Attacker Value
Very High
2

Windows Remote Desktop (RDP) Use-after-free vulnerability, “BlueKeep”

Disclosure Date: May 16, 2019. Last updated: June 09, 2020

Exploitability: Moderate (10 users assessed)
Attack Vector: Unknown
Privileges Required: Unknown
User Interaction: Unknown

Description

A bug in the Windows Remote Desktop Protocol (RDP) service allows unauthenticated users to run arbitrary code by sending a specially crafted request to the service. It affects Windows 7/Windows Server 2008 and earlier releases. Given how widely RDP is deployed in corporate environments and how much trust is placed in it, this could enable ransomware outbreaks much like WannaCry.

Patches have been released for Windows 7/Server 2008 operating systems as well as Windows XP.


8
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

The effort to execute the exploit out of the box, with default settings on known targets is not that high. It’s important to note that to exploit this reliably in atypical scenarios you need to know a bit more detail of the target, including what hypervisor it may be running on.

6
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

What a pain to make it work generally across different versions! The work put into this will be foundational for future exploit development around RDP and Windows kernel exploitation in general.

6
Ratings
Technical Analysis

Like some others have said, this requires an understanding of your target's host devices in order to generate a reliable exploit. This involves identifying the start address of the NonPagedPool and plugging this into the existing Metasploit module.

With a large number of cloud-based resources this is perhaps a little easier to exploit than enterprise desktops.

An example against AWS-hosted Windows appliances works something like this:

  • Spin up your own AWS instance.
  • Use a memory dump tool like WinPMem to grab a memory image.
  • Transfer the memory dump to a machine running the Rekall memory forensics tool.
  • Run the pools plugin to get the address.

This offset will work against any instance in this region started from that same base AMI.


5
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

It is a scary vuln, and you should patch immediately. As no PoC is out, don’t trust the patch entirely and limit exposure to critical systems.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

Watch this one for details. In the meantime, if you can’t patch, then block TCP/3389 (or whatever port you might be mapping RDP to), enable Network Level Authentication (NLA), or disable RDP.

This exploit is critical. RDP is ubiquitous in corporate settings, which are the most likely to have older operating systems deployed. That issue is complicated by the general reasoning that most older operating systems are there to support legacy equipment and are less likely to receive automated patching.

EDIT (24-July-2019): Welp, we’ve heard lots of researchers say they’re privately holding onto PoCs, but now PoCs and details are starting to surface. It won’t be long until this one is easily weaponized, and I’m willing to bet it’s being used in the wild, if only in selected cases.

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

This vuln is important to focus attention on. Pre-auth RCE on a likely large target base is very dangerous.

3
Ratings
Technical Analysis

Due to public exploits being flaky and sometimes resulting in a Blue Screen on the victim, this exploit is still somewhat difficult to always replicate. If you have paid tools that have better versions of the exploit, it’s more reliable.

The fact that an exploit is included in newer versions of Metasploit massively lowers the bar for being able to exploit this vulnerability.

The damage potential is astronomical as there are so many machines that expose RDP to the internet.

3
Ratings
Technical Analysis

Some of the gotchas on patching this vuln:

  • Not restarting the vulnerable asset, even after you apply the patch, keeps the asset vulnerable. You must restart.
  • There have been cases where, even with the patch reported as installed, the files on disk were still vulnerable. Manually check termdd.sys; the file is normally located at C:\Windows\System32\drivers, and its version can be retrieved with this PowerShell command:

Get-Item -Path 'C:\Windows\System32\drivers\termdd.sys' | Format-List -Force
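As an added example (not code from the page or from any of the assessors above), the following PowerShell script bundles the defender-side checks the assessments mention: the termdd.sys version actually on disk, whether a reboot is still pending, whether RDP is enabled, which port it listens on, and whether NLA is required. The patched driver version is an assumption the reader supplies via -PatchedVersion from the Microsoft KB article for their OS; the registry paths used are the standard Terminal Server keys.

```powershell
# Added example, not from the AttackerKB page or its assessors.
# -PatchedVersion is a PLACEHOLDER the admin fills in from the KB article
# for their OS; the page itself does not state the fixed termdd.sys version.
param(
    [version]$PatchedVersion,
    [string]$Driver = 'C:\Windows\System32\drivers\termdd.sys'
)

$result = [ordered]@{}

# 1. Version of the driver actually on disk (a "patch installed" report is
#    not enough; an assessor saw vulnerable files with the patch reported).
$vi = (Get-Item -Path $Driver).VersionInfo
$onDisk = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart)
$result['termdd.sys version'] = $onDisk
if ($PatchedVersion) {
    $result['driver at/above patched version'] = ($onDisk -ge $PatchedVersion)
} else {
    $result['driver at/above patched version'] = $false   # unknown: treat as unpatched
}

# 2. Pending reboot: the patched driver is not loaded until the box restarts.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$pfro = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
            -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$result['reboot pending'] = (($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0) -or ($null -ne $pfro)

# 3. Is RDP enabled at all? fDenyTSConnections = 1 means connections are refused.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$result['RDP enabled'] = ($deny -ne 1)

# 4. Listening port (may be remapped away from 3389) and NLA requirement.
$props = Get-ItemProperty "$ts\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
$result['RDP port'] = $props.PortNumber
$result['NLA required'] = ($props.UserAuthentication -eq 1)

# Summary: RDP reachable without NLA while the fix is not yet effective.
# NLA only raises the bar (auth before the vulnerable code path); patching plus
# a restart is the actual fix.
$result['still exposed'] = $result['RDP enabled'] -and (-not $result['NLA required']) -and
    ((-not $result['driver at/above patched version']) -or $result['reboot pending'])

[pscustomobject]$result | Format-List
```

Run it elevated on each asset with the version from the KB, e.g. `.\Check-BlueKeep.ps1 -PatchedVersion '<version from KB>'`, and act on any host where "still exposed" is True.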
