Connect with us

Hi, what are you looking for?



BlueKeep Exploit Added to Metasploit

An initial public exploit targeting the recently addressed BlueKeep vulnerability in Microsoft Windows has been added to Rapid7’s Metasploit framework. 

An initial public exploit targeting the recently addressed BlueKeep vulnerability in Microsoft Windows has been added to Rapid7’s Metasploit framework. 

Tracked as CVE-2019-0708, the targeted vulnerability was addressed by Microsoft with its May 2019 Patch Tuesday updates. Within weeks, security researchers observed the first scans for the flaw, and it didn’t take long for attacks targeting it to emerge.

Industrial and medical products were also found to be at risk. Security researchers also discovered that the rate at which admins were patching systems had diminished significantly after just several months, with over 750,000 systems still vulnerable in mid-August.

Commonly referred to as BlueKeep, the vulnerability is a remote kernel use-after-free bug that impacts Windows’ Remote Desktop Protocol. The flaw could be abused by attackers to execute arbitrary code and take over a vulnerable machine by sending specially crafted requests via RDP. 

“The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution,” Rapid7 explains. 

Available in open source, the newly added Metasploit module was ported from a Python external module to a native Ruby one to take advantage of the RDP and other library enhancements in the framework. 

At the moment, the module targets 64-bit versions of Windows 7 and Windows Server 2008 R2. For the latter, a “registry entry needs to be modified to enable heap grooming via the RDPSND channel,” but alternate channels enabled by default on Windows might also be used, if researched. 

At the moment, the user needs to supply additional target information to use the module, otherwise the target host might crash. 

Advertisement. Scroll to continue reading.

“The module implements a default fingerprint-only TARGET option that just checks for a vulnerable host and displays some initial information about the specific target OS, but the user will need to specify a more exact target based on secondary recon, or until further improvements in this module enable more accurate determination of the target kernel memory layout at runtime,” Rapid7 notes. 

While there are specific targets for bare-metal, Virtualbox, VMware, and Hyper-V, additional variables in target environments may shift the base address for grooming, the company also says. 

Related: BlueKeep Patching Efforts Sink: 750,000 Systems Still Vulnerable

Related: DHS Issues Alert for Windows ‘BlueKeep’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

CISA has appointed Jeff Greene as Executive Assistant Director for Cybersecurity and Trent Frazier as Assistant Director for Stakeholder Engagement.

David Chétrit has been appointed the CEO of Kudelski Security.

More People On The Move

Expert Insights