The Importance of MS12-020: Remote Desktop Sessions at Risk

Written by: Dianne Lagrimas

Remote Desktop Protocol (RDP) is a feature that ships with most Microsoft operating system versions. Its primary use is to facilitate an easy connection between two computers over a network. Specifically, it provides a graphical user interface for a computer connecting to another computer. A typical scenario where Remote Desktop Protocol is used is when a network administrator attempts to assist another computer user for program installation, all while the computer user being assisted is currently logged on to the computer. In this scenario, the network administrator runs the RDP server (termed Remote Desktop Services) while the computer user runs the RDP client (Remote Desktop Connection).

In its default state, the RDP feature is open to attacks that cybercriminals can use to execute code remotely on systems with enabled RDP. In March 2012, Microsoft released a patch addressing an RDP vulnerability that when exploited, may allow remote code execution .

This article takes a look on the reported RDP vulnerability, as well as Trend Micro solutions that stop cybercriminals at their tracks.

What is the Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability?

A particular flaw in the way the Remote Desktop Protocol parses or reads a sequence of packets in memory. Anyone wanting to exploit this flaw can send an initial sequence of specially crafted packets. RDP is not able to process the specially crafted packets in memory. This is where a remote attacker sends a code that triggers access to an object that either failed to initialize , or an object that has been already deleted. Hence, the flaw exists.

What happens when a code is executed?

Depending on the code sent, an attacker can execute malware, run or open programs and applications, or completely control the affected computer. Cybercriminals may use exploited computers for malicious operations.

Are there threats exploiting the RDP vulnerability?

As of this writing, Trend Micro researchers found a proof-of-concept (PoC) code that exploits this vulnerability. The said PoC is a hacking tool that is capable of launching a denial of service (DoS) attack on a target system by using the Remote Desktop Protocol vulnerability.

Detected by Trend Micro as DDOS_DUCAU.A, this hacking tool first tests whether the RDP is enabled on a target system. It can then be programmed to launch a denial of service attack.

If there are no other attacks, why should I be concerned?

Vulnerabilities may not be as prominently reported as spam messages, malware or botnets, but exploits targeting vulnerabilities are as dangerous as these threats. Exploits are designed to take advantage of flaws found on software, website applications, or servers, or operating systems that may lead to various threat scenarios, the most severe of which is either execution of malware or enabling a remote user to execute commands. Once users encounter sites that contain exploits, the effect can be immediate.

Compromised Dutch Site Leads to Exploit

Just recently, the popular Dutch news site nu.nl was compromised by a specific attacker who exploited a vulnerability found on the site’s content management system (CMS). Users who visited the site during the compromise are lead to a malicious script that loads various exploit. These exploit results to the infection of users’ systems. This incident shows that by just visiting a compromised site, users can become susceptible to the payload.

I’m using a Windows PC at home and at work. Are my computers at risk?

By default, RDP is NOT enabled on systems. It is highly likely that your home computer is safe from any attacks that use the RDP vulnerability. Additionally, systems that are protected by a firewall are not at risk.

However, it is probable that RDP is enabled on networked computers to enable faster assistance to users over the network. Your IT administrator, or the office IT staff, is the best people to determine whether your work computer is at risk. RDP enablement will be visible to them.

What can I do to make protect my computer from RDP exploits?

Make sure that Microsoft and/or Windows Updates are turned on. This way, updates and patches from Microsoft are automatically downloaded and installed on your computer. Applying patches supplied by vendors prevents attackers from leveraging vulnerabilities. Customers should also consider blocking access RDP (TCP port 3389) or monitoring traffic scans and abnormalities on that specific port.

Are Trend Micro users protected from this threat?

Trend Micro products ensure that your computer is safe from attacks that may use the RDP vulnerability. Trend Micro detects and prevents the PoC DDOS_DUCAU.A, a hacking tool that exploits the RDP vulnerability. On certain systems are not required to use desktop sharing, Trend Micro Deep Security and IDF customers can turn off remote desktop sharing by applying the rule 1002508 – Application Control For RDP. Rule 1004949 - Remote Desktop Vulnerability (CVE-2012-0002) protects from exploitation of the said vulnerability. In addition, Trend Micro protects customers via Trend Micro Threat Management Services using the following TDA patterns:

  • Network Content Inspection Pattern (NCIP) 1.11595
  • Network Content Correlation Pattern (NCCP) 1.11579

For more information about these solutions, please refer to this Malware Blog entry.