Solved

The remote windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

Posted on 2012-03-25
591 Views
Last Modified: 2012-04-03
The remote windows host can allow arbitrary code execution CVE-2012-0002 CVE-2012-0152

How can a remote hacker use this?

If they know port 3389/tcp is open, what can they do and how can they use it?
Question by:scarlettbutler7
9 Comments
LVL 25

Expert Comment

by:masnrock
ID: 37762507
There is a very fine line in terms of discussing this. Without going into the details too deeply, people who understand very well how certain network protocols work analyze how data transfer occurs and how the programs that are supposed to process that data treat it.

LVL 25

Expert Comment

by:masnrock
ID: 37762516
There are also a number of tools that can be utilized to test whether machines possess vulnerabilities. However, I will not delve too deeply into those details. Assuming you're on the defensive side of things, I would go ahead with the patching, then research more into things later.
LVL 15

Accepted Solution

by: Russell_Venable (earned 500 total points)
ID: 37765386
If the RDP protocol is not properly fixed, an attacker can send a specially crafted RDP packet that abuses the way RDP handles in-memory operations, and when these operations are disturbed in this certain fashion it allows you to insert a certain amount of instructions into this memory buffer and execute them, allowing what is called a "remote vulnerability". Specifically, in this case, uninitialized code or improperly initialized code, to say the least. Meaning if it is not initialized properly it does not set a defined value and can be altered if the conditions are met.

Since RDP is open on 3389 as a default port, this makes a very attractive exploit on the market, since it is built into the system and allows interactive sessions. If this is on a server with Terminal Services running many of these sessions, an attack like this will go unnoticed pretty easily.

I already have the exploit to this pesky problem and have already seen the side effects. There are attacks already seen underway, starting with China, which has picked up on this rather quickly.

I hope you're not looking for an exact explanation of how it works. You won't get those details unless you're a security researcher like myself who has the "need to know". The difficulty level involved with this type of exploit is rather high and requires a greater understanding of not only the system internals, but also being well versed in reverse engineering. The difficulty level for someone not in the field is very hard to understand even when given exact details.

The experience needed to understand how it works and how to properly execute it within these difficult boundaries requires an understanding level of about 2 PhDs in Computer Security or Computer Science equivalent that directly relates to this field of work.
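A constructed illustration, added here and not part of the answer above, of the "improperly initialized" failure shape the answer describes in a packet handler, beside the hardened form a defender would want. The message layout, the function names and the sample bytes are hypothetical; they are not the real RDP structures and not the actual MS12-020 bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical message layout (constructed; NOT the real RDP format):
 *   byte 0: type, byte 1: flags, bytes 2-3: big-endian payload length, then payload. */
struct msg { uint8_t type; uint8_t flags; uint16_t len; const uint8_t *payload; };

/* Vulnerable shape: for any type other than 1 the 'len' field is never assigned,
 * so whatever value happened to be in memory decides how much a caller copies.
 * Kept only for contrast; it is never called here. */
int parse_msg_weak(const uint8_t *buf, size_t n, struct msg *m) {
    if (n < 4) return -1;
    m->type = buf[0]; m->flags = buf[1];
    if (m->type == 1) { m->len = (uint16_t)(buf[2] << 8 | buf[3]); m->payload = buf + 4; }
    /* else: m->len and m->payload are left indeterminate */
    return 0;
}

/* Hardened: every field starts defined, unknown types are rejected, and the
 * claimed length is bounded by what was actually received. */
int parse_msg_safe(const uint8_t *buf, size_t n, struct msg *m) {
    memset(m, 0, sizeof *m);
    if (n < 4) return -1;
    m->type = buf[0]; m->flags = buf[1];
    if (m->type != 1) return -1;
    uint16_t len = (uint16_t)(buf[2] << 8 | buf[3]);
    if (len > n - 4) return -1;        /* length field lies about the payload */
    m->len = len; m->payload = buf + 4;
    return 0;
}

/* Copy the payload into a fixed buffer; returns bytes copied, or -1 on any rejection. */
int handle_safe(const uint8_t *buf, size_t n, uint8_t *out, size_t out_cap) {
    struct msg m;
    if (parse_msg_safe(buf, n, &m) != 0) return -1;
    if (m.len > out_cap) return -1;    /* never trust len over the destination size */
    memcpy(out, m.payload, m.len);
    return (int)m.len;
}
```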
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 37765908
The exploit is in the wild as we speak, patch your systems. Somehow between Microsoft and its security partners the proof-of-concept code got into the hands of the bad guys, and code using the proof-of-concept coding has surfaced on the bad guys' web sites for sale.
LVL 15

Assisted Solution

by: Russell_Venable (earned 500 total points)
ID: 37766142
As true as recommending patching as soon as possible is, it's still not answering the question. The truth is it's been in the wild for a few months already and now it's finally in the papers because of the slip. Microsoft has a long history of being very slow at releasing real information on these topics. They want to get as many details as possible before even attempting to alert anyone about the fact it's real and out there. On top of that they don't even want people to know it exists. The longer they can keep a lid on it, the less $100,000 they have to spend for each new flaw found and time spent figuring out how to safely patch the flaw in question.

I already have 4 versions of this exploit for work. One PoC in the wild is actually old news turned new because of recent heat placed on MS. They don't include that this exploit is also directly related to a Chinese rootkit being spread around. I know for a fact that's not reported in the news. I have the binary dropper and locations to PoC on that subject...

The slipped PoC is from the FBI, btw. The infector that exploits this downloads this rootkit from a blank purple-looking site after being exploited and then also makes an "Uh-oh!" sound the minute after you get exploited. It kills all antivirus and corrupts the service memory location after you boot back into the system while the AV application attempts to load on bootup. I took a snapshot of that as well. I don't need to go into raw details here.

As for the selling part, I am not sure about it being sold on bad guys' sites. That would have happened long before the fact. Anyone with common sense can just packet-sniff a PoC and they have the first stage of the exploit. That makes the exploit free and available to anyone. Anyone who buys leftover exploits is a fool. I can't honestly see that happening.

Unless it's on a few unnamed kiddie spawning sites. Anyways, enough with my news flash. Hope you learn a little something new.
LVL 15

Expert Comment

by:Russell_Venable
ID: 37785596
There's no problem here. Technical details on execution are hard to come by and definitely will not be discussed.