About about six weeks ago, Microsoft took the unusual step of releasing patches intended to protect versions of their operating systems that no longer receive updates have reached the “end of life”, such as Windows XP. It’s something that the software giant has only felt the need to do on a handful of occasions, so it can be taken as a sign that something very serious is happening.
In this case, something serious was CVE-2019-0708, a serious RDP vulnerability, which would soon be better known as BlueKeep. RDP (Remote Desktop Protocol) is what allows people to control Windows machines with a complete graphical user interface, over the Internet. The millions of Internet-connected machines running RDP range from cloud-hosted servers to Windows desktops used by remote workers, each a potential gateway to an organization’s on-premises network.
The BlueKeep “worm-type” vulnerability allows unauthenticated access through RDP, giving attackers the ability to issue commands to install malware, modify data, and create new user accounts. It affects computers running Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008.
Following several reports showing that the number of unpatched RDP servers on the Internet remains very high- despite warnings from experts and government agencies – the SophosLabs Offensive Research team has developed a Blue Keep attack with proof of concept (POC), using an exploit of its own to explain how this vulnerability remains a serious threat and will help Sophos learn how CVE-2019-0708 can be exploited by criminals.
The code is too dangerous to be published, so SophosLabs has recorded a video showing that the exploit is being used to gain full control of a remote system without authentication
The exploit works completely without files, providing the total control of a remote system without having to implement any malware. Nor does it require an active session with the objective. The development of this exploit is produced as a result of an arduous process of reverse engineering of the patch released by Microsoft in May to consider what was trying to fix.
While many security analysts have already published their own proof of concept code, they are only able to make fail Windows causing an error of “Blue Screen of Death” (BSOD). This type of attack causes the computer unusable until you restart; technically is a form of denial of service attack.
Andrew Brandt, Principal Investigator at Sophos, says: “The method built by Sophos Labs is not just DoS, after executing the exploit code, a hypothetical attacker can start a command shell that appears before login, on the screen of Windows login. Our researcher who worked on developing the PoC vulnerability chose to use a somewhat different technique than the public PoC code.” It is also a different method than that used in functional PoCs (that is, farms that do not cause blockages).
“We hope this video can convince people and organizations that have not yet patched BlueKeep that this is really a serious threat.” The expert recommends: “If you haven’t upgraded your Windows computers yet, do so now. We think it’s only a matter of time before someone takes advantage of this, and the best defense they can have is that patch. Also, close all firewalls that expose RDP to the open Internet.”