Wednesday, March 28, 2012

A little about MS12-020

Great history of the vulnerability by the original Italian researcher: http://aluigi.org/adv/ms12-020_leak.txt
He sold the bug to ZDI with a DoS POC; ZDI reported it to Microsoft, and the bug is suspected to have leaked through a MAPP partner to a Chinese entity, surfacing as rdpclient.exe.

Small companies: firewall off all remote access to TCP port 3389.
Enterprise: scan and test, deploy signatures, alert the SOC, and start a monitoring campaign during lockdown efforts.

Snort signatures (untested):

alert tcp any any -> $HOME_NET 3389 (msg:"Potential MS12-020 RDP DoS attempt - MaximumParameters"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; content:"|30 19|"; distance:25; within:2; content:"|30 1c|"; distance:25; within:2; byte_test:1,=,255,2,relative; reference:cve,2012-0002; classtype:attempted-dos; sid:1000031; rev:1;)

alert tcp any any -> $HOME_NET 3389 (msg:"Potential MS12-020 RDP DoS attempt - MaximumParameters"; flow:to_server,established; content:"|03 00|"; offset:0; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; byte_jump:1,10,relative; byte_jump:1,1,relative; byte_test:1,=,255,4,relative; reference:cve,2012-0002; classtype:attempted-dos; sid:1000026; rev:1; priority:1;)
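Because the post marks both rules untested, here is an added example (my code, not the post's and not Snort's) that re-implements only the option semantics the two rules use (content with offset/depth or distance/within, byte_jump ...,relative and byte_test ...,relative) and steps them over a constructed client-to-server stream: an X.224 Connection Request followed by an MCS Connect Initial laid out the way the rules expect. Every offset is derived from the rule text, the sample bytes are constructed rather than captured, and the helper names (Cursor, sid_1000031, sid_1000026, sample_stream) are my own.

```python
"""Mini evaluator for the option chains of the two MS12-020 Snort rules.

Added example, not code from the original post. Implements just enough of
Snort's relative-matching semantics to step through each rule on a
constructed (not captured) RDP client stream.
"""


class Cursor:
    """Payload plus the 'end of last match' position that Snort's relative
    options (distance/within, byte_jump/byte_test ...,relative) work from."""

    def __init__(self, data):
        self.data = data
        self.pos = 0
        self.trace = []  # (option, position after the option), for the reader

    def content(self, pattern, offset=0, depth=None, distance=None, within=None):
        """Absolute match (offset/depth) or relative match (distance/within)."""
        if distance is None and within is None:
            start = offset
            end = len(self.data) if depth is None else offset + depth
        else:
            start = self.pos + (distance or 0)
            end = len(self.data) if within is None else start + within
        idx = self.data.find(pattern, start, end)
        if idx < 0:
            return False
        self.pos = idx + len(pattern)
        self.trace.append(("content " + pattern.hex(), self.pos))
        return True

    def byte_jump(self, nbytes, offset):
        """byte_jump:<nbytes>,<offset>,relative: read a big-endian integer at
        pos+offset, then move pos past those bytes plus that many more."""
        at = self.pos + offset
        if at + nbytes > len(self.data):
            return False
        self.pos = at + nbytes + int.from_bytes(self.data[at:at + nbytes], "big")
        self.trace.append(("byte_jump", self.pos))
        return True

    def byte_test(self, nbytes, expected, offset):
        """byte_test:<nbytes>,=,<expected>,<offset>,relative; pos is unchanged."""
        at = self.pos + offset
        if at + nbytes > len(self.data):
            return False
        return int.from_bytes(self.data[at:at + nbytes], "big") == expected


def sid_1000031(stream):
    """First rule: fixed distances between the three DomainParameters SEQUENCEs."""
    c = Cursor(stream)
    ok = (c.content(b"\x03\x00", depth=2)
          and c.content(b"\x7f\x65\x82\x01\x94", distance=24, within=5)
          and c.content(b"\x30\x19", distance=9, within=2)
          and c.content(b"\x30\x19", distance=25, within=2)
          and c.content(b"\x30\x1c", distance=25, within=2)
          and c.byte_test(1, 255, 2))
    return ok, c.trace


def sid_1000026(stream):
    """Second rule: skips the first two SEQUENCEs via their BER length bytes."""
    c = Cursor(stream)
    ok = (c.content(b"\x03\x00", offset=0, depth=2)
          and c.content(b"\x7f\x65\x82\x01\x94", distance=24, within=5)
          and c.byte_jump(1, 10)
          and c.byte_jump(1, 1)
          and c.byte_test(1, 255, 4))
    return ok, c.trace


# --- constructed sample stream (assumption: layout mirrors a stock client) ---

def ber_int(value):
    """BER INTEGER with one content byte below 0x80, otherwise two (max 0xffff)."""
    if value < 0x80:
        return bytes([0x02, 0x01, value])
    if value > 0xFFFF:
        raise ValueError("toy encoder handles values up to 0xffff only")
    return bytes([0x02, 0x02, value >> 8, value & 0xFF])


def domain_params(max_ch, max_users, max_tokens, max_pdu):
    """T.125 DomainParameters SEQUENCE (the |30 LL| the rules key on)."""
    body = (ber_int(max_ch) + ber_int(max_users) + ber_int(max_tokens)
            + ber_int(1) + ber_int(0) + ber_int(1) + ber_int(max_pdu) + ber_int(2))
    return bytes([0x30, len(body)]) + body


def connect_initial(target, minimum, maximum, user_data):
    """TPKT + X.224 Data + MCS Connect-Initial carrying the three parameter sets."""
    body = (b"\x04\x01\x01" + b"\x04\x01\x01" + b"\x01\x01\xff" + target + minimum
            + maximum + b"\x04\x82" + len(user_data).to_bytes(2, "big") + user_data)
    mcs = b"\x7f\x65\x82" + len(body).to_bytes(2, "big") + body
    return b"\x03\x00" + (7 + len(mcs)).to_bytes(2, "big") + b"\x02\xf0\x80" + mcs


# 19-byte X.224 Connection Request; the rules' distance:24 assumes it precedes
# the Connect Initial in the reassembled client-side stream.
X224_CONNECTION_REQUEST = bytes.fromhex("030000130ee000000000000100080000000000")


def sample_stream(max_channel_ids):
    """Constructed client stream with the given maximumParameters.maxChannelIds;
    userData is zero padding standing in for the GCC Conference Create Request."""
    target = domain_params(34, 2, 0, 65535)
    minimum = domain_params(1, 1, 1, 1056)
    maximum = domain_params(max_channel_ids, 64535, 65535, 65535)
    return X224_CONNECTION_REQUEST + connect_initial(target, minimum, maximum, b"\x00" * 307)


if __name__ == "__main__":
    for value in (65535, 1024):
        for rule in (sid_1000031, sid_1000026):
            ok, trace = rule(sample_stream(value))
            print(rule.__name__, "maxChannelIds=%d" % value, "match" if ok else "no match", trace)
```

Stepping through the traces shows that both rules end up testing the same byte: the high byte of maximumParameters.maxChannelIds (offset 98 in this constructed stream), with the second rule merely tolerating different lengths for the first two SEQUENCEs. That byte is 0xff whenever the field is 65535, a value an ordinary client can legitimately advertise, so before deploying either signature replay a benign client connection through it and confirm the false-positive rate is acceptable.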