BlueKeep RDP CVE-2019-0708 Metasploit Exploit PoC
On the 6th of September 2019, a Metasploit exploit module for BlueKeep was released to the public. The exploit is not yet 100% stable, but it does work at least against Windows 7. We expect a higher-quality exploit to be developed in the near future that will reliably exploit systems from Windows 2000 through Windows Server 2008 R2.
Short Explanation of the Vulnerability
RDP uses “virtual channels”, negotiated before authentication, as a data path between client and server for protocol extensions. RDP 5.1 defines 32 “static” virtual channels, and “dynamic” virtual channels are multiplexed over one of these static channels. The server binds its own internal channel “MS_T120” to static channel 31; a client has no legitimate reason to request that channel. If a client nevertheless lists MS_T120 in its connection request, the server binds it to a second, different static channel index, and the resulting confusion over who owns the channel object leads to a use-after-free in the kernel-mode RDP driver (termdd.sys). The corrupted heap allows arbitrary code execution at the system level, without any credentials.
So how does the exploitation of the vulnerability work?
- Open an RDP connection that requests the “MS_T120” virtual channel in the client's channel list (which no legitimate client ever does)
- Spray the kernel heap with controlled data
- Trigger further allocations so the spray lands where the freed channel object will be
- Gain control of the instruction pointer (EIP)
- Trigger the use-after-free heap corruption and execute the ring 0 shellcode
NOTE: the exploit is not 100% stable and may crash the remote host with a blue screen (BSOD) instead of giving a shell.
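The precondition in the first step above is a client that lists MS_T120 among the static virtual channels it requests in the MCS Connect Initial PDU. The Python below is an added example, not code from the original post or from the Metasploit module: it encodes and decodes that channel list (the Client Network Data block, TS_UD_CS_NET, from MS-RDPBCGR section 2.2.1.3.4) and flags an MS_T120 request, which is exactly what a scanner or an IDS signature looks for. The sample channel lists are constructed inline and the function names are my own.

```python
"""Client Network Data (TS_UD_CS_NET, MS-RDPBCGR 2.2.1.3.4): the static virtual
channel list an RDP client sends inside the MCS Connect Initial PDU.

Added example, not from the original post or the Metasploit module.
All sample data below is constructed inline.
"""
import struct

CS_NET = 0xC003                 # user-data header type for Client Network Data
CHANNEL_DEF_LEN = 12            # CHANNEL_DEF: 8-byte NUL-padded name + 4-byte options
MAX_STATIC_CHANNELS = 31        # clients may request at most 31 (indices 0..30)
# Channel names a client has no legitimate reason to request (matched case-insensitively
# so a differently cased request is still flagged).
SUSPICIOUS_CHANNELS = {"ms_t120"}

# CHANNEL_DEF.options flags (MS-RDPBCGR 2.2.1.3.4.1); only the two used here.
CHANNEL_OPTION_INITIALIZED = 0x80000000
CHANNEL_OPTION_ENCRYPT_RDP = 0x40000000
DEFAULT_OPTIONS = CHANNEL_OPTION_INITIALIZED | CHANNEL_OPTION_ENCRYPT_RDP


def build_cs_net(channel_names, options=DEFAULT_OPTIONS):
    """Encode a TS_UD_CS_NET block listing the given static virtual channels."""
    if len(channel_names) > MAX_STATIC_CHANNELS:
        raise ValueError("too many static channels")
    defs = b""
    for name in channel_names:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 8:          # name is a fixed 8-byte field
            raise ValueError(f"bad channel name {name!r}")
        defs += raw.ljust(8, b"\x00") + struct.pack("<I", options)
    body = struct.pack("<I", len(channel_names)) + defs      # channelCount + channelDefArray
    return struct.pack("<HH", CS_NET, 4 + len(body)) + body  # header: type, total length


def parse_cs_net(blob):
    """Decode a TS_UD_CS_NET block into a list of (name, options) tuples."""
    if len(blob) < 8:
        raise ValueError("truncated CS_NET header")
    hdr_type, length = struct.unpack_from("<HH", blob, 0)
    if hdr_type != CS_NET:
        raise ValueError(f"not a CS_NET block (type 0x{hdr_type:04x})")
    count, = struct.unpack_from("<I", blob, 4)
    # Bound every read by the declared length and by what we actually hold.
    if length > len(blob) or 8 + count * CHANNEL_DEF_LEN > length:
        raise ValueError("channelCount does not fit in the declared length")
    channels = []
    for i in range(count):
        off = 8 + i * CHANNEL_DEF_LEN
        raw_name = blob[off:off + 8].split(b"\x00", 1)[0]
        opts, = struct.unpack_from("<I", blob, off + 8)
        channels.append((raw_name.decode("ascii", "replace"), opts))
    return channels


def static_channel_indices(channels):
    """Map each requested channel name to its position in the list, which is the
    static channel index the server assigns it.  A requested MS_T120 therefore lands
    on some index other than the built-in slot 31, the condition the post describes."""
    return {name: idx for idx, (name, _opts) in enumerate(channels)}


def suspicious_channels(channels):
    """Return the names from a parsed channel list that a client should never request."""
    return [name for name, _opts in channels if name.lower() in SUSPICIOUS_CHANNELS]


if __name__ == "__main__":
    # Constructed examples: a normal client and one that also asks for MS_T120.
    normal = parse_cs_net(build_cs_net(["rdpdr", "cliprdr", "drdynvc"]))
    hostile = parse_cs_net(build_cs_net(["rdpdr", "cliprdr", "drdynvc", "MS_T120"]))
    print("normal client:", suspicious_channels(normal))
    print("hostile client:", suspicious_channels(hostile), static_channel_indices(hostile))
```

The parser handles only the CS_NET block itself; in a packet capture it sits inside the GCC Conference Create Request of the MCS Connect Initial, so you would locate it by its 0xC003 header type first. Whether the server honours a differently cased channel name is not something this example tests; it only refuses to let a trivial case change slip past the check.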
How to mitigate the vulnerability
- RDP should not be exposed on the internet. An internet-facing RDP service can be attacked not only with this exploit but also by credential guessing and by phishing chained with stolen credentials. As a general rule, do not use RDP externally; if you have to reach your organization's network remotely, connect through a VPN and use RDP behind it.
- Patch Windows with the latest security updates. Microsoft's guidance and the per-version updates for this CVE are listed at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708. If you are still running Windows XP or Windows Server 2003, which is not recommended, Microsoft has also published out-of-band updates for those versions.
- Enable Network Level Authentication (NLA) to block unauthenticated attackers. With NLA turned on, an attacker first has to authenticate to Remote Desktop Services with a valid account on the target before reaching the pre-authentication channel negotiation where the bug lives. NLA is a mitigation, not a fix: an attacker who holds valid credentials can still trigger the vulnerability, so patching remains necessary.
- If you do not use RDP, block TCP port 3389 (and any custom RDP port) on the perimeter and on host firewalls, and disable Remote Desktop on hosts that do not need it, so that there is no way to reach RDP into or out of your organization's network.
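The NLA recommendation above can be verified from the outside, before an attacker does it for you: ask the server for standard RDP security only and see whether it refuses. The Python below is an added example, not code from the original post. It builds the X.224 Connection Request with an RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1) that requests PROTOCOL_RDP and nothing else, then classifies the X.224 Connection Confirm (2.2.1.2). A server that enforces NLA answers with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER (or SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER); a server that accepts standard RDP security, or that only insists on TLS, still lets an unauthenticated client reach the virtual-channel negotiation. The sample responses in the block are constructed to illustrate those cases, and the `probe()` helper and its name are my own.

```python
"""Check whether an RDP server enforces Network Level Authentication (NLA).

Sends an X.224 Connection Request whose RDP_NEG_REQ asks for standard RDP
security only (MS-RDPBCGR 2.2.1.1) and classifies the X.224 Connection Confirm
(2.2.1.2).  Added example, not from the original post; the sample responses are
constructed inline and probe() is a name chosen here.
"""
import socket
import struct

PROTOCOL_RDP = 0x00000000          # standard RDP security: no TLS, no CredSSP
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
NLA_ENFORCED_CODES = {5, 6}        # both mean CredSSP authentication comes first


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie=b"probe"):
    """TPKT header + X.224 Connection Request + routing cookie + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = (b"\xe0"                      # X.224 CR code
            + b"\x00\x00" + b"\x00\x00"  # DST-REF, SRC-REF
            + b"\x00"                    # class 0
            + b"Cookie: mstshash=" + cookie + b"\r\n"
            + neg_req)
    x224 = bytes([len(x224)]) + x224     # length indicator counts everything after it
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


def classify_connection_confirm(data):
    """Return (verdict, detail) for a TPKT-framed X.224 Connection Confirm.
    verdict is 'nla-enforced', 'nla-not-enforced' or 'invalid'."""
    if len(data) < 11 or data[0] != 0x03:
        return "invalid", "not a TPKT-framed X.224 PDU"
    if struct.unpack(">H", data[2:4])[0] != len(data):
        return "invalid", "TPKT length does not match"
    li, code = data[4], data[5]
    if code != 0xD0:
        return "invalid", f"unexpected X.224 code 0x{code:02x}"
    if li == 6:
        # No negotiation block at all: an older server (Windows XP/2003 style) that
        # speaks standard RDP security only, so NLA cannot be in play.
        return "nla-not-enforced", "no RDP_NEG_RSP, standard RDP security only"
    if len(data) < 19:
        return "invalid", "truncated negotiation block"
    ntype, _flags, nlen, value = struct.unpack_from("<BBHI", data, 11)
    if nlen != 8:
        return "invalid", "bad negotiation block length"
    if ntype == TYPE_RDP_NEG_RSP:
        # We offered PROTOCOL_RDP only, so the only valid acceptance is exactly that.
        if value == PROTOCOL_RDP:
            return "nla-not-enforced", "server accepted standard RDP security"
        return "invalid", f"server selected protocol 0x{value:08x} we never offered"
    if ntype == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, f"unknown failure 0x{value:08x}")
        if value in NLA_ENFORCED_CODES:
            return "nla-enforced", name
        # SSL_REQUIRED_BY_SERVER and friends: retrying over TLS without CredSSP still
        # reaches the unauthenticated channel negotiation, so NLA is not protecting it.
        return "nla-not-enforced", name
    return "invalid", f"unknown negotiation type 0x{ntype:02x}"


def probe(host, port=3389, timeout=5.0):
    """Send the request to a live host and classify the answer (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        data = s.recv(1024)
    return classify_connection_confirm(data)


# Constructed Connection Confirm PDUs (TPKT + X.224 CC + optional negotiation block).
SAMPLE_NLA_ENFORCED = bytes.fromhex("030000130ed000000000000300080005000000")  # FAILURE 5
SAMPLE_TLS_ONLY = bytes.fromhex("030000130ed000000000000300080001000000")      # FAILURE 1
SAMPLE_NO_NLA = bytes.fromhex("030000130ed000000000000200080000000000")        # RSP, RDP
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000000000")                        # no neg block

if __name__ == "__main__":
    for label, pdu in [("nla", SAMPLE_NLA_ENFORCED), ("tls-only", SAMPLE_TLS_ONLY),
                       ("plain", SAMPLE_NO_NLA), ("legacy", SAMPLE_LEGACY)]:
        print(label, classify_connection_confirm(pdu))
```

Run `probe("host")` against your own servers and treat anything other than `nla-enforced` as an exposed pre-authentication attack surface. The classifier deliberately reports TLS-only servers as not enforcing NLA: TLS encrypts the session but does not require credentials before the channel list is processed.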
It is illegal to use this exploit on any computer without the owner's permission. This blog post is written for educational purposes only, to show how the vulnerability is exploited and how to mitigate it.