Tips for an Information Security Analyst/Pentester career - Ep. 79- Stay Current (BlueKeep Update)
In Episode 75, I talked about an early exploit version released by Rapid7 for the BlueKeep vulnerability affecting RDP (CVE-2019-0708), and I mentioned that development of this exploit was underway, so we could expect a stable version soon.
Here we are.
A much more stable version of the BlueKeep exploit has been released.
The exploit ships with the latest version of Metasploit, so you no longer need to add it manually.
You simply have to run the apt install metasploit-framework -y command to get the latest version.
I used the same Windows Server 2008 R2 vulnerable machine as in Episode 75.
I ran the new exploit unsuccessfully multiple times, and it's very stable. I only got two BSODs, due to a wrong LHOST parameter.
The exploit requires you to choose the target manually, but adjusting the return address is no longer needed. The list of possible targets doesn't yet include VMware Fusion, which I believe is a serious oversight.
I could get a shell by choosing the Windows Meterpreter 64-bit reverse shell payload and target 5 (in my case).
Implications
BlueKeep is now a critical vulnerability and a major threat to many organizations, as it can be exploited quickly and reliably, handing the attacker a SYSTEM shell in a matter of seconds.
Patch management and system hardening policies are paramount.
Organizations need to take action NOW.
If there's no absolute need to have an externally facing RDP server, take it down, or restrict access to it to trusted IPs only or to clients connecting from behind a VPN.
Unsecured RDP servers are an entry point for ransomware into your network, so take them down or restrict access to them, NOW.
Don't procrastinate, or you're in for a lot of pain and possible lawsuits and class actions.
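As an added example (not from the original post, and not part of Metasploit or any Microsoft documentation), the following PowerShell script applies the mitigation described above on a Windows host: it finds every enabled inbound firewall rule that allows TCP/3389 and, where the remote scope is "Any", narrows it to a trusted allow-list. The $TrustedSources values are constructed placeholders; replace them with your VPN concentrator or jump-host ranges. It uses the NetSecurity cmdlets, which exist on Windows 8 / Server 2012 and later; on Windows Server 2008 R2 (the lab target in this episode) the equivalent netsh command is shown in a comment.

```powershell
# Added example: restrict inbound RDP (TCP/3389) to trusted source addresses.
# Assumption: the allow-list below is a constructed placeholder.
$TrustedSources = @('10.0.0.0/24', '192.0.2.10')

# Enabled inbound allow rules whose port filter covers TCP/3389.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and $port.LocalPort -contains '3389'
    }

foreach ($rule in $rdpRules) {
    $scope = $rule | Get-NetFirewallAddressFilter
    if ($scope.RemoteAddress -contains 'Any') {
        Write-Warning "Rule '$($rule.DisplayName)' allows RDP from Any; restricting to trusted sources."
        # Replace the remote address scope so only the allow-list can reach the listener.
        $rule | Set-NetFirewallRule -RemoteAddress $TrustedSources
    } else {
        Write-Output "Rule '$($rule.DisplayName)' already scoped to: $($scope.RemoteAddress -join ', ')"
    }
}

# Verify the resulting scope of every RDP rule.
$rdpRules | Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress

# On Windows Server 2008 R2, which lacks the NetSecurity module, the built-in
# "Remote Desktop" rule group can be scoped the same way with netsh:
#   netsh advfirewall firewall set rule group="remote desktop" new remoteip=10.0.0.0/24,192.0.2.10
```

Run it from an elevated PowerShell session. Scoping the host firewall is a second layer behind the perimeter firewall or VPN, not a substitute for applying the patch: a host that is reachable only from the allow-list is still vulnerable to any machine on that list.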