Bluekeep - a sword of Damocles as three exploits detailed and more expected

News by Rene Millman

Security researchers detail three ways to insert data into the kernel using Bluekeep and suggest that further exploitation methods are likely to be developed.

Unfortunately, it looks like Bluekeep will be the exploit that keeps on giving. Security researchers have warned that more ways for it to wreak havoc on systems may be forthcoming.

According to researchers at Palo Alto Networks, hackers could soon devise exploits that are easy to deploy. "We believe that there are other yet-to-be-documented ways to make CVE-2019-0708 exploitation easier and more stable," they said in a blog post.

In the report, researchers detailed various ways to write data into the kernel with Bluekeep. They said that they felt it was important to analyse this vulnerability to understand the inner workings of Remote Desktop Services (RDS) and how it could be exploited.

They said that the flaw allowed attackers to use the Bitmap Cache protocol data unit (PDU), Refresh Rect PDU, and RDPDR Client Name Request PDU to write data into kernel memory.

The Bitmap Cache protocol data unit (PDU), according to researchers, had several characteristics that made it a good candidate to "write arbitrary data into the kernel if either the number of bitmap keys limit to 169 can be bypassed, or the RDP developers in Microsoft didn’t implement it according to that limit".

The Refresh Rect PDU is designed to notify the server with a series of arrays of screen area "Inclusive Rectangles" to make the server redraw one or more rectangles of the session screen area.

Researchers said that when sending the Refresh Rect PDU many times, "we can still get a successful kernel pool spray even though there are some unsuccessful pool allocations".

The RDPDR Client Name Request PDU can legitimately be sent multiple times. For each request the RDP server will allocate a kernel pool to store this information and, most importantly, the content and length of the PDU can be fully controlled by the RDP client. "This makes it an excellent choice to write data into the kernel memory," said researchers.

"Due to its flexibility and exploit-friendly characteristics the Client Name Request PDU can be used to reclaim the freed kernel pool in UAF (Use After Free) vulnerability exploit and also can be used to write the shellcode into the kernel pool, even can be used to spray consecutive client controlled data into the kernel memory."

Rami Kogan, malware analyst at SentinelOne, told SC Media UK that in the past few weeks, his company’s honeypots have started to detect scans searching for Bluekeep vulnerable machines. "At this stage, we haven’t seen exploitation attempts, but the enumeration of such machines indicates that there are 'players' who are preparing for the right time to attack (waiting for the exploit to become public?)," he said.

He added that well-known botnet IPs have been on the Internet trying to brute-force the credentials of several exposed protocols like FTP, Telnet, SSH and RDP to log in to those machines.

"It seems that these botnets are expanding their business to also scan the Internet for machines vulnerable to Bluekeep," he said.

Chris Goettl, director of security solutions at Ivanti, told SC Media UK that the fact that six security firms have independently reached successful exploitation of BlueKeep makes it pretty likely that a weaponised version of this may be a lot more real than some people might think, even though nobody has detected one of these in the wild yet.

"Numerous possibilities exist for a wormable exploit like BlueKeep. What if it were using something like Emotet, a more sophisticated malware platform? You could have a piece of malware that gets onto a system and it could make intelligent decisions about what it should do next. It could automate those steps and adapt to its environment," he said.

"If it got into a hospital it could switch into ransomware mode. If it got into a financial institution it could go into command-and-control mode and it could start scraping credentials and just stay dormant for the most part, for a long period of time."
