Sophos Creates PoC for BlueKeep Exploit to Take Control of Devices

Another remote desktop protocal exploit has been discovered by Sophos, highlighting the “serious threat” BlueKeep poses to organizations who continue to run Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008. 

According to a blog post by researcher Andrew Brandt, the exploy works in a “completely fileless fashion” and provides full control of a remote system without having to deploy any malware. It also doesn't require an active session. 

“The development of this exploit came about as the result of an arduous process of reverse-engineering the patch released by Microsoft in May to examine what it was trying to fix,” explained Brandt. “Microsoft themselves did not release any information about BlueKeep to companies that are part of its MAPP program – other than a request that everyone install the update with minimal delay.” He further confirmed that Microsoft considers the BlueKeep vulnerability “so dire,” they have released patches to protect “end of life” operating systems such as Windows XP.

Sophos will not be releasing the PoC to the public out of an abundance of caution. If someone was able to weaponize the PoC, any of the machines currently vulnerable to BlueKeep would instantly become targets of opportunity for an attacker who could leverage the method to deliver malware or, well, do anything that the administrative owner of a vulnerable Windows computer could do with that computer.

Interestingly, Sophos’ proof of concept is not just a denial of service attack (DoS). In the past, other security analysts have created their own PoC code to crash windows, rendering the computer unusable until it reboots. Brandt confirms that the team at its labs built a code that allows an attack to launch a command shell that appears prior to login on the Windows login screen. “Our researcher who worked on developing the exploit PoC chose to use a technique that was somewhat different than the publicly-released PoC code,” he wrote. 

A SophosLabs video shows a researcher replacing an executable called utilman.exe (part of the Windows operating system and responsible for enabling and disabling accesibility features) with another trusted Windows component, the command shell, cmd.exe. This is classified as T1015 according to the MITRE ATT&CK framework. 

Then a user can invoke the accessibility functions from either an icon on the login screen, or with the Windows+U key combination. Utilman.exe, launched by winlogon.exe, has SYSTEM level privileges.

“With very little effort, a malicious threat actor could fully automate the whole attack chain, including synthetically ‘typing’ commands into the shell, or simply passing commands to the shell,” confirmed Brandt. “It would allow rapid-fire attacks targeting any system hosting RDP to the outside world. The attackers are not choosy about who they target, and some percentage of machines will be vulnerable.”

According to Net Market Share, 3.75% of devices still use legacy operating systems such as Windows XP.

What’s hot on Infosecurity Magazine?