CVE-2019-0708

RDP Remote Code Execution Vulnerability

CVE-2019-0708, also known as BlueKeep, affects Windows machines that have the Remote Desktop Protocol (RDP) enabled. It is a use-after-free vulnerability in the RDP service that can be triggered before any authentication takes place and has the potential to result in total compromise of the victim machine.

USE AFTER FREE

MEMORY CORRUPTION FLAWS

Use-after-free (UAF) vulnerabilities are a category of memory corruption flaws in which a program keeps using a pointer after the memory it points to has been freed.

Because freed memory is handed out again to later allocations, a stale pointer ends up reading or writing whatever data now occupies that location. At best this crashes the running program; if an attacker can control what is allocated into the freed space, the stale pointer can be steered into arbitrary code execution, which in a network-facing service means remote code execution.

HOW BLUEKEEP WORKS

A FLAWED KERNEL DRIVER

The vulnerability stems from a use-after-free bug in the RDP kernel driver, termdd.sys. When a connection is set up, the driver binds an internal static virtual channel named 'MS_T120'. The list of channels requested by the client is not checked for duplicates, so an attacker can request a second channel with the same name and obtain a client-controlled binding to the same channel object.

By sending crafted data over this channel and then closing it, the attacker frees the channel object while the driver still holds a reference to it. That dangling reference is later dereferenced, and an attacker who controls the freed memory at that moment gains code execution in kernel context, i.e. full control of the computer.
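The following C program is a teaching model added here; it is not code from this page, from Microsoft or from termdd.sys, and it speaks no RDP. It reproduces on a toy channel table the pattern described in the two sections above (a use-after-free, caused by the unchecked duplicate binding of MS_T120): the table size, the MS_T120_INDEX slot and every function name are assumptions chosen for illustration. The vulnerable bind lets a client-chosen slot alias the server's internal channel object, so closing the channel through one slot leaves the other slot dangling; the hardened bind refuses the duplicate name. The model counts the dangling slots instead of dereferencing them, because that dereference is exactly the crash the real exploit turns into code execution.

```c
/*
 * Added teaching model of the BlueKeep channel-table flaw. NOT termdd.sys
 * code and no RDP parsing: MAX_CHANNELS, MS_T120_INDEX and all function
 * names are assumptions chosen to illustrate the pattern
 * (unchecked duplicate binding -> dangling pointer -> use-after-free).
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHANNELS   32
#define MS_T120_INDEX  31   /* assumed slot the server binds its internal channel to */

typedef struct {
    char name[8];           /* static virtual channel names are at most 7 chars + NUL */
} channel_t;

typedef struct {
    channel_t *slot[MAX_CHANNELS];
} channel_table_t;

static channel_t *channel_new(const char *name) {
    channel_t *c = calloc(1, sizeof *c);
    if (c) snprintf(c->name, sizeof c->name, "%s", name);
    return c;
}

/* Fresh table: only the server-internal MS_T120 channel is bound. */
static void table_init(channel_table_t *t) {
    memset(t, 0, sizeof *t);
    t->slot[MS_T120_INDEX] = channel_new("MS_T120");
}

static int find_by_name(const channel_table_t *t, const char *name) {
    for (int i = 0; i < MAX_CHANNELS; i++)
        if (t->slot[i] && strcmp(t->slot[i]->name, name) == 0)
            return i;
    return -1;
}

static int first_free(const channel_table_t *t) {
    for (int i = 0; i < MAX_CHANNELS; i++)
        if (!t->slot[i]) return i;
    return -1;
}

/* VULNERABLE: the client-supplied name is never compared against names that
 * are already bound. A request for "MS_T120" therefore makes a low,
 * client-chosen slot point at the SAME object the server holds at
 * MS_T120_INDEX. */
static int bind_vulnerable(channel_table_t *t, const char *name) {
    int idx = first_free(t);
    if (idx < 0) return -1;
    int existing = find_by_name(t, name);
    t->slot[idx] = existing >= 0 ? t->slot[existing] : channel_new(name);
    return idx;
}

/* HARDENED: refuse a name that is already bound, so no two slots can alias
 * one object and closing one slot can never orphan another. */
static int bind_hardened(channel_table_t *t, const char *name) {
    if (find_by_name(t, name) >= 0) return -1;
    int idx = first_free(t);
    if (idx < 0) return -1;
    t->slot[idx] = channel_new(name);
    return idx;
}

/* Closing frees the object and clears ONLY the slot being closed; the table
 * has no idea that another slot refers to the same memory. */
static void close_channel(channel_table_t *t, int idx) {
    free(t->slot[idx]);        /* free(NULL) is a no-op */
    t->slot[idx] = NULL;
}

/* Attacker binds "MS_T120" and then closes it through the client's slot.
 * Returns how many slots are left holding a dangling pointer; any later
 * dereference of such a slot (as happens in termdd.sys during connection
 * teardown) is the use-after-free. */
static int run_scenario(bool hardened) {
    channel_table_t t;
    table_init(&t);

    int idx = hardened ? bind_hardened(&t, "MS_T120")
                       : bind_vulnerable(&t, "MS_T120");
    int dangling = 0;
    if (idx >= 0) {
        /* Record aliases BEFORE freeing, so the model itself never reads a
         * pointer whose target has been released. */
        bool alias[MAX_CHANNELS] = {0};
        for (int i = 0; i < MAX_CHANNELS; i++)
            if (i != idx && t.slot[i] == t.slot[idx]) { alias[i] = true; dangling++; }

        close_channel(&t, idx);              /* frees the shared object */

        /* Model cleanup only: null the dangling slots so the teardown below
         * does not double-free. The real driver did NOT do this. */
        for (int i = 0; i < MAX_CHANNELS; i++)
            if (alias[i]) t.slot[i] = NULL;
    }
    for (int i = 0; i < MAX_CHANNELS; i++) close_channel(&t, i);
    return dangling;
}

int main(void) {
    printf("vulnerable bind: %d dangling slot(s) after close\n", run_scenario(false));
    printf("hardened bind:   %d dangling slot(s) after close\n", run_scenario(true));
    return 0;
}
```

The vulnerable run reports one dangling slot (the server's own MS_T120_INDEX entry), the hardened run reports none. The real patch is stricter still: it also stops trusting the client's choice of index for that name, which is the general lesson here, that identity (the channel name) and not the client-controlled position must decide what gets bound.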

PRE-REQUISITES

OPERATING SYSTEM & REGISTRY VALUE

A proof-of-concept exploit module for BlueKeep was added to the Metasploit Framework. The module targets only 64-bit Windows 7 SP1 and Windows Server 2008 R2, and the target profile matching the victim's virtualisation platform (for example VirtualBox, VMware or Hyper-V guest) must be selected, because the module's kernel memory-layout assumptions differ per platform; a wrong profile usually crashes the target rather than giving a session.

It also requires the REG_DWORD value fDisableCam under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp to be set to 0 (it is 1 by default on Windows Server 2008 R2, so that target needs the change). If this is not done, the victim machine blue-screens during exploitation and the exploit does not succeed.

PRE-REQUISITES

REMOTE DESKTOP PROTOCOL (RDP) ENABLED

Finally, the victim must have Remote Desktop enabled and be reachable on the RDP listener, TCP port 3389 by default. Remote Desktop is switched on in System Properties (Remote tab, "Allow connections from computers running any version of Remote Desktop"), which sets fDenyTSConnections to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server; a machine with Remote Desktop disabled does not expose the vulnerable service at all.

Note that if Network Level Authentication (NLA) is enabled on the target, the vulnerable channel setup only takes place after a successful login, so an attacker without valid credentials cannot reach the bug. Enabling NLA therefore blocks the unauthenticated attack described on this page, although it is not a substitute for installing the patch.


©️ 2020 School of InfoComm Technology, Ngee Ann Polytechnic. All rights reserved.
