Monday, April 9, 2012

Remote Desktop DOS Demo MS12-020

What is Remote desktop by Microsoft
If some of you are new to Microsoft Windows and are not sure what Remote Desktop is, here is the answer from Microsoft itself:

"Remote Desktop Connection is a technology that allows you to sit at a computer (sometimes called the client computer) and connect to a remote computer (sometimes called the host computer) in a different location. For example, you can connect to your work computer from your home computer and have access to all of your programs, files, and network resources as though you were in front of your computer at work. You can leave programs running at work and then, when you get home, you can see your work computer's desktop displayed on your home computer, with the same programs running."

General Information
According to Microsoft, the vulnerability exists in versions of Windows from XP onwards up to the latest server operating system. But as the server administrator, have you ever thought about what those vulnerabilities are and seen them for yourself, or do you just believe what has been mentioned on the web? The security flaw lies in how Remote Desktop handles the maxChannelIDs field of the ConnectMCSPDU packet, which results in an invalid pointer being used and therefore causes a denial-of-service condition.

Should we worry?
If I were you, I would start to worry. If you have any terminal server exposed to the internet, I suggest you remove it if it is no longer in production, and patch the system with KB2671387, which was released on March 13, 2012. In this article I will show you how an attacker launches the DOS attack without credentials. I will also show you how you can use some tools to audit your network.

How we do it?
If you followed my earlier article on the power of exploitation tools, you will have noticed how easily an attacker can obtain the tools and launch different types of attack. For the Remote Desktop vulnerability, I will use the nmap scan engine to detect any host that has this vulnerability before I crash the machine; for more detail on the parameters you can refer to the power of exploitation articles. The reason for such a long parameter list is to hide and make sure we are not waking up the IPS.

nmap -v -Pn -sS --script=rdp-vuln-ms12-020.nse -f --mtu 32 --data-length 50 --source-port 99 --randomize-hosts -T 1 <target host or range>

The first figure shows a scan where nothing was detected; in that case you will get output like the screenshot below.
[Figure: ms12-020 remote desktop scan output, nothing detected]

If the scanning tool detects that your machine is vulnerable to the Remote Desktop vulnerability, you will get the following output. You can scan an entire network range too.
[Figure: ms12-020 remote desktop scan output, vulnerable host detected]
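As an added example that is not from the original post: a small Python helper for the auditing side of this. It builds a plain nmap audit command for the same rdp-vuln-ms12-020 script (port 3389 only, XML output, and without the evasion flags shown above, since an authorized audit of your own hosts has no need to hide from the IPS) and parses the resulting XML report to list which hosts the script reported as vulnerable. The embedded XML report is constructed for this example and mimics nmap's -oX layout; the function names and the default output file name are my own assumptions.

```python
"""Audit helper: build an nmap MS12-020 check command and summarize its XML report."""
import re
import shlex
import xml.etree.ElementTree as ET

SCRIPT_ID = "rdp-vuln-ms12-020"
# The vulns library used by NSE scripts prints a "State:" line in its output.
# "NOT VULNERABLE" must be tried before "VULNERABLE" so it is not mismatched.
STATE_RE = re.compile(r"State:\s*(NOT VULNERABLE|LIKELY VULNERABLE|VULNERABLE)")


def build_audit_command(targets, xml_out="ms12-020-audit.xml"):
    """Return argv for an authorized audit scan of the given hosts/ranges.

    Only port 3389 is probed and the report is written as XML so that it can be
    parsed reliably afterwards (the output file name is an assumed default).
    """
    if not targets:
        raise ValueError("at least one target host or range is required")
    return ["nmap", "-Pn", "-p", "3389", "--script", SCRIPT_ID,
            "-oX", xml_out, *targets]


def parse_audit_xml(xml_text):
    """Summarize rdp-vuln-ms12-020 results from an nmap XML report.

    Returns one dict per host that has a 3389 entry: its address, the port
    state and the script verdict ("VULNERABLE", "LIKELY VULNERABLE",
    "NOT VULNERABLE", "unparsed", or "no result" when the script did not run).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        port = host.find("ports/port[@portid='3389']")
        if addr_el is None or port is None:
            continue  # host down, no address, or 3389 not reported
        verdict = "no result"
        script = port.find(f"script[@id='{SCRIPT_ID}']")
        if script is not None:
            m = STATE_RE.search(script.get("output", ""))
            verdict = m.group(1) if m else "unparsed"
        findings.append({
            "addr": addr_el.get("addr"),
            "port_state": port.find("state").get("state"),
            "verdict": verdict,
        })
    return findings


def vulnerable_hosts(findings):
    """Addresses that should be patched (KB2671387) or taken off the internet."""
    return sorted(f["addr"] for f in findings
                  if f["verdict"] in ("VULNERABLE", "LIKELY VULNERABLE"))


# Constructed sample report (not real scan data): one vulnerable host, one
# patched host reported with vulns.showall, one host with 3389 closed, one down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p 3389 --script rdp-vuln-ms12-020 -oX - 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
      <service name="ms-wbt-server"/>
      <script id="rdp-vuln-ms12-020" output="&#xa;  VULNERABLE:&#xa;  MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability&#xa;    State: VULNERABLE&#xa;    Risk factor: Medium"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
      <service name="ms-wbt-server"/>
      <script id="rdp-vuln-ms12-020" output="&#xa;  MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability&#xa;    State: NOT VULNERABLE"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="3389"><state state="closed" reason="reset"/></port></ports></host>
  <host><status state="down"/><address addr="192.0.2.13" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    print("audit command:", shlex.join(build_audit_command(["192.0.2.0/29"])))
    results = parse_audit_xml(SAMPLE_XML)
    for f in results:
        print(f"{f['addr']:<14} 3389={f['port_state']:<7} {f['verdict']}")
    print("needs patching:", ", ".join(vulnerable_hosts(results)) or "none")
```

Run the printed command against your own address ranges, then feed the XML file to parse_audit_xml to get a list of hosts to patch; the "no result" verdict is worth following up too, since it means the script could not reach an RDP service rather than that the host is safe.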

Once you have identified the machines, you can run the DOS tool and target them. In many cases the bad guys won't think of scanning with nmap first. But you, as a security professional, should never use the exploitation tools from your machines to target a server.
[Figure: ms12-020 remote desktop output from the MSF console]

Look what we have here: a blue screen of death on the latest Windows Server 2008 R2 SP1. This could have been avoided if you had taken the initiative to protect the server by applying patches.
[Figure: ms12-020 remote desktop bluescreen]

What we will be expecting next?
As you know, this is not the only way the damage can happen; another would be to embed the code so that it becomes a worm on your network. Think of the damage it could cost you. It could be a more damaging worm than Conficker.

Note on ethics
Our intention when we started writing these articles was to give an overview of what tools exist on the market and how we can use them to secure our organization against any unidentified threats. When you start to use the tools above, please make sure you keep this with you:
  • Don't use this for any malicious intention
  • Don't attack any organization without approval from top management.
  • Think of the damage that you might cause

In this article, we have presented the abilities of Nmap as well as Metasploit on BackTrack 5. We have shown the trick of hiding in the network while performing intelligent information gathering. The author also shows a common attack as attackers commonly perform it, to show how fast they can compromise a system. As you can see, the growth of these tools can help anyone become a security pentester, while in the wrong hands they could bring more damage than good. Such an attack is much easier to perform and more likely to succeed. The author sincerely hopes that these short articles can increase awareness for anyone who is handling computer or security services. In the broader sense, we hope that the information helps you to better secure your organization's assets.

Let us know what you thought, learned and hope for in the next articles! Connect with us on GOOGLE+, TWITTER and FACEBOOK.
