Tips for an Information Security Analyst/Pentester career - Ep. 75 -Stay current (BlueKeep early exploit)

General considerations

This time I want to talk about how important it is for security professionals to keep up with new vulnerabilities and their related exploits, and in general to stay current.

This is a quickly changing world and things change at a yet faster pace in information security, every single second, so it's paramount for you to keep up.

This is a priority both for blue teamers and red teamers.

Blue teamers need to know the latest vulnerabilities for them to know how to defend against them.

Red teamers like myself need to update their attack vectors to be able to exploit a vulnerability and show their customers its real impact before bad guys get to do it.

BlueKeep vulnerability (CVE-2019-0708)
 

Here I want to specifically talk about the latest PoC exploit for the RDP BlueKeep vulnerability (CVE-2019-0708).

Rapid7 plans to add it to Metasploit, and the testing for it is still in progress. However, you can grab right now an early version on Github. 

I've reported this finding all over the place in my pentests, and now this exploit has suddenly changed the game.

This stresses, once again, how important it is for security professional to stay current. In fact, so far I had reported BlueKeep as a high finding, because it wasn't directly exploitable, as no exploits were available.

Now, with this new exploit, BlueKeep has become a critical finding because, under the right conditions, it allows an attacker to obtain a SYSTEM shell on the target machine.

That's why keeping up to date is so important.

If pentesters don't stay current, they might keep reporting it as a high finding, and this wrong advice could cause the client's network to get compromised, when this situation could be solved by simply installing a patch.

BlueKeep exploit

The BlueKeep exploit (windows/rdp/cve_2019_0708_bluekeep_rce) must, as of now, be manually added to Metasploit, following the instructions available here.

It's a very early and very unstable exploit at this point in time, as it can easily cause the target to crash, following to a Blue Screen of Death.

For this reason, BlueKeep exploit, for now, should be run in a test environment only, like I did in the video.

The exploit provides a list of targets and so far you need to set up the right target manually for it to work.

If I could give the guys at Rapid7 a suggestion, I'd review the list of targets, because it only includes Windows versions of VMware, forgetting about VMware Fusion.

Network setup (VMware Fusion 11.5.0):

A) attacking machine: Kali Linux 2019.1 (bridged mode)

B) target machine: Windows Server 2008 R2 (bridged mode)

I performed several unsuccessful attempts to exploit the target machine.

BlueKeep exploit crashed repeatedly the target machine, generating multiple Blue Screens of Death (BSODs).

However, I don't easily give up, so I could eventually get a shell by tweaking Windows Server 2008 registry (as described here), selecting target no. 5 and setting grooming size to 100 in the exploit options.

At the end of the day, my grit was rewarded.

SUCCESS!!

I was eventually able to get a shell on the machine.

I had set up a normal Windows shell at first and then I re-exploited the target to obtain a Meterpreter shell as SYSTEM.

Wrap-up

BlueKeep is a very clear example of why security professionals must stay current and keep up with the constant changes seamlessly disrupting the info sec game every day.

That's the hardest part of this job but it’s needed, as security professionals seamlessly face changes.

You need to be ready for what’s round the corner, in order to improve your professional career and protect your clients to the best of your abilities.