Solved

The remote windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

Posted on 2012-03-25
9
581 Views
Last Modified: 2012-04-03
The remote windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

how can remote hacker use this?

if know the port 3389/tcp, how can they do and use it?
0
Comment
Question by:scarlettbutler7
  • 3
  • 2
9 Comments
 
LVL 20

Expert Comment

by:masnrock
Comment Utility
There is a very fine line in terms of discussing this. Without going into the details too deeply, people who understand very well how certain network protocols work analyze how data transfer occur and how the programs that are supposed to process that data treat it.

T
0
 
LVL 20

Expert Comment

by:masnrock
Comment Utility
There are also a number of tools that can be utilized to test whether machines possess vulnerabilities. However, I will not delve too deeply into those details. Assuming you're on the defensive side of things, I would go ahead with the patching, then research more into things later.
0
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 500 total points
Comment Utility
If the RDP protocol is not properly fixed, a attacker can send a specially craft RDP packet that abuses the way RDP handles in-memory operations and when these operations are disturbed in this certain fashion it allows you to insert a certain amount of instruction in this memory buffer and execute allowing what is called a "remote vulnerability" . Specifically, In this case. Uninitialized code or improperly initialized code to say the least. Meaning if it is not initialized properly it does not set a defined value and can be altered if the conditions are met.

Since RDP is open on 3389 as a default slaves port. This makes a very attractive exploit on the market since it is built-in the system and allows interactive sessions. If this is on a server with terminals services running many of these sessions. A attack like this will go unnoticed pretty easily.

I already have the exploit to this pesky problem and have already seen the side effects. There are attacks already seen underway starting with china who has picked up on this rather quickly.

I hope your not looking for a exact explanation of how it works. You wont get those details unless your a security researcher like myself who has the "need to know". The difficulty level involved with this type of exploit is rather high and requires a greater understanding of not only the system internals, but also is well versed in reverse engineering. The difficulty level for someone not in the field is very hard to understand even when given exact details.

The experience needed to understand how it works it works and how to properly execute it in this difficult boundaries requires a understanding level of about 2 PHD's in Computer Security or Computer Science equivalent that directly relates to this field of work.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
Comment Utility
the exploit is in the wild as we speak, patch your systems.  Somehow between Microsoft and its security partners the proof of concept code got into the hands of the bad guys and code using the Proof of Concept coding has surfaced in the bad guy's web sites for sale.
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 500 total points
Comment Utility
As true as recommending to patch as soon as possible is. It's still not answering the question.  The truth is it's been in the wild for a few months already and now it's finally in the papers because of the slip. Microsoft had a long history of being very slow at releasing real information for these topics. They want to get as many details as possible before even attempting to alert anyone about the fact it's real an out there. On top of that they dont even want people to know it exists. The longer they can keep a lid on it the less $100,000 they have to spend for each new flaw found and time spent figuring out how to safely patch the flaw in question.

I already have 4 versions of this exploit already for work. One PoC in the wild is actually old news turned new because of recent heat placed on MS. They don't include that this exploit is also directly related with a Chinese rootkit being spread around. I for a fact know that's not reported in the news.. I have the binary dropper and locations to PoC on that subject...

The slipped PoC is from the FBI, btw. The infector that exploits this downloads this rootkit from a blank purple looking site after being exploited and then also makes a "Uh-oh!" sound the minute after you get exploited. Kills all antivirus and corrupts the service memory location after you boot back into the system while the AV application attempts to load on bootup. I took a snapshot of that as well. I don't need to go into raw details here.
As for the selling part, I am not sure about being sold on bad guys sites. That would have happened long before the fact. Anyone with common sense can just packet sniffer a PoC and they have the first stage of the exploit. That makes the exploit free and available to anyone. Anyone who buys leftover exploits is a fool. I can't honestly see that happening.

Unless it's on a few unnamed kiddie spawning sites. Anyways, enough with my news flash. Hope you learn a little something new.
0
 
LVL 15

Expert Comment

by:Russell_Venable
Comment Utility
There's no problem here. Executing technical details are hard to come by and definitely will not be discussed.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

One of the typical problems I have experienced is when you have to move a web server from one hosting site to another. You normally prepare all on the new host, transfer the site, change DNS and cross your fingers hoping all will be ok on new server…
A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now