A weaponized exploit for the BlueKeep vulnerability has been published online by security researchers at Rapid7 and Metasploit.
BlueKeep – CVE-2019-0708 – is a wormable remote kernel use-after-free vulnerability affecting the remote desktop protocol on older versions of Windows, including Windows 7 and Windows Server 2008 R2. The latest Windows versions (Windows 8, Windows 10) are unaffected.
If exploited, an attacker could remotely execute arbitrary code and exploit other vulnerable computers on the network in a similar manner to the WannaCry ransomware attacks of 2017. Despite the seriousness of the vulnerability and the potential for a catastrophic cyberattack, many businesses have been slow to apply the patch to correct the flaw. A scan for vulnerable devices in mid-August suggests there are around 750,000 devices that have not had the patch applied and are still vulnerable to attack. The patch was issued by Microsoft on May 2019 Patch Tuesday.
One of the researchers, who operates under the moniker Zerosum0x0, had previously demonstrated how a vulnerable device could be exploited. In the video posted online, the researcher was able to achieve a full device takeover in just 22 seconds. Due to the risk of the exploit being used in real-world attacks, full details of the exploit were not released at the time. Several other researchers and security firms have developed proof-of-concept exploits for the BlueKeep flaw but none of those exploits have been weaponized to date.
It is the slow rate of patching that prompted the researchers to release the weaponized BlueKeep exploit. They believe that it is better for them to release the exploit than keep it private as the release will raise awareness about the seriousness of the threat and will encourage users to apply the patch to prevent the exploit from being used. The exploit has been uploaded to Rapid 7’s Metasploit framework and published on GitHub.
While the weaponized exploit could be used in real-world attacks to achieve remote code execution, the researchers have placed a limit on the exploit. The exploit will only work on Windows 7 and Windows Server 2008 R2 and a specific target must be manually inserted for the exploit to work. That means it cannot be used in automated attacks. Further, it would not be possible to use the exploit to move from machine to machine.
Rapid7 notes that in order to use the exploit, an attacker would need to have some knowledge of how Windows kernel memory is laid out, as this needs to be specified for the exploit to work.
According to Rapid7, “The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.”
The exploit has been tested and shown to work on unpatched devices running 64-bit Windows 7 and Windows Server 2008 R2 and will allow an attacker to remotely execute code with the highest level of privileges.