Category: Vulnerability

BlueKeep RDP, the new EternalBlue?

I’m back,

Today I will talk about the BlueKeep RDP vulnerability in a few words.

As you probably know, this new vulnerability affects:

  • Windows 2003
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Unlike the EternalBlue exploit, this new vulnerability does not use SMBv1 but the RDP functionality of Windows.

Currently the exploit is still not public, but you can find some PoCs on GitHub anyway, like this one:

https://github.com/Ekultek/BlueKeep

To be clear, some people said that you need physical access to the server, or to disconnect it, to exploit the vulnerability… the reality is different.

If you read the PoC source code, the vulnerability is exploited via a malformed packet which leads to remote code execution on the target.

Ekultek, the author of the PoC, explains in his source code that generating the payload is difficult anyway, especially when ASLR is involved.

As he said, he has not shared this part of the methodology, to avoid watching the world burn.

The American NSA also asked all companies to update their systems, and I totally agree with that.

Currently, one Metasploit module is available; this module is shared between researchers and remains private, but for how long?

As you probably know, the ms17-010 module for EternalBlue can be used to exploit a target in a few seconds; I think it will be the same situation for this one.

Finally, the full PoC is available here:

https://github.com/Ekultek/BlueKeep/blob/master/bluekeep_poc.py

You can also check whether your server is vulnerable with the rdpscan tool from Robert Graham:

https://github.com/robertdavidgraham/rdpscan
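rdpscan probes a host over the network. As a complement, here is a local check you can run on each Windows host to see whether it belongs to the affected list above, whether Remote Desktop is enabled, and whether Network Level Authentication is required (a partial hardening measure; patching is still the fix). This is an added example written for this post, not code from Ekultek, Robert Graham or Microsoft; the OS caption strings it matches on are an assumption about what WMI reports, and the registry values it reads (fDenyTSConnections, UserAuthentication, PortNumber) are the standard Terminal Server settings. It only reads configuration and changes nothing.

```powershell
# Added example (not from the original post): local RDP exposure check.
# Run in an elevated PowerShell on the host being checked. Uses Get-WmiObject
# so that it also works on the PowerShell 2.0 shipped with Windows 7 / 2008.

# OS caption fragments matching the affected list in the post
# (assumption: Win32_OperatingSystem.Caption contains these strings;
#  "Windows Server 2008 R2" captions also contain "Windows Server 2008").
$affected = @('Windows Server 2003', 'Windows XP', 'Windows Vista',
              'Windows 7', 'Windows Server 2008')

$os      = Get-WmiObject -Class Win32_OperatingSystem
$caption = $os.Caption
$inList  = $false
foreach ($name in $affected) {
    if ($caption -like "*$name*") { $inList = $true }
}

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop connections are allowed
$denyTS = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' `
            -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication is required
$nla    = (Get-ItemProperty -Path $rdpKey -Name 'UserAuthentication' `
            -ErrorAction SilentlyContinue).UserAuthentication
# PortNumber is 3389 unless the listener was moved
$port   = (Get-ItemProperty -Path $rdpKey -Name 'PortNumber' `
            -ErrorAction SilentlyContinue).PortNumber

$rdpEnabled  = ($denyTS -eq 0)
$nlaRequired = ($nla -eq 1)

# Prioritisation used by this example: affected OS + RDP reachable + no NLA
# is the worst case; an affected OS should be patched in every case.
if ($inList -and $rdpEnabled -and -not $nlaRequired) {
    $exposure = 'HIGH: affected OS, RDP enabled, NLA not required - patch now'
} elseif ($inList -and $rdpEnabled) {
    $exposure = 'MEDIUM: affected OS, RDP enabled with NLA - patch'
} elseif ($inList) {
    $exposure = 'LOW: affected OS but RDP disabled - still patch'
} else {
    $exposure = 'OS not in the affected list'
}

$result = New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    OS             = $caption
    InAffectedList = $inList
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    RdpPort        = $port
    Exposure       = $exposure
}
$result | Format-List Computer, OS, InAffectedList, RdpEnabled, NlaRequired, RdpPort, Exposure
```

The script is deliberately read-only: it tells you where to patch first but does not confirm whether the update is installed, so keep using rdpscan (or your patch-management reports) for that.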

On 4 June 2019, another related RDP security vulnerability (CVE-2019-9510) was reported by the CERT Coordination Center at Carnegie Mellon University.

This flaw may affect Windows 10 1803, Windows Server 2019 or newer systems using RDP, but it is considered less of a problem than the BlueKeep flaw. No patches for this flaw are currently available, and workarounds have been reported.