
The Security Train - BlueKeep: It's about time we had a chat


The sun's shining, it's 6.30am and I am on a train heading to London....must be time for the security train....(I can literally hear your excitement from here).

Following the last post, "Beware of the Crops", we had a couple of people write to us from the actual Internet (email, I think they call it) letting us know they enjoyed the post, so thanks! One email, however, stood out above the others: one reader had taken the time to take the concept a little further and tried it in OpenOffice and LibreOffice as well. It didn't occur to me when we wrote the tool that other word processors with a vaguely shared/similar code base going way back might handle cropped images in the same way...turns out they do, so hats off to you, sir, for contributing.

Onto today's post, however: you may have noticed a lot has been said in the community recently about a lovely bit of exploit goodness known as BlueKeep, a pretty powerful exploit that affects Remote Desktop Services; successful exploitation can gain remote code execution with SYSTEM-level privileges...my favourite kind :)

So what actually is it? Well, let's first start with the need-to-knows, then if you're still awake...we can get to how it works...

Firstly, the vulnerability affects exposed Remote Desktop (RDP) servers on the following operating systems:

  1. Windows 2003
  2. Windows XP
  3. Windows 7
  4. Windows Server 2008
  5. Windows Server 2008 R2

You will note a number of these operating systems are out of support and will no longer be updated via traditional means, so if you are still running any of these....for the love of all things..just ask yourself "why?", as in most cases there is another way. Be bold...cost of change will always be a consideration, but the cost of a successful breach could be much, much more. With that little lecture over, Microsoft consider this vulnerability to be so severe that they have gone out of their way to provide individual patches for these outdated systems here:

So...not that I condone the use of these dated systems...but if you really must, there are manual patches which can be applied.

The vulnerability itself has been doing the rounds for the last few months. It first popped up in May, and many people, including myself, held off posting about it for some time for a number of reasons, but recently the exploit code has been bundled into a number of easily usable tools such as Metasploit, putting the use of the vulnerability squarely in reach of...well, anyone..

The exploit itself is a perfect candidate for being built into worms and other malware alike, similar to the exploits that made WannaCry so devastating a few years back. Although nothing has been detected thus far, it remains something many people are keeping a close eye on.

At its root, the exploit makes use of a "use after free" bug within the termdd.sys RDP kernel driver. Use-after-free bugs, for those that don't know, are hard to explain, but the basic concept is an attempt to access memory after it has been freed. The pointer in question will at some point have pointed at a memory allocation. Said allocation has since been freed, but the original pointer is still referenced elsewhere and can be used again; by then the same memory may have been handed out to an entirely new allocation, so the stale pointer now reads and writes whatever has replaced the original object...which can be...well...whatever we want...insert imagination here.
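To make the concept concrete, here is an added example (it is not code from the original post, and it is not the real termdd.sys or MS-T120 channel logic): a toy channel table in C with a tiny two-slot arena standing in for the kernel pool, so that the aliasing between a stale pointer and a fresh allocation can be observed deterministically rather than as undefined behaviour. The channel_t type, the chan_* functions and the arena are all assumptions made up for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN    16
#define TABLE_SIZE  4
#define ARENA_SLOTS 2

/* One "channel" object. Real RDP channel state is far richer; this is a stand-in. */
typedef struct {
    int  in_use;
    char name[NAME_LEN];
} channel_t;

/* A tiny fixed-size arena standing in for the kernel pool (assumption for the
 * example only). Freed slots are handed out again on the very next allocation,
 * which is what lets a stale pointer alias a brand-new object. */
static channel_t arena[ARENA_SLOTS];

/* The channel table: the "somewhere else" where the pointer is still referenced. */
static channel_t *table[TABLE_SIZE];

static void reset_state(void) {
    memset(arena, 0, sizeof arena);
    memset(table, 0, sizeof table);
}

static channel_t *arena_alloc(void) {
    for (int i = 0; i < ARENA_SLOTS; i++) {
        if (!arena[i].in_use) {
            arena[i].in_use = 1;
            return &arena[i];
        }
    }
    return NULL;
}

/* Wipe the object and mark its slot reusable. */
static void arena_free(channel_t *c) {
    memset(c, 0, sizeof *c);
}

/* Open a channel: allocate an object and record it in the first free table slot.
 * Returns the slot index (the handle later requests use), or -1 if full. */
static int chan_open(const char *name) {
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (table[i] == NULL) {
            channel_t *c = arena_alloc();
            if (c == NULL) return -1;
            strncpy(c->name, name, NAME_LEN - 1);
            table[i] = c;
            return i;
        }
    }
    return -1;
}

/* Buggy close: frees the object but leaves the table entry pointing at it. */
static void chan_close_buggy(int slot) {
    arena_free(table[slot]);
}

/* Fixed close: the table entry is cleared, so the handle can no longer be used. */
static void chan_close_fixed(int slot) {
    arena_free(table[slot]);
    table[slot] = NULL;
}

/* A "use" of the handle: write through the stored pointer.
 * Returns 0 on success, -1 if the handle refers to no live channel. */
static int chan_set_name(int slot, const char *name) {
    if (slot < 0 || slot >= TABLE_SIZE || table[slot] == NULL) return -1;
    strncpy(table[slot]->name, name, NAME_LEN - 1);
    return 0;
}

static const char *chan_get_name(int slot) {
    if (slot < 0 || slot >= TABLE_SIZE || table[slot] == NULL) return NULL;
    return table[slot]->name;
}

/* Buggy sequence: open A, close A (dangling table entry), open B. B's object is
 * placed in A's old arena slot, so a write through the stale handle shows up in B.
 * Returns 1 if that aliasing is observed. */
int uaf_observed_with_buggy_close(void) {
    reset_state();
    int a = chan_open("A");          /* slot 0, arena[0] */
    chan_close_buggy(a);             /* arena[0] freed, table[0] still set */
    int b = chan_open("B");          /* slot 1, reuses arena[0] */
    chan_set_name(a, "stale");       /* write via the dangling handle */
    return table[a] == table[b] && strcmp(chan_get_name(b), "stale") == 0;
}

/* Same sequence with the fixed close: the stale handle is rejected and B keeps
 * its own, untouched object. Returns 1 if the use-after-free was prevented. */
int uaf_prevented_with_fixed_close(void) {
    reset_state();
    int a = chan_open("A");
    chan_close_fixed(a);
    int rejected = chan_set_name(a, "stale") == -1;
    int b = chan_open("B");
    return rejected && strcmp(chan_get_name(b), "B") == 0;
}

int main(void) {
    printf("buggy close: aliasing observed = %d\n", uaf_observed_with_buggy_close());
    printf("fixed close: use-after-free prevented = %d\n", uaf_prevented_with_fixed_close());
    return 0;
}
```

Compile with any C compiler and run: the buggy close leaves table[0] pointing at memory that the next open hands to channel B, so a write through the old handle lands in B's object. The fix is the single line that clears the table entry when the object is freed, which is the general shape of the defence against this bug class: no reference may outlive the allocation it points to.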

By opening up an MS-T120 channel, specially crafted packets can then be sent to the offending service, causing the condition to trigger. Exploitation of this condition has been made somewhat easy by its introduction to the Metasploit framework, with active, functional modules now available.

So what should you do to protect yourselves? Well...the usual really: make sure you are fully patched and up to date, and if you need to download and apply the aforementioned patches, set a time frame aside to do so. Following that, make sure that the service (RDP) is only exposed in a limited fashion; it rarely if ever needs to be exposed to the entire Internet...make sure said interfaces are only available to trusted management networks, via a VPN...or jump box....This goes for internally as well: RDP for critical internal servers also doesn't need exposing to the entire network - keep it to the management layers where possible.

Right - the train's pulling in so I'd better end the article here. Thanks for the read, see you again soon no doubt! Oh - and feel free to email us with your thoughts, comments, questions etc. Speak soon!



Andy Swift - Head of Offensive Security

Andy Swift is Head of Offensive Security at CNS Six Degrees and has written countless articles on information security. He has a particular speciality in malware and virus analysis. Andy holds Global Industrial Cyber Security Professional (GICSP) status, certifying his expertise in ICS Security Essentials for Engineering, Operating Technology and Cyber.
