The Remote Desktop Protocol Vulnerability – ‘CVE-2012-0002’ is not dead yet!

On March 13, 2012, Microsoft disclosed the details of a ‘critical vulnerability’ called Remote Desktop Protocol Vulnerability – CVE-2012-0002 in its bulletin. And even four years after this vulnerability was patched, it is still being exploited in the wild by attackers to carry out ‘Remote Code Execution’ on their victims computers.

Affected Operating Systems:

• Microsoft Windows XP SP2 and SP3
• Windows Server 2003 SP2
• Windows Vista SP2
• Windows Server 2008 SP2, R2, and R2 SP1
• Windows 7 Gold and SP1

Reportedly, various exploit framework and public advisories are known to host reliable exploit code for the vulnerability (CVE-2012-0002). This helps even the most novice of hackers to exploit this vulnerability – all they have to do is fingerprint the victim’s machine that is having the RDP port 3389 open.

Vulnerability

While handling the ‘maxChannelIds’ field of the ‘ConnectMCSPDU’ request, a ‘use-after-free vulnerability’ is triggered leading to a remote code execution in the RDP server. The complete technical disclosure of this vulnerability can be found here.

IPS Hits Trend

As observed in Quick Heal Labs, below is the trend of the exploitation of this vulnerability over the last four months.

– 11 Nov and 12 Dec 2016 shows a spike in the activity.

Recent Threat Actors

As observed, the machines affected by CVE-2012-0002 were connected to the Internet and had the RDP port 3389 open for outside access. Keeping ports of important services open to external access is an extremely unsafe practice and we strongly recommend against it.

Following are some of the attackers’ IPs that were observed to exploit the vulnerability (CVE-2012-0002).

Attacker IP
• 183.207.184.195
• 123.30.236.140
• 124.65.37.50
• 188.247.20.104
• 202.130.106.17
• 46.100.50.204
• 62.210.211.86
• 80.58.182.245
• 61.160.166.23
• 120.27.7.118

Most of the above IPs have been blacklisted on various online malicious IP scanners such as www.abuseipdb.com

Example – https://www.abuseipdb.com/check/62.210.211.86

Quick Heal Detections

Quick Heal has released below the IPS detection for CVE-2012-0002.

• VID-00114: [MS12-020] Microsoft RDP Remote Code Execution Vulnerability
• VID-00116: [MS12-020] Microsoft RDP Remote Code Execution Vulnerability
• VID-00117: [MS12-020] Microsoft RDP Remote Code Execution Vulnerability

Furthermore, many ransomware attacks were carried out using RDP brute force attempts. And to deal with these attacks, the below IPS detections were released recently.

• VID-01087: RDP Brute force attack detection
• VID-01088: RDP Brute force attack detection
• VID-01089: RDP Brute force attack detection
• VID-01090: RDP Brute force attack detection
• VID-01092: RDP Brute force attack detection

Despite being patched four years ago, the vulnerability (CVE-2012-0002) is still being used by attackers to target unpatched Remote Desktop Service on Windows Operating systems. This only warrants the need for users to keep their OS updated with all the recommended security updates and use a multilayered security software such as Quick Heal.

Also Read:

• Is your Remote Desktop System safe from Brute Force Attacks?
• Troldesh Ransomware brute-forcing its way into systems
• Worm Morto Spreading via RDP

ACKNOWLEDGMENT

Subject Matter Expert
– Pradeep Kulkarni (Threat Research & Response Team)
– Swapnil Mahajan (Product Development Team)