Exploit For MS12-020 RDP Bug Moves to Metasploit

ID THREATPOST:E067CFBFA163616683563A8ED34648FE
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:32:35


As the inquiry into who leaked the proof-of-concept exploit code for the MS12-020 RDP flaw continues, organizations that have not patched their machines yet have a new motivation to do so: A Metasploit module for the vulnerability is now available.

It’s been a week now since Microsoft released a patch for the RDP bug, and the proof-of-concept exploit code that the company distributed to its partners in MAPP (Microsoft Active Protections Program) turned up shortly thereafter inside an exploit posted on a Chinese download site. Luigi Auriemma, the researcher who discovered the vulnerability and reported it to Microsoft through the TippingPoint Zero Day Initiative, said that the packet in the leaked exploit code was a direct copy of the one he submitted with his bug report.

Officials at ZDI said that they are certain that the code did not leak from their organization. Microsoft officials have said little more than to acknowledge that there seems to be a leak from somewhere within MAPP. The company has not indicated whether that was on their end or from one of the MAPP members.

Now there is a working exploit committed to the Metasploit Framework, which is typically a good indicator that attacks are about to ramp up. Brad Arkin, head of product security and privacy at Adobe, said in a recent talk that when there’s a newly public vulnerability in one of the company’s products, the attacks start as a trickle against high-value targets and then increase sharply from there.

“The biggest jump in exploits we see is right after the release of a Metasploit module,” he said. “We’ll see a few attacks a day before that and then it will spike to five thousand a day, and it goes up from there. There’s a correlation between the broader availability of an exploit and more people getting attacked.”

The exploit in Metasploit, like the one that has been circulating online, only causes a denial-of-service condition on vulnerable machines: it crashes the target rather than running attacker-supplied code. Researchers have been working on a working remote code execution exploit for the bug as well, but none has surfaced publicly yet.