Remote arbitrary code execution in RDP

    A dangerous vulnerability in the RDP protocol has become public: Microsoft has prepared an emergency patch for the vulnerability with the identifier CVE-2019-0708, which allows arbitrary code to be executed on the target system.

    A remote code execution vulnerability exists in Remote Desktop Services (formerly called Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. The vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited it could execute arbitrary code on the target system.

    The vulnerability (CVE-2019-0708) resides in the “remote desktop services” component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It is also present in computers powered by Windows XP and Windows Server 2003, operating systems for which Microsoft long ago stopped shipping security updates.

    To exploit the vulnerability, an attacker must send a specially crafted request to the remote desktop service of the target system via RDP.

    An interesting fact is that this or a similar vulnerability has been offered for sale on the darknet since at least September 2018:

    SELLER, [30.09.18 12:54]
    RDP RCE Exploit

    This is a bug in RDP protocol.
    That means you may exploit any Windows host remotely that has RDP enabled.

    vulnerability type:
    Heap overflow

    affected versions:
    Windows 2000 / XP / 2003 / Vista / 7/2008 (R2)

    privilege level obtained:
    SYSTEM privilege

    90% for one core / 30% for multiple cores

    exploitation length:
    around 10 seconds

    Possible buyer, [30.09.18 12:58]
    affected versions:
    Windows 2000 / XP / 2003 / Vista / 7/2008 (R2)

    Possible buyer, [30.09.18 12:58]
    is it pre-auth or post-auth vuln?

    SELLER, [30.09.18 12:59]

    Possible buyer, [30.09.18 12:59]
    for how much they / he / she sells it?

    SELLER, [30.09.18 12:59]

    SELLER, [30.09.18 12:59]

    Possible buyer, [30.09.18 12:59]
    500k USD?

    SELLER, [30.09.18 13:00]
    So u can guess it was sold few times

    SELLER, [30.09.18 13:00]

    Exploitation of this vulnerability makes it possible to write malware similar to WannaCry, discovered exactly 2 years ago.

    This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is 'wormable', meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.

    The vulnerability is so serious that Microsoft has released patches even for unsupported versions of the OS, Windows XP and Windows Server 2003.
