
A public exploit module for the BlueKeep Windows vulnerability has been added today to the open-source Metasploit penetration testing framework, developed by Rapid7 in collaboration with the open-source community.
BlueKeep is a wormable remote code execution (RCE) flaw in the Windows Remote Desktop Protocol (RDP) service that lets unauthenticated attackers run arbitrary code on unpatched systems, crash them (denial of service), or, in some cases, take full control of them.
The newly released Metasploit BlueKeep exploit module is built on proof-of-concept code from Metasploit contributors zǝɹosum0x0 and Ryan Hanson, and it currently targets only the 64-bit versions of Windows 7 and Windows Server 2008 R2.
"By default, Metasploit’s BlueKeep exploit only identifies the target operating system version and whether the target is likely to be vulnerable," said Metasploit senior engineering manager Brent Cook.
"The exploit does not currently support automatic targeting; it requires the user to manually specify target details before it will attempt further exploitation."
"All of the information required for exploitation has already leaked out in weeks past and at least a dozen privately held exploits have been announced," zǝɹosum0x0 told BleepingComputer when asked if users should be concerned that threat actors will soon be using the exploit.
"It has been a concern for many months to patch this vulnerability, and like previous wormable Windows bugs, it will probably still be a concern for untold years to come."
The release of this public BlueKeep exploit comes on the heels of an increased number of attacks targeting RDP servers, with BinaryEdge currently detecting more than 1,000,000 unpatched machines visible on the Internet.
Shodan also provides a dashboard for tracking BlueKeep vulnerable systems, with per country statistics. Just in the US alone, for instance, there are currently 71,977 unpatched servers.
Rapid7's own plot of daily RDP activity shows the progressively increasing BlueKeep-related activity observed since October 2018.

"Metasploit’s exploit makes use of an improved general-purpose RDP protocol library, as well as enhanced RDP fingerprinting capabilities, both of which will benefit Metasploit users and contributors well beyond the context of BlueKeep scanning and exploitation," Cook also added.
He also warns that "If an intrusion prevention system interrupts in-progress BlueKeep exploitation simply because it detects a payload signature against an unpatched target, breaking that network connection will likely crash the target as a side effect, since the exploit code is actually triggered by a network disconnect."
More details on how the module identifies targets, how it is used, and how to avoid crashing targets when an IPS interrupts the exploit mid-connection are available in Cook's blog post and in the Metasploit Framework pull request.
BlueKeep scanners and exploits
Immunity also shipped a fully working BlueKeep exploit in version 7.23 of its CANVAS penetration testing tool on July 23.
The company decided to add a fully working RCE exploit to its penetration testing tool and not just a scanner to find vulnerable machines to "help customers solve their risk problems," said the company at the time. "It’s not just about BLUEKEEP – there will always be another vulnerability that comes along and puts you at risk."
New Release - CANVAS 7.23: This release features a new module for the RDP exploit, BLUEKEEP. Check out our video demonstration here: https://t.co/azCuJp1osI #bluekeep #cve20190708 #exploit
— Immunity Inc. (@Immunityinc) July 23, 2019
On May 14, Microsoft patched the critical RCE vulnerability, tracked as CVE-2019-0708, which affects Windows XP, Vista, 7, Server 2003, and Server 2008.
Several researchers developed and demoed multiple proof-of-concept exploits for the vulnerability after Microsoft issued security updates to patch the BlueKeep flaw.
Some of them created scanners that find unpatched Windows devices without crashing the scanned host [1, 2], as well as detection rules such as NCC Group's Suricata BlueKeep signature. Intezer researchers also discovered a new Watchbog malware variant with a BlueKeep scanner module in July.
On August 13, Microsoft also patched two other wormable remote code execution (RCE) flaws in Remote Desktop Services (RDS), tracked as CVE-2019-1181 and CVE-2019-1182, which affect all in-support versions of Windows.
Users urged to patch their BlueKeep-vulnerable machines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a list of BlueKeep mitigation measures in June as part of an alert urging users to patch all BlueKeep-vulnerable devices, announcing at the same time that it had achieved RCE by successfully exploiting a vulnerable Windows 2000 computer.
CISA's warning was the fourth urging users to patch or upgrade vulnerable systems, following two from Microsoft [1, 2] and one from the U.S. National Security Agency.
CISA also urged all Windows admins and users to review the Microsoft BlueKeep Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708.
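Before trusting any scanner's verdict, an administrator will usually want to audit the exposure factors on the host itself: whether the OS is in the affected family, whether RDP is enabled and listening, whether Network Level Authentication (NLA) is enforced, and whether a fixing update is present. The following PowerShell script is an added example written for this page; it is not from the article, Rapid7, Microsoft or CISA. It assumes the documented Terminal Server registry keys, and the default KB identifiers (`KB4499175`, `KB4499164`) are an assumption for Windows 7 SP1 / Server 2008 R2 SP1 that should be checked against Microsoft's CVE-2019-0708 advisory before use. It is written to run on PowerShell 2.0 so that it works on the very Windows 7 / Server 2008 R2 hosts the Metasploit module targets.

```powershell
# Added example (not from the article, Rapid7, Microsoft or CISA): audit a local
# Windows host for the usual CVE-2019-0708 exposure factors before and after patching.
# Run in an elevated PowerShell session on the host being checked.
param(
    # ASSUMPTION: May 2019 security-only and monthly-rollup KB IDs for
    # Windows 7 SP1 / Server 2008 R2 SP1. Verify against Microsoft's CVE-2019-0708
    # advisory and substitute the IDs for other OS versions.
    [string[]]$PatchKBs = @('KB4499175', 'KB4499164')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. OS family. BlueKeep affects NT 5.x (XP / Server 2003) and 6.0 / 6.1
#    (Vista / Server 2008, 7 / Server 2008 R2); newer versions are out of scope.
$ver = [System.Environment]::OSVersion.Version
$affectedFamily = ($ver.Major -lt 6) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

# 2. Is Remote Desktop accepting connections? fDenyTSConnections = 1 means it is off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 3. Is Network Level Authentication enforced? NLA makes the client authenticate
#    before a session is set up, which closes the unauthenticated path BlueKeep uses.
#    It is a partial mitigation: an attacker holding valid credentials can still reach it.
$ua = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($ua -eq 1)

# 4. Is the RDP listener actually bound on its configured port (default 3389)?
#    .NET is used here because Windows 7 / 2008 R2 lack Get-NetTCPConnection.
$port = (Get-ItemProperty -Path $tcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }
$listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
$rdpListening = [bool]($listeners | Where-Object { $_.Port -eq $port })

# 5. Is one of the fixing KBs installed? A hit proves the patch is present; a miss does
#    not prove it is absent, because a later cumulative rollup supersedes these IDs.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patchSeen = [bool]($PatchKBs | Where-Object { $installed -contains $_ })

# Summary object (New-Object rather than [pscustomobject] so PowerShell 2.0 accepts it).
$report = New-Object PSObject -Property @{
    OSVersion        = $ver.ToString()
    AffectedOsFamily = $affectedFamily
    RdpEnabled       = $rdpEnabled
    RdpListeningPort = $(if ($rdpListening) { $port } else { $null })
    NlaRequired      = $nlaRequired
    PatchKBSeen      = $patchSeen
}
$report | Format-List

# Exposure verdict: BlueKeep is reachable only when the host is in the affected family,
# RDP is on and listening, NLA is not enforced, and no fixing KB was found.
if ($affectedFamily -and $rdpEnabled -and $rdpListening -and -not $nlaRequired -and -not $patchSeen) {
    Write-Warning "Likely BlueKeep-exposed: patch now, or at minimum enable NLA and block TCP $port at the perimeter."
}
```

The patch check is deliberately one-directional: a listed KB being present settles the question, while its absence only means the host needs a closer look (a later rollup may carry the fix). Perimeter filtering of TCP 3389 is not something a host-local script can verify, so treat the listener check as "exposed to whatever can reach this port", not as proof of Internet exposure.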
Update September 06, 17:08 EDT: Cook provided the following response when asked whether the new Metasploit exploit module would give threat actors more information with which to build their own exploits, and what the reasons were behind Rapid7's decision to release the module.
Metasploit is an open-source exploitation toolkit that can be used by anyone. The information in the exploit module provides further understanding of attack techniques and how to mitigate them. This holds true for every module and technique added to Metasploit Framework. This module particularly benefits defenders who rely on open-source tooling for testing and prioritizing security risks.
We recognized that other researchers have also independently developed working exploits for this vulnerability, and given the public information that has accumulated so far, we felt it was important to help security practitioners demonstrate the direct risk associated with this vulnerability and encourage implementing mitigations.
The module today contains limitations that prevent its direct use for wide-scale automatic exploitation, but we do expect other knowledge from the security community to complete the picture at some point.
