Did Microsoft Partner Lead Windows RDP Exploit Code?

The subject of a "critical" patch for a Windows Remote Desktop Protocol (RDP) vulnerability included in this month's security update involved some proof-of-concept (POC) code that was not publicly available, suggesting that the leak came from an internal source.  The "code in the wild" just two days after Microsoft's RDP fix offers a clue as to the original.

Italian security researcher Luigi Auriemma discovered the Windows RDP flaw; he explained the scenario in a blog post last week. Originally he had sold his POC code to Hewlett-Packard in May of 2011 as part of HP's TippingPoint's Zero Day Initiative program. HP then turned it over to Microsoft a month later.

Microsoft modified his data packet into executable code that could take advantage of the RDP flaw in November. However, several lines of code (including Auriemma's data packet) appeared in the exploit code that was released last Thursday on a Chinese Web site. Although Auriemma admits that it was his data packet posted online, he says he is not responsible for the leak.

"No details and proof-of-concept were released by me after the releasing of the patch," he wrote. "I was waiting some days and I was really curious to know who would have been able to spot the one-day (like a simple poc) first. After all it was the bug and the challenge of the moment so why [ruin] the party."  Auriemma theorized that the leak must have occurred after Microsoft sent its executable code to its partners to create "antivirus signatures."

Microsoft concurs.  "The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners," wrote Yunsun Wee, director of Microsoft's Trustworthy Computing group, in a blog post. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."

Auriemma described the RDP flaw and POC exploit as a "use-after-free" memory management bug. He said his exploit is basic, but an experienced hacker would have no problem turning it into a working attack.

"Having access to the patches already makes it possible to deduce the vulnerability details via bindiffing (i.e. comparing the patched binaries to unpatched binaries), but concluding how to trigger the vulnerability is not always so straight-forward," Auriemma wrote. "Having a PoC available, obviously, makes this very clear."

Enterprises that haven't installed Microsoft's security bulletin MS12-020 fix should do so right away; if that is not possible, use the workaround Microsoft provides in the bulletin.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.