BlueKeep ‘Mega-Worm’ Looms as Fresh PoC Shows Full System Takeover


A working exploit for the critical remote code-execution flaw shows how an unauthenticated attacker can achieve full run of a victim machine in about 22 seconds.

A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.

Reverse engineer Zǝɹosum0x0 tweeted about his success on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover.

“Still too dangerous to release, lame sorry,” he tweeted. “Maybe after first mega-worm?”

An earlier proof-of-concept (PoC) from McAfee showed a successful RCE exploit, but didn’t include the credential-harvesting – so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections.

The BlueKeep vulnerability (CVE-2019-0708) is an RCE flaw in Remote Desktop Services that impacts older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it’s wormable – it can self-propagate from machine to machine, setting the scene for a WannaCry-level, fast-moving infection wave.

The concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.

The new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Zǝɹosum0x0. The researcher said that it took time to develop the exploit, but clearly it can be achieved.

The National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation.

“It is likely only a matter of time before remote exploitation code is widely available for this vulnerability,” the NSA said in an advisory on Tuesday. “NSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”

The danger isn’t just the potential for a worm-wave; denial-of-service could be a problem too. Researchers attempting to create PoC exploits found that their efforts largely caused systems to crash before they could achieve RCE.

To boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its May Patch Tuesday Security Bulletin (and there’s a micropatch out there too), researchers said last week that at least 1 million devices linked to the public internet are still vulnerable to the bug. And the NSA, in its advisory, warned that the number could actually be in the multimillions.

Some are finding patching to be an onerous process given that many older machines are in production environments where the required reboot – taking mission-critical systems offline – just isn’t feasible.

Nonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments.

“It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” Microsoft warned in an advisory. “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”


Discussion

  • Rob on

    'An earlier proof-of-concept (PoC) from McAfee showed a successful RCE exploit, but didn’t include the credential-harvesting – so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections.' I'm not sure about that. Enabling NLA would have prevented the new RCE POC from being executed too - the credentials were only harvested AFTER the RCE exploit was run. If NLA was enabled on the target machine, Zǝɹosum0x0 would have had to know the credentials BEFORE they ran the exploit.
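The exchange above turns on whether Network Level Authentication (NLA) is required on a host, since NLA forces a client to authenticate before the pre-authentication RDP code path that BlueKeep sits in is reached. The following script is an added example, not code from the article, the researcher or the commenter: it reports a Windows host's RDP state, NLA setting and whether a given update is installed, so an administrator can triage which machines to patch first. It assumes it runs locally with administrative rights, that the standard Terminal Server registry values are present, and that the operator supplies the KB identifier for their OS in `$PatchKB` (a placeholder here; the article does not name it). The function name `Get-BlueKeepExposure` is invented for this example.

```powershell
# Added example (not from the article or the discussion): triage a host's
# RDP exposure with respect to CVE-2019-0708.
# Assumptions: run with administrative rights on Windows PowerShell 2.0 or
# later; $PatchKB is a placeholder the operator replaces with the update ID
# that applies to this OS version.
function Get-BlueKeepExposure {
    param(
        [string]$PatchKB = 'KB<placeholder>'   # fill in for the target OS
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # UserAuthentication = 1 means NLA is required: the client must
    # authenticate before the session-setup code affected by BlueKeep runs.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # Get-HotFix lists installed updates; a missing ID returns nothing.
    $patched = $null -ne (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    $osCaption = (Get-WmiObject Win32_OperatingSystem).Caption

    # Rank the host for the patching queue. NLA does not fix the bug; it only
    # removes the unauthenticated path, so patching is still required.
    $exposure = if (-not $rdpEnabled) { 'RDP disabled on host' }
                elseif ($patched)     { 'Patched' }
                elseif ($nlaRequired) { 'Unpatched; NLA blocks unauthenticated exploitation' }
                else                  { 'Unpatched and NLA off: patch first' }

    New-Object PSObject -Property @{
        Host        = $env:COMPUTERNAME
        OS          = $osCaption
        RdpEnabled  = $rdpEnabled
        NlaRequired = $nlaRequired
        PatchFound  = $patched
        Exposure    = $exposure
    }
}

# Usage: run locally, or fan out with Invoke-Command to a list of hosts.
Get-BlueKeepExposure -PatchKB 'KB<placeholder>'
```

The ordering of the `Exposure` verdicts mirrors the point made in the discussion: an unpatched host with NLA off is reachable by an unauthenticated client and should go to the front of the patching queue, while NLA-enabled hosts are still unpatched and must not be treated as fixed.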
