Was Windows RDP code leak an inside job?
- By 1105 Media Staff
- Mar 20, 2012
Despite it's best laid plans to fix a "critical" Windows Remote Desktop Protocol (RDP) vulnerability, Microsoft may not have been able to get the patch for it out before cyber criminals got to it.
In fact, it appears that hackers may have had the jump on Microsoft even as it released the patch in its March security update.
A researcher noted that the timing of the release of some proof-of-concept (POC) code, which had not been publicly available, suggests an internal leak. The appearance of that code in the wild a mere two days after Microsoft's RDP fix offers a clue.
Meanwhile, ThreatPost reports that a Metasploit — an open-source attack framework — is available for the vulnerability, which could cause a denial-of-service condition on vulnerable computers, and that the vulnerability could be exposing up to 5 million machines.
Italian security researcher Luigi Auriemma, who discovered the Windows Remote Desktop Protocol (RDP) flaw, explained this scenario in a blog post last week. He originally had sold his POC code to Hewlett-Packard in May of 2011 as part of HP's TippingPoint's Zero Day Initiative program. HP subsequently turned it over to Microsoft in June of that same year.
Microsoft modified his data packet into executable code that could take advantage of the RDP flaw in November. However, many lines of code -- including Auriemma's data packet -- later appeared in the exploit code that was released on Thursday on a Chinese Web site. While Auriemma admits that it was his data packet that was found online, he claims no responsibility for the leak.
"No details and proof-of-concept were released by me after the releasing of the patch," he wrote. "I was waiting some days and I was really curious to know who would have been able to spot the one-day (like a simple poc) first. After all it was the bug and the challenge of the moment so why [ruin] the party."
He theorized that the leak must have occurred after Microsoft sent its executable code to its partners to create "antivirus signatures." Microsoft agrees with that contention.
"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners," wrote Yunsun Wee, director of Microsoft's Trustworthy Computing group, in a blog post. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."
Auriemma provided some advice about the RDP flaw and POC exploit, describing it as a "use-after-free" memory management bug. While he said his exploit is basic, an experienced hacker would have no problem turning it into a working attack.
"Having access to the patches already makes it possible to deduce the vulnerability details via bindiffing (i.e. comparing the patched binaries to unpatched binaries), but concluding how to trigger the vulnerability is not always so straight-forward," Auriemma wrote. "Having a PoC available, obviously, makes this very clear."
It is strongly recommended that those who have not installed Microsoft's security bulletin MS12-020 fix do so as soon as possible. And if that's not possible, Microsoft has provided a workaround in that bulletin.