[Owasp-natal] Forwarding: Microsoft Patch Tuesday, March 2012: Beware the RDP's of March

Noilson Caio caiogore at gmail.com
Fri Mar 16 02:35:57 UTC 2012

source: spiderlabs

In *Back to the Future Part 2*, the bad next-door neighbor kid gets hold of
an almanac from the future when his future self takes the DeLorean back in
time and gives it to him. I don't know about you, but if I ever see a
DeLorean parked out front, I'm putting NVD on a stack of Zip Disks and
heading back to meet my 2001 self.

MS12-020 would be somewhere near the top of the stack. It's this month's
top-priority bulletin and involves unauthenticated Remote Code Execution on
XP and newer systems running Remote Desktop Protocol (RDP). I'm not sure it
would work in 2001 -- only the still-supported Windows XP SP3 is listed as
vulnerable -- but it would be worth a shot. Then, of course, I would tell
everyone about it really quickly via "net send" no doubt, after I turned
their listeners on. It's just that important.

Otherwise, there are 4 Important updates and 1 Moderate, including another
Remote Code Execution issue, some Privilege Escalation, and a Remote
Denial-of-Service. Thanks to Space Rogue for helping out with this month's

*MS12-020 / KB2671387*

*Vulnerabilities in Remote Desktop Could Allow Remote Code Execution*


*Remote Desktop Protocol Vulnerability, CVE-2012-0002*

This first CVE is the one we primarily need to worry about here. Time
travel jokes aside, it's scary to think this has been around for so long:
it affects RDP across both server and desktop operating systems, from XP
SP3 and Server 2003 through Windows 7 and Server 2008 R2. Those of you who
rely solely on RDP for remote administration, without requiring VPN access
first, should patch immediately or find another way to handle remote
access. Where patching has to wait, Microsoft's bulletin lists enabling
Network Level Authentication (Vista and later) as a workaround, because NLA
makes the client authenticate before it reaches the part of the connection
sequence the patch fixes. Remote Desktop is off by default on client
editions, so the exposure is mostly servers and machines where someone
turned it on. If TCP port 3389 is exposed to the Internet, you should
really do something about this, like, this afternoon, or at least before
dinner. Because getting hacked is bad for digestion.

The only upside here is that there are no known exploits in the wild. This
went through coordinated disclosure, thankfully, but no doubt there's
some serious IDA Pro and BinDiff work going on against that patch right
now. Several Intrusion Detection System vendors, Trustwave included, are
releasing detection logic to coincide with this release.
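A quick way to act on the "is 3389 exposed" advice above is to ask each listener what it will negotiate. The script below is an added example, not code from the SpiderLabs post or from Microsoft: it sends the X.224 Connection Request every RDP client starts with, carrying an RDP Negotiation Request (MS-RDPBCGR) that asks for standard RDP security only, and parses the Connection Confirm. A server that answers RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER (or SSL_REQUIRED_BY_SERVER) refuses to continue without CredSSP/TLS; a server that selects PROTOCOL_RDP, or that predates negotiation and sends a bare Connection Confirm, lets an anonymous client into the unauthenticated part of the connection sequence. The sample replies at the bottom are constructed by hand from the spec, not captured traffic, and the host/port arguments are placeholders.

```python
"""Check whether an RDP listener lets an unauthenticated client in.

Added example (not from the SpiderLabs post). Sends TPKT + X.224 Connection
Request + RDP_NEG_REQ asking for PROTOCOL_RDP only, then classifies the
server's Connection Confirm. Sample replies below are hand-constructed.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000       # standard RDP security, no NLA
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

# failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI (bytes after this one), code 0xE0, dst-ref, src-ref, class
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Parse TPKT + X.224 Connection Confirm, with or without RDP_NEG_RSP/FAILURE."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]          # whatever follows the 7-byte CC header
    if not body:
        # Servers without negotiation support answer with a bare CC; only
        # standard RDP security exists there.
        return {"result": "no_negotiation", "selected_protocol": PROTOCOL_RDP}
    if len(body) < 8:
        raise ValueError("truncated negotiation structure")
    typ, flags, _length, value = struct.unpack("<BBHI", body[:8])
    if typ == TYPE_RDP_NEG_RSP:
        return {"result": "accepted", "selected_protocol": value, "flags": flags}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"result": "failure", "failure_code": FAILURE_CODES.get(value, value)}
    raise ValueError("unknown negotiation structure type %#x" % typ)


def unauthenticated_reachable(confirm):
    """True when the listener accepts standard RDP security from an anonymous client."""
    if confirm["result"] == "failure":
        return False
    return confirm["selected_protocol"] == PROTOCOL_RDP


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Ask a live host for PROTOCOL_RDP only and return the parsed confirm."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        head = _recv_exact(s, 4)
        total = struct.unpack(">H", head[2:4])[0]
        return parse_connection_confirm(head + _recv_exact(s, total - 4))


# Constructed sample replies (hand-built from the spec, not captured traffic).
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013" "0ed00000123400" "0300080005000000")
SAMPLE_LEGACY_ACCEPTED = bytes.fromhex("03000013" "0ed00000123400" "0200080000000000")
SAMPLE_BARE_CC = bytes.fromhex("0300000b" "06d00000123400")

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python rdpcheck.py <host> [port]
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
        c = probe(target, port)
        verdict = "UNAUTHENTICATED ACCESS" if unauthenticated_reachable(c) else "NLA/TLS required"
        print(target, port, c, verdict)
    else:
        for name, pkt in (("nla", SAMPLE_NLA_REQUIRED), ("legacy", SAMPLE_LEGACY_ACCEPTED),
                          ("bare", SAMPLE_BARE_CC)):
            print(name, parse_connection_confirm(pkt))
```

Run it against every host that answers on 3389 from outside; anything reported as "UNAUTHENTICATED ACCESS" is a patch-now target, and a "failure" reply only tells you the listener insists on TLS or CredSSP, not that the patch is installed.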

*Terminal Server Denial of Service Vulnerability, CVE-2012-0152*

Similarly, this vulnerability involves sending a sequence of specially
crafted packets to the RDP service, but in this case the attacker simply
takes down the service. This issue does not appear to take down the whole
system, it just knocks the RDP service offline. Microsoft tracks it as a
separate issue from CVE-2012-0002, and the bulletin lists it only for
Windows 7 and Windows Server 2008 R2, so treat the two as different bugs
that happen to share a patch rather than as one bug with and without code
execution.

*MS12-017 / KB2647170*

*Vulnerability in DNS Server Could Allow Denial of Service*


*DNS Denial of Service Vulnerability, CVE-2012-0006 *

If you're running the DNS Server role on Windows Server 2003, 2008 or 2008
R2 you will want to apply this update. Without it an attacker can send you
a specially crafted DNS query that could crash the DNS service and force it
to restart. Repeating the attack keeps the service down, which is a DNS
denial of service for everything that depends on that server. Microsoft
hasn't seen this in the wild yet, but that's no reason to slack off and
delay updating.

Note: Windows Update only offers this update when the DNS Server role is
actually installed on the server.

*MS12-018 / KB2641653*

*Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of


*PostMessage Function Vulnerability, CVE-2012-0157*

Privilege escalation can always be nasty and it's the same here: any
locally authenticated user could exploit this vulnerability to run
arbitrary code in kernel mode. Of course once you have that capability you
can do all sorts of nasty things, including creating new accounts with full
admin rights. This one affects just about everything from XP SP3 up to
Server 2008 R2, even on Itanium. The vulnerability lives in the kernel-mode
driver win32k.sys, which does everything from managing keyboard input to
controlling window displays, and which every user-mode process can talk to
through the window message APIs (PostMessage being one of them).

While Microsoft has not seen this being actively exploited in the wild, the
insider threat is often underestimated, and this is a perfect example of the
damage that a trusted employee, or malware already running under that
employee's account, could do.

*MS12-019 / KB2665364*

*Vulnerability in DirectWrite Could Allow Denial of Service*


*DirectWrite Application Denial of Service Vulnerability, CVE-2012-0156*

This vulnerability is only listed as "moderate" but it's still pretty
interesting. One of the DirectX APIs is DirectWrite, a rendering engine
used to output high-quality text, resolution-independent outline fonts,
Unicode text, and other things. This vulnerability could allow an attacker
to crash an application such as Windows Live Messenger or even Windows
Internet Explorer 9 if the attacker can get the application to attempt to
render a specially crafted sequence of Unicode characters. An attacker
could do this with a standard phishing email containing a link to a web
page with the characters, or by sending an instant message with the
characters. According to Microsoft this doesn't do anything except crash
the application, and it hasn't been seen in the wild yet. But it may be
only a hop, skip, and a jump before someone turns this into something more
nefarious, so install the patch before they do.

*MS12-021 / KB2651019*

*Vulnerability in Visual Studio Could Allow Elevation of Privilege*


*CVE-2012-0008, Visual Studio Add-In Vulnerability*

Similar to the Insecure Library Loading vulnerability below, but affecting
Visual Studio 2008/2010, and without the pajamagrams. The issue is that a
local user can drop an "Add-In" into a directory Visual Studio searches for
Add-Ins. When VS is then run by a local admin, that code is loaded and run
automatically with admin privileges. The patch changes how Visual Studio
decides which directories it will load Add-Ins from.

The details on this one are a bit hazy because it's not being seen in the
wild, but it's worth updating, especially on multi-user machines where
Visual Studio is installed.

*MS12-022 / KB2651018*

*Vulnerability in Expression Design Could Allow Remote Code Execution*


*CVE-2012-0016, Expression Design Insecure Library Loading Vulnerability*

It's another DLL preloading (insecure library loading) scenario; we seem to
be getting these regularly on Patch Tuesday. This one affects all versions
(1-4) of Microsoft Expression Design, an illustration program: open a
document from a directory that also holds an attacker's DLL with the right
name, and the program loads it. It's tough to decide whether to re-explain
Insecure Library Loading each time, so when in doubt I usually write haiku:

*Path to DLL*

*Not specific by default*

*CWD beckons*

And for completeness, the above converted to Japanese, to Korean, and back:

*The path of the DLL, by default, is not unique motioned for pajamagrams.*

Yeah, that pretty much says it all.
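The haiku above and the Visual Studio Add-In path issue in MS12-021 are the same loader behaviour: a library requested by bare file name is looked for in a fixed sequence of directories, and the current working directory (or another directory a low-privilege user can write to) is one of them. The script below is an added illustration of that search order, not code from the SpiderLabs post, Microsoft, or either product; it simulates LoadLibrary resolution over a constructed directory map. The install path, the share name, the file names, the "hypothetical-helper.dll" name and the short KnownDLLs list are assumptions made up for the example; the search order is the documented one with SafeDllSearchMode on (the default since XP SP2) and off.

```python
"""Windows DLL search order, simulated on a constructed directory map.

Added example (not from the SpiderLabs post, Microsoft or the affected
products). Models how LoadLibrary("name.dll") is resolved and why both
MS12-021 (Add-In loaded from a user-writable directory) and MS12-022
(DLL loaded from the document's directory) work. All paths, file names
and the hypothetical-helper DLL are made up for the illustration.
"""

APP_DIR = r"C:\Program Files\Microsoft Expression\Design 4"   # assumed install dir
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"         # 16-bit system directory
WINDIR = r"C:\Windows"
CWD = r"\\fileserver\designs"            # share the user opened a document from
PATH = [r"C:\Windows\System32", r"C:\Windows", r"C:\Program Files\Tools"]

# A few KnownDLLs (illustrative subset); Windows maps these from System32
# without searching any directory.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "gdi32.dll"}

# Constructed listing: next to the document the attacker planted one DLL whose
# name the app asks for but no system directory provides, and one that
# shadows a real System32 DLL.
FS = {
    APP_DIR: {"ExpressionDesign.exe"},
    SYSTEM32: {"kernel32.dll", "user32.dll", "version.dll"},
    CWD: {"report.design", "hypothetical-helper.dll", "version.dll"},
}


def search_order(safe_dll_search_mode=True, cwd=CWD):
    """Directories LoadLibrary walks for a bare file name, in order.

    cwd=None models a process that called SetDllDirectory(""), which removes
    the current directory from the search path.
    """
    dirs = [APP_DIR, SYSTEM32, SYSTEM16, WINDIR]
    if cwd is not None:
        # SafeDllSearchMode on: CWD after the Windows directory.
        # SafeDllSearchMode off: CWD right after the application directory.
        dirs.insert(4 if safe_dll_search_mode else 1, cwd)
    return dirs + PATH


def resolve(name, order, fs=FS):
    """Return the directory whose copy of `name` gets loaded, or None.

    (The real loader also returns an already-loaded module first; omitted.)
    """
    lname = name.lower()
    if "\\" in name:                          # fully qualified: no search at all
        d, _, base = name.rpartition("\\")
        return d if base.lower() in {f.lower() for f in fs.get(d, ())} else None
    if lname in KNOWN_DLLS:
        return SYSTEM32
    for d in order:
        if lname in {f.lower() for f in fs.get(d, ())}:
            return d
    return None


def demo():
    """Where each load lands under the different configurations."""
    return {
        # vulnerable app: bare name, nothing in app/system dirs -> CWD wins
        "helper, safe mode": resolve("hypothetical-helper.dll", search_order()),
        # safe mode protects real system DLLs, legacy mode does not
        "version.dll, safe mode": resolve("version.dll", search_order()),
        "version.dll, legacy mode": resolve("version.dll", search_order(False)),
        # KnownDLLs never reach the search
        "kernel32.dll, legacy mode": resolve("kernel32.dll", search_order(False)),
        # fixes: drop the CWD from the search, or load by full path
        "helper, SetDllDirectory('')": resolve("hypothetical-helper.dll",
                                               search_order(cwd=None)),
        "version.dll, full path": resolve(SYSTEM32 + r"\version.dll", search_order()),
    }


if __name__ == "__main__":
    for case, where in demo().items():
        print(f"{case:30} -> {where}")
```

The two fixes shown at the end are the ones these bulletins keep coming back to: take the current directory out of the search (SetDllDirectory("") at startup) or stop asking for libraries by bare name and load them by full path, which is what "Not specific by default" is complaining about.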

"I want to know how to rename a file," he says.
Please, it's payday, isn't it?! But I'm in a good mood.
"Sure. Just type 'rm' and the file name."
"Thanks."

Noilson Caio T. de Araújo
Linux Professional Institute Certification
Novell Certified Linux Administrator (CLA)
Novell Data Center Technical Specialist