New BlueKeep malware proof-of-concept enables full system takeover, warns researcher

The vulnerability has seen Microsoft quickly release patches for end-of-life Windows products

A security expert has demonstrated a working exploit of the BlueKeep vulnerability, enabling attackers to take full control of a system in just 22 seconds.

After creating a proof-of-concept for the vulnerability, a technologist with the moniker 'tZǝɹosum0x0' was able to demonstrate how quickly someone can compromise a Windows machine using the vulnerability.

Microsoft issued a rare out-of-support patch last month to fix the BlueKeep vulnerability in Windows XP and Windows Vista, as well as other Windows operating systems, to prevent a repeat of the WannaCry or NotPetya outbreaks.

"On May 21, @JaGoTu and I released a proof-of-concept GitHub for CVE-2019-0708. This vulnerability has been nicknamed 'BlueKeep'," wrote the researcher in a blog.

"Instead of causing code execution or a blue screen, our exploit was able to determine if the patch was installed."

In an analysis of the exploit, tZǝɹosum0x0 explained how it enables "the scanner to avoid a blue screen and determine if the target is patched or not".

According to tZǝɹosum0x0, the "basic premise of the vulnerability is that there is the ability to bind a static channel named 'MS_T120' (which is actually a non-alpha illegal name) outside of its normal bucket".

The researcher explained: "This channel is normally only used internally by Microsoft components, and shouldn't receive arbitrary messages.

"There are dozens of components that make up RDP internals, including several user-mode DLLs hosted in a SVCHOST.EXE and an assortment of kernel-mode drivers. Sending messages on the MS_T120 channel enables an attacker to perform a use-after-free inside the TERMDD.SYS driver."
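As an added, defender-side illustration of the channel-binding premise the researcher describes (this is not the article's or the researcher's code), the following parser reads the client network data block of an RDP connection request and flags any request to bind the internal MS_T120 channel. The block layout is assumed from the TS_UD_CS_NET structure in MS-RDPBCGR; the channel names and sample bytes are constructed here.

```python
"""Added example: parse an RDP TS_UD_CS_NET block (the client's requested static channel
list) and flag a request to bind MS_T120, which the article describes as an internal
channel that a client should never ask for. Layout assumed from MS-RDPBCGR."""
import struct

CS_NET = 0xC003            # TS_UD_HEADER.type for the client network data block
CHANNEL_DEF_SIZE = 12      # CHANNEL_DEF: 8-byte ANSI name + 4-byte options flags
INTERNAL_CHANNEL = "MS_T120"


def parse_client_network_data(block: bytes) -> list[str]:
    """Return the channel names a client asked to bind in a TS_UD_CS_NET block."""
    if len(block) < 8:
        raise ValueError("block too short for TS_UD_HEADER + channelCount")
    hdr_type, hdr_len, channel_count = struct.unpack_from("<HHI", block, 0)
    if hdr_type != CS_NET:
        raise ValueError(f"not a TS_UD_CS_NET block (type=0x{hdr_type:04x})")
    # The declared length and the channel count must both fit the bytes we actually hold,
    # so a truncated or inconsistent block is rejected instead of being read past its end.
    if hdr_len > len(block) or 8 + channel_count * CHANNEL_DEF_SIZE > hdr_len:
        raise ValueError("channelCount exceeds declared block length")
    names = []
    for i in range(channel_count):
        off = 8 + i * CHANNEL_DEF_SIZE
        raw_name = block[off:off + 8]                      # null-padded 8-byte name
        names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def requests_ms_t120(block: bytes) -> bool:
    """True if any requested channel is MS_T120 (compared case-insensitively)."""
    return any(n.upper() == INTERNAL_CHANNEL for n in parse_client_network_data(block))


def build_cs_net(names: list[bytes]) -> bytes:
    """Constructed test data: assemble a TS_UD_CS_NET block from channel names."""
    body = b"".join(n.ljust(8, b"\x00") + struct.pack("<I", 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body


BENIGN = build_cs_net([b"rdpdr", b"rdpsnd", b"cliprdr"])    # a normal client channel list
SUSPECT = build_cs_net([b"rdpdr", b"MS_T120", b"cliprdr"])  # contains an MS_T120 bind request

if __name__ == "__main__":
    for label, blk in (("benign", BENIGN), ("suspect", SUSPECT)):
        verdict = "flag" if requests_ms_t120(blk) else "ok"
        print(label, parse_client_network_data(blk), verdict)
```

The same check can be run over the client network data extracted from a packet capture; a client that lists MS_T120 is the anomaly to alert on, and unpatched hosts should be patched regardless.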

Named CVE-2019-0708, this vulnerability could enable a self-replicating worm or malware to propagate. It affects older versions of Windows such as Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2.

The vulnerability is considered so dangerous that Microsoft has released patches for Windows XP and Windows 2003, despite the fact that both have reached end-of-life and are no longer receiving regular updates.

On Twitter, tZǝɹosum0x0 wrote: "In past days, we have a reliable pool spray to create fun+dangerous kernel primitives. The exploit chains we've worked so far are XP specific and admittedly clumsy but confirm RCE threat is real."

The US National Security Agency (NSA) has also weighed in on the vulnerability, saying: "We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw.

"This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability.

"It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems."
