{"id":83720,"date":"2016-12-13T18:22:36","date_gmt":"2016-12-13T12:52:36","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=83720"},"modified":"2016-12-13T19:27:40","modified_gmt":"2016-12-13T13:57:40","slug":"remote-desktop-protocol-vulnerability-cve-2012-0002-not-dead-yet","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/remote-desktop-protocol-vulnerability-cve-2012-0002-not-dead-yet\/","title":{"rendered":"The Remote Desktop Protocol Vulnerability &#8211; \u2018CVE-2012-0002\u2019 is not dead yet!"},"content":{"rendered":"<p>On March 13, 2012, Microsoft disclosed the details of a \u2018critical vulnerability\u2019 called Remote Desktop Protocol Vulnerability &#8211; <a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=cve-2012-0002\">CVE-2012-0002<\/a> in its <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms12-020.aspx\">bulletin<\/a>. Even four years after this vulnerability was patched, it is still being exploited in the wild by attackers to carry out \u2018Remote Code Execution\u2019 on their victims&#8217; computers.<\/p>\n<p>Affected Operating Systems:<\/p>\n<ul>\n<li>Microsoft Windows XP SP2 and SP3<\/li>\n<li>Windows Server 2003 SP2<\/li>\n<li>Windows Vista SP2<\/li>\n<li>Windows Server 2008 SP2, R2, and R2 SP1<\/li>\n<li>Windows 7 Gold and SP1<\/li>\n<\/ul>\n<p>Reportedly, various exploit frameworks and public advisories are known to host reliable exploit code for the vulnerability (CVE-2012-0002). This helps even the most novice of hackers to exploit this vulnerability &#8211; all they have to do is fingerprint the victim&#8217;s machine that has the RDP port 3389 open.<\/p>\n<p><strong>Vulnerability<\/strong><\/p>\n<p>While handling the &#8216;maxChannelIds&#8217; field of the &#8216;ConnectMCSPDU&#8217; request, a \u2018use-after-free vulnerability\u2019 is triggered, leading to remote code execution in the RDP server. 
The complete technical disclosure of this vulnerability can be found <a href=\"https:\/\/aluigi.altervista.org\/adv\/termdd_1-adv.txt\">here<\/a>.<\/p>\n<figure id=\"attachment_83721\" aria-describedby=\"caption-attachment-83721\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-83721 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2016\/12\/RDP_exploit_pkt-1024x466.png\" alt=\"Fig 1. CVE-2012-0002\" width=\"1024\" height=\"466\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RDP_exploit_pkt-1024x466.png 1024w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RDP_exploit_pkt-300x136.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RDP_exploit_pkt-768x349.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RDP_exploit_pkt-789x359.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RDP_exploit_pkt.png 1321w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-83721\" class=\"wp-caption-text\">Fig 1. CVE-2012-0002<\/figcaption><\/figure>\n<p><strong>IPS Hits Trend<\/strong><\/p>\n<p>As observed in Quick Heal Labs, below is the trend of the exploitation of this vulnerability over the last four months.<\/p>\n<figure id=\"attachment_83722\" aria-describedby=\"caption-attachment-83722\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-83722 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2016\/12\/RD_hits-1024x135.png\" alt=\"Fig 2. 
Exploitation of CVE-2012-0002\" width=\"1024\" height=\"135\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RD_hits-1024x135.png 1024w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RD_hits-300x40.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RD_hits-768x102.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RD_hits-789x104.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2016\/12\/RD_hits.png 1278w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-83722\" class=\"wp-caption-text\">Fig 2. Exploitation of CVE-2012-0002<\/figcaption><\/figure>\n<p>&#8211; 11 Nov and 12 Dec 2016 show a spike in the activity.<\/p>\n<p><strong>Recent Threat Actors<\/strong><\/p>\n<p>As observed, the machines affected by CVE-2012-0002 were connected to the Internet and had the RDP port 3389 open for outside access. Keeping the ports of important services open to external access is an extremely unsafe practice, and we strongly recommend against it.<\/p>\n<p>Following are some of the attackers\u2019 IPs that were observed exploiting the vulnerability (CVE-2012-0002).<\/p>\n<p><strong>Attacker IP<\/strong><br \/>\n\u2022 183.207.184.195<br \/>\n\u2022 123.30.236.140<br \/>\n\u2022 124.65.37.50<br \/>\n\u2022 188.247.20.104<br \/>\n\u2022 202.130.106.17<br \/>\n\u2022 46.100.50.204<br \/>\n\u2022 62.210.211.86<br \/>\n\u2022 80.58.182.245<br \/>\n\u2022 61.160.166.23<br \/>\n\u2022 120.27.7.118<\/p>\n<p>Most of the above IPs have been blacklisted on various online malicious IP scanners such as <a href=\"https:\/\/www.abuseipdb.com\">www.abuseipdb.com<\/a>.<\/p>\n<p>Example &#8211; <a href=\"https:\/\/www.abuseipdb.com\/check\/62.210.211.86\">https:\/\/www.abuseipdb.com\/check\/62.210.211.86<\/a><\/p>\n<p><strong>Quick Heal Detections<\/strong><\/p>\n<p>Quick Heal has released the following IPS detections for 
CVE-2012-0002.<\/p>\n<ul>\n<li>VID-00114: [MS12-020] Microsoft RDP Remote Code Execution Vulnerability<\/li>\n<li>VID-00116: [MS12-020] Microsoft RDP Remote Code Execution Vulnerability<\/li>\n<li>VID-00117: [MS12-020] Microsoft RDP Remote Code Execution Vulnerability<\/li>\n<\/ul>\n<p>Furthermore, many ransomware attacks were carried out using RDP brute-force attempts. To deal with these attacks, the IPS detections below were released recently.<\/p>\n<ul>\n<li>VID-01087: RDP Brute force attack detection<\/li>\n<li>VID-01088: RDP Brute force attack detection<\/li>\n<li>VID-01089: RDP Brute force attack detection<\/li>\n<li>VID-01090: RDP Brute force attack detection<\/li>\n<li>VID-01092: RDP Brute force attack detection<\/li>\n<\/ul>\n<p>Despite being patched four years ago, the vulnerability (CVE-2012-0002) is still being used by attackers to target unpatched Remote Desktop Services on Windows operating systems. This only underscores the need for users to keep their OS updated with all the recommended security updates and to use multilayered security software such as <a href=\"https:\/\/www.quickheal.co.in\/home-users\/quick-heal-total-security\">Quick Heal<\/a>.<\/p>\n<p><strong>Also Read:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/blogs.quickheal.com\/is-your-remote-desktop-system-safe-from-bruteforce-attacks\/\">Is your Remote Desktop System safe from Brute Force Attacks?<\/a><\/li>\n<li><a href=\"https:\/\/blogs.quickheal.com\/troldesh-ransomware-brute-forcing-its-way-into-systems\/\">Troldesh Ransomware brute-forcing its way into systems<\/a><\/li>\n<li><a href=\"https:\/\/blogs.quickheal.com\/worm-morto-spreading-via-rdp\/\">Worm Morto Spreading via RDP<\/a><\/li>\n<\/ul>\n<p><strong>ACKNOWLEDGMENT<\/strong><\/p>\n<p><strong>Subject Matter Expert<\/strong><br \/>\n&#8211; Pradeep Kulkarni (Threat Research &amp; Response Team)<br \/>\n&#8211; Swapnil Mahajan (Product Development Team)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On March 13, 2012, 
Microsoft disclosed the details of a \u2018critical vulnerability\u2019 called Remote Desktop Protocol Vulnerability &#8211; CVE-2012-0002 in its bulletin. And even four years after this vulnerability was patched, it is still being exploited in the wild by attackers to carry out \u2018Remote Code Execution\u2019 on their victims computers. Affected Operating Systems: Microsoft [&hellip;]<\/p>\n","protected":false},"author":31,"featured_media":83735,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[133,24,5],"tags":[240,1380,1173,157,74,50,89,47,38],"class_list":["post-83720","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacker","category-malware","category-security","tag-brute-force-attack","tag-cve-2012-0002","tag-exploit","tag-ips","tag-microsoft-patch","tag-ransomware","tag-rdp","tag-security","tag-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/83720"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=83720"}],"version-history":[{"count":11,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/83720\/revisions"}],"predecessor-version":[{"id":83740,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/83720\/revisions\/83740"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/83735"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=83720"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/w
ww.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=83720"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=83720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}