The remote Windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

Posted on 2012-03-25
Last Modified: 2012-04-03
How can a remote hacker use this?

If they know port 3389/tcp is open, what can they do and how can they use it?
Question by: scarlettbutler7
LVL 28

Expert Comment

ID: 37762507
There is a very fine line in terms of discussing this. Without going into the details too deeply, people who understand very well how certain network protocols work analyze how data transfers occur and how the programs that are supposed to process that data treat it.

LVL 28

Expert Comment

ID: 37762516
There are also a number of tools that can be utilized to test whether machines possess vulnerabilities. However, I will not delve too deeply into those details. Assuming you're on the defensive side of things, I would go ahead with the patching, then research more into things later.
LVL 15

Accepted Solution

Russell_Venable earned 500 total points
ID: 37765386
If the RDP protocol is not properly fixed, an attacker can send a specially crafted RDP packet that abuses the way RDP handles in-memory operations, and when these operations are disturbed in this certain fashion it allows you to insert a certain amount of instructions into this memory buffer and execute them, allowing what is called a "remote vulnerability". Specifically, in this case: uninitialized code or improperly initialized code, to say the least. Meaning if it is not initialized properly it does not set a defined value and can be altered if the conditions are met.

Since RDP is open on 3389 as a default slave port, this makes a very attractive exploit on the market, since it is built into the system and allows interactive sessions. If this is on a server with Terminal Services running many of these sessions, an attack like this will go unnoticed pretty easily.

I already have the exploit to this pesky problem and have already seen the side effects. There are attacks already seen underway, starting with China, which has picked up on this rather quickly.

I hope you're not looking for an exact explanation of how it works. You won't get those details unless you're a security researcher like myself who has the "need to know". The difficulty level involved with this type of exploit is rather high and requires a greater understanding of not only the system internals, but also being well versed in reverse engineering. The difficulty level for someone not in the field is very hard to understand even when given exact details.

The experience needed to understand how it works and how to properly execute it within these difficult boundaries requires an understanding level of about 2 PhDs in Computer Security or Computer Science equivalent that directly relates to this field of work.

LVL 81

Expert Comment

by: David Johnson, CD, MVP
ID: 37765908
The exploit is in the wild as we speak; patch your systems. Somehow, between Microsoft and its security partners, the proof-of-concept code got into the hands of the bad guys, and code using the proof-of-concept coding has surfaced on the bad guys' web sites for sale.
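A defender-side check for the advice above, added here as an example and not written by any poster in this thread. It assumes the MS12-020 packages for CVE-2012-0002 and CVE-2012-0152 are KB2621440 and KB2667402 (override with -HotfixIds if your build uses different ids) and relies only on built-in cmdlets, the standard Terminal Server registry keys and netstat:

```powershell
# Added example: audit a Windows host for exposure to the RDP flaw discussed in this thread.
# Assumption: KB2621440 / KB2667402 are the MS12-020 hotfix ids; verify against the bulletin.
param(
    [string[]]$HotfixIds = @('KB2621440', 'KB2667402')
)

$findings = @()

# 1. Is the patch installed?  Get-HotFix reads the same data as "wmic qfe".
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $HotfixIds -contains $_.HotFixID }
if (-not $installed) {
    $findings += "MS12-020 hotfix ($($HotfixIds -join ', ')) not found: host is unpatched"
}

# 2. Is Remote Desktop enabled at all?  fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$rdpEnabled = ($ts -and $ts.fDenyTSConnections -eq 0)

# 3. Which port does RDP listen on, and is Network Level Authentication required?
#    Microsoft listed enabling NLA as a workaround: an unauthenticated peer then never
#    reaches the vulnerable pre-authentication parsing code.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
$port = if ($rdpTcp -and $rdpTcp.PortNumber) { $rdpTcp.PortNumber } else { 3389 }
$nla  = ($rdpTcp -and $rdpTcp.UserAuthentication -eq 1)

if ($rdpEnabled) {
    $findings += "Remote Desktop is enabled on TCP port $port"
    if (-not $nla) {
        $findings += "Network Level Authentication is OFF: unauthenticated clients reach the RDP parser"
    }
}

# 4. Is anything actually bound to that port (catches non-default listeners as well)?
$listening = netstat -an | Select-String -Pattern ":$port\s+.*LISTENING"
if ($listening) { $findings += "A listener is bound on TCP $port" }

if ($findings.Count -eq 0) {
    Write-Output "OK: patched, or Remote Desktop disabled and nothing listening on $port"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it elevated on each host; a non-zero exit code flags hosts that still need the patch or NLA before being reachable from untrusted networks on 3389.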
LVL 15

Assisted Solution

Russell_Venable earned 500 total points
ID: 37766142
As true as recommending to patch as soon as possible is, it's still not answering the question. The truth is it's been in the wild for a few months already, and now it's finally in the papers because of the slip. Microsoft has a long history of being very slow at releasing real information on these topics. They want to get as many details as possible before even attempting to alert anyone about the fact it's real and out there. On top of that, they don't even want people to know it exists. The longer they can keep a lid on it, the fewer $100,000 they have to spend for each new flaw found and time spent figuring out how to safely patch the flaw in question.

I already have 4 versions of this exploit for work. One PoC in the wild is actually old news turned new because of recent heat placed on MS. They don't include that this exploit is also directly related to a Chinese rootkit being spread around. I know for a fact that's not reported in the news... I have the binary dropper and locations to the PoC on that subject...

The slipped PoC is from the FBI, by the way. The infector that exploits this downloads this rootkit from a blank, purple-looking site after exploitation and then also makes an "Uh-oh!" sound the minute after you get exploited. It kills all antivirus and corrupts the service memory location after you boot back into the system while the AV application attempts to load on bootup. I took a snapshot of that as well. I don't need to go into raw details here.

As for the selling part, I am not sure about it being sold on bad guys' sites. That would have happened long before the fact. Anyone with common sense can just packet-sniff a PoC and they have the first stage of the exploit. That makes the exploit free and available to anyone. Anyone who buys leftover exploits is a fool. I can't honestly see that happening.

Unless it's on a few unnamed kiddie spawning sites. Anyways, enough with my news flash. Hope you learn a little something new.
LVL 15

Expert Comment

ID: 37785596
There's no problem here. Executing technical details are hard to come by and definitely will not be discussed.
