ms12-020 saga: PoC exploit on pastebin and online rdp vulnerability scan: rdpcheck.com
So then again, rolling and checking istherdpexploitoutyet.com found an interesting thing; they link to a PoC on pastebin, and apparently it messes up your box, I wonder how many people lost boxes on that one, but they link to another cool site rdpcheck.com they scan you back to check if you are vulnerable to RDP exploit, they even check you don’t use disposable addresses which is very interesting and cool.
So I put my gmail address and click test, I don’t have any RDP at my home address but I wanted to see how they do it with closed ports, then I’ll setup an exploitable RDP and let them scan me :) and update this post!
After you click on test you will receive something on the email like this (IP Address removed):
IP address tested: XXX.XXX.XXX.X
Time of test: Sat, 24 Mar 2012 14:50:38 EST
Result: RDP Port Filtered (Inconclusive)
Hmmm… We were unable to determine if we could access Remote Desktop Protocol from the Internet on it’s standard port. When we tested there was no response. This generally means that there is a firewall configured to be invisible – which is a good thing – but it can also be caused by network issues, ISP filtering, etc.
Because of this we cannot make a confident assessment of your exposure.
To err on the safe side you should assume that this means that your network is potentially vulnerable to exploitation of the MS12-020 RDP vulnerability from the Internet and is likely to contain unpatched systems.
Here’s a few things you can do…
Patch ALL of your Windows systems with the MS12-020 patch from Microsoft. To do this simply run Windows Update until it no longer suggests updates, or you can manually download Microsoft security bulletin and patches from Microsoft’s advisory here.
Check that you’ve patched ALL of your systems. Not just the Internet facing ones. When this vulnerability gets turned into an self-propagating RDP worm you’ll thank us for this advice.
Close off port Remote Desktop Services (RDP) to the Internet. RDP runs on TCP port 3389. If this means nothing to you, ask your I.T. guy.
Disable RDP on machines that don’t need it. RDP is fantastically useful, but if you don’t need it, turn it off.
Give your I.T. guy a smack on the wrist and tell him/her to stop running Remote Desktop Protocol on the Internet. This is a risky practice, superbug or no superbug, because it gives full access to a machine. Use a VPN for remote access instead.
From Microsoft: “Consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections.” Some of the tips here are a part of this general advice. If you need more help with this get in touch via our contact form.
This is pretty cool and useful at least for the average joe :)
I still wonder … IS THE RDP EXPLOIT OUT YET!?!?!?!?