Solved

The remote windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

Posted on 2012-03-25
9
592 Views
Last Modified: 2012-04-03
The remote windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

how can remote hacker use this?

if know the port 3389/tcp, how can they do and use it?
0
Comment
Question by:scarlettbutler7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
9 Comments
 
LVL 27

Expert Comment

by:masnrock
ID: 37762507
There is a very fine line in terms of discussing this. Without going into the details too deeply, people who understand very well how certain network protocols work analyze how data transfer occur and how the programs that are supposed to process that data treat it.

T
0
 
LVL 27

Expert Comment

by:masnrock
ID: 37762516
There are also a number of tools that can be utilized to test whether machines possess vulnerabilities. However, I will not delve too deeply into those details. Assuming you're on the defensive side of things, I would go ahead with the patching, then research more into things later.
0
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 500 total points
ID: 37765386
If the RDP protocol is not properly fixed, a attacker can send a specially craft RDP packet that abuses the way RDP handles in-memory operations and when these operations are disturbed in this certain fashion it allows you to insert a certain amount of instruction in this memory buffer and execute allowing what is called a "remote vulnerability" . Specifically, In this case. Uninitialized code or improperly initialized code to say the least. Meaning if it is not initialized properly it does not set a defined value and can be altered if the conditions are met.

Since RDP is open on 3389 as a default slaves port. This makes a very attractive exploit on the market since it is built-in the system and allows interactive sessions. If this is on a server with terminals services running many of these sessions. A attack like this will go unnoticed pretty easily.

I already have the exploit to this pesky problem and have already seen the side effects. There are attacks already seen underway starting with china who has picked up on this rather quickly.

I hope your not looking for a exact explanation of how it works. You wont get those details unless your a security researcher like myself who has the "need to know". The difficulty level involved with this type of exploit is rather high and requires a greater understanding of not only the system internals, but also is well versed in reverse engineering. The difficulty level for someone not in the field is very hard to understand even when given exact details.

The experience needed to understand how it works it works and how to properly execute it in this difficult boundaries requires a understanding level of about 2 PHD's in Computer Security or Computer Science equivalent that directly relates to this field of work.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 37765908
the exploit is in the wild as we speak, patch your systems.  Somehow between Microsoft and its security partners the proof of concept code got into the hands of the bad guys and code using the Proof of Concept coding has surfaced in the bad guy's web sites for sale.
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 500 total points
ID: 37766142
As true as recommending to patch as soon as possible is. It's still not answering the question.  The truth is it's been in the wild for a few months already and now it's finally in the papers because of the slip. Microsoft had a long history of being very slow at releasing real information for these topics. They want to get as many details as possible before even attempting to alert anyone about the fact it's real an out there. On top of that they dont even want people to know it exists. The longer they can keep a lid on it the less $100,000 they have to spend for each new flaw found and time spent figuring out how to safely patch the flaw in question.

I already have 4 versions of this exploit already for work. One PoC in the wild is actually old news turned new because of recent heat placed on MS. They don't include that this exploit is also directly related with a Chinese rootkit being spread around. I for a fact know that's not reported in the news.. I have the binary dropper and locations to PoC on that subject...

The slipped PoC is from the FBI, btw. The infector that exploits this downloads this rootkit from a blank purple looking site after being exploited and then also makes a "Uh-oh!" sound the minute after you get exploited. Kills all antivirus and corrupts the service memory location after you boot back into the system while the AV application attempts to load on bootup. I took a snapshot of that as well. I don't need to go into raw details here.
As for the selling part, I am not sure about being sold on bad guys sites. That would have happened long before the fact. Anyone with common sense can just packet sniffer a PoC and they have the first stage of the exploit. That makes the exploit free and available to anyone. Anyone who buys leftover exploits is a fool. I can't honestly see that happening.

Unless it's on a few unnamed kiddie spawning sites. Anyways, enough with my news flash. Hope you learn a little something new.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37785596
There's no problem here. Executing technical details are hard to come by and definitely will not be discussed.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question