About six weeks ago Microsoft took the highly unusual step of including a patch for operating systems it no longer supports in its May Patch Tuesday output.
It’s something the software juggernaut has only ever felt the need to do on a handful of occasions, so when it does happen it can be taken as a sign that something very serious indeed is going on. In this case, the something serious was CVE-2019-0708, a very serious RDP vulnerability that would soon become better known as BlueKeep.
RDP (the Remote Desktop Protocol) is what allows people to control Windows machines via a full graphical user interface, over the internet. The millions of internet-connected machines running RDP include everything from cloud-hosted servers to Windows desktops used by remote workers, and each one is a potential gateway into an organisation’s internal network.
The ‘wormable’ BlueKeep vulnerability, announced by Microsoft with the release of patches to protect against it, could theoretically be used to run attackers’ code on every one of those machines, without a username and password.
The only sliver of hope that came with May’s patches was that CVE-2019-0708 was difficult to exploit. That difficulty created a window of time for organisations to patch against BlueKeep before crooks figured out how to abuse it. There was even the outside chance that it would prove too difficult to reverse engineer.
It was a hope that didn’t last long.
Since CVE-2019-0708 became public, a small number of organisations and security researchers have credibly claimed the ability to successfully exploit it.
Among their number is Sophos, who today revealed the existence of its own CVE-2019-0708 exploit PoC (Proof-of-Concept).
The PoC, described by BlueKeep namer and ‘megathread’ keeper Kevin Beaumont as ‘incredible’, was created by the SophosLabs Offensive Security team.
The code is obviously too dangerous to be released publicly, so SophosLabs has recorded a video showing the fileless exploit being used to gain full control of a remote system without authentication.
The PoC will help Sophos learn about how CVE-2019-0708 might be exploited by criminals.
So, why release proof of the proof-of-concept?
We hope this video convinces individuals and organizations who still haven’t patched that the BlueKeep vulnerability is a serious threat.
You can read more about the SophosLabs BlueKeep exploit on our sister site Sophos News. Do it after you’ve patched.
15 comments on “RDP BlueKeep exploit shows why you really, really need to patch”
Before you use RDP, you need to hack the VPN Connection.
How did you realize that?
Or are you talking about an RDP connection on an internal network?
Not everyone uses a VPN to access RDP access from ‘outside’. (And, as you say, most VPNs aren’t required from *inside*, so a vulnerable RDP server of this sort is still a serious risk.)
The video’s PoC was on an internal network. Based on the video, the most obvious mitigation for this exploit, besides patching, would be through networking: segregate your servers from anyone that doesn’t require console-level access using subnetting/VLANning (internal) and a VPN if external access is required. RDP should NEVER be open directly to the Internet.
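The mitigation in the comment above (keep RDP off the internet, reach it only from segregated internal ranges or a VPN) can be checked mechanically. The following is an added example, not code from Sophos or from the commenter: it audits a constructed, simplified rule set for allow rules that expose TCP or UDP 3389 to any source outside an assumed set of trusted ranges (RFC 1918 space here; a real deployment would substitute its own VPN pool and management subnets). The rule format is made up for the example.

```python
"""Flag firewall rules that expose RDP (port 3389) to untrusted sources.

Added example for the "never expose RDP directly to the Internet" mitigation.
Rule format is a constructed simplification: each rule is a dict with
action, proto, dst_port and src (a CIDR). Trusted source ranges are an
assumption (RFC 1918 private space); replace with your own VPN/management ranges.
"""
import ipaddress

RDP_PORT = 3389

# Assumed trusted sources: RFC 1918 private address space. A hypothetical
# VPN pool such as 10.200.0.0/16 sits inside 10.0.0.0/8 and so counts as trusted.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample rule set (not a real firewall export).
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "proto": "tcp", "dst_port": 443,  "src": "0.0.0.0/0"},
    {"id": 2, "action": "allow", "proto": "tcp", "dst_port": 3389, "src": "0.0.0.0/0"},
    {"id": 3, "action": "allow", "proto": "tcp", "dst_port": 3389, "src": "10.200.0.0/16"},
    {"id": 4, "action": "allow", "proto": "tcp", "dst_port": 3389, "src": "203.0.113.0/24"},
    {"id": 5, "action": "deny",  "proto": "tcp", "dst_port": 3389, "src": "0.0.0.0/0"},
    {"id": 6, "action": "allow", "proto": "udp", "dst_port": 3389, "src": "198.51.100.0/24"},
]


def source_is_trusted(src_cidr, trusted=TRUSTED_SOURCES):
    """True only if every address in src_cidr lies inside one trusted range.

    A source such as 0.0.0.0/0 is never a subnet of a private range, so it
    is reported even though it technically overlaps the trusted space.
    """
    net = ipaddress.ip_network(src_cidr, strict=False)
    return any(net.subnet_of(t) for t in trusted if net.version == t.version)


def exposed_rdp_rules(rules, trusted=TRUSTED_SOURCES):
    """Return the ids of allow rules that let untrusted sources reach port 3389.

    Both TCP and UDP are checked: newer RDP transports also use UDP 3389,
    and an exposure audit should err on the side of reporting.
    Deny rules are ignored; only permissive rules create exposure.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["dst_port"] != RDP_PORT:
            continue
        if not source_is_trusted(rule["src"], trusted):
            findings.append(rule["id"])
    return findings


if __name__ == "__main__":
    for rule_id in exposed_rdp_rules(SAMPLE_RULES):
        rule = next(r for r in SAMPLE_RULES if r["id"] == rule_id)
        print(f"rule {rule_id}: {rule['proto']}/{rule['dst_port']} "
              f"reachable from untrusted source {rule['src']}")
```

On the sample set, rules 2, 4 and 6 are reported; rule 3 passes because the assumed VPN pool is inside private space, and rule 5 is a deny. The check is deliberately rule-order-agnostic: a later deny does not excuse an earlier allow, since evaluation order differs between firewall products and a permissive rule is worth a look regardless.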
We didn’t notice any adverse effects after May’s patch, so I approved it for installation shortly after release. Typically I approve patches a month after release to give MS time for the beta testers, aka consumers and other businesses, to discover all the bugs. MS releasing this patch for XP/2003 made me hold my breath and join the beta testing crowd.
learned a new command… whoami
I happened to pause the video to see the application name UTILMAN.EXE in the title bar…just as Sophos was typing WHOA. I first thought that he typed in what was on his mind 🙂
Most already know the risk because Microsoft released patches all the way back to Windows 2003. Microsoft’s internal red team also likely has a working exploit, as even I have several colleagues who have gotten PoCs working. This is just purely a “look at me!” by Sophos. Useful.
So from the command prompt, can you create a user to then be able to login and have full access to the GUI desktop? If yes, that would be good to add to the video imho.
I recall eons ago, a number of MFDs and even ATMs running XP. Presumably these moved on to Win7 at some point. I guess blocking RDP could be the only option unless the vendor releases a patch?
The answer is, “It depends on other settings,” but if the computer you’re attacking is already configured to be listening for RDP connections directly on the internet, and is now unpatched for nearly three months, I would simply assume, “Yes.” Getting LocalSystem access is, in general, as close to Game Over as to be equivalent to it.
You can. You can also view all current users and change their passwords, but this would be noticeable even by a novice admin. At the point that this is done, you have a system-level command prompt (shell), and can do anything on the computer – from exfiltrating/deleting/uploading data to the box, making or changing users / settings / scheduling tasks / installing software etc etc.
Pretty scary stuff, reminds me of how we used to recover machines with lost passwords back in the day by replacing the sticky keys executable with a copy of cmd (obviously that didn’t work from an RDS session though).
That’s almost the same trick used today on Windows 10 computers. Everything goes in circles.
Some of you are missing the part about how this can be downloaded and run in a malware package and then take over any accessible unpatched machine (on that VLAN/LAN): PC, server or whatnot. Doesn’t matter if the initial entry point wasn’t an exposed RDP to the net. You can now take over everything from the inside that is vulnerable. Create backdoor accounts with admin privs, and you can worm a whole botnet scavenger with reverse tunnels as most companies do not even bother to filter/scan egress traffic.
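The comments above describe the post-exploitation pattern a defender should be watching for: an attacker with a SYSTEM-level shell creating a new account and adding it to Administrators. The following is an added detection example, not code from the post or from any commenter. It correlates constructed Windows Security event records (Event ID 4720, user account created; Event ID 4732, member added to a security-enabled local group) and flags any account added to Administrators shortly after being created, with an extra reason when the acting subject is SYSTEM. Field names follow the Windows event schema, but the records, host names and the ten-minute window are all made up for the example.

```python
"""Correlate account creation (4720) with addition to Administrators (4732).

Added example, not code from the article or its commenters. Records are a
constructed simplification of Windows Security events: plain dicts carrying
only the fields the check needs (Computer, SubjectUserName, TargetUserName,
MemberName). In a real pipeline these would come from Event Log or a SIEM.
"""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720            # A user account was created
LOCAL_GROUP_MEMBER_ADDED = 4732   # A member was added to a security-enabled local group
WINDOW = timedelta(minutes=10)    # assumed correlation window

# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    {"time": "2019-07-01T02:13:05", "event_id": 4720, "Computer": "FILESRV01",
     "SubjectUserName": "SYSTEM", "TargetUserName": "svc_backup2"},
    {"time": "2019-07-01T02:13:09", "event_id": 4732, "Computer": "FILESRV01",
     "SubjectUserName": "SYSTEM", "TargetUserName": "Administrators",
     "MemberName": "svc_backup2"},
    # Routine onboarding by a human admin: created in the morning, made an
    # RDP user at lunch, promoted hours later. Outside the window, so not flagged.
    {"time": "2019-07-01T09:30:00", "event_id": 4720, "Computer": "FILESRV01",
     "SubjectUserName": "jsmith", "TargetUserName": "newhire"},
    {"time": "2019-07-01T14:05:00", "event_id": 4732, "Computer": "FILESRV01",
     "SubjectUserName": "jsmith", "TargetUserName": "Remote Desktop Users",
     "MemberName": "newhire"},
    {"time": "2019-07-01T15:00:00", "event_id": 4732, "Computer": "FILESRV01",
     "SubjectUserName": "jsmith", "TargetUserName": "Administrators",
     "MemberName": "newhire"},
]


def parse_time(stamp):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def suspicious_admin_additions(events, window=WINDOW, group="Administrators"):
    """Return one finding per addition to `group` that follows the account's
    creation on the same host within `window`.

    For 4732 the group name is carried in TargetUserName and the new member
    in MemberName. A creator or actor of SYSTEM adds a second reason, since
    interactive administrators do not normally operate as SYSTEM.
    """
    created = {}   # (host, account) -> (creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort chronologically
        when = parse_time(ev["time"])
        if ev["event_id"] == ACCOUNT_CREATED:
            created[(ev["Computer"], ev["TargetUserName"])] = (when, ev["SubjectUserName"])
        elif ev["event_id"] == LOCAL_GROUP_MEMBER_ADDED and ev["TargetUserName"] == group:
            key = (ev["Computer"], ev["MemberName"])
            if key not in created:
                continue  # pre-existing account; out of scope for this rule
            created_at, creator = created[key]
            age = when - created_at
            if age > window:
                continue
            seconds = int(age.total_seconds())
            reasons = [f"account created {seconds}s before being added to {group}"]
            if "SYSTEM" in (creator, ev["SubjectUserName"]):
                reasons.append("actor is SYSTEM rather than an interactive administrator")
            findings.append({"host": ev["Computer"], "account": ev["MemberName"],
                             "seconds": seconds, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_admin_additions(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['account']} -> " + "; ".join(f["reasons"]))
```

On the sample data only svc_backup2 is reported (created and promoted four seconds apart by SYSTEM); the newhire account is promoted too, but hours after creation and by a named administrator, which is what routine onboarding looks like. Tune the window to the environment, and keep the rule host-scoped: the same account name created on two different machines should be treated as two separate events.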
Come back OpenVMS … all is forgiven …
It never went away 🙂 There’s a VMS product roadmap up to 2021…