ''This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is "wormable," meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,' said Microsoft's Simon Pope at the time. 'While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.'
Exploitation will now be considerably easier, courtesy of the Metasploit Framework project - an open-source effort to develop tools for finding and exploiting vulnerabilities, used by both white-hat security researchers and black-hat hackers alike - which now has optional support for BlueKeep via a pull request which has yet to be merged with the core code.
'This PR adds an exploit module for CVE-2019-0708, a.k.a. BlueKeep, exploiting a remote Windows kernel use-after-free vulnerability via RDP,' the documentation for the pull request explains. 'The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.'
The exploit isn't fully functional yet, however: It currently only operates on 64-bit installations of Windows 7 and Windows Server 2008 R2, with the latter requiring a manual registry change in order to be susceptible. A failed exploitation is also likely to crash the target system, something that may be of interest to those looking to carry out a denial of service (DoS) attack but is definitely unwanted when a quieter approach is preferred.
The exploit is not yet functional on older, out-of-support operating systems, which is good news for those who still have Windows XP systems in play: While the emergency patch was released via Windows Update to all currently supported Windows releases, out-of-support operating systems require manual patching - something that many embedded, industrial, and otherwise set-and-forget systems are unlikely to receive any time soon.
February 24 2020 | 12:00