Exploit code published for RDP worm hole; Does Microsoft have a leak?

Summary: The code publication has set off alarm bells in the corridors at Redmond because there are clear signs that Microsoft's pre-patch vulnerability sharing program has been breached or has suffered a major leak.


UPDATE:  Microsoft confirms MAPP exploit code leak

Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.

The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft's MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft's implementation of the RDP protocol.

It also sets off alarm bells in the corridors at Redmond because there are clear signs that Microsoft's pre-patch vulnerability sharing program has been breached or has suffered a major leak.

The program, called MAPP (Microsoft Active Protections Program), provides vulnerability data and triggers to anti-virus, intrusion prevention/detection and corporate network security vendors about 24 hours before the patch is released. The program provides detection guidance ahead of time to help security vendors reproduce the vulnerabilities and ship signatures and detection capabilities without false positives.

Microsoft says it has strict guidelines to ensure the data doesn't fall into the wrong hands but, in this case, my sources tell me the Chinese hackers had access to MAPP information even before the patch was released.

"I can say with 100% certainty that MAPP information got into the wrong hands," said a security researcher with access to the MAPP information.

This was confirmed by Luigi Auriemma, the security researcher credited by Microsoft with finding and reporting the RDP code execution vulnerability. On Twitter, Auriemma said the packet stored in the Chinese proof-of-concept was the "EXACT ONE" he provided to TippingPoint ZDI (Zero Day Initiative), the company that bought the rights to the bug information.

Auriemma suggests there was a clear leak somewhere along the line, publicly pointing fingers at Microsoft and ZDI.

In an interview, Auriemma told me there is no doubt whatsoever that the Chinese proof-of-concept came from Microsoft. "The packet I gave to ZDI wasn't just a simple fuzzed packet. I modified at some points to make it unique," he explained, noting that the Chinese code contained the packet "as is."

Auriemma said he never provided an exploitable proof-of-concept to Microsoft and speculates that the code was written by the MSRC to help during the triage and bug-testing process. But he's very clear that there's a leak (or breach?) at Microsoft.

"There are some parts that are not just some bytes modification. I did some unique things to make debugging easier. I referred to the BER numbers (numbers with a dynamic size). They were 8-bit originally and I converted them to 32-bit with the result that the packet increased its size. So, it's my packet," Auriemma said.
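Auriemma's point above, that padding BER "numbers" from 8-bit to 32-bit makes a packet larger while it still decodes to the same values, as an added example that is not code from the article, from Auriemma, or from Microsoft: it encodes BER length fields in minimal and forced-width long form and flags non-minimal encodings, which is the property a strict parser or an IDS signature can key on. It assumes the numbers in question are length fields (the same minimal-versus-padded reasoning applies to BER integers) and walks constructed single-byte-tag TLVs, not real RDP data.

```python
"""BER length fields (X.690 8.1.3): minimal vs. padded long-form encodings."""


def encode_length(n: int, width: int = 0) -> bytes:
    """Encode a BER length. width=0 picks the minimal encoding; width=1..4
    forces the long form with that many length bytes, which is what padding
    an 8-bit length out to 32 bits does (0x84 followed by four bytes)."""
    if n < 0:
        raise ValueError("negative length")
    if width == 0:
        if n < 0x80:
            return bytes([n])            # short form: one byte, high bit clear
        width = (n.bit_length() + 7) // 8
    if not 1 <= width <= 4 or n >= 1 << (8 * width):
        raise ValueError("width does not fit value")
    return bytes([0x80 | width]) + n.to_bytes(width, "big")


def decode_length(buf: bytes, pos: int = 0):
    """Return (length, bytes_consumed, minimal). minimal is False when the
    encoder spent more bytes than the value needs, e.g. 0x84 00 00 00 01."""
    first = buf[pos]
    if first < 0x80:
        return first, 1, True
    width = first & 0x7F
    if width == 0 or width > 4 or pos + 1 + width > len(buf):
        raise ValueError("indefinite, oversized or truncated long-form length")
    n = int.from_bytes(buf[pos + 1:pos + 1 + width], "big")
    minimal = n >= 0x80 and width == (n.bit_length() + 7) // 8
    return n, 1 + width, minimal


def walk_tlvs(buf: bytes):
    """Walk a flat run of single-byte-tag TLVs (an assumption for this sample)
    and report (tag, length, length_bytes, minimal) for each field."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        n, used, minimal = decode_length(buf, pos + 1)
        out.append((tag, n, used, minimal))
        pos += 1 + used + n
        if pos > len(buf):
            raise ValueError("value runs past end of buffer")
    return out


# Constructed sample: the same two fields with minimal and with 32-bit lengths.
MINIMAL = b"\x02" + encode_length(1) + b"\x07" + b"\x04" + encode_length(3) + b"abc"
PADDED = b"\x02" + encode_length(1, 4) + b"\x07" + b"\x04" + encode_length(3, 4) + b"abc"

if __name__ == "__main__":
    for name, pkt in (("minimal", MINIMAL), ("padded", PADDED)):
        print(name, len(pkt), "bytes:", walk_tlvs(pkt))
```

Both buffers decode to identical tags and values; only the padded one doubles in size and trips the `minimal` flag on every field.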

Officials from Microsoft and ZDI were not available for comment at press time.

A confirmed MAPP leak would be a big black eye for Microsoft because the program is considered a jewel in the company's efforts to secure the Windows ecosystem. In 2008, when the program was launched, I warned that it was a risky move because of the likelihood that information flowing through MAPP could be siphoned off and sold to malicious attackers.

At the time, Microsoft acknowledged the risk but insisted it would lock down access to the program and implement measures to identify potential leaks. Participants in the program must sign NDAs and have a significant enough customer base for protection-oriented software.

Following the publication of the Chinese PoC, which currently crashes vulnerable Windows installations, Auriemma published his own advisory with technical details of the vulnerability.

* More to come...

  • Exploit?

    There is a difference between exploit and trigger.. This is not an exploit, it is a trigger. But that wouldn't sound as cool in the headline I suppose.
  • Still...

    ... The patch is out there for you to install. You have no one to blame but yourself if something happens at home or at work. Get the word out for people to install this patch ASAP.
    The one and only, Cylon Centurion
    • Huh?

      Microsoft won't install it for me? And then reboot my servers when I'm not looking? Maybe install a few statistics snoops and maybe an NSA back door while they're at it?
      • Oh, oh, oh!

        You don't know what's really in those patches do you? They never say and they don't let you look at them. You just have to trust them. So count me down and pretend it isn't a problem.
      • Yea OK

        I'll be sending you a coupon for a large roll of tin foil, enough to make at least 100 hats. That way Microsoft cannot take control of your mind while you are asleep.
      • Paranoid, much?

        Ya. Let's see how long your Windows servers last without updates.
      • Nope

        Longer than an unpatched Linux server would at least:


      • SLES10 = Linux Kernel 2.6.16..

        Ya.. What kernel version does SLES10 use? 2.6.16? No wonder it's exploitable.
        I'm running the latest kernel (3.2.9) on my Gentoo Linux boxes. Running an extinct kernel is suicide.
      • So it's OK to run an "old" version of Windows but not Linux?

        Simba7: [i]What kernel version does SLES10 use? 2.6.16? No wonder it's exploitable. I'm running the latest kernel (3.2.9) on my Gentoo Linux boxes. Running an extinct kernel is suicide.[/i]

        Why is that?
      • Why do you think, ye?

        NT (rhetorical question)
    • Completely impractical

      You obviously don't work at a large company. Patches must be rigorously tested before they are applied. I can't imagine that any company which has machines that handle financial transactions will simply apply a patch to their production servers because the OS vendor says it's a fix. A vendor "fix" can break a custom application.
      • RE: Completely impractical

        [i]Patches must be rigorously tested before they are applied.[/i]

        And in the meantime, workarounds detailed in Microsoft Security Bulletin MS12-020 can be applied:
        o "Disable Terminal Services, Remote Desktop, Remote Assistance, and Windows Small Business Server 2003 Remote Web Workplace feature if no longer required"
        o "Block TCP port 3389 at the enterprise perimeter firewall" (and, possibly, port 4125 on Windows Small Business Server 2003)
        o "Enable Network Level Authentication on systems running supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2"
        Rabid Howler Monkey
      • Work Around is impractical or ineffectual

        @Howler Monkey - I don't know about you, but I know that in the last year I have been repeatedly asked to allow some IT wombat to take control of my hardware and "fix" it remotely using the same services you believe should be disabled if even only temporarily.

        Also, blocking TCP ports may make you feel better but is completely ineffectual. Did everyone update their HP Workgroup Printer firmware yet? I bet not, and if not, you may have several devices inside your perimeter that are compromised, can tunnel out and provide full network access to your enterprise. Or did you all miss the presentation regarding how malware can be embedded in a Postscript file that hijacks an HP printer using LPR commands? HP released new firmware to correct this, but I am willing to bet money that many organizations have been ignorant or not diligent in patching this...

        Hopefully the last workaround can or has been applied before an attack can occur. That's quite a bit of hoping for all of the users of Windows that could be affected.
      • Still remember

        In the days Microsoft discovered this "Internet thing", a security advisory read sort of (from memory):

        "If you want to be sure your Windows is safe from remote exploits, it is best to disconnect it from the network"

        To which everyone was adding ".. and to make it absolutely safe, it is best to turn it off".

        Of course, one cannot just blindly install patches, by anyone, without testing. And.. disabling the very service for which you run that particular server is not practical either. It is about as good advice as "turn power switch off to be safe".
      • Fix

        Enabling NLA is a fast and low impact fix.
      • Sure, danbi. Though I admit that

        taking that phrase from a Linux tutorial, and changing it to "Windows" is more proof that MS steals stuff from everyone else. ;)
        William Farrel
      • Not really

        >A vendor "fix" can break a custom application.

        A security flaw can break everything, permanently. Better the custom app has an issue than that the system is compromised and data leaked. Besides, 99% of the time it's common sense that the patch won't break anything. An RDP patch, for instance, isn't going to bring down a financial application.
    • So, if someone shoots you

      If someone shoots you, then you are to blame for not moving faster and still staying at the trajectory of the bullet?

      How does it sound: we write buggy software, but here is a patch to install. We hope it makes this bug go away. We won't promise there are no more bugs.

      Has anyone estimated what is the real cost of this all-time patching of Microsoft software? In wasted work time, in down time (lots of restarts), in electricity and network bandwidth?
      • Is it your implication Microsoft is the only one who writes software with..

      • Speaking of mixed metaphors...

        Your argument is the person who built your house should go to jail because you were injured when someone driving a semi barreled off the road and into your bedroom.

        The virus and worm writers are the culprits here.