Exploit circulating for Windows RDP vulnerability
A proof of concept (PoC) exploit, which goes by the name of rdpclient.exe, is currently circulating for a vulnerability in the Remote Desktop Protocol (RDP) server found in all supported versions of Windows. The security hole, which was patched on Tuesday, can be exploited remotely, causing vulnerable systems to crash. Luigi Auriemma, who originally discovered and reported the vulnerability, has alleged on Twitter that the exploit was developed by Microsoft itself.
According to Auriemma, the RDP packet used by the exploit to crash target systems is precisely the same as the one he provided to Microsoft in confidence last year through the Zero Day Initiative. On his web site, Auriemma claims that Microsoft developed the exploit back in November, based on information that he provided.
In response to these events, Auriemma has now publicly released his advisory from 16 May 2011, including the PoC code. The H's associates at heise Security confirmed that the PoC does indeed trigger a blue screen of death on an unpatched Windows 7 system.
How the exploit leaked onto the web is still unclear. Microsoft is reported to have provided selected partners – organisations such as anti-virus software companies – with copies of the exploit as part of its Microsoft Active Protections Program (MAPP).
A Metasploit module enabling an attacker to compromise target computers will likely be released in the near future. Heise Security has already obtained information suggesting that a Python script opening a remote shell on a target computer is already in circulation. Users who have not yet installed Tuesday's patch are advised to do so as soon as possible.
The vulnerability is a use-after-free: the RDP server accesses a memory object after it has already been freed, and triggering it requires no authentication. All Windows versions on which the RDP server – used by system administrators to remotely control and administer systems – has been enabled are vulnerable. The flaw can be exploited from the internet only if a router forwards the RDP port (TCP port 3389) to the system or if the computer is connected to the internet directly.
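The exposure question above (is port 3389 on a given host actually answering RDP?) can be settled without credentials by speaking only the first step of the RDP connection sequence: a TPKT-framed X.224 Connection Request carrying an RDP negotiation request, to which an RDP server answers with an X.224 Connection Confirm carrying either a negotiation response or a negotiation failure (both defined in MS-RDPBCGR). The following Python script is an added example and is not part of the original article, of rdpclient.exe or of any tool the article mentions; the host name in it is hypothetical and the sample responses are constructed for illustration, not captured from a real system. It builds the request, decodes the confirm and reports which security protocol the server selected, which is what a defender needs to decide whether a host is reachable on this port at all.

```python
"""Minimal RDP reachability probe (added example, not from the article).

Speaks only the first exchange of the RDP connection sequence
(MS-RDPBCGR): a TPKT-framed X.224 Connection Request carrying an
RDP_NEG_REQ, and the server's X.224 Connection Confirm carrying either
an RDP_NEG_RSP or an RDP_NEG_FAILURE. It sends no credentials and no
channel data, so it only answers "is something speaking RDP on this port".
"""
import socket
import struct
import sys

TPKT_VERSION = 3
X224_CR = 0xE0          # X.224 Connection Request (low nibble = credit)
X224_CC = 0xD0          # X.224 Connection Confirm
RDP_NEG_REQ, RDP_NEG_RSP, RDP_NEG_FAILURE = 0x01, 0x02, 0x03
RDP_PORT = 3389

# selectedProtocol values of RDP_NEG_RSP (MS-RDPBCGR 2.2.1.2.1)
PROTOCOL_NAMES = {
    0x00: "PROTOCOL_RDP (standard RDP security)",
    0x01: "PROTOCOL_SSL",
    0x02: "PROTOCOL_HYBRID (CredSSP)",
    0x04: "PROTOCOL_RDSTLS",
    0x08: "PROTOCOL_HYBRID_EX",
}
# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_NAMES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=0x00, cookie=None):
    """TPKT + X.224 CR + optional mstshash cookie + RDP_NEG_REQ."""
    body = b""
    if cookie:
        body += b"Cookie: mstshash=" + cookie.encode("ascii") + b"\r\n"
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols (little-endian)
    body += struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224: LI (bytes after this byte), code, DST-REF, SRC-REF, class options
    x224 = struct.pack(">BBHHB", 6 + len(body), X224_CR, 0, 0, 0) + body
    # TPKT: version 3, reserved, total length including this 4-byte header
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Validate framing and decode the server's negotiation answer."""
    if len(data) < 11:
        raise ValueError("too short for TPKT + X.224 Connection Confirm")
    version, _, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != TPKT_VERSION or tpkt_len != len(data):
        raise ValueError("bad TPKT header")
    li, code, _dst_ref, src_ref, _cls = struct.unpack(">BBHHB", data[4:11])
    if code & 0xF0 != X224_CC:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    if li != len(data) - 5:
        raise ValueError("X.224 length indicator disagrees with TPKT length")
    result = {"src_ref": src_ref, "negotiation": None,
              "selected_protocol": None, "failure": None}
    body = data[11:]
    if len(body) >= 8:   # servers that predate negotiation send no block here
        ntype, _flags, nlen, value = struct.unpack("<BBHI", body[:8])
        if nlen != 8:
            raise ValueError("bad RDP negotiation structure length")
        if ntype == RDP_NEG_RSP:
            result["negotiation"] = "response"
            result["selected_protocol"] = value
            result["selected_protocol_name"] = PROTOCOL_NAMES.get(value, "unknown")
        elif ntype == RDP_NEG_FAILURE:
            result["negotiation"] = "failure"
            result["failure"] = FAILURE_NAMES.get(value, "unknown (0x%08x)" % value)
        else:
            raise ValueError("unexpected negotiation type 0x%02x" % ntype)
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def probe_rdp(host, port=RDP_PORT, timeout=3.0):
    """Connect, send one Connection Request, return the decoded Confirm."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        head = _recv_exact(sock, 4)                  # TPKT header first
        total = struct.unpack(">H", head[2:4])[0]    # then the rest of the frame
        return parse_connection_confirm(head + _recv_exact(sock, total - 4))


# Constructed sample responses for offline testing (not captures from any real host).
SAMPLE_CC_NEG_RSP = bytes.fromhex(
    "03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00")
SAMPLE_CC_NEG_FAILURE = bytes.fromhex(
    "03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
SAMPLE_CC_PLAIN = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    # hypothetical default target; pass a real host or address as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "rdp.example.internal"
    try:
        print(probe_rdp(target))
    except (OSError, ValueError) as exc:
        print("no RDP answer from %s: %s" % (target, exc))
```

Run it against a host from outside the network boundary: a decoded Connection Confirm means the RDP server is reachable from there and the forwarding described above is in place; a refused connection or timeout means it is not. The probe deliberately stops after the first exchange, so it neither authenticates nor sends anything resembling the crash packet.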
(fab)