
Kevin Beaumont

BlueKeep - RDP vulnerability exploitation tracking


A track of BlueKeep CVE-2019-0708 scanners and exploits.

Scanners

https://github.com/zerosum0x0/CVE-2019-0708 - first uploaded May 22nd 2019

https://www.rapid7.com/db/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep - first uploaded May 25th 2019

Remote code execution exploits

Unreleased

Technical writeups

@0xeb_bp has released a technical writeup. It doesn't contain code but it does make clear how to reach exploitation, at least on XP.

0xeb_bp_BlueKeep_Technical_Analysis.pdf


I've added @0xeb_bp's write up above, with PDF, which shows how to abuse IcaChannelInputInternal.

10 minutes ago, Quentyn Taylor said:

shall we start a poll as to how long it will be .....

Haha. I still think it will be a little while before there's a public RCE exploit, as the information in the last few days would need piecing together.


heard a rumor that sodinokibi is moving laterally with BlueKeep

connected with this tweet 


Edited by james mckinlay

49 minutes ago, james mckinlay said:

heard a rumor that sodinokibi is moving laterally with BlueKeep

connected with this tweet 


I dunno about this, I had a quick look and it doesn't appear to do anything with BlueKeep.

I've seen a cryptomining botnet doing BlueKeep scanning, they don't have an exploitation module tho.


Apparently Watchbog is integrating something related to Bluekeep...

Edited by Tiago Henriques


Somewhat duplicative of Twitter awareness, but just in case:

See thread. Full PoC, it appears.

Edited by Royce Williams

1 hour ago, Royce Williams said:

Somewhat duplicative of Twitter awareness, but just in case:

See thread. Full PoC, it appears.

I wouldn't worry too much about that. He's talking about the PDF I linked up-thread. It still needs work to piece it into a working exploit.


Yeah they’re selling the exploit, maybe Dave Aitel can create the next WannaCry. 

13 hours ago, Tiago Henriques said:

Apparently Watchbog is integrating something related to Bluekeep...

They clarified this one, it doesn’t include a BlueKeep exploit: 


Yep. The Immunity exploit is crap as it’s Win7 32 bit single core only (ie no desktop or laptop in a decade), the coming Metasploit module is Win7/2008 32 and 64 bit multi core supported. 

They may hold off release tho, dunno. Part of the reason this hasn’t been exploited is the exploits have been pretty crap so far. 


For info - I've seen the thing where ACSC say they 'confirm' 'potential exploitation' of BlueKeep, but I think they're just talking about the non-public Metasploit module.


It's out now. Happy Friday. 

https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/

Quote

Today, Metasploit is releasing an initial public exploit module for CVE-2019-0708, also known as BlueKeep, as a pull request on Metasploit Framework. The initial PR of the exploit module targets 64-bit versions of Windows 7 and Windows 2008 R2. The module builds on proof-of-concept code from Metasploit contributor @zerosum0x0, who also contributed Metasploit’s BlueKeep scanner module and the scanner and exploit modules for EternalBlue. Metasploit’s exploit makes use of an improved general-purpose RDP protocol library, as well as enhanced RDP fingerprinting capabilities, both of which will benefit Metasploit users and contributors well beyond the context of BlueKeep scanning and exploitation.


I've seen this being exploited in the wild (low-skilled threat actor). Has anyone else witnessed this? I've got this in the lab working against 7 SP1 on a VM.


I haven't seen anything in my honeypots, just the usual RDP bruteforce stuff.


Posted this to Twitter while I was playing over the weekend:

Easy way to calculate the NPP address for targets if you can replicate the infrastructure. 

I identified the address for AWS instances tested on everything from T2 small to T3 extra large, so I'm assuming it's the same for all instance types and sizes.

On 9/9/2019 at 12:29 PM, Kevin Beaumont said:

I haven't seen anything in my honeypots, just the usual RDP bruteforce stuff.

My palo is offline at the minute so can't see anything. I'm asking people with bigger networks 🙂


Ok, from what I've seen, people are using passive sources (e.g. BinaryEdge) to then hit boxes (clearly they won't know the offsets, so the likelihood of a BSOD is high rather than compromise). I'll try and get a honeypot/s up this weekend.
