RDP Bug Goes Big Time

Thursday, March 22, 2012 @ 02:03 PM gHale


A Metasploit module for the Microsoft Remote Desktop Protocol (RDP) vulnerability is now available.

It has been a week since Microsoft released a patch for the RDP bug, and the exploit code included with the information the company sent to its partners in the Microsoft Active Protections Program (MAPP) appeared in an exploit on a Chinese download site shortly thereafter.

Luigi Auriemma, the researcher who discovered and reported the vulnerability to Microsoft through the TippingPoint Zero Day Initiative (ZDI), said the packet found in the exploit code that leaked was a direct copy of the one he submitted with his bug report.

Officials at ZDI said they are certain the code did not leak from their organization. Microsoft officials have said little more than to acknowledge that there seems to be a leak from somewhere within MAPP. The company has not indicated whether that was on their end or from one of the MAPP members.

Be that as it may, there is now a working exploit committed to the Metasploit Framework, which is typically a good indicator that attacks are about to ramp up.

Brad Arkin, head of product security and privacy at Adobe, said in a recent talk that when there is a newly public vulnerability in one of the company’s products, the attacks start with a trickle against high-value targets and then increase sharply from there.

“The biggest jump in exploits we see is right after the release of a Metasploit module,” he said. “We’ll see a few attacks a day before that and then it will spike to five thousand a day, and it goes up from there. There’s a correlation between the broader availability of an exploit and more people getting attacked.”

The exploit in Metasploit, like the one that has been circulating online, causes a denial-of-service condition on vulnerable machines. Researchers have been working on developing a working remote code execution exploit for the bug, as well, but none has surfaced publicly yet.
