BlueKeep 'Mega-Worm' Looms as Fresh PoC Shows Full System Takeover


A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine. Reverse engineer Zǝɹosum0x0 [tweeted about his success](<https://twitter.com/zerosum0x0/status/1135866953996820480>) on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover. “Still too dangerous to release, lame sorry,” he tweeted. “Maybe after first mega-worm?” An [earlier proof-of-concept (PoC) from McAfee](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) showed a successful RCE exploit, but didn’t include the credential-harvesting – so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections. [![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)The BlueKeep vulnerability (CVE-2019-0708) RCE flaw exists in Remote Desktop Services and impacts older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it’s wormable – and so it can self-propagate from machine to machine, setting up the scene for a [WannaCry-level, fast-moving infection wave](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>). The concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch. The new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Zǝɹosum0x0. The researcher [said that it took time](<https://twitter.com/zerosum0x0/status/1135219212199186434>) to develop the exploit, but clearly it can be achieved. The National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation. “It is likely only a matter of time before remote exploitation code is widely available for this vulnerability,” the NSA said in [an advisory](<https://www.us-cert.gov/ncas/current-activity/2019/06/04/NSA-Releases-Advisory-BlueKeep-Vulnerability>) on Tuesday. “NSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.” The danger isn’t just the potential for a worm-wave; denial-of-service could be a problem too. Researchers attempting to create PoC exploits found that their efforts [largely caused systems to crash](<https://www.exploit-db.com/exploits/46946>) before they could achieve RCE. To boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin (and there’s a [micropatch](<https://0patch.com/patches.html>) out there too), [researchers said last week](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) that at least 1 million devices linked to the public internet are still vulnerable to the bug. And, the NSA in its advisory warned that the number could actually be in the multimillions. Some are finding patching to be an onerous process given that many older machines are in production environments where the required reboot – taking mission-critical systems offline — just isn’t feasible. > But patch deployment will take 35 days and we cant deploy to 18.24% because downtime issues and we've raised the requests for the rest into the change tool and …….. > > — Taz Wake (@tazwake) [June 4, 2019](<https://twitter.com/tazwake/status/1135890835101368321?ref_src=twsrc%5Etfw>) Nonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments. “It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,” Microsoft warned in [an advisory](<https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/>). “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”