
I'm doing some exercises in the lab. My vuln. scanner detects MS12-020 on a few machines.

The report indicates that this could be exploited to allow the execution of code remotely.

To me this would mean that there must be some way to upload a persistence module to it (if I'm wrong, forgive my naivety; I'm only a second-year student).

However, the only exploit available on Metasploit performs a DoS by crashing the system. So far Google has only shown me results that do the same (DoS).

Can anything juicier be done with this vulnerability? Is there an exploit that actually allows the execution of some arbitrary code on the machine or is it only possible to make it crash?

Juicy

2 Answers


At this stage there are only known DoS exploits available for it. There is no public exploit that will lead to remote code execution.

Peleus
    I would say it is unlikely we will see a remote code execution exploit for MS12-020. Microsoft rated it as likely to be exploited at the time of release, but a lot of researchers spent a lot of time working on exploits, and nothing came of it. – bdg Jan 13 '14 at 01:26

This bug was a bit famous for some drama: http://threatpost.com/ms12-020-rdp-code-leak-mystery-deepens-microsoft-remains-silent-031612

HP ZDI, or Zero Day Initiative, buys bugs from researchers. They implement protection in their product then report the issues to the vendor. The more important the issue the more they pay. This bug had a Proof-of-Concept leak during the phase where Microsoft was vetting the code. If you look hard enough you can find copies of it still floating around.

If you can't, and wanted to research it more yourself, Metasploit has a module that causes a DoS: http://www.rapid7.com/db/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids. You can use a kernel debugger to figure out what is causing the crash and craft the exploit to take control of the service instead.

dmaynor