The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Patch Tuesday March 2012 - Remote Desktop Pre-Auth Ring0 Use-After-Free RCE!

Kurt Baumgartner
Kaspersky Lab Expert
Posted March 13, 17:41  GMT
Tags: Microsoft

Patch Tuesday March 2012 fixes a set of vulnerabilities in Microsoft technologies. Interesting fixes rolled out will patch a particularly problematic pre-authentication ring0 use-after-free in Remote Desktop and a DoS flaw, a DoS flaw in Microsoft DNS Server, and several less critical local EoP vulnerabilities.

It seems to me that every time a small and medium sized organization runs a network, the employees or members expect remote access. In turn, this Remote Desktop service is frequently exposed to public networks with lazy, no-VPN or restricted communications at these sized organizations. RDP best practices should be followed requiring strong authentication credentials and compartmentalized, restricted network access.

Some enterprises and other large organizations continue to maintain a "walled castle" and leave RDP accessible for support. The problem is that RDP-enabled mobile laptops and devices will make their way to coffee shops or other public wifi networks, where a user may configure a weak connection policy, exposing the laptop to attack risk. Once infected, they bring back the laptop within the walled castle and infect large volumes of other connected systems from within. To help enterprises that may have patch rollout delays, Microsoft is providing a fix-it that adds network layer authentication to the connection, protecting against exploit of the vulnerability.

This past fall, we observed the RDP worm Morto attacking publicly exposed Remote Desktop services across businesses of all sizes with brute force password guessing. It was spreading mainly because of extremely weak and poor password selection for administrative accounts! The Morto worm incident brought attention to poorly secured RDP services. Accordingly, this Remote Desktop vulnerability must be patched immediately. The fact that it's a ring0 use-after-free may complicate the matter, but Microsoft's team is rating its severity a "1" - most likely these characteristics will not delay the development of malicious code for this one. Do not delay patch rollout for CVE-2012-0002.

Finally, for less technical readers, allow me to explain a little about what a "Remote Desktop pre-auth ring0 use-after-free RCE" really is. Remote Desktop is a remotely accessible service that enables folks to connect remotely to a Windows system and open a window to the desktop in an application as though you were sitting in front of the computer. Usually, you need to log in to the system to do that, so the system is fairly protected. Unfortunately, this bug is such that a remote attacker that can connect to the system's Remote Desktop service over the network can successfully attack the system without logging in. The "ring0" piece simply means that the vulnerable code exists deeply in the Windows system internals, or the kernel, of the operating system (most applications running on a system run in "ring3", or "user-mode"). "Use-after-free" is the type of vulnerability enabling the exploit, and this type of flaw is something that continues to be extremely difficult to weed out as predicted years ago, even as many of the more traditional low hanging stack and heap overflows have been stomped out by automated code reviews and better coding practices. And finally, RCE applies to the type of exploit enabled by the vulnerability, or "remote code execution", meaning an attacker can deliver malicious code of their choosing to the system and steal everything. There you go, "pre-auth ring0 use-after-free RCE".

Also, Microsoft's DNS servers maintain DoS vulnerabilities. With hacktivist activity hugely increasing over the past year, enterprises and providers running this software should quickly move to patch their DNS servers. Indications of attack include your standard UDP request flood.

UPDATE (2012.03.16): the twitter infosec sphere last night and the blogosphere this morning is in a bit of a frenzy about the public leak of a DoS PoC targeting CVE-2012-0002, the RDP pre-auth remote. First off, patch now. Now. If you can't, use the mitigation tool that Microsoft is offering - the tradeoff between requiring network authentication and the fairly high risk of RCE in the next couple of weeks is worth it. You can see the list of related links on the side of this page, one was included for MS12-020.

Some interesting additional information has surfaced about the vulnerability, including the fact that the bug was generated in May of 2011 and "reported to Microsoft by ZDI/TippingPoint in August 2011". The researcher, Luigi Ariemma, discusses that this work wasn't disclosed by him (often his fully discloses his work). After some careful investigation of the poorly coded "rdpclient.exe" posted online in Chinese forums, he found that it was a cheap replica of the unique code he provided to ZDI and in turn, Microsoft, when privately reporting the bug. This is bad. And already, researchers with connections to Metasploit open source exploit dev like Joshua Drake are tightening up the code, developing and sharing improved PoC. As Microsoft pointed out, confidence in the development of a reliable public exploit within 30 days is very high.

Regardless, the implications of a leak in the highly valuable MAPP program could hinder strong and important security efforts that have been built on years of large financial investment, integrity, and maturing operational and development processes. Thoughts and opinions on the leak itself can be found over at Zero Day. At the same time, I think that this event may turn out to be nothing more than a ding in the MAPP program's reputation, but it's important that this one is identified and handled properly. With the expansion of the program, an event like this one is something that certainly should have been planned for.


If you would like to comment on this article you must first

Bookmark and Share

Related Links