Sunday, July 15, 2012

RDP flaw

In march 2012 a security vulnerability, MS12-020, has been detected in the famous Microsoft RDP
protocol. Everyone using the RDP protocol should be aware of the damage it can cause!

Targets:

Microsoft Windows servers / clients with RDP enabled.

Attack surface:

DoS and Remote Code Execution (not in the wild).
Researchers have been working on developing a working remote code execution exploit for the bug,
but none has been published yet.

Your Risk:

A simple program 'with some exploit code' can crash your Windows Server on the RDP port.
If you publish your RDP servers over the Internet you are a BIG target.

Proof of Concept:

A Windows Server 2008 R2 (x64) with RDP enabled.




When launching a program with the concerning exploit code the following happens:



This is really NOT GOOD !

Solutions:
  • Don't use RDP :) (or try a least the RD Gateway)
  • Allow only 'Remote Desktop with Network Level Authentication'.
  • Patch your RDP servers.