
Exploit for gaping Microsoft RDP hole may have gotten help

March 16, 2012

The security researcher who discovered the dangerous and "wormable" Windows Remote Desktop Protocol (RDP) vulnerability patched earlier this week now believes that Microsoft may have accidentally leaked proof-of-concept exploit code that fell into the hands of Chinese hackers.

Luigi Auriemma came to this conclusion after finding similarities between the packets used in his initial find and the proof-of-concept (PoC) that emerged Thursday on a Chinese website. (Symantec on Friday confirmed that a PoC had been published that could lead to a denial-of-service condition).

Auriemma said he discovered the bug last May and reported his find to TippingPoint's Zero Day Initiative (ZDI) bug bounty service, which then handed over the information in August to Microsoft to develop a fix. On Tuesday, Microsoft released a patch, which came with a warning that the software giant expected to see a code-execution exploit released within 30 days.

It took about two days for a proof-of-concept to appear, Auriemma said.

"It was very late here in Italy, so at the moment, I thought that these 'Chinese hackers' were really similar to me," Auriemma wrote in a post on his blog.

But soon he discovered too many similarities between the published PoC and the one that he sent ZDI so the service could test the vulnerability, he said. As further proof, the posted code appears modeled after the PoC that Microsoft developed in November for internal tests, and which was likely distributed to partners as part of the Microsoft Active Protections Program (MAPP). The software giant shares vulnerability details with approved software security providers prior to its monthly fixes being released to allow security firms to immediately protect their customers once the patches are delivered.

"[The PoC published on the Chinese site] contains some debugging strings like 'MSRC11678' which is a clear reference to the Microsoft Security Response Center," Auriemma wrote.

Based on the evidence, Auriemma said he thinks those responsible for creating the publicly available PoC were the beneficiaries of a leak.

"In short, it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their partners for the creation of anti-virus signatures and so on," Auriemma wrote. "The other possible scenario is [that] a Microsoft employee [was] a direct or indirect source of the leak. The hacker intrusion looks the less probable scenario at the moment."

MAPP members must meet certain criteria before joining and sign non-disclosure agreements.

It should be noted that no code-execution exploit has yet been developed; such an exploit would be far more severe than an attack that merely triggers the so-called "blue screen of death" and forces a restart. But Auriemma said the PoC already published could give rise to a more reliable, dangerous exploit.

"This PoC is the starting point for writing a real exploit," Auriemma told SCMagazine.com in an email. "That's why all the security world was looking and waiting for it."

Auriemma has since released his own proof-of-concept for the vulnerability because the code is circulating anyway.

UPDATE: In a Friday afternoon EST statement, Yunsun Wee, director of the Microsoft Trustworthy Computing Group, said the company is "actively investigating the disclosure of shared Microsoft Active Protections Program (MAPP) vulnerability details and will take the necessary actions to protect customers. Given that a proof-of-concept code is publicly available, we recommend customers apply the security update (MS12-020) as soon as possible to be protected."

"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Wee wrote in a blog post.

ZDI denied any responsibility.

It tweeted: "We are 100 percent confident that the leaked info regarding MS12-020 did not come from the ZDI. For further information, please query Microsoft."
