March 19, 2012

Leak of MS12-020 working proof of concept

Lei Li

On March 15, a working Proof of Concept (PoC) for MS12-020 that attempts to exploit CVE-2012-0002 was published by a Chinese hacker group named Silic Group Hacker Army. The original code was written in Ruby and Python, and an executable file was uploaded to a free online storage service, 115 netdisk.


Luigi Auriemma, the first to find this vulnerability, said the pre-built packets used in this PoC were the same as the ones he submitted to the HP TippingPoint Zero Day Initiative (ZDI, a partner of Microsoft) as part of the verification process to obtain his bug bounty in August 2011. Microsoft TechNet Blog has also confirmed that the details of the PoC code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners.

MS12-020 patches a pair of bugs in Windows Remote Desktop Protocol (RDP), a component that lets users remotely access a PC or server. A vulnerable function called HandleAttachUserReq() in rdpwd.sys can be triggered by specially crafted RDP packets. The leaked PoC code can be used to launch a denial of service (DoS) attack over the internet against Windows systems with the RDP service enabled, resulting in the blue screen shown here:


Customers who have deployed MS12-020 are protected from attempts to exploit CVE-2012-0002. Websense works with Microsoft and is an active member of Microsoft MAPP.


We will continue to monitor this situation to see if the exploit evolves to allow remote code execution.
