MS12-020: dilution of RDP worms
On Tuesday, Microsoft released another patch of patches, and among them MS12-020 , which has a critical status, especially attracted our attention. Vulnerability allows to execute arbitrary code on a remote system with the power of a specially crafted RDP packet. All versions of MS Windows, including 64-bit versions, are affected by this vulnerability. In fact, two vulnerabilities CVE-2012-0002 (RCE in RDP) and CVE-2012-0152 (DoS in Terminal Server) were closed within the MS12-020 patch. We are more interested in the first vulnerability, since it is much more dangerous and may lead to the emergence of network worms that will actively exploit it (at the moment I do not know about the cases of its use in malicious programs).
By the way, the vulnerability MS11-065 (August 2011), which allowed DoS (WinXP / 2003), was recently closed and was noticed in the same rdpwd.sys driver in which CVE-2012-0002 was found. These changes can be tracked by timestamps in rdpwd.sys before and after the patch. Also in the official change lists for MS11-065 and for MS12-020 .
')
Actually, the main changes were seen in the HandleAttachUserReq () function, the decompiled version of which looks like this:
When comparing the corrected driver and driver before the patch, it is clear that there were not so many changes.
You can see that additional checking and freeing up memory using ExFreePoolWithTag () is added :
Now let's look at the decompiled version of these changes:
It is the absence of this check that can lead to the possibility of remote memory acquisition and the possibility of unauthorized code execution. And code execution takes place in the kernel.
A good analysis of CVE-2012-0152 (DoS in Terminal Server) can be found here .
Argued that there is already a working exploit:
Perhaps this is just a fake, but, according to our forecasts, a public exploit will most likely appear next week as part of Metasploit, which will cause a chain reaction of its appearance in malware.
By the way, the vulnerability MS11-065 (August 2011), which allowed DoS (WinXP / 2003), was recently closed and was noticed in the same rdpwd.sys driver in which CVE-2012-0002 was found. These changes can be tracked by timestamps in rdpwd.sys before and after the patch. Also in the official change lists for MS11-065 and for MS12-020 .
')
Actually, the main changes were seen in the HandleAttachUserReq () function, the decompiled version of which looks like this:
When comparing the corrected driver and driver before the patch, it is clear that there were not so many changes.
You can see that additional checking and freeing up memory using ExFreePoolWithTag () is added :
Now let's look at the decompiled version of these changes:
It is the absence of this check that can lead to the possibility of remote memory acquisition and the possibility of unauthorized code execution. And code execution takes place in the kernel.
A good analysis of CVE-2012-0152 (DoS in Terminal Server) can be found here .
Argued that there is already a working exploit:
Perhaps this is just a fake, but, according to our forecasts, a public exploit will most likely appear next week as part of Metasploit, which will cause a chain reaction of its appearance in malware.
Source: https://habr.com/ru/post/140025/
All Articles