Working PoC for MS12-020 Spotted in the Wild

A warning against a critical vulnerability in the Remote Desktop Protocol (RDP) was posted by Microsoft on Tuesday, March 13. A patch to close this security hole was released on the same day as part of the regular MS Patch Tuesday release: Microsoft Remote Desktop Protocol CVE-2012-0002 Remote Code Execution Vulnerability (BID 52353).

As RDP listens on a TCP port, this vulnerability can be triggered remotely and could lead to code execution. Hackers are eager to develop an exploit. Security Response can confirm that a Proof of Concept (PoC) resulting in a denial-of-service condition for MS12-020 has been published. Symantec has released IPS signature 25610 (Attack: Microsoft RDP CVE-2012-0002 3) to block attempts to exploit the vulnerability.

At this time, the PoC does not deliver a payload and is detected by the 25610 signature. There is no doubt that development of an effective exploit will continue and will accelerate based on the published PoC. We have not yet seen any PoC that provides remote code execution. Security Response will continue to closely monitor this issue and will update protections based on the evolution of the threat.

Update #1 [March 16, 2012]:

There have been three updates in the last 24 hours:

  1. There have been many reports coming in of additional PoC code being published on various sites. For instance, one of these postings includes a comment that claimed a PoC was created by Sabu—a possible attempt to mock the recently maligned Anonymous member following news of his involvement with law enforcement.
  2. A screenshot emerged that reportedly shows an executable performing remote code execution. It is probable this is not a legitimate exploitation example. Aside from the screenshot, remote code execution has not been confirmed.



  3. Luigi Auriemma, the researcher who discovered the vulnerability, has published his original advisory with his own PoC submitted last year.

Update #2 [March 19, 2012]:

The race for Remote Code Execution (RCE) is well underway but as of today there are still no available exploits that have achieved this target. This is testament to the difficulty in controlling the crash in order to redirect the program flow. This is a window of opportunity that should be used to ensure that you have no unnecessary Internet-facing machines using RDP unless absolutely necessary and that the patch available for MS12-020 from Microsoft is applied to limit exposure to this critical vulnerability.

Dan Kaminsky ran a quick scan on exposed IP addresses using the RDP protocol estimating that there are as many as five million endpoints on the Internet today.

There are also indications with more recent tweets that controlling the exploit has progressed from the original denial-of-service Proof of Concept (PoC).

Below is a screenshot from crypt0ad’s tweet - “Productive day. Not there yet though.”

We are monitoring the situation closely as this exploit continues to develop.

Update #3 [March 23, 2012]:

Alas, we still await the RCE for MS12-020 (CVE-2012-0002). It appears as though controlling the code subsequent to the crash is still providing a major stumbling block for vulnerability researchers and hackers alike. The main technique being discussed on IRC chatrooms, such as #ms12-2012 on, is the use of a heap spray to catch the program flow from the vulnerable crash in order to execute code of the hackers/crackers choosing. This approach is causing some serious head scratching!

The metasploit framework has been updated to facilitate a denial-of-service module for the exploit on March 19, which can be used to test against machines that remain vulnerable.

Intrustion Prevention Signatures (IPS) are in place for all of the known PoCs and exploit modules that are publicly available and we continue to investigate this RDP exploit as the situation develops. The IPS will be complemented with traditional AV signatures should this nasty exploit find its way into any malicious code such as worms, which would use the exploit as a self-propagation method. We are monitoring the situation closely for developments.

IPS Attack Signatures: