BlueKeep
BlueKeep (CVE-2019-0708) is a critical vulnerability in Microsoft's implementation of Remote Desktop Services in the Windows operating system.
By establishing an RDP connection to the target server and opening a virtual channel named MS_T120, an unauthenticated attacker can send crafted data that leads to arbitrary code execution with SYSTEM privileges.
The sequence of events is as follows:
The client requests a virtual channel named MS_T120 in slot 11. The channel lookup function returns the same pointer for MS_T120 regardless of the requested slot, so the MS_T120 structure is now referenced both from slot 11 and from its default slot 0x1F (31).
The attacker sends crafted data to channel MS_T120. termdd.sys responds with an error and closes the channel, freeing the MS_T120 structure and clearing the pointer in the attacker-controlled slot 11, but leaving the stale pointer in slot 0x1F in place.
When the connection is terminated, cleanup code dereferences the stale pointer in slot 0x1F and accesses the freed structure, producing a use-after-free.
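As an added example (not part of the original page), a small Python parser that pulls the static virtual channel names out of the client's TS_UD_CS_NET block and flags a request for MS_T120, the indicator from the first step above; legitimate clients never request that channel by name, which is why network detection rules key on it. The sample blocks are constructed here, not captured traffic, and the parser assumes it is handed the CS_NET block (or a buffer containing it) rather than a full MCS Connect Initial PDU.

```python
import struct
from typing import List

CS_NET = 0xC003  # TS_UD_CS_NET header type inside the GCC Conference Create Request


def parse_cs_net_channels(data: bytes) -> List[str]:
    """Return the static virtual channel names requested in a TS_UD_CS_NET block.

    Layout: type (u16 LE), length (u16 LE, includes header), channelCount (u32 LE),
    then channelCount entries of 8-byte NUL-padded name + 4-byte options.
    Truncated or malformed input yields whatever parsed cleanly; never raises.
    """
    names: List[str] = []
    off = data.find(struct.pack("<H", CS_NET))
    if off < 0 or off + 8 > len(data):
        return names
    _type, length, count = struct.unpack_from("<HHI", data, off)
    end = min(off + length, len(data))  # trust neither the length field nor the buffer
    pos = off + 8
    for _ in range(count):
        if pos + 12 > end:
            break  # truncated channel definition: stop rather than read past the block
        raw_name = data[pos:pos + 8].split(b"\x00", 1)[0]
        names.append(raw_name.decode("ascii", "replace"))
        pos += 12
    return names


def requests_ms_t120(data: bytes) -> bool:
    """True if the client asks for MS_T120; compared case-insensitively as a conservative choice."""
    return any(name.upper() == "MS_T120" for name in parse_cs_net_channels(data))


def build_cs_net(names: List[str]) -> bytes:
    """Construct a TS_UD_CS_NET block for testing (sample data, not captured traffic)."""
    body = b"".join(n.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body


# Constructed fixtures: an ordinary client channel list and one naming MS_T120.
BENIGN = build_cs_net(["rdpdr", "cliprdr"])
SUSPICIOUS = build_cs_net(["rdpdr", "MS_T120"])

if __name__ == "__main__":
    for label, block in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, parse_cs_net_channels(block), "alert" if requests_ms_t120(block) else "ok")
```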
Because BlueKeep is so widespread, Metasploit ships a module that exploits it:
msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set rhosts <target_host>
run