BlueKeep guides make imminent public exploit more likely

A public exploit for Microsoft’s apocalyptic BlueKeep vulnerability is just days away. In fact, for those with deep enough pockets, it’s already here.

To refresh your memory: BlueKeep is a vulnerability in the Remote Desktop Protocol (RDP) implementation affecting Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008.

An attacker who exploits it can do two things. First, they can run code remotely on the compromised machine. Secondly, they can use RDP to exploit other machines without any human interaction. That’s a worm, and that’s bad, because it can spread on its own, infecting potentially hundreds of thousands of machines in short order.

The problem is exploiting it properly. Getting code to run on targeted machines without crashing them is technically difficult. That’s why, even though Microsoft acknowledged the vulnerability and patched it on 14 May 2019, we haven’t seen BlueKeep worms swarming across the internet yet.

Working exploits for BlueKeep have been developed by a number of ethical hackers and security companies, including Sophos, who decided to keep the details secret.

As the time people have had to patch increases, and as more people develop exploits, the omertà that’s keeping offensive code under wraps is starting to unravel.

This week, one technical expert released workable exploits, while others posted detailed instructions on how to produce them.

On Tuesday, security company Immunity Inc claimed to have added a module to its CANVAS automated exploitation system with a working BlueKeep exploit.

A subscription to the service costs tens of thousands of dollars, though, which should keep it out of the hands of the script kiddies.

The same day, a researcher posted a detailed technical analysis of the vulnerability, along with some Python proof-of-concept code, explaining exactly how to bridge the technical gap. The analysis omits an executable shellcode payload, and doesn’t explain where to put it, instead calling those “exercises left to the reader”. Still, it gets coders far closer to an executable attack.

The details are, as you might expect, extremely technical. BlueKeep is a use-after-free vulnerability, meaning that the program tries to use memory after it is supposed to have discarded it. The vulnerability lies in termdd.sys, which is the RDP kernel driver. An attacker can exploit this by opening an RDP connection to a remote computer, requesting a virtual channel – in this case a default RDP channel called MS_T120 – and sending specially crafted data to it.
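From the defender's side, the useful observation in the paragraph above is that a normal RDP client never asks for the MS_T120 channel by name: the server binds it internally. As an added example (not code from the article, from Sophos, or from any of the researchers it mentions), the Python below parses the Client Network Data block (TS_UD_CS_NET) that a client sends during the RDP connection sequence and flags any request that names a watched channel. It assumes the caller has already unwrapped the MCS Connect Initial and GCC envelope so that only the TS_UD_HEADER-prefixed user-data blocks remain; the field layout follows the published RDP connection-sequence documentation (MS-RDPBCGR), and the sample inputs are constructed here for illustration.

```python
import struct

# TS_UD_HEADER block types in the client's GCC user data (MS-RDPBCGR 2.2.1.3)
CS_CORE = 0xC001
CS_SECURITY = 0xC002
CS_NET = 0xC003

# Static virtual channel the server creates itself; a client naming it in its
# own channel list is the anomaly worth alerting on.
WATCHED_CHANNELS = {"MS_T120"}


def iter_user_data_blocks(client_data: bytes):
    """Yield (type, payload) for each TS_UD_HEADER-prefixed block.

    Each header is little-endian: type (2 bytes), length (2 bytes, includes
    the 4-byte header itself).
    """
    offset = 0
    while offset + 4 <= len(client_data):
        block_type, length = struct.unpack_from("<HH", client_data, offset)
        if length < 4 or offset + length > len(client_data):
            raise ValueError(f"malformed TS_UD_HEADER at offset {offset}")
        yield block_type, client_data[offset + 4:offset + length]
        offset += length


def parse_cs_net(payload: bytes):
    """Return channel names from a TS_UD_CS_NET payload (header stripped).

    Layout: channelCount (4 bytes) followed by CHANNEL_DEF entries of
    8-byte null-padded ANSI name plus 4-byte options.
    """
    if len(payload) < 4:
        raise ValueError("truncated TS_UD_CS_NET")
    (count,) = struct.unpack_from("<I", payload, 0)
    if 4 + 12 * count > len(payload):
        raise ValueError("channelCount exceeds CHANNEL_DEF array")
    names = []
    for i in range(count):
        start = 4 + 12 * i
        raw_name = payload[start:start + 8]
        names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def requested_channels(client_data: bytes):
    """All static virtual channels a client asked for in its connect request."""
    names = []
    for block_type, payload in iter_user_data_blocks(client_data):
        if block_type == CS_NET:
            names.extend(parse_cs_net(payload))
    return names


def suspicious_channels(client_data: bytes):
    """Channel names from the request that match the watch list."""
    return [n for n in requested_channels(client_data)
            if n.upper() in WATCHED_CHANNELS]


# --- constructed sample inputs (not captured traffic) ---------------------

def build_cs_net(channel_names):
    body = struct.pack("<I", len(channel_names))
    for name in channel_names:
        body += name.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0)
    return struct.pack("<HH", CS_NET, 4 + len(body)) + body


def build_client_data(channel_names):
    # Stand-in CS_CORE block: a real one carries version, desktop size, etc.
    core = struct.pack("<HH", CS_CORE, 8) + b"\x00\x00\x00\x00"
    return core + build_cs_net(channel_names)


BENIGN = build_client_data(["rdpdr", "rdpsnd", "cliprdr"])   # typical mstsc set
SUSPECT = build_client_data(["rdpdr", "MS_T120", "cliprdr"])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, requested_channels(sample), "->", suspicious_channels(sample))
```

In a sensor you would feed `suspicious_channels` the unwrapped user data from each inbound MCS Connect Initial on TCP/3389; any hit identifies the source address worth blocking and the host worth checking for the patch, independent of whatever payload follows.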

The exploit runs code on Windows XP, they said, but warned that it would probably crash Windows 7 or Server 2008 machines.

They justified the release of the information by saying that the information is “largely already available within the Chinese hacker community”. They might have been referring to a series of Chinese-language slides purportedly explaining how to exploit the vulnerability and execute remote code that someone else posted on GitHub on Monday.

We’re not linking to either of the GitHub repos here, because why make it easier for someone to develop a worm? They’re easy enough for people to find, though.

How many people could a working exploit hit? A scan from security firm BitSight on 2 July 2019 identified 805,665 vulnerable computers, down from almost a million in May. That’s worrying, because it shows that not enough people are patching. So the message is clear: If you’re running Windows XP, 7, Server 2003 or Server 2008, patch them, please.

More on RDP attacks

BlueKeep isn’t the only problem facing machines running RDP. Recent research by Sophos showed that criminals are performing massive numbers of simple but effective RDP password guessing attacks every day against internet-facing Windows machines.

Anna Brading talks to Matt Boddy, Ben Jones and Mark Stockley about their research in the Naked Security podcast series 2 launch episode, entitled RDP Exposed.

Listen now, and let us know what you think!

You can find out more about our RDP research here on Naked Security, or by reading the full report.