Pierluigi Paganini September 07, 2019

Maintainers of the open-source Metasploit penetration testing framework have added a public exploit module for the BlueKeep Windows flaw.

There is a surprise for Metasploit users, maintainers of the open-source penetration testing framework have added a public exploit module for the BlueKeep Windows flaw.

The BlueKeep vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be triggered without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

The Metasploit BlueKeep exploit module is based on the proof-of-concept code from the security researchers zǝɹosum0x0 and Ryan Hanson. It has been developed to target only the 64-bit versions of Windows 7 and Windows 2008 R2.

“Today, Metasploit is releasing an initial public exploit module for CVE-2019-0708, also known as BlueKeep, as a pull request on Metasploit Framework. The initial PR of the exploit module targets 64-bit versions of Windows 7 and Windows 2008 R2.” explained Metasploit senior engineering manager Brent Cook. “The module builds on proof-of-concept code from Metasploit contributor @zerosum0x0, who also contributed Metasploit’s BlueKeep scanner module and the scanner and exploit modules for EternalBlue.” 

Experts pointed out that the exploit does not currently support automatic targeting, this means that experts have to manually provide target details.

Unfortunately, the number of unpatched machines exposed online is very high, querying the BinaryEdge service it is possible to find more than 1,000,000 unpatched systems.

Recently, experts observed a significant increase in the number of attacks targeting RDP servers, below a graph shared by Rapid7.

The module leverages an improved general-purpose RDP protocol library, as well as enhanced RDP fingerprinting capabilities.

Experts warn of possible side effects associated with the use of this module with Metasploit payload detection tools.

“All that said, there’s one important caveat for Metasploit payload detection tools, such as those that alert on generic meterpreter payloads in network traffic: If an intrusion prevention system interrupts in-progress BlueKeep exploitation simply because it detects a payload signature against an unpatched target, breaking that network connection will likely crash the target as a side effect, since the exploit code is actually triggered by a network disconnect.” continues Cook.

Rapid7 suggests reading the previous analysis to have more info on profiles of attacker activity and detailed recommendations on defending against BlueKeep exploitation,

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]