There is a confirmed legitimate working exploit for the MS12-020 RDP vulnerability in Windows circulating already and researchers say it is capable of either crashing or causing a denial-of-service condition on vulnerable machines. Microsoft has warned customers about the possibility of the exploit surfacing quickly and advised them to patch the flaw immediately. The researcher who discovered the vulnerability said that the packet he included in his original advisory was found in the exploit, raising the specter of a data leak somewhere in the pipeline.
The exploit surfaced on a Chinese download site in the last couple of days and researchers have been able to confirm that it causes a blue screen of death on some systems and a DoS condition on other versions of Windows. Experts have said that the RDP bug, which was discovered by Luigi Auriemma, has the potential to be used as the basis for a large-scale worm and the existence of a working exploit is the first step down that road. The exploit will produce a BSOD on Windows 7 and a DoS on Windows XP.
The security research community was buzzing on Friday morning with the news that the exploit from the Chinese site contained an exact copy of the information Microsoft sent out to the members of its Microsoft Active Protection Program (MAPP). That program grants early access to vulnerability and patch information to a select, vetted group of security and antimalware companies, allowing them to prepare defenses for the bugs that Microsoft will patch each month. When the MAPP program began four years ago, Microsoft said that it would take precautions to guard against the possibility of a leak of that valuable information, but didn’t spell out what those measures might be.
“The amount of time between the release of a patch and the release of the exploit code [for that patch] continues to shorten and customers have been asking for information to react to this,” Mike Reavey of the Microsoft Security Response Center told Threatpost editor Ryan Naraine in 2008.
Listen Digital Underground podcast: Ryan Naraine on Exploit Mitigations and the MS12-020 RDP Bug
That window now appears to be as small as ever. Microsoft released its patch on Tuesday and the exploit code was found on the Chinese site that same day. MAPP members get the data on soon-to-be-patched flaws a day or more before the patches are released to the public. This month, the MAPP info went out about 24 hours before the patch release.
Microsoft officials were unavailable for comment on Friday morning.
Auriemma said that the exploit code found on the Chinese site contains the exact packet that he sent to TippingPoint’s Zero Day Initiative in his original advisory on the vulnerability. ZDI engineers typically confirm the bug, work up a protection signature for TippingPoint’s appliances and then send the data on to the affected company, in this case Microsoft.
In an email interview, Auriemma said he had no doubts that the code in the exploit was his and that the code leak came from Microsoft.
“The packet I gave to ZDI was unique because I modified it by hand. There are no doubts on this thing,” he said. “Microsoft is the source of the leak, probably during the distribution to MAPP partners, but I still have some doubts.”
In addition to the code from Auriemma, researchers said that there was additional information in the exploit found on the Chinese site that was only available to MAPP members. One researcher said that he was positive that there had been a leak somewhere along the chain, but wasn’t sure where it had occurred.
Auriemma said on his Web site that once he discovered that the proof-of-concept code that was available contained his packet, he decided to release his original advisory with the full information in it.
“Now that my proof-of-concept is out (yeah rdpclient.exe is the poc written by Microsoft in November 2011 using the example packet I sent to ZDI) I have decided to release my original advisory and proof-of-concept packet written the 16 May 2011,” he said.
Note: Kaspersky Lab is a member of the MAPP program, but Threatpost editors do not have access to the MAPP data provided by Microsoft.