A security researcher has published a detailed guide that shows how to execute malicious code on Windows computers still vulnerable to the critical BlueKeep vulnerability. The move significantly lowers the bar for writing exploits capable of the kinds of destructive attacks not seen since the WannaCry and NotPetya attacks of 2017, researchers said.
As of three weeks ago, more than 800,000 computers exposed to the Internet were vulnerable to the exploit, researchers from security firm BitSight said last week. Microsoft and a chorus of security professionals have warned of the potential for exploits to sow worldwide disruptions. The risk of the bug, found in Microsoft’s implementation of the remote desktop protocol, stems from the ability for attacks to spread from one vulnerable computer to another with no interaction required of end users.
“A pretty big deal”
One of the only things standing in the way of real-world attacks is the expertise required to write exploits that remotely execute code without crashing the computer first. Several highly skilled whitehat hackers have done so with varying levels of success, but they have kept the techniques that make this possible secret. Much of that changed overnight, when a security researcher published this slide deck to Github.
“It basically gives a how-to guide for people to make their own RCE,” independent researcher Marcus Hutchins told Ars, using the abbreviation for remote code execution. “It’s a pretty big deal given that now there is almost no bar to stop people publishing exploit code.”
The explainer significantly lowers the bar even to developers who are “not very skilled at all,” Hutchins said. That’s because it shows how to solve one of the most vexing problems in successfully gaining code execution from BlueKeep—successfully carrying out an exploitation technique known as a heap spray against the vulnerable remote desktop service.
“Most of the bar comes from the need to reverse engineer the RDP protocol to find out how to heap spray,” Hutchins said. “The author explains all this, so all that’s really needed is to implement the RDP protocol and follow their lead. Only a basic understanding is enough. Most likely, what will happen now the bar is lowered [is] more people will be able to exploit the bug; thus, more chance of someone posting full exploit code publicly.”
The slides are written almost entirely in Chinese. They reference a 2019 Security Development Conference, and one of them shows the name of Chinese security firm Tencent KeenLab. Two of the slides also contain the word “demo.” This page gives an overview of the conference presentation and identifies Tencent security researcher Yang Jiewei as the speaker.
Representatives from Github and Tencent didn’t immediately respond to a request for comment. This post will be updated if a reply comes later. Github terms of service appeared to give no indication it barred the post. Anyone who hasn’t patched the vulnerability, tracked as CVE-2019-0708, should do so immediately. Patches can be downloaded here.
Jake Williams, a co-founder of Rendition Infosec and a former exploit writer for the National Security Agency, mostly agreed with Hutchins’ assessment of the Github post.
“It’s significant,” Williams said of the deck. “It’s the most detailed publicly available technical documentation we’ve seen so far. It seems to indicate that they showed a proof of concept, but they didn’t publish it.”
Like Hutchins, Williams is among the whitehats who have written a BlueKeep exploit that remotely executes code successfully. Hutchins’ proof-of-concept, Williams said, is more reliable than his exploit, which still suffers from crashes.
Williams said he doubted the new details would help less-skilled exploit writers develop crash-free exploits. As Williams’ PoC demonstrates, even when exploits effectively hone a successful heap spray technique, they still may not be effective enough to prevent at least some crashes.
“I don’t think anybody who had a working exploit before will have one now,” Williams said.
“Will some system crashes bother them?”
Williams said he previously expected there to be publicly available exploits no later than the middle of next month, when the Black Hat and Defcon security conferences in Las Vegas conclude. The new insights could shorten this predicted timeline.
Hutchins agreed that the new insights aren’t likely to help low-skilled hackers eliminate crashes, but he continued to argue that the guide drastically lowers the bar for less reliable code execution. While crashes are often a hurdle for people writing exploits used in espionage and financially motivated hacking, they’re less of a hindrance for people whose goal is disruption or sabotage.
“My concern,” Hutchins said, “is that WannaCry was extremely destructive, and if someone is willing to cause that level of destruction, will some system crashes bother them?”