The remote windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

Posted on 2012-03-25
Medium Priority
Last Modified: 2012-04-03
The remote windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

How can a remote hacker use this?

If they know port 3389/tcp is open, what can they do and how can they use it?
Question by:scarlettbutler7
LVL 31

Expert Comment

ID: 37762507
There is a very fine line in terms of discussing this. Without going into the details too deeply, people who understand very well how certain network protocols work analyze how data transfer occurs and how the programs that are supposed to process that data treat it.

LVL 31

Expert Comment

ID: 37762516
There are also a number of tools that can be utilized to test whether machines possess vulnerabilities. However, I will not delve too deeply into those details. Assuming you're on the defensive side of things, I would go ahead with the patching, then research more into things later.
LVL 15

Accepted Solution

Russell_Venable earned 2000 total points
ID: 37765386
If the RDP protocol is not properly fixed, an attacker can send a specially crafted RDP packet that abuses the way RDP handles in-memory operations; when these operations are disturbed in this certain fashion, it allows you to insert a certain amount of instructions into this memory buffer and execute them, allowing what is called a "remote vulnerability". Specifically, in this case, uninitialized code or improperly initialized code, to say the least. Meaning if it is not initialized properly it does not set a defined value and can be altered if the conditions are met.

Since RDP is open on 3389 as a default slave port, this makes a very attractive exploit on the market, since it is built into the system and allows interactive sessions. If this is on a server with Terminal Services running many of these sessions, an attack like this will go unnoticed pretty easily.

I already have the exploit to this pesky problem and have already seen the side effects. There are attacks already seen underway, starting with China, which has picked up on this rather quickly.

I hope you're not looking for an exact explanation of how it works. You won't get those details unless you're a security researcher like myself who has the "need to know". The difficulty level involved with this type of exploit is rather high and requires a greater understanding of not only the system internals, but also being well versed in reverse engineering. The difficulty level for someone not in the field is very hard to understand even when given exact details.

The experience needed to understand how it works and how to properly execute it within these difficult boundaries requires an understanding level of about 2 PhDs in Computer Security or Computer Science equivalent that directly relates to this field of work.
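For the practical side of the question (what someone who knows 3389/tcp is open actually sends, and what a defender can check), here is an added example that is not part of the thread above or of any expert's post. The first packet any RDP client, scanner or exploit sends is the X.224 Connection Request with an RDP negotiation request (MS-RDPBCGR 2.2.1.1); the server answers with a Connection Confirm carrying either RDP_NEG_RSP or RDP_NEG_FAILURE. Microsoft's MS12-020 bulletin listed enabling Network Level Authentication (NLA) as a workaround, so the code below asks the server for plain RDP security and reports whether it refuses with HYBRID_REQUIRED_BY_SERVER, which is how NLA enforcement shows up on the wire. The sample responses are constructed, not captured from a real host, and the `probe()` function, host names and the NLA interpretation are this example's own assumptions. Nothing here goes past the handshake.

```python
"""Added example (not from the original thread): build the X.224 Connection
Request that opens every RDP session, parse the server's Connection Confirm,
and report whether Network Level Authentication (NLA) is enforced."""
import socket
import struct
import sys

# requestedProtocols flags of RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # standard (legacy) RDP security
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP, cookie=b""):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes without cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: code 0xE0, DST-REF, SRC-REF, class 0, optional cookie, negotiation request.
    # The length indicator (LI) counts every byte after itself.
    x224 = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req
    x224 = bytes([len(x224)]) + x224
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))  # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data):
    """Parse TPKT + X.224 Connection Confirm; returns what the server decided."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 response")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:  # CC TPDU code is 0xD0 in the high nibble
        raise ValueError("not an X.224 Connection Confirm")
    result = {"negotiation": False, "selected_protocol": None, "failure": None}
    if li == 6:
        # No RDP_NEG_* field at all: a pre-Vista style server that only
        # speaks standard RDP security and never negotiated anything.
        result["selected_protocol"] = PROTOCOL_RDP
        return result
    if len(data) < 19:
        raise ValueError("truncated negotiation response")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("bad RDP_NEG length")
    result["negotiation"] = True
    if neg_type == TYPE_RDP_NEG_RSP:
        result["selected_protocol"] = value
    elif neg_type == TYPE_RDP_NEG_FAILURE:
        result["failure"] = FAILURE_CODES.get(value, "UNKNOWN_%d" % value)
    else:
        raise ValueError("unexpected RDP_NEG type 0x%02x" % neg_type)
    return result


def nla_enforced(confirm):
    """True only when a plain-RDP request was refused because CredSSP (NLA) is mandatory."""
    return confirm["failure"] == "HYBRID_REQUIRED_BY_SERVER"


def probe(host, port=3389, timeout=5.0):
    """Live check (assumed helper): request standard RDP security and see if the server refuses."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        data = s.recv(1024)
    return parse_connection_confirm(data)


# Constructed sample responses (not captured from any real host):
# server refusing plain RDP because NLA is required
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
# server accepting plain RDP (RDP_NEG_RSP selecting PROTOCOL_RDP)
SAMPLE_PLAIN_ACCEPTED = bytes.fromhex("030000130ed00000123400" "0200080000000000")
# legacy server that sends no negotiation field at all
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    confirm = probe(target) if target else parse_connection_confirm(SAMPLE_NLA_REQUIRED)
    print(confirm, "NLA enforced:", nla_enforced(confirm))
```

Run it as `python rdp_neg.py host` against a box you are allowed to test; with no argument it parses the constructed sample. A host that answers with `HYBRID_REQUIRED_BY_SERVER` will not let an unauthenticated peer past the negotiation stage, which is what the NLA workaround in the bulletin buys you; a host that selects PROTOCOL_RDP, or a legacy host with no negotiation at all, lets anyone who can reach 3389/tcp continue into the rest of the protocol, so for those the only real answer is the patch.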

LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 37765908
The exploit is in the wild as we speak; patch your systems. Somehow, between Microsoft and its security partners, the proof-of-concept code got into the hands of the bad guys, and code using the proof-of-concept coding has surfaced on the bad guys' web sites for sale.
LVL 15

Assisted Solution

Russell_Venable earned 2000 total points
ID: 37766142
As true as recommending to patch as soon as possible is, it's still not answering the question. The truth is it's been in the wild for a few months already and now it's finally in the papers because of the slip. Microsoft has a long history of being very slow at releasing real information for these topics. They want to get as many details as possible before even attempting to alert anyone about the fact it's real and out there. On top of that, they don't even want people to know it exists. The longer they can keep a lid on it, the less $100,000 they have to spend for each new flaw found and time spent figuring out how to safely patch the flaw in question.

I already have 4 versions of this exploit for work. One PoC in the wild is actually old news turned new because of recent heat placed on MS. They don't include that this exploit is also directly related to a Chinese rootkit being spread around. I know for a fact that's not reported in the news. I have the binary dropper and locations of the PoC on that subject...

The slipped PoC is from the FBI, by the way. The infector that exploits this downloads the rootkit from a blank, purple-looking site after exploitation and then also makes an "Uh-oh!" sound a minute after you get exploited. It kills all antivirus and corrupts the service memory location after you boot back into the system, while the AV application attempts to load on bootup. I took a snapshot of that as well. I don't need to go into raw details here.

As for the selling part, I am not sure about it being sold on bad guys' sites. That would have happened long before the fact. Anyone with common sense can just packet-sniff a PoC and they have the first stage of the exploit. That makes the exploit free and available to anyone. Anyone who buys leftover exploits is a fool. I can't honestly see that happening.

Unless it's on a few unnamed kiddie-spawning sites. Anyway, enough with my news flash. Hope you learned a little something new.
LVL 15

Expert Comment

ID: 37785596
There's no problem here. Executable technical details are hard to come by and definitely will not be discussed.
