MS12-020: Breeding RDP Worms

    On Tuesday Microsoft released its next batch of patches, and among them our attention was especially drawn to MS12-020, which is rated critical. The vulnerability allows arbitrary code to be executed on a remote system by means of a specially crafted RDP packet, and it affects all supported versions of Windows, 64-bit editions included. In fact, MS12-020 closes two vulnerabilities: CVE-2012-0002 (remote code execution in RDP) and CVE-2012-0152 (denial of service in Terminal Server). We are more interested in the first one, since it is far more dangerous: a remotely reachable code-execution bug in a listening network service is exactly the raw material for network worms that will actively exploit it (at the moment I am not aware of it being used in any malware).

    Incidentally, the same driver had been patched not long before: MS11-065 (August 2011) closed a DoS vulnerability (Windows XP / Server 2003) in the very same rdpwd.sys in which CVE-2012-0002 was found. The changes can be tracked by comparing the timestamps of rdpwd.sys before and after the patch, and also through the official lists of changed files for MS11-065 and for MS12-020.
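    As an added example (not code from the original post), here is a small Python reader for the build timestamp that such a before/after comparison of rdpwd.sys relies on: the COFF header field IMAGE_FILE_HEADER.TimeDateStamp, which records when the linker produced the image. The two stub images and their dates are constructed for illustration and are not the real rdpwd.sys values; on a real system you would feed it the bytes of %SystemRoot%\System32\drivers\rdpwd.sys taken before and after applying the patch.

```python
"""Read the build (link) timestamp from a PE image such as rdpwd.sys.

Added illustration for this post, not code from it: the timestamps used to
tell a pre-patch driver from a post-patch one are the COFF header's
IMAGE_FILE_HEADER.TimeDateStamp. The two sample images below are constructed
in-memory stubs with invented timestamps, not the real rdpwd.sys binaries.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header
COFF_HEADER_SIZE = 20


def pe_header_info(data: bytes) -> dict:
    """Parse just enough of a PE image to report machine, link time and linker version.

    Raises ValueError for anything that is not a well-formed PE header, so a
    truncated or non-PE file is rejected instead of yielding a bogus timestamp.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + len(PE_SIGNATURE)
    # We read the 20-byte COFF header plus the first 4 bytes of the optional header.
    if coff + COFF_HEADER_SIZE + 4 > len(data):
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:coff] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    magic, linker_major, linker_minor = struct.unpack_from(
        "<HBB", data, coff + COFF_HEADER_SIZE)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "link_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "linker": f"{linker_major}.{linker_minor}",
    }


def link_time_delta_days(before: bytes, after: bytes) -> float:
    """Days between two builds' link times; positive when `after` is the newer build."""
    delta = pe_header_info(after)["timestamp"] - pe_header_info(before)["timestamp"]
    return delta / 86400


def make_stub_pe(timestamp: int, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Build a minimal, non-loadable PE image with the given TimeDateStamp.

    Constructed test input only: MZ stub, e_lfanew, PE signature, COFF header
    and the start of an optional header, with every other field zeroed.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = PE32_MAGIC if machine == IMAGE_FILE_MACHINE_I386 else PE32PLUS_MAGIC
    opt_size = 0xE0 if magic == PE32_MAGIC else 0xF0
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, timestamp, 0, 0, opt_size, 0x0102)
    # Magic, MajorLinkerVersion, MinorLinkerVersion, then zero padding
    opt = struct.pack("<HBB", magic, 9, 0) + bytes(opt_size - 4)
    return bytes(dos) + PE_SIGNATURE + coff + opt


# Constructed sample images with invented timestamps (NOT real rdpwd.sys data):
# "before" is linked 2011-07-01 00:00 UTC, "after" 2012-02-01 00:00 UTC.
PRE_PATCH = make_stub_pe(1309478400)
POST_PATCH = make_stub_pe(1328054400, machine=IMAGE_FILE_MACHINE_AMD64)


def report(label: str, data: bytes) -> str:
    """One-line summary of the kind you would put beside a diff screenshot."""
    info = pe_header_info(data)
    arch = "x64" if info["pe32plus"] else "x86"
    return (f"{label}: {arch} linked {info['link_time']:%Y-%m-%d %H:%M:%S} UTC, "
            f"linker {info['linker']}, {info['sections']} sections")


if __name__ == "__main__":
    print(report("before patch", PRE_PATCH))
    print(report("after patch ", POST_PATCH))
    print(f"newer by {link_time_delta_days(PRE_PATCH, POST_PATCH):.0f} days")
    # On a real box: pe_header_info(open(r"C:\Windows\System32\drivers\rdpwd.sys", "rb").read())
```

    One caveat: TimeDateStamp is plain metadata written by the linker and can be set to anything, so treat it as a hint for pairing up the two drivers being diffed, and confirm that a system is actually patched via the file's Authenticode signature and the installed-update list rather than the timestamp alone.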

    image


    image

    The main changes turned out to be in the HandleAttachUserReq() function, whose decompiled version looks like this:

    image

    image

    Comparing the patched driver with the pre-patch one, it is clear that the changes are few.

    image

    An additional check was added, together with the freeing of memory via ExFreePoolWithTag():

    image

    Now let's look at the decompiled version of these changes:

    image

    image

    It is the absence of this check that opens the way to remote corruption of memory and, consequently, to unauthorized code execution. Worse still, because rdpwd.sys is a kernel-mode driver, that code would run in the kernel.

    A good analysis of CVE-2012-0152 (the DoS in Terminal Server) can be found here.

    There are claims that a working exploit already exists:

    image

    Perhaps this is just a fake, but by our forecast a public exploit will most likely appear next week as part of Metasploit, which will trigger a chain reaction of its appearance in malware.
