Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

The Race for MS12-020

So if you missed our previous blog post on the MS Patch Tuesday earlier this week, or missed any of the several dozen news articles, there was a pretty serious hole patched up in the latest update from Redmond. Microsoft calls it 'critical' and numbered it MS12-020. It is a hole in RDP or the Remote Desktop Protocol, you know, what you use to see the screen of all those remote servers you have in the server room so you don't have to get up and walk across the office into that cold noisy place to tweak some minor setting on a system. Or maybe you use RDP to check on that system at home while you are in the office, or on the system at the office while you are at home, or at the other office. Pretty damn useful, and a pretty damn big hole.

Now Microsoft has released a patch for this so a lot of people say, "Great, I'll just apply the patch." But the thing is, a LOT of people won't apply the patch, because they didn't hear about the hole or they don't care. So they are sitting there with their servers and workstations blowing in the breeze so to speak, just waiting for someone to come by and exploit this nice RDP hole.

Ahh, but that's the other problem. While Microsoft has released a patch to fix the hole, they didn't actually tell anyone where the hole was. So now the race is on, by both good guys and bad guys alike. Some people are saying that the bad guys already now where the hole is and are exploiting it secretly. The good guys want to know where the hole is so they can scan for it, use it in penetration tests, and generally protect people.

The first thing we noticed was an analysis of the patch. If you compare the patch to the original you can find out what it was that changed. This gives you a real good idea of where to start looking for the hole. And there are a whole bunch of people actively looking for this hole, a bunch of them are hanging out on IRC (Freenode #ms12-020)

The race for a working exploit of MS12-020 is so dramatic there is even a bounty for the fist working Metasploit module for this hole. When we last checked it was up to $1451. The first person to create a successful proof of concept (PoC) in the popular pentesting tool, Metasploit, takes it all.

But there is some other stuff out there too, as we came across a website in China talking about the vulnerability with a screenshot that looks like they might actually have a working exploit for MS12-020. However, the surrounding text makes it seem unclear. So we are unsure of what to make of this post yet.

And then there was a post to pastebin that claimed to be a working exploit. If you looked closely however you could see at the top in the comments the email address was listed as sabu@fbi.gov. That makes things a little suspicious but if you actually attempted to run what was posted you could have put yourself into a world of hurt, as it did not appear to be a working exploit of MS12-020, but instead had traces to an Apache exploit from 2008.

So if you haven't installed the MS12-020 yet, by all means, do so immediately! If you looking for the hole yourself, be careful and look closely at what gets posted.