Remote arbitrary code execution in RDP
It became known about a dangerous vulnerability in the RDP protocol: Microsoft has prepared an emergency patch for the vulnerability with the identifier CVE-2019-0708, which allows arbitrary code to be executed on the target system.
A remote code execution vulnerability exists in Remote Desktop Services (formerly called Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability uses preauthentication and does not require user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.
The vulnerability (CVE-2019-0708) resides in the “remote desktop services” component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates.
To exploit the vulnerability, an attacker must send a specially crafted request to the remote desktop service of the target systems via RDP.
An interesting fact is that this or a similar vulnerability has been sold on the darknet since at least September last year:
SELLER, [30.09.18 12:54]Exploitation of this vulnerability makes it possible to write malware similar to WannaCry, discovered exactly 2 years ago .
RDP RCE Exploit
description:
This is a bug in RDP protocol.
That means you may exploit any Windows remotely who enables RDP.
vulnerability type:
Heap overflow
affected versions:
Windows 2000 / XP / 2003 / Vista /
7/2008 (R2) privilege level obtained:
SYSTEM privilege
reliability:
90% for one core / 30% for multiple core
exploitation length:
around 10 seconds
Possible buyer , [09/30/18 12:58]
affected versions:
Windows 2000 / XP / 2003 / Vista / 7/2008 (R2)
LOL
Possible buyer, [09/30/18 12:58]
is it pre-auth or post-auth vuln?
SELLER, [30.09.18 12:59]
Pre
Possible buyer, [30.09.18 12:59]
for how much they / he / she sells it?
SELLER, [30.09.18 12:59]
500
SELLER, [30.09.18 12:59]
Shared
Possible buyer, [30.09.18 12:59]
500k USD?
SELLER, [30.09.18 13:00]
So u can guess it was sold few times
SELLER, [30.09.18 13:00]
Yes
This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is 'wormable', meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.The vulnerability is so serious that Microsoft has released patches even for unsupported versions of the OS - Windows XP and Windows 2003.