As the inquiry into who leaked the proof-of-concept exploit code for the MS12-020 RDP flaw continues, organizations that have not patched their machines yet have a new motivation to do so: A Metasploit module for the vulnerability is now available. 

It’s been a week now since Microsoft released a patch for the RDP bug, and the exploit code that was included with the information the company sent to its partners in MAPP (Microsoft Active Protections Program) was found in an exploit posted on a Chinese download site shortly thereafter. Luigi Auriemma, the researcher who discovered and reported the vulnerability to Microsoft through the TippingPoint Zero Day Initiative, said that the packet found in the leaked exploit code was a direct copy of the one he submitted with his bug report.

Officials at ZDI said that they are certain that the code did not leak from their organization. Microsoft officials have said little more than to acknowledge that there seems to be a leak from somewhere within MAPP. The company has not indicated whether that was on their end or from one of the MAPP members. 

Now, there is a working exploit committed to the Metasploit Framework, which is typically a good indicator that attacks are about to ramp up. Brad Arkin, head of product security and privacy at Adobe, said in a recent talk that when there’s a newly public vulnerability in one of the company’s products, the attacks start with a trickle against high-value targets and then increase sharply from there.

“The biggest jump in exploits we see is right after the release of a Metasploit module,” he said. “We’ll see a few attacks a day before that and then it will spike to five thousand a day, and it goes up from there. There’s a correlation between the broader availability of an exploit and more people getting attacked.”

The exploit in Metasploit, like the one that has been circulating online, causes a denial-of-service condition on vulnerable machines. Researchers have been working on developing a working remote code execution exploit for the bug, as well, but none has surfaced publicly yet.


Comments (13)

  1. Dave

    This isn’t exactly accurate; a denial-of-service PoC was placed in the Metasploit Framework. There is no known public exploit out for RCE (remote code execution). This is misleading.

  2. Miley

    Yep, above poster is correct. If you notice it is an aux module, a DoS aux module to be specific. There is *no* remote command execution. Article is misleading, or outright wrong, depending on your side of the fence.

  3. SecBoyUK

    @Dave – Where does it say that there is RCE code in the wild?

    The article states that the Metasploit code is the DoS one based on Luigi Auriemma’s PoC and that “Researchers have been working on developing a working remote code execution exploit for the bug, as well, but none has surfaced publicly yet”

    @Nortonisgreat – I hope you’re joking with that comment?

  4. Anonymous

    The confusion is probably in the fact that your title and first line claim that there is an exploit for the RDP flaw. Most competent folks don’t consider a DoS PoC an exploit. In this context, that term is usually reserved for RCE.

  5. Anonymous

    “Ergo, stating that exploit code exists for the RDP flaw at this point is misleading. “

    I disagree; there is PoC code that exploits a flaw in RDP to cause DoS. Ergo, exploit code exists and the title and first line are accurate. The author stated clearly in the article that it’s not RCE, so I’m not sure what you think is misleading.

    “What percent of the exploit modules there are DoS?”

    Why does it matter what percentage there are?  There are plenty there, why would you assume that just because it is in Metasploit that it is RCE?

    “Most competent folks don’t consider DoS PoC an exploit.”

    Well they should, because it is.  And where did you get the numbers to make that claim?  Or did you just mean the small group of people you talk to?
