ms12-020 mistery: the packet stored in the "chinese" rdpclient.exe PoC is the EXACT ONE I gave to ZDI!!! @thezdi? @microsoft? who leaked?
March 18, 2012 9:20 AM   Subscribe

Included in this month's Patch Tuesday was MS12-020, which is a remote exploit in Microsoft's widely deployed Remote Desktop Protocol (RDP). Microsoft projected an exploit would be out 'within a month', but a Proof-of-Concept (PoC) appeared on a Chinese website within a few days. Professionals are concerned. The discoverer of the vulnerability noted that the PoC included the exact packet he had crafted to help Microsoft understand he issue; this points to a leak in the MAPP early vulnerability sharing program. A full remote exploit isn't out yet, but is expected soon.
posted by These Premises Are Alarmed (33 comments total) 8 users marked this as a favorite
 
So, this FPP has me totally confused.

I thought an exploit was a bad thing, and that patches were issued to disable exploits.

So, Patch Tuesday had... what? An exploit that was being downloaded, or a patch?

A full remote exploit... what? isn't out yet, but is expected soon?

I know that the actual lede of this FPP is supposed to be about the apparently leak in the exploit-reporting system which China apparently has access to, allowing them to use exactly the material being reported to develop an exploit...

But I'm really horribly confused about exactly what is available for downloading, what should be expected soon, and whether or not any of this is actually desirable.
posted by hippybear at 9:41 AM on March 18, 2012 [1 favorite]


Patch was released for a discovered vulnerability. No exploit for that vulnerability has been seen in the wild yet, although proof-of-concept code has been posted to some Chinese website.
posted by ryanrs at 9:43 AM on March 18, 2012 [2 favorites]


I've decided to not worry about ths at all, as is my Sunday morning perogative.
posted by datter at 9:45 AM on March 18, 2012 [1 favorite]


1) researcher submits proof of concept code to MS. POC code simply crashes the target box.
2) MS releases patch to public.
3) MS releases POC code to various "partners" to aid in penetration testing.
4) Code suspiciously like POC code appears on Internet.
5) Now that POC code is out in the wild, expect more full featured exploits that do more than just crash the box.
posted by Ad hominem at 9:47 AM on March 18, 2012 [4 favorites]


BTW, I would expect that POC code would have emerged even without a leak as hackers etc. simply reverse engineer the patch.
posted by Ad hominem at 9:49 AM on March 18, 2012


No. It's very unlikely that an analysis of the patch would yield exactly the same exploit packet as was used in the proof-of-concept code.
posted by ryanrs at 9:52 AM on March 18, 2012


I would expect that POC code would have emerged even without a leak

Although Microsoft itself is saying there might be a leak...
posted by hippybear at 9:53 AM on March 18, 2012


If you can access your computer remotely, someone else can as well.
posted by tommasz at 9:56 AM on March 18, 2012 [1 favorite]


The weird thing about this is not that there was a vuln, or a patch, or a proof of concept attack on the vuln, but that there is a leak from MAPP.
posted by Threeway Handshake at 9:56 AM on March 18, 2012 [8 favorites]


The only way three people can keep something secret is if two of them are dead.
posted by infinitewindow at 9:59 AM on March 18, 2012 [1 favorite]


I'm sorry, but it's just plain blindingly obvious that something like MAPP will leak, and leak frequently. Even if this leak didn't come from MAPP, there are surely tons of leaks from it.

The problem here is that suits can't imagine a world without giving some kind of preference to their "partners", so they build programs like that... and delusional structures that let them pretend it's not a stupid idea.
posted by Hizonner at 10:09 AM on March 18, 2012 [1 favorite]


Dan Kaminky had some interesting thoughts on this. You can also do a check of your system at rdpcheck.com. Turn off RDP if you are not using it!

And yes. The big thing here is the MAPP leak - that's what's gotten so many security researchers up in a tizzy about this.
posted by gemmy at 10:13 AM on March 18, 2012 [2 favorites]


Yeah it is clear there is probably a leak. MAPP was set up specifically because companies were wasting time reverse engineering patches, so it isn't an inherently stupid idea. Once a patch is out there is pretty much a race to reverse it so might was will give legit infosec companies a leg up.

I'd like to know when MAPP partners got the POC from MS. Was it leaked immediately or have MAPP partners had this for a while? Has it been kicking around for months? Is there already a exploit out there?
posted by Ad hominem at 10:16 AM on March 18, 2012


I thought an exploit was a bad thing, and that patches were issued to disable exploits.

Yes but bad people will reverse engineer the patch to find the details of the vulnerability and then use that knowledge to attack other computers which don't yet have the patch installed.

If you run Microsoft Update then you don't have anything to worry about.
It tends to be companies with a lax policy for applying security patches who run into problems with these things.
posted by Lanark at 10:19 AM on March 18, 2012


I've decided to not worry about ths at all, as is my Sunday morning prerogative.

I've decided not to worry about it immediately, because I don't have port 3389/tcp open to the internet, full stop. If you want a console on one of my boxes, you need to have a VPN tunnel.

It doesn't mean I don't have to worry about it -- if I leave this hole unpatched and someone gets in through some other route, not patching means I've given them a great tool to keep digging with.

If you run Microsoft Update then you don't have anything to worry about.

Other than a patch breaking something critical. You may find that acceptable, I don't -- a patch breaking a production system can't be used.

Patches need to be tested first. In fact, this particular patch is in test for us right now, I expect it'll be moving to production pretty quickly, though, given that it appears the worst-case flaw is loss of RDP, and we have other ways to admin machines if needed -- VMware consoles and various ILOM systems for physical hardware -- or, worst worst case, there are crash carts in the data center.
posted by eriko at 10:25 AM on March 18, 2012


Yep, my production servers won't get this for a while. It will first be deployed to "security lab" computers" to ensure that it do not have any side effects. Then they have to have everyone sign off on a deployment date. Then I have to be online to do testing after the deployment.

Security patches have broken production apps many times in the past, yu can't just deploy them and hope for the best.
posted by Ad hominem at 10:27 AM on March 18, 2012


If you run Microsoft Update then you don't have anything to worry about.

If you run straight Windows Update on production servers, you probably should consider a new line of work.
posted by Threeway Handshake at 10:31 AM on March 18, 2012 [11 favorites]


Even running a single machine I've been burned by trusting the updates. They do break stuff, and the stock response seems to be, "yeah, we thought the patch might do that. Sucks to be you."
posted by Karmakaze at 10:55 AM on March 18, 2012


As long as there have been restricted access lists for sharing exploits among an elite few, there have been leaks from those lists. Zardoz, CORE, FIRST, Infohax, the list goes on & on. I'm a little surprised it was this fast but not very. It's an important vulnerability, at least theoretically (it remained to be seen whether arbitrary remote code execution can actually be teased from it, last I read). Whoever shares it can extract great value in exchange for it, with relatively low risk of exposure given the number of people & groups it was distributed to. Or it could've been outright theft from someone snooping into mailspools. Either way its value had a limited time attached once the patch was released. So no, I'm not really surprised it happened this way, this fast. History repeats itself, as it always has.
posted by scalefree at 11:03 AM on March 18, 2012


DING DING DING! Threeway handshake wins the prize! (and given your username, I've been champing at the bit to talk shop with you!)
posted by roboton666 at 11:53 AM on March 18, 2012


If you run Microsoft Update then you don't have anything to worry about.

If you run straight Windows Update on production servers, you probably should consider a new line of work.


I was writing that for people with home PCs (who are probably completely confused by this thread) I would hope that anyone responsible for running windows servers will know how to use WSUS.
posted by Lanark at 12:32 PM on March 18, 2012


Lanark: "I would hope that anyone responsible for running windows servers will know how to use WSUS."

I suspect that misses the point that was being made.
posted by wierdo at 12:49 PM on March 18, 2012


What point was being made?
posted by koeselitz at 1:27 PM on March 18, 2012


I was making no hidden points.
This is all a tangent though. This story is about a leak, not some patch for an rdp vulnerability.
posted by Threeway Handshake at 1:34 PM on March 18, 2012 [1 favorite]


Windows exploits make baby Linus smile. :)
posted by jeffburdges at 2:29 PM on March 18, 2012 [1 favorite]


If you run windows on production servers...
posted by mullingitover at 2:30 PM on March 18, 2012 [3 favorites]


The only way three people can keep something secret is if two of them are dead.

Personally, I blame the fencepost.
posted by dhartung at 2:49 PM on March 18, 2012


I'm still astounded that RDP is widely open directly to the internet. This is the default with a lot of cloud providers, which is just kinda, weird, honestly.

Yeah, if you fire up a windows EC2 server, RDP is the default. There are some mentions of maybe-you-might-think-about-a-VPN but no clear obvious route for doing so.

If you fire up a Linux EC2 server, secure key super shell something or other (excuse my linux-fu) is the default and is much better.
posted by memebake at 2:50 PM on March 18, 2012


I'm going to turn off RDP for my desktop machines. Because I had no idea that such a thing was enabled by default, and it just strikes me as dumb.

But it appears that a simple residential router (NAT) makes it impossible for strangers to access the RDP port anyway.
posted by Western Infidels at 3:11 PM on March 18, 2012


If you fire up a Linux EC2 server, secure key super shell something or other (excuse my linux-fu) is the default and is much better.

I've often wondered about how people manage Windows servers - do people really connect to them through RDP to configure them? I guess they must, lacking a usable text-based shell and ssh...
posted by Jimbob at 6:02 PM on March 18, 2012


RDP is disabled by default on Windows 7 and XP. Not sure about earlier OS versions, but I doubt many people are running 98 or 3.1.

This FPP isn't going to make a lot of sense to folks outside the IT field, especially if the focus of the post was the leak of exploit code.
posted by dejah420 at 6:31 PM on March 18, 2012


do people really connect to them through RDP to configure them

Well, yes and no. You can configure most anything on windows using group policies and you can do most other shit using WinRM or WMI. In this day and age everything is a preconfigured image or everything is slipstreamed in to physical install media. Even in the olden days people used stuff like Dameware to manage Windows. It isn't like windows sysadmins are RDPed into 1000 machines messing with ini files with notepad. But if I, being a simple developer, need to check the eventlog or something I RDP in.
posted by Ad hominem at 6:51 PM on March 18, 2012 [2 favorites]


I've often wondered about how people manage Windows servers - do people really connect to them through RDP to configure them?

For some tasks. There are huge variety of other tools as well, notably WMI and group policy based tools.

I guess they must, lacking a usable text-based shell and ssh...

They have both, of course, as if that was the only "proper" way to configure a computer. Bias much?
posted by kjs3 at 5:12 AM on March 19, 2012


« Older (Cutting the) Bee's Knees (out from under them)   |   "Try as I could, I couldn't get past the first... Newer »


This thread has been archived and is closed to new comments