A security researcher has developed another Metasploit module for the BlueKeep vulnerability in Windows Remote Desktop Services. It has not been released yet, because the developer considers it too risky given the nearly one million systems that are still unpatched.
BlueKeep is a critical vulnerability (CVE-2019-0708) that can be used to take over systems. Windows XP through Windows 7 and their server counterparts are at risk; Windows 8 and later are not vulnerable to BlueKeep.
Microsoft has been offering security updates to close this vulnerability for affected Windows systems since May 14, 2019 – even for the long-forgotten versions such as Windows XP or Windows Server 2003 (see my blog post Critical update for Windows XP up to Windows 7 (May 2019)).
The vulnerability is considered critical; Microsoft (see BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia) and US-CERT have issued warnings. However, a large number of systems are still unpatched, although the vulnerability has been known since mid-May 2019 and updates are available. I reported on this in the blog post Nearly 1 million Windows machines with BlueKeep vulnerability.
Metasploit module for BlueKeep
Until now, only security companies such as antivirus vendors had a proof of concept for exploiting the vulnerability, and it was not publicly available. A network scanner for the RDP vulnerability is also available (see my blog post How To: BlueKeep-Check for Windows). What has been missing so far is a working Metasploit module for penetration tests. Such a module is an exploit written for the Metasploit Framework, a tool security researchers use in penetration tests to exploit a vulnerability and thus demonstrate that a system is actually at risk.
Now a security researcher appears to have finished such a module. It was developed by Zǝɹosum0x0, who announced it on Twitter:
Rough draft MSF module. Still too dangerous to release, lame sorry. Maybe after first mega-worm?
PATCH #BlueKeep CVE-2019-0708
35c2571801b3b6c4297ed362cf901dc4e907ff32a276fb6544a2b9d0f643f207 pic.twitter.com/y0g9R9HNnc
— zǝɹosum0x0 (@zerosum0x0) June 4, 2019
The module is still a draft. Because of the danger to the large number of systems that are still unpatched, this draft will not be released publicly. The security researcher linked a video in the above tweet that shows successful use of the module against a Windows 2008 machine. After the exploit extracted the credentials for the target system with the Mimikatz tool, full control over the system was achieved.
The security researcher told Bleeping Computer that the same exploit works for both Windows 7 and Server 2008 R2 because the two operating systems are "essentially identical, except for some additional programs on the server." However, I am sceptical about the practical exploitability under Windows 7, as most systems do not run Remote Desktop Services – in my scans within my network, the Windows 7 systems were not reachable for the rdpscan tool.
Although Windows Server 2003 is also vulnerable to BlueKeep, the Metasploit team could not trigger the bug and exploit it on this operating system. BTW: @zerosum0x0 is a security researcher who helped develop this BlueKeep scanner.
Tip: How to check systems for security against BlueKeep is described in my blog post How To: BlueKeep-Check for Windows. Maybe it helps.
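The point made above about Windows 7 machines that never answered the scanner is worth turning into a first triage step: a host that is in the affected version range but does not expose the RDP port cannot be reached by this pre-authentication bug, while an affected, unpatched host that does answer on TCP 3389 is the one to patch first. The following is an added example, not code from the original post or from any of the tools it mentions. The host list, NT version strings and patch flags are constructed sample data, the version set follows the post's statement that XP/2003 through 7/2008 R2 are affected and Windows 8 and later are not, and the reachability test is a plain TCP connect with a timeout; it does not attempt to determine patch state over the network, which is what a dedicated scanner such as rdpscan is for.

```python
"""Triage Windows hosts for BlueKeep exposure (added example, not from the original post).

Combines three pieces of information per host:
  1. NT kernel version (from your inventory): is the OS in the affected range?
  2. Patch state (from your inventory): is the May 2019 update recorded as installed?
  3. Network exposure: does the host accept a TCP connection on the RDP port?
Sample hosts below are constructed and point at loopback, so nothing is reachable.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

RDP_PORT = 3389

# NT versions named as affected in the post: XP (5.1), Server 2003 (5.2),
# Vista / Server 2008 (6.0), Windows 7 / Server 2008 R2 (6.1).
# Windows 8 (6.2) and later are not vulnerable to CVE-2019-0708.
AFFECTED_NT_VERSIONS = {"5.1", "5.2", "6.0", "6.1"}


@dataclass
class Host:
    address: str
    nt_version: str   # e.g. "6.1" for Windows 7 / Server 2008 R2
    patched: bool     # True if the inventory records the May 2019 update as installed


def rdp_reachable(address: str, port: int = RDP_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to address:port succeeds within timeout.

    Name-resolution failures, refused connections and timeouts all surface
    as OSError (or its socket.timeout subclass) and are reported as False.
    """
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(host: Host, reachable: bool) -> str:
    """Map inventory data plus reachability onto a priority bucket."""
    if host.nt_version not in AFFECTED_NT_VERSIONS:
        return "not-affected"
    if host.patched:
        return "patched"
    if not reachable:
        return "affected-unpatched-rdp-closed"
    return "affected-unpatched-rdp-exposed"   # patch these first


def triage(hosts, port: int = RDP_PORT, timeout: float = 2.0, workers: int = 16) -> dict:
    """Probe all hosts concurrently and return {address: classification}."""
    def probe(host: Host):
        return host.address, classify(host, rdp_reachable(host.address, port, timeout))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, hosts))


# Constructed sample inventory (loopback addresses, so no real host is contacted).
SAMPLE_HOSTS = [
    Host("127.0.0.1", "6.1", patched=False),   # Windows 7 class, unpatched
    Host("127.0.0.2", "6.1", patched=True),    # Windows 7 class, patched
    Host("127.0.0.3", "5.1", patched=False),   # Windows XP class, unpatched
    Host("127.0.0.4", "6.2", patched=False),   # Windows 8 class, not affected
]

if __name__ == "__main__":
    for address, state in sorted(triage(SAMPLE_HOSTS, timeout=0.5).items()):
        print(f"{address:15} {state}")
```

Run it against a real inventory by replacing SAMPLE_HOSTS with data from your asset database; hosts that land in the "affected-unpatched-rdp-exposed" bucket are the candidates for a follow-up rdpscan run and, above all, for immediate patching.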
Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
How To: BlueKeep-Check for Windows