Remote execution of arbitrary code in the RDP protocol

Remote execution of arbitrary code in the RDP protocol




We learned about a dangerous vulnerability in the RDP protocol: Microsoft prepared emergency patch for a vulnerability identified as CVE-2019-0708, which allows to execute arbitrary code on the target system.

A remote code execution vulnerability exists in Remote Desktop Services (previously called Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability uses pre-authentication and does not require user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.

The vulnerability (CVE-2019-0708) for Windows, 2008, Windows Server 2008 R2, and Windows Server 2008. Windows XP and Windows 2003 operating systems for Microsoft.

To exploit the vulnerability, an attacker needs to send a specially crafted request to the remote desktop service of the target systems via RDP.

Interesting is the fact that this or similar vulnerability was sold in the “darknet” at least since last September:

SELLER, [09/30/18 12:54]
RDP RCE Exploit

description:
This is a bug in RDP protocol.
Windows remotely who enables RDP.

vulnerability type:
Heap overflow

affected versions:
Windows 2000/XP/2003/Vista/7/2008 (R2)

privilege level obtained:
SYSTEM privilege

reliability:
90% for one core/30% for multiple core

exploitation length:
around 10 seconds

Possible buyer, [09/30/18 12:58]
affected versions:
Windows 2000/XP/2003/Vista/7/2008 (R2)
Lol

Possible buyer, [09/30/18 12:58]
is it pre-auth or post-auth vuln?

SELLER, [09/30/18 12:59]
Pre

Possible buyer, [09/30/18 12:59]
for how much they/he/she sells it?

SELLER, [09/30/18 12:59]
500

SELLER, [09/30/18 12:59]
Shared

Possible buyer, [09/30/18 12:59]
500k USD?

SELLER, [09/30/18 13:00]
So u can guess it was sold few times.
SELLER, [09/30/18 13:00]
Yes

Operating this vulnerability allows you to write malicious software similar to WannaCry, detected exactly 2 years ago .
This vulnerability is pre-authentication and requires no user interaction. In the words of the global security system, it is wormable. > The vulnerability is so serious that Microsoft released patches even for unsupported OS versions - Windows XP and Windows 2003.

Source text: Remote execution of arbitrary code in the RDP protocol