Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

RDP Proof-of-Concept Exploit Triggers Blue Screen of Death

Soulskill posted more than 2 years ago | from the if-you-build-it dept.

Bug 128

mask.of.sanity writes "A working proof of concept has been developed for a dangerous vulnerability in Microsoft's Remote Desktop Protocol (RDP). The hole stands out because many organizations use RDP to work from home or access cloud computing services. Only days after a patch was released, a bounty was offered for devising an exploit, and later a working proof of concept emerged. Chinese researchers were the first to reveal it, and security professionals have found it causes a blue screen of death in Microsoft Windows XP and Windows Server 2003 machines. Many organizations won't apply the patch and many suspect researchers are only days away from weaponizing the code."

Sorry! There are no comments related to the filter you selected.

Remote Death Packet... (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#39377645)

I heard a rumor that if you send an SYN-ACK after SYN request from a certain IP, you die.

It totally happened to my cousin's friend.

Re:Remote Death Packet... (-1)

Anonymous Coward | more than 2 years ago | (#39377819)

I heard a rumor that if you send an SYN-ACK after SYN request from a certain IP, you die. It totally happened to my cousin's friend.

I heard a better rumor that if you send a SYN-ACK after SYN to a certain IP ...

They send you back to Africa, you nigger!

It like totally, as if, talk to the hand.

Re:Remote Death Packet... (0)

Anonymous Coward | more than 2 years ago | (#39378229)

Came here to make essentially the same remark.
As AC I never have modpoints, so you'll have to settle for a tip of the hat.

Summary writer: "weaponize"? Please.

Re:Remote Death Packet... (0)

Anonymous Coward | more than 2 years ago | (#39378921)

Like, totally!

Re:Remote Death Packet... (0)

Anonymous Coward | more than 2 years ago | (#39379043)

This is totally right, if you're laptop gets a SYN, and responds with a SYN-ACK, you will die!
Eventually.

Re:Remote Death Packet... (1)

Nrrqshrr (1879148) | more than 2 years ago | (#39380075)

I just sent you a SYN request, send a SYN-ACK back to ten friends and the crush of your life will start noticing you.

Re:Remote Death Packet... (0)

Anonymous Coward | more than 2 years ago | (#39380237)

Almost, you need a mirror, but a loop-back adapter will do in a pinch. Then you must SYN-ACK, SYN-ACK, SYN-ACK (three times is important, not two, not four, most definitely not five). The next time you reboot, Bloody Mary will appear and wipe you hard drive. Seriously, Microsoft reported it last Tuesday.

Re:Remote Death Packet... (4, Funny)

Ihmhi (1206036) | more than 2 years ago | (#39380701)

Now now, don't be so synackal.

Is this the hole that was patched one Tuesday? (1)

bemymonkey (1244086) | more than 2 years ago | (#39377651)

Or something entirely new?

Re:Is this the hole that was patched one Tuesday? (1)

bemymonkey (1244086) | more than 2 years ago | (#39377691)

*on* Tuesday...

Re:Is this the hole that was patched one Tuesday? (5, Informative)

Abalamahalamatandra (639919) | more than 2 years ago | (#39377835)

Yes. The guy who discovered it reported it to both the TippingPoint Zero Day Initiative and to Microsoft, and sent them the packet that triggers the exploit. That exact same packet showed up in this exploit, meaning somebody either at ZDI or Microsoft or part of the MAPP program leaked it.

So much for responsible disclosure! Although as soon as I saw that TippingPoint had released a signature for this on Tuesday, I figured that would be enough information for people to figure out what was up. Leaking the exact packet made things even easier and quicker, though.

Gee, I do so love it when I get three days to deploy a critical patch throughout my entire production environment. That makes for some wonderful conversations with the admin staff, let me tell you!

Re:Is this the hole that was patched one Tuesday? (3, Interesting)

Sir_Sri (199544) | more than 2 years ago | (#39377923)

Just below your comment there's one from an AC titled "Missed the real story" indicating the exploit code was released from within MS.

That might mean some jackass got the brilliant idea that if there's going to be an exploit soon anyway, it may as well be the original one, and that will scare people into deploying the patch *right now*.

Re:Is this the hole that was patched one Tuesday? (3, Insightful)

hairyfeet (841228) | more than 2 years ago | (#39380133)

Well in a way I honestly can't say that I blame them. Just look at how many here are pissing and moaning they are gonna have to go and deploy this patch across their system, aka doing their jobs, when we ALL know it is SOP for the script kiddies to reverse engineer every single patch MSFT releases and to use that for making easy attacks. Look at how many "ZOMFG Windows got horribly hacked!" we have seen where it was fucking patched MONTHS AGO but corps drug their feet and ended up getting pwned.

To use a /. car analogy if you park your car on the railroad track to take a nap and someone comes along and says "hey i live around here and there is a train coming down that track, let me help you move to someplace safe" and you go "nahhh, hitting those bumps might shake loose a screw, give me time to crawl under the hood and check everything out" and you drag your feet until the train hits you? Well stupid fucking you, you deserved what you got. Its not like this isn't common knowledge, or some new thing the script kiddies are doing, its been SOP since Win9X. MSFT releases a patch, script kiddies reverse engineer, a dozen variants are out in the wild within hours of patching. If you are so damned worried about compatibility you need to be running a test bed anyway just for this scenario, and when a nasty bug is patched your ass damned well better be on the ball and ready to deploy because those script kiddies aren't gonna go "Its okay, we'll wait, just let us know when you're ready". Like it or not folks malware and exploits are a billion dollar business and with that kind of money at stake you damned well better bring your A game, anything less is your ass.

Re:Is this the hole that was patched one Tuesday? (1)

arth1 (260657) | more than 2 years ago | (#39378629)

Yes. The guy who discovered it reported it to both the TippingPoint Zero Day Initiative and to Microsoft, and sent them the packet that triggers the exploit. That exact same packet showed up in this exploit, meaning somebody either at ZDI or Microsoft or part of the MAPP program leaked it.

That does not follow. The original discoverer might have disclosed it to other resources who leaked it, or leaked it himself.

If that exact packet is an obvious way of doing it, it could also have been an independent discovery.

Re:Is this the hole that was patched one Tuesday? (1)

Abalamahalamatandra (639919) | more than 2 years ago | (#39379797)

That does not follow. The original discoverer might have disclosed it to other resources who leaked it, or leaked it himself.

If that exact packet is an obvious way of doing it, it could also have been an independent discovery.

Why doesn't it follow? This has been a risk since day one of Microsoft's advance notification program.

In this [zdnet.com] article, Luigi Auriemma, the guy who discovered the flaw and reported it to Microsoft, explains the changes he made to the packet and the fact that the same packet was in the released exploit code.

Re:Is this the hole that was patched one Tuesday? (1)

arth1 (260657) | more than 2 years ago | (#39380423)

In this article, Luigi Auriemma, the guy who discovered the flaw and reported it to Microsoft, explains the changes he made to the packet and the fact that the same packet was in the released exploit code.

That doesn't in any way preclude him from having sent the same code to others. We don't know that Microsoft is to blame here. And I'm not a MS fanboi - I just want there to be more information before anyone draw any conclusions.

Re:Is this the hole that was patched one Tuesday? (0)

Anonymous Coward | more than 2 years ago | (#39380771)

That doesn't in any way preclude him from having sent the same code to others. We don't know that Microsoft is to blame here. And I'm not a MS fanboi - I just want there to be more information before anyone draw any conclusions.

Dude, this is the internet. We draw conclusions before we even know what the story is, let alone what "more information" entails.

Missed the real story (5, Informative)

Anonymous Coward | more than 2 years ago | (#39377693)

The exploit is one thing, but the real story is that the exploit code was leaked from somewhere inside Microsoft, likely the MSRC. There's a string in the exploit that points to a folder on an internal MSRC server. This is about as bad as it gets. See here: https://twitter.com/#!/jduck1337/status/180495975377408001 [twitter.com] and here: https://threatpost.com/en_us/blogs/ms12-020-rdp-exploit-found-researchers-say-code-may-have-leaked-security-vendor-031612 [threatpost.com]

Re:Missed the real story (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#39378065)

It has come to our attention that some of our customers may not have purchased upgrades in a timely manner... We encourage them to remedy this situation as swiftly as their checkbooks allow.

If by purchase (2, Informative)

Sycraft-fu (314770) | more than 2 years ago | (#39379307)

You mean "download for free" then maybe. You realize that all Windows updates for the entire life cycle of the product are included with the purchase price of the original copy, correct? They do not charge a maintenance fee. They are also very up front about life cycle and end of life. 10 years minimum for all OSes. It can be (and often is) extended, but it is never less than that.

Re:Missed the real story (1)

Anonymous Coward | more than 2 years ago | (#39378883)

Reread your article. They seem to claim that the leak came from one of Microsofts partners, not Microsoft itself. Posting as AC since I don't want my inbox flooded with the usual haters going on about grammar subtleties.

How important is this? (4, Informative)

darkmeridian (119044) | more than 2 years ago | (#39377705)

The exploit doesn't allow unauthorized access or remote root. It only allows a denial of service against Windows XP and Windows Server 2003 products. It doesn't seem that Windows 7 and Windows Server 2008 are vulnerable. That really mitigates that risk. I have a Windows Home Server 2011 box that shouldn't be vulnerable because it's based on the WS2008R2 code base. Furthermore, there's already a patch for this bug. Therefore, if you're still running an old version of Windows that you neglected to patch, then your server might be crashed remotely. I don't think it's really that deadly or scary.

Re:How important is this? (0)

Anonymous Coward | more than 2 years ago | (#39377771)

Just like a buffer overflow crashing an application, it's only a matter of time before they inject code to run.

Re:How important is this? (0)

Anonymous Coward | more than 2 years ago | (#39377867)

Were you the CIO of DigiNotar by chance?

Re:How important is this? (4, Informative)

Anonymous Coward | more than 2 years ago | (#39377877)

The sourcecode linked in the summary is just a proof-of-concept. A much more devastating payload, in principle, certainly can be delivered. MS says the vulnerability could allow arbitrary code execution https://technet.microsoft.com/en-us/security/bulletin/ms12-020

Re:How important is this? (1)

xorbe (249648) | more than 2 years ago | (#39377953)

That's the point, that someone may turn the crash into a root.

Re:How important is this? (0)

DigiShaman (671371) | more than 2 years ago | (#39378147)

As I know, a BSOD is a kernel panic. The dump file creations and debug splash screen is the last thing it craps out before accepting any further input or output. While I don't know for a fact, but I think at BSOD status, the OS is frozen and halted from performing any additional processing. That means it cannot be rooted.

If what you say can happen, it would have to occur in a small window of time from the moment a malformed RDP packet triggers a fault to when the last line of execution that bring about a BSOD ends.

Re:How important is this? (2)

tom17 (659054) | more than 2 years ago | (#39378239)

My understanding is that if you fill a buffer overflow with random data (or just wrong data) it can cause the kernel to panic if it unexpectedly stumbles upon this incorrect/corrupt data and thus BSODs.

Now, if you are more crafty, you can inject valid code/data rather than panic-inducing random data. This valid code/data could then potentially allow a thorough rooting.

Re:How important is this? (5, Informative)

Alioth (221270) | more than 2 years ago | (#39379557)

With buffer overflows the way it usually works is that a buffer that is allocated on the stack (let's say, a temporary buffer where some user input goes to have something done on it) isn't properly bounds checked. Local function variables are on the stack. What is below them (on x86 and amd64) will be first the saved base pointer of the calling function, and then the return address of the next instruction in the calling function. So on a 32 bit arch, if we imagine the buffer is the first thing on the stack, the first 4 bytes of the buffer overflow will overwrite the calling function's saved %ebp register, and then the next 4 bytes you overwrite will be the return address of the calling function. When the function finishes and executes the RET statement, what happens is the address put on the stack by the CALL is popped off, and the program counter is set to this address.

Normally, this address is the valid return address, but in this case, where you've been able to overflow the buffer, it's whatever the 4 bytes were set to in the overflowing data. In a userland program, the program will usually crash with "Segmentation fault". In kernel land, you may get a kernel panic.

To exploit this, when the attacker overwrites the return address, if they can have this address point to their code instead, they can then gain control of the machine with whatever privilege level the process they are attacking has. Usually, the whole exploit is in the buffer that's overflowed, the attacker basically has to figure out what the address of their payload will be in the stack, and set the function's return address to this, and voila, they can execute arbitrary code.

A number of things have been done in recent years to frustrate this: randomizing the address of the heap and stack to make it harder to predict the address your attacking code will be at, and also making the stack and heap non-executable if the CPU supports it (or using a software emulation of the NX bit) so even if you do overwrite the return address with the address of your code, the program dies with "Segmentation fault" because the processor won't allow code to execute in that memory page.

Re:How important is this? (0)

Anonymous Coward | more than 2 years ago | (#39380647)

Thank you!! that was an amazingly concise explanation.

Re:How important is this? (1, Redundant)

ThePiMan2003 (676665) | more than 2 years ago | (#39378249)

The idea is that a specially crafted payload could root the box instead of crashing the system. Right now the payload only crashes the system because the researches didn't spend the time making it worse.

Re:How important is this? (5, Informative)

squiggleslash (241428) | more than 2 years ago | (#39378303)

It depends on what the exploit is.

A BSoD is a sign that the kernel space has been tampered with in some way. Now, it could be that there's no way to predictably tamper with the kernel using this exploit (eg all it does is, say, to cause some kernel routine to divide by zero, and thus crash), or it could be something like a buffer overflow exploit, where you can, using this technique, set a specific part of the memory to contain specific code, and by a little finagling, cause that code to be executed.

Now, it's a whole lot easier to demonstrate that a flaw like a buffer overflow can be used to cause a DoS situation like a BSoD than to spend days or weeks getting it to do something more "useful", so what we have here is a quick and dirty proof of concept to demonstrate there is a flaw to begin with.

Basically, the fact the proof-of-concept causes a BSoD doesn't mean that exploits of the flaw are limited to a BSoD. If it's a buffer overflow or something similar, then in theory anyone could exploit this bug to gain remote kernel level access to a Windows computer, without you ever knowing or seeing anything out of the ordinary.

Re:How important is this? (0)

Anonymous Coward | more than 2 years ago | (#39379037)

OS is just another application. When an app crashes from a buffer overflow you get a pretty little message, but when the OS crashes, you see a nasty screen. All they need to do is find a way to inject data that doesn't crash the OS, but runs said code in kernel mode, which is above even root.

Re:How important is this? (5, Insightful)

remus.cursaru (1423703) | more than 2 years ago | (#39378013)

Windows 2003 crashed remotely because you didn't applied a 3 days old patch doesn't seem scary to you? Just wait for the bean counters on the second floor to stone you to death because their stone-age old ERP crap is down. Or the DNS/DHCP server. Or the hole freaking AD.

Re:How important is this? (0, Redundant)

darkmeridian (119044) | more than 2 years ago | (#39378151)

Windows 2003 R2 was released on April 23, 2003. It has already entered its end of life phase on July 13, 2010. Anything critical has to be updated, maintained, and patched. If your mission critical server is still running Windows 2003, then you're doing it wrong. If your mission critical server is still running Windows 2003 and you haven't applied this patch, then you're doing it wrong. I just don't know how big a problem this will be in the real world.

Re:How important is this? (5, Funny)

Tastecicles (1153671) | more than 2 years ago | (#39378247)

... If your mission critical server is still running Windows, then you're doing it wrong...

FTFY. :)

(just to please up the anti-microsoft crowd...)

Re:How important is this? (0)

Anonymous Coward | more than 2 years ago | (#39378713)

yeah there are thousands of local doctors $200,000 xray machines that run happily with linux and their patient management system...oh wait, i mean the local garages Dynometer and Chip tuning works out the box with ubuntu..

except linux does none of these things, take a walk round your town and all these businesses have "mission critical servers" running Windows, those are the kinda people that could be affected by this exploit, the ones that never update, the ones that just use "whatever it came with" they are the people who will come of worse, small businesses from your local town, not the local soul-sucking cubefarm/megacorp/billionaireboysclub in the cities
who can afford to pay for an IT department.

all data is mission critical, depends on what your mission is tho..

Re:How important is this? (-1)

Anonymous Coward | more than 2 years ago | (#39378377)

"If your mission critical server is still running Windows, then you're doing it wrong."

There, fixed that for you.

Re:How important is this? (1)

benzaholic (1862134) | more than 2 years ago | (#39378179)

I of course have not RTFA, but if your organization is running stone-age ERP, or DNS/DHCP, or Active Directory Server, on the machine configured as your RDP host, then it logically follows that this must be the only computer in your entire organization, because nobody with a clue is likely to distribute core apps/services like that.

Re:How important is this? (4, Insightful)

NatasRevol (731260) | more than 2 years ago | (#39378335)

You'd be wrong. Dead wrong.

MS shops do this.
Shops that avoid MS at all costs and give control of it to finance/ms person, who have no clue about security do this.
Small businesses that just don't know better do this.

Re:How important is this? (2)

eldorel (828471) | more than 2 years ago | (#39379475)

Small businesses who know better but can't afford the extra expense of an additional server when they barely use the resources on the primary one do this also. Holy run on sentence batman!

Re:How important is this? (1)

omglolbah (731566) | more than 2 years ago | (#39380779)

Mmmmmm, virtualization

Re:How important is this? (2)

DarkOx (621550) | more than 2 years ago | (#39378971)

Never heard of Microsoft Small Business server have you?

Re:How important is this? (5, Informative)

EliSowash (2532508) | more than 2 years ago | (#39378129)

That really mitigates that risk.

I question your definition of 'mitigates' sir. You are describing systems that are not vulnerable to this particular exploit. If you're infrastucture runs on Linux or Mac or oranges with electrodes sticking out of them, you havn't mitigated dick. You just aren't vulnerable.

Re:How important is this? (1, Insightful)

LordLimecat (1103839) | more than 2 years ago | (#39378701)

Mitigate means "reduces the severity of". If fewer machines are vulnerable, that mitigates some risk.

Re:How important is this? (2)

Alioth (221270) | more than 2 years ago | (#39378983)

*Yet*. The vulnerability according to the original CVE is a double free of memory that ends up calling a function pointer in the already-freed block of data. Now if the exploit can change the address to their shellcode, they have just gained unauthorized access.

This might not be easy to do; it might not be possible on some architectures due to the NX bit, but it's possible it could result in a remote execution vulnerability.

Re:How important is this? (2)

hellkyng (1920978) | more than 2 years ago | (#39379593)

Windows Server 2008 64 bit is vulnerable to the POC, I've confirmed it myself.

Re:How important is this? (1)

gregarican (694358) | more than 2 years ago | (#39380023)

Actually from what I see it appears to be newer versions of Windows [microsoft.com] as well...

XP, Server 2003 (-1)

Anonymous Coward | more than 2 years ago | (#39377733)

You deserve it, it's fucking 2012, upgrade!!!!

Re:XP, Server 2003 (0)

Anonymous Coward | more than 2 years ago | (#39378485)

Sure, just as soon as you send me a check for all the licensing fees.

Re:XP, Server 2003 (1)

Rasperin (1034758) | more than 2 years ago | (#39379325)

Sure, what product do you sell? If I'm interested and it's affordable, I will send you a check in the form of purchasing said product. And if a lot of people like your product they will send you a check for receivable goods or services. Those proceeds will then amount up to this thing called "profit", once you have that you can buy new licenses.

Re:XP, Server 2003 (0)

Anonymous Coward | more than 2 years ago | (#39379403)

Why do i have to pay for you?, You didn't pay for mine, and i own two Windows 7 licences (One Ultimate and one Home Premium).
If you don't want to pay for YOUR licences, then you can complain if you get hacked, if you run XP or 2003 Server, you ran out of support (which you should already know since you buy them), if you don't want to buy new licences, try some free and/or open source OS, i'm sure you'll find out how to set them up, if you don't, i'm pretty sure that they some companies out there are willing to help you, if you pay them.

Remember, nothing is free, not even open source.

Re:XP, Server 2003 (0)

Anonymous Coward | more than 2 years ago | (#39380159)

Sorry is "then you CAN'T complain if you get hacked"

Re:XP, Server 2003 (1)

gregarican (694358) | more than 2 years ago | (#39380059)

Actually newer versions of Windows [microsoft.com] are also included in the patch. Of course learning this would require one to read past the often-incorrect or often-shortsighted summaries :-P

Question: Virtualbox's VRDE/RDP (3, Interesting)

MickyTheIdiot (1032226) | more than 2 years ago | (#39377829)

I haven't found the answer to this yet: Virtualbox uses a flavor of RDP (or backwards compatible to RDP) called VRDE. Someone where I worked said this was a protocol problem, so exploit apply to virtualbox or is this just the implementation of RDP that Microsoft uses?

Re:Question: Virtualbox's VRDE/RDP (1)

Tastecicles (1153671) | more than 2 years ago | (#39378279)

interesting question. Any Virtualbox devs in the house?

Re:Question: Virtualbox's VRDE/RDP (1)

Anonymous Coward | more than 2 years ago | (#39378453)

Tested it on my VirtualBox VMs and it did not work.

Re:Question: Virtualbox's VRDE/RDP (1)

Alioth (221270) | more than 2 years ago | (#39379347)

It's an implementation problem. It depends on whether Virtualbox has the same issue in its implementation. According to the original CVE for the vulnerability, the cause is a double free of some memory, the crash actually occuring when the system reads a function pointer that is no longer valid.

Solution (-1)

Anonymous Coward | more than 2 years ago | (#39377899)

Solution: Don't use buggy windows toy to do real work. Simple.

Re:Solution (2)

MightyMartian (840721) | more than 2 years ago | (#39379863)

I can't imagine anyone with any important data leaving an X session port open balls-to-the-walls to the Internet, so why on Earth would anyone let RDP, particularly the rather weakly-protected pre-Server 2008 variants, run basically naked like that (not that I would allow a Server 2008 Terminal Server or any other RDP service from a newer OS be visible to the outside world).

We have a Windows Terminal Server plus a few workstations that people can remote into, but they have to come in on our VPN. I closed that channel years ago when I looked on one of our DC security logs and saw a stunning number of dictionary attacks against the Terminal Server.

M$ Windoesn't (0, Troll)

DEFFENDER (469046) | more than 2 years ago | (#39377907)

Why are exploits and zero-days in Microsoft products still news? Their product is full to the brim with holes, problems, and exploits. a running tally would be more effective than a news story.

Re:M$ Windoesn't (2)

Abalamahalamatandra (639919) | more than 2 years ago | (#39377971)

Because this one is bigger than usual - I know of quite a few small companies that use RDP as a "poor man's VPN" and open it from their internal server(s) directly to the Internet. Insanely stupid and I've never allowed any SMBs that I've set up to do it, but it definitely happens quite a bit.

Interestingly, scanning for 3389 over the Internet has been quite prevalent for quite awhile. I'm sure there are many, many bad guys out there with big lists of system IP addresses all set to go once this (inevitably) turns into a remote code exploit rather than just a DoS.

Re:M$ Windoesn't (5, Insightful)

DigiShaman (671371) | more than 2 years ago | (#39378315)

Insanely stupid

Aside from this nasty RDP bug, how exactly is this "insanely stupid" any more so than leaving a web server connected to the Internet? I've seen plenty of web servers get rooted and turned into zombie spewing infected machines throwing spam and hosting fake AV advertisements.

For over ten years now, a major exploit of RDP is a first that I can recall. And BTW, the RDP connection is encrypted. With VPN, encryption is iffy at best and may not be enabled by default depending on the client you use.

Just because RDP provides a GUI remote desktop and looks more exposed visually doesn't mean it technically is any less secure than other protocols used.

Re:M$ Windoesn't (1)

DigiShaman (671371) | more than 2 years ago | (#39378705)

For clarification, I didn't mean VPN, I meant VNC.

Re:M$ Windoesn't (1)

webheaded (997188) | more than 2 years ago | (#39379965)

I've seen so many exploits with VNC over the years that it is ridiculous. I'm not a huge fan of Microsoft, but if you're trying to tell me that the VNC servers are a more secure product, you're insane. I was once sitting at my computer and actually had a delightful conversation with someone that hacked into my server while I was physically sitting at it. I immediately switched VNC vendors but I'll never forget that. I always kept it up to date so that was rather horrifying. I hear things like this about VNC server ALL THE TIME. There seem to constantly be new exploits like this and I'm not sure why. Maybe because most Linux users are on SSH and most Windows users use RDP?

Maybe it's just the Windows versions, I dunno, but holy shit. The command line is just so crappy and foreign to me in Windows that I can't get anything done without GUI (and I'm quite fast with GUI). Give me good old SSH on a Linux box and I'm good to go but I need my GUI tools in Windows unfortunately. As it is right now, I've got the webserver and whatnot running inside a virtualbox on my Windows machine that runs all my media center software as well as various other kinds of servers (minecraft etc). Quite frankly, it's just easier to RDP into it than anything else because there are several different types of things I need to dick with.

Re:M$ Windoesn't (1)

LordLimecat (1103839) | more than 2 years ago | (#39378733)

With VPN, encryption is iffy at best and may not be enabled by default depending on the client you use.

If you are setting up a VPN on basically any point-and-click interface, encryption will be enabled by default.

Re:M$ Windoesn't (2)

Abalamahalamatandra (639919) | more than 2 years ago | (#39379077)

Well, for starters, because Web servers don't run as SYSTEM for quite some time now.

And in any case, opening up port 80 from the Internet to an internal server, rather than one on a DMZ designed to do nothing but host Web content is just as insanely stupid. Same goes for port 443, even though I've lost count of the number of times people have told me 443 is okay "because it's secure!".

Re:M$ Windoesn't (1)

DarkOx (621550) | more than 2 years ago | (#39379187)

This is by far not the first vulnerability in RDP. I know what you mean though its supposed to be a remote management solution; saying its insanely stupid to expose RDP to the net is like saying its insanely stupid to put SSH on the net.

The truth is minimize you attack surface and pick your poison. Have SSH? good tunnel your RDP, have a VPN? even better use it, want to use RDP? ideally use Microsofts terminal server gateway, if not fine put one 'terminal server' open to the outside and access other boxes thru it don't run your critical infrastructure on that box etc.

The fewer services you have the fewer ways you can be attacked. You probably have to run one more web servers, dns, and mail, most business need some sort of remote access solution, pick ONE vpn, terminal services gateway, citrix, ssh, and the administrative people might need a back door should the remote access solution fail for emergencies. My advice on that good old fashion modem listing on an unpublished phone number; and very strong passwords.

Re:M$ Windoesn't (1)

aztracker1 (702135) | more than 2 years ago | (#39379531)

I recall seeing a handful of OpenSSL/SSH vulnerabilities over the years as well... IMHO RDP is no more/less dangerous.. though I was planning on closing off VNC/RDP access and tunneling via SSH myself... I tend to stay on top of these issues more than a lot of small/home office types though.

Re:M$ Windoesn't (-1)

Anonymous Coward | more than 2 years ago | (#39378183)

Probably for the same reasons that asshats like you still can't get over typing MS as "M$."

And I'm serious about that. Think about it. The same kind of "thought" process that makes you go out of your way to call it M$ is what makes this newsworthy. If you were over the whole Microsoft thing and have really moved on, you wouldn't have even have bothered with this thread. Instead you've demonstrated that you still have a stick up your ass about MS and let it burden you. To each their own but if you've really moved on you would have totally glossed over this thread with a shrug.

I don't go back to the Chevy dealer years after a bad experience with one of their products because I've moved on to something better. I don't need to take it out on every Chevy owner I see either. I'm much better for it.

Re:M$ Windoesn't (2, Insightful)

Rasperin (1034758) | more than 2 years ago | (#39379665)

I'm sorry, mod parent up, so freaking right not even funny.

Was going to post anon, but to hell with my Karma, if you can't recognize that Microsoft isn't the same company it was 12 years ago you are part of the problem and not part of the solution. Not saying they are the best at anything, that's in the eye of the beholder. I'm just saying that Windows 7 (while needing it's code optimized like KDE4 had) is a far superior OS to Windows XP and Windows XP wasn't a bad platform to start off with. In 1999 (when it was released) it was far superior to linux in many ways and it was far worst in others. Today, the same case applies, however MS is actually now contributing to the OS community, working with the development community (see Kinect, their Sony reaction only lasted a few days).

Want to talk about Security, there are 13 known rootkits for Linux which rootkit (the application that scans for them) can't detect. There are viruses, there are kernel dumps, and worst of all there is LIBHELL, this look familiar?
$ someapp
Someapp can't find libboost.so.14
$ find / -name "libboost.so.*"
/usr/lib/libboost.so.15
$ yes QQ
QQ
QQ
QQ
QQ
QQ
^C
$

or my favorite one
Couldn't find /boot perhaps run fschk without -j or -f?
root$ ls /boot
grub boot ...
root$ :'(
>)';
Couldn't find command: :'( )':

So yeah, Linux has it's own stability and security issues, some that make me want to throw myself off a 30floor building sometimes, but I love it too, but I think Microsoft puts out an upstanding product and so does Linux.

I really don't know why I was so verbose, esp with the BS commands.

Re:M$ Windoesn't (-1)

Anonymous Coward | more than 2 years ago | (#39378223)

why are people still using it?

Who uses RDP without a VPN? (4, Insightful)

Kenja (541830) | more than 2 years ago | (#39378153)

I have never seen RDP open to the world. If you do that, you're asking for issues regardless of any exploit.

Re:Who uses RDP without a VPN? (-1)

Anonymous Coward | more than 2 years ago | (#39378255)

Who uses RDP and Windows at all? If you do that, you're asking for issues regardless of any exploit.

Re:Who uses RDP without a VPN? (0)

Anonymous Coward | more than 2 years ago | (#39378445)

MS Terminal Server. Duh!

Re:Who uses RDP without a VPN? (2, Interesting)

Anonymous Coward | more than 2 years ago | (#39378415)

Then you don't have much exposure to the MANY SMB's that are setup like this. I even know of some otherwise competent consultants that do this. Stating that the traffic is secure.

I've closed this hole many times at new clients.

Re:Who uses RDP without a VPN? (4, Insightful)

parlancex (1322105) | more than 2 years ago | (#39379195)

Then you don't have much exposure to the MANY SMB's that are setup like this. I even know of some otherwise competent consultants that do this. Stating that the traffic is secure.

I've closed this hole many times at new clients.

Ah yes, another incompetent *nix admin with his head in the sand. Since this was posted as AC I know you're probably trolling but I'll bite. Since the RDP changes starting with Windows Vista and Server 2008 (pre-R2, even) the RDP connection handshake resembles that of TLS, SSH, and other VPN protocols, utilizing RSA, certificate based identity verification, and AES (with keys transmitted during the RSA encrypted during setup).

If modern RDP is insecure, I have really bad news for SSH, e-commerce and the entire fucking world that uses TLS.

Re:Who uses RDP without a VPN? (0)

Anonymous Coward | more than 2 years ago | (#39379467)

SSH Nor RDP should be open to the world. Security is a process not a thing, and good security process demands that you require VPN access before RDP or SSH.

Re:Who uses RDP without a VPN? (2)

Abalamahalamatandra (639919) | more than 2 years ago | (#39379503)

Wow. Shill much?

First of all, your ever-so-awesome RDP changes that started with Vista don't seem to have helped a ton here, unless you took the non-default step of turning on NLA which breaks accessing the server from XP clients that haven't had an upgrade to the RDP client.

Secondly, given the choice between opening RDP to a Windows box or SSH to a Linux box, I'll place my bets on SSH any day of the week. OpenSSH was designed from the start to be a highly-secure protocol. It has, of course, had to evolve over the years to stay ahead of threats just as RDP has. But looking at the history of RDP and the changes that MS has had to make to the protocol, I think it's pretty clear at this point that "giving the user a remote graphical interface" was quite a bit higher of a priority than security from the beginning.

Encryption != security. Thanks for proving my earlier point about people often making that mistake.

Re:Who uses RDP without a VPN? (0)

Anonymous Coward | more than 2 years ago | (#39379673)

It's not that RDP is inherently insecure. It's that the service is insecure. It's highly unlikely that such an exploit exists in OpenSSH, but anything is possible.

Re:Who uses RDP without a VPN? (1, Funny)

parlancex (1322105) | more than 2 years ago | (#39378553)

Who uses a VPN without a VPN? If you connect to a VPN without first tunneling it through a secure VPN, you're just asking for issues regardless of any exploit.

Re:Who uses RDP without a VPN? (2)

NatasRevol (731260) | more than 2 years ago | (#39378717)

This:
for i in {1..254}; do nc -v -n -z -w 1 207.46.130.$i 3389; done
will scan Microsoft's public IP space for RDP.

Feel free to test it on your infrastructure.

Re:Who uses RDP without a VPN? (1)

webheaded (997188) | more than 2 years ago | (#39380001)

I run mine on a completely non-standard port via port forwarding at the router. :D

Extra security through obscurity, yes, but hey, most people only bother with the low hanging fruit. It's already encrypted and me not using that port probably stops a shit ton of attacks.

The same people who use SSH without a VPN? (2, Insightful)

Sycraft-fu (314770) | more than 2 years ago | (#39379477)

There is no particular reason RDP needs to be behind a VPN any more than any other protocol. It is fully encrypted, does secure password exchange and all that jazz. Same as SSH. So if you run any SSH servers that are open to the world, well there's your answer.

If you are all VPN all the time, ok, though I will caution you to carefully check your setup, VPN is often a false sense of security (particularly since in many configurations it punches through the user's NAT and host based firewall and can expose them). However if you are ok with things like SSH to your UNIX systems but not RDP to your Windows systems that just means you have a poor understanding of the protocols.

Re:The same people who use SSH without a VPN? (1)

MightyMartian (840721) | more than 2 years ago | (#39379899)

That applies to Server 2008/Windows 7 RDP (maybe Vista, not sure about that). The versions found in Windows 2000, XP and Server 2003 are not nearly as secure.

Re:Who uses RDP without a VPN? (1)

Anonymous Coward | more than 2 years ago | (#39379929)

Important to note that this is a "no authorization required" vulnerability. Merely the correct sequence of malformed packets leads to a kernel-level remove code execution. If RDP is listening to the port and it recieves this sequence.... *bork* The BSOD mentioned is just a crude proof of concept in the wild. Be afraid of the attacks that DO NOT BSOD, and in fact leave no real trace.

Re:Who uses RDP without a VPN? (0)

Anonymous Coward | more than 2 years ago | (#39380067)

Are you kidding?? Try this right now:

nmap -iR 1000 -T5 --open -p 3389 -P0

That just returned 15 open ports for me. So based on that rather small sample 1.5% of hosts on the internet have that port open. There are millions out there!!

Re:Who uses RDP without a VPN? (0)

Anonymous Coward | more than 2 years ago | (#39380287)

Unless you're knowledgeably firewalling it to the proper degree. But, posters and readers on /. wouldn't be capable of that, right?

Re:Who uses RDP without a VPN? (1)

Rich0 (548339) | more than 2 years ago | (#39380707)

Sure, but all it takes is some code getting run anywhere on a corporate LAN to run through it like wildfire. Firewalls are an obvious layer of protection, but you can't have big security holes on the other side, otherwise you're talking worm city.

Re:Who uses RDP without a VPN? (1)

kangsterizer (1698322) | more than 2 years ago | (#39380741)

Well you should start nmap then. I see 3389 open every-f-where. Seriously.

Just think web hosting on windows. That's not SSH. That's RDP. Everywhere.

Another story about bad bad Windows and M$ (0)

simula67 (2518552) | more than 2 years ago | (#39378329)

Can we pleeeeease go back to hating Microsoft now?

Re:Another story about bad bad Windows and M$ (1)

DeathFromSomewhere (940915) | more than 2 years ago | (#39378459)

Did we ever really stop? ;)

Caring = 0 (-1, Troll)

JustAnotherIdiot (1980292) | more than 2 years ago | (#39378841)

Microsoft Windows XP and Windows Server 2003

Update. I have no sympathy for people using 10+ year old operating systems.

Who, Who??? (-1)

Anonymous Coward | more than 2 years ago | (#39378917)

Why do people use windows servers? i dont understand

Re:Who, Who??? (1)

aztracker1 (702135) | more than 2 years ago | (#39379597)

I use them mainly for IIS, because I happen to work with .Net based web applications... And IIS is a path of less resistance than shoehorning a solution into Mono/Linux. That said IIS is a pretty damned nice web server. There's also AD and Exchange. Those are probably the biggest reasons to run windows based servers.

Have fun (3, Informative)

koan (80826) | more than 2 years ago | (#39378973)

Re:Have fun (3, Interesting)

hellkyng (1920978) | more than 2 years ago | (#39379619)

That code is not real, it was a fake release from yesterday. Actual POC code is available in a number of places though and looks very similar.

Ouch... (1)

gregarican (694358) | more than 2 years ago | (#39379729)

I tried to go to the March 2012 Microsoft Security Bulletin on their website and got a 404 Error. Guess they're updating it with new info? BTW I tested the sample Ruby code that was published and the BSOD worked like a champ on a couple of my older boxes here at work. Good thing I don't use RDP on any Internet-facing hosts. Only through a VPN...

Oops, BSOD, gotta reboot again... (0)

Anonymous Coward | more than 2 years ago | (#39380497)

So in other words, most XP users won't even realize the exploit...

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?