CVE-2019-0708: BlueKeep
Last updated
BlueKeep is a critical RDP vulnerability in Windows systems that allows attackers to remotely execute arbitrary code without authentication, potentially gaining full access to the system and network. Disclosed by Microsoft in May 2019, the vulnerability lies in the RDP protocol implementation, specifically in a kernel memory-handling flaw. A patch was released on May 14, 2019, but many systems, including Windows XP, Vista, 7, and Server 2008 R2, remained vulnerable at the time. Over 1 million systems worldwide were at risk when the vulnerability was discovered.
The vulnerability affects Microsoft's Remote Desktop Services (formerly Terminal Services), which lets users remotely access a Windows system using the Remote Desktop Protocol (RDP) over port 3389/TCP. The flaw sits in the handling of the "MCS Connect Initial and GCC Create" request, part of the RDP connection sequence. Specifically, it concerns the creation of virtual channels: a use-after-free in the RDP kernel driver (termdd.sys) can be triggered by sending crafted data to the "MS_T120" channel. This results in arbitrary code execution with administrative privileges.
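The connection-sequence detail above is also what network detection keys on: a compliant RDP client has no reason to name MS_T120 in the virtual-channel list it sends during the connection request, so a request that does is a strong signal worth alerting on. The following is an added example (not code from the original page), showing how a defender might parse the client data blocks carried in that request and flag an MS_T120 channel definition. It assumes the caller has already stripped the outer TPKT/X.224/MCS framing and is passing only the TS_UD_HEADER-prefixed client data blocks; the block layout (2-byte type, 2-byte length, then a 4-byte channel count and 12-byte channel definitions for the CS_NET block) follows MS-RDPBCGR. The sample byte strings are constructed for the demo.

```python
import struct

# TS_UD_HEADER block types from MS-RDPBCGR (client-to-server data blocks)
CS_CORE = 0xC001
CS_NET = 0xC003
CHANNEL_DEF_SIZE = 12  # CHANNEL_DEF: 8-byte null-padded name + 4-byte options

# The channel name that only the server-side stack should ever bind
SUSPECT_CHANNEL = "MS_T120"


def iter_client_data_blocks(user_data: bytes):
    """Yield (block_type, payload) for each TS_UD_HEADER-prefixed block."""
    off = 0
    while off + 4 <= len(user_data):
        block_type, block_len = struct.unpack_from("<HH", user_data, off)
        if block_len < 4 or off + block_len > len(user_data):
            raise ValueError("malformed client data block at offset %d" % off)
        yield block_type, user_data[off + 4: off + block_len]
        off += block_len


def requested_channel_names(user_data: bytes):
    """Return the virtual-channel names the client asked for in its CS_NET block."""
    names = []
    for block_type, payload in iter_client_data_blocks(user_data):
        if block_type != CS_NET:
            continue  # CS_CORE, CS_SECURITY, CS_CLUSTER etc. carry no channel list
        if len(payload) < 4:
            raise ValueError("CS_NET block too short for channelCount")
        (count,) = struct.unpack_from("<I", payload, 0)
        if 4 + count * CHANNEL_DEF_SIZE > len(payload):
            raise ValueError("channelCount exceeds CS_NET payload")
        for i in range(count):
            start = 4 + i * CHANNEL_DEF_SIZE
            raw_name = payload[start:start + 8]
            names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def flags_ms_t120(user_data: bytes) -> bool:
    """True if the client tries to define MS_T120 as a user virtual channel."""
    return any(n.upper() == SUSPECT_CHANNEL for n in requested_channel_names(user_data))


# --- constructed sample data (not captured traffic) ---------------------------

def build_cs_core() -> bytes:
    # Contents of CS_CORE are irrelevant here; a short dummy payload is enough.
    body = b"\x00" * 8
    return struct.pack("<HH", CS_CORE, 4 + len(body)) + body


def build_cs_net(channel_names) -> bytes:
    defs = b"".join(
        name.encode("ascii")[:8].ljust(8, b"\x00") + struct.pack("<I", 0)
        for name in channel_names
    )
    body = struct.pack("<I", len(channel_names)) + defs
    return struct.pack("<HH", CS_NET, 4 + len(body)) + body


BENIGN_REQUEST = build_cs_core() + build_cs_net(["rdpdr", "rdpsnd", "cliprdr"])
SUSPECT_REQUEST = build_cs_core() + build_cs_net(["rdpdr", "MS_T120"])

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, requested_channel_names(data), "alert" if flags_ms_t120(data) else "ok")
```

The check runs before any authentication completes, which is exactly why the vulnerability is pre-auth and why enabling Network Level Authentication (NLA), which Microsoft listed as a mitigation for CVE-2019-0708, raises the bar for unpatched hosts: the attacker must hold valid credentials before the vulnerable connection sequence is reached. Patching remains the actual fix.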