#######################################################################

Details about the ms12-020 proof-of-concept leak

by Luigi Auriemma
e-mail:  aluigi@autistici.org
web:     aluigi.org
twitter: http://twitter.com/luigi_auriemma

Last update:
  16 Mar 2012 16:40 +0001  initial write-up
  16 Mar 2012 21:46 +0001  Microsoft response points to MAPP leak
  18 Mar 2012 01:44 +0001  some grammar fixes and a couple of notes
  21 Jun 2012              forgot to say that Microsoft has found the guilty party

This document is meant to act as a personal reference to the story and will be updated as soon as I have new details, so stay tuned and check the dates above. Please be patient, because I'm still trying to retrieve more information and to make sense of the situation!

#######################################################################

The ms12-020 patch was released on 13 Mar 2012 (CVE-2012-0002). The bug was found by me in May 2011 and reported to Microsoft by ZDI/TippingPoint in August 2011.

I released no details and no proof-of-concept after the patch came out: I was waiting some days because I was really curious to know who would be able to spot the 1day (like a simple PoC) first. After all it was the bug and the challenge of the moment, so why ruin the party :)

My plan was to release the details after some days or weeks, immediately after someone reached the solution, because I follow the full-disclosure philosophy, so the release of my advisory and PoC WAS planned in any case. It was just a matter of "when".

Between 15 and 16 Mar someone released a precompiled console executable called "rdpclient.exe" somewhere on a Chinese website (is http://115.com/file/be27pff7 the first location?). The program is a basic and poorly written proof-of-concept of the vulnerability and uses pre-built packets.
After checking the packet dumped from the executable (the first Python PoC: http://pastebin.com/UzDKcCQy) I noticed that the pre-built packet was the same one I sent to ZDI for quickly testing the vulnerability. It was very late here in Italy (05:00), so at the moment I thought that these "Chinese hackers" were really very similar to me :) Too similar indeed, because the doubt was confirmed some minutes later when I took a better look at the "rdpclient" executable.

How do I know it's the same packet? The packet was captured during a quick RDP session and modified by hand in the following details, making it unique:

- the vulnerability location (maxChannelIds), obviously :)
- the hostname was changed to "HOST"
- the guid was set to zeroes
- the BER numbers were converted from 8 to 32 bit for easier debugging, so modifying the fields of the original packet
- something else I don't remember

So yes, the pre-built packet stored in "rdpclient.exe" IS mine. No doubt.

The executable PoC was compiled in November 2011 and contains some debugging strings like MSRC11678, which is a clear reference to the Microsoft Security Response Center:
http://www.microsoft.com/security/msrc/default.aspx

In short it seems to have been written by Microsoft for internal tests and was probably leaked during its distribution to their "partners" (MAPP, http://www.microsoft.com/security/msrc/collaboration/mapp.aspx) for the creation of antivirus signatures and so on. The other possible scenario is a Microsoft employee as the direct or indirect source of the leak. A hacker intrusion looks like the least probable scenario at the moment. The information retrieved by other people while I'm writing seems to confirm the MAPP hypothesis.

I don't understand why they gave such an ugly proof-of-concept to their partners without even adding details or a header/copyright, or writing it better or "beautifying" it a bit.
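The hand-edited BER fields listed above are what make a packet recognisable, and the same property is useful on the defensive side: a decoder can tell a minimally encoded field from one padded to a fixed 32-bit width. The following Python is an added example, not code from this write-up, from Microsoft or from ZDI. It encodes INTEGER fields in the minimal form and in a padded 4-byte form and counts the fields that deviate from the minimal form. Reading "8 to 32 bit" as 1-byte versus 4-byte BER fields is my assumption, and the sample values are constructed for the example, not taken from the leaked packet.

```python
# Added example (not the write-up's, Microsoft's or ZDI's code): BER
# lengths and INTEGERs in minimal form versus a padded 32-bit form, plus a
# decoder that flags the non-minimal form. The "8 to 32 bit" = 1-byte vs
# 4-byte reading is an assumption; all byte strings below are constructed.
from typing import List, Optional, Tuple


def ber_len(n: int, width: Optional[int] = None) -> bytes:
    """Encode a BER length. width=None gives the minimal form (short form
    below 128, otherwise the fewest long-form bytes); width=4 forces the
    long form 0x84 followed by 4 big-endian bytes."""
    if width is None:
        if n < 0x80:
            return bytes([n])
        width = (n.bit_length() + 7) // 8
    if width > 126 or n >= 1 << (8 * width):
        raise ValueError("length does not fit the requested width")
    return bytes([0x80 | width]) + n.to_bytes(width, "big")


def ber_int(value: int, padded: bool = False) -> bytes:
    """Encode a non-negative INTEGER (tag 0x02). padded=True writes the
    content as 4 bytes and its length as 0x84 + 4 bytes."""
    if value < 0:
        raise ValueError("only non-negative values are handled here")
    if padded:
        if value >= 1 << 31:
            raise ValueError("value would read as negative in 4 bytes")
        return b"\x02" + ber_len(4, 4) + value.to_bytes(4, "big")
    width = (value.bit_length() + 8) // 8  # a leading 0x00 keeps the sign bit clear
    return b"\x02" + ber_len(width) + value.to_bytes(width, "big")


def seq_of_ints(values: List[int], padded: bool = False) -> bytes:
    """Wrap INTEGERs in a SEQUENCE (tag 0x30) using the same length style."""
    body = b"".join(ber_int(v, padded) for v in values)
    return b"\x30" + ber_len(len(body), 4 if padded else None) + body


def read_len(buf: bytes, pos: int) -> Tuple[int, int, bool]:
    """Return (length, next_pos, minimal) for the length field at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1, True
    width = first & 0x7F
    raw = buf[pos + 1 : pos + 1 + width]
    if width == 0 or len(raw) != width:
        raise ValueError("bad or truncated BER length")
    n = int.from_bytes(raw, "big")
    # Long form is minimal only if it was needed (n >= 128) and has no leading zero byte.
    return n, pos + 1 + width, n >= 0x80 and raw[0] != 0


def read_int(buf: bytes, pos: int) -> Tuple[int, int, bool]:
    """Return (value, next_pos, minimal) for the INTEGER TLV at pos."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    n, pos, len_minimal = read_len(buf, pos + 1)
    content = buf[pos : pos + n]
    if n == 0 or len(content) != n:
        raise ValueError("bad INTEGER content")
    value = int.from_bytes(content, "big", signed=True)
    # Minimal content has no redundant leading 0x00 (positive) or 0xFF (negative) octet.
    content_minimal = n == 1 or not (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    )
    return value, pos + n, len_minimal and content_minimal


def decode_int_sequence(buf: bytes) -> Tuple[bool, List[Tuple[int, bool]]]:
    """Parse SEQUENCE OF INTEGER; return (seq_len_minimal, [(value, minimal), ...])."""
    if not buf or buf[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    n, pos, seq_minimal = read_len(buf, 1)
    end = pos + n
    if end > len(buf):
        raise ValueError("truncated SEQUENCE")
    items = []
    while pos < end:
        value, pos, minimal = read_int(buf, pos)
        items.append((value, minimal))
    if pos != end:
        raise ValueError("INTEGER overruns SEQUENCE")
    return seq_minimal, items


def non_minimal_fields(buf: bytes) -> int:
    """Detection heuristic: number of BER fields not in minimal form.
    Standard encoders emit 0; a hand-edited, debug-friendly packet scores higher."""
    seq_minimal, items = decode_int_sequence(buf)
    return (0 if seq_minimal else 1) + sum(1 for _, m in items if not m)


# Constructed sample values (not protocol defaults and not the PoC packet).
SAMPLE = [7, 300, 0, 65535]
MINIMAL = seq_of_ints(SAMPLE)               # 17 bytes, every field minimal
PADDED = seq_of_ints(SAMPLE, padded=True)   # 46 bytes, every field 32-bit wide

if __name__ == "__main__":
    for name, pkt in (("minimal", MINIMAL), ("padded", PADDED)):
        print(name, pkt.hex(), "non-minimal fields:", non_minimal_fields(pkt))
```

The decoder accepts both forms, as a BER parser must, but reports which fields are non-minimal; the same check applied to captured connection data separates traffic produced by a standard client library from packets that were edited by hand.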
The proof-of-concept being the central point of ms12-020 and the last missing piece of the puzzle sought and awaited by everyone in the security scene (no PoC, no party), it was obvious that holding back my advisory no longer made any difference, so here it is, together with the proof-of-concept:

http://aluigi.org/adv/termdd_1-adv.txt
http://aluigi.org/poc/termdd_1.dat

Note that the advisory is almost the original one I sent to ZDI in May 2011, since I have performed no additional analysis after reporting it and I don't know the details of the research performed internally by ZDI or Microsoft (unfortunately, because I was interested in them).

----------------------
Some personal thoughts
----------------------

Personally I'm very happy about what happened, because releasing my details was my target in any case and for sure this story will not be forgotten soon, but there are some bad points:

- I considered the ms12-020 frenzy a challenge, so I was really interested in knowing how much time the community needed to reverse the Microsoft patch and write a proof-of-concept "for real" from scratch... I mean who would have won the "contest". The first known public proof-of-concept being just my original packet, we have no real winner... oh well, in reality it seems that the winner is just myself. The next challenge is the writing of a reliable exploit, but it's not my field.
- Microsoft has spread the potential starting point for an unauthenticated kernel-level worm... weren't they here to protect the users??? It's obvious that they claimed and expected an exploit within 30 days if they do the initial job themselves.
- if the author of the leak is a Microsoft employee... bad for him :)
- if the author of the leak is one of the MAPP partners... it's the epic fail of the whole system; what do you expect if you give the PoC to your "super trusted" partners?

Anyway, really a cool story; now waiting for a possible reliable exploit and the evolution of the facts.
I'm trying to stay updated on the story as much as possible, so if you have important news maybe send me a tweet (@luigi_auriemma).

-----------------------
16 Mar 2012 21:46 +0001
-----------------------

Microsoft's initial response confirms that the party responsible for the leak was one of the MAPP partners:
http://blogs.technet.com/b/msrc/archive/2012/03/16/proof-of-concept-code-available-for-ms12-020.aspx

It would be interesting to know when Microsoft gave the proof-of-concept to its partners, because the public leak is what we saw, but personally I can't know the exact date, for example whether it was the same day as the release of the patch (13 Mar) or even some days before, to give the partners some time to prepare their filters for the moment of the patch.

In the meantime we have a weekend and a proof-of-concept available, which means plenty of free time to study the vulnerability (for exploit writers) and administrators far away.

A little note about the various BSODs reported by people, and a general security rule to remember which applies to any vulnerability: the fact that a "public" remote code execution (RCE) exploit is not known yet doesn't mean it doesn't exist; it means only that nobody has an interest in releasing it, because whoever spends much time and effort exploiting a vulnerability has a real interest in doing so (for example economic, or accessing a system for other purposes). If an RCE exploit is not 100% reliable or fails for tons of technical reasons you get just the crash of the vulnerable software (a BSOD in this case), but if it works correctly the victim sees almost nothing, and in the case of bugs that lead to the maximum level of privileges, like this one, it's even possible to stay completely hidden in the system (I'm not saying that it's "easy", I'm just saying that it's technically possible). I repeat, it's only a general rule to keep in mind.
-----------
21 Jun 2012
-----------

On 03 May 2012 Microsoft posted the results of their internal investigation:
http://blogs.technet.com/b/msrc/archive/2012/05/03/mapp-update-taking-action-to-decrease-risk-of-information-disclosure.aspx

The partner that did the leak was Hangzhou DPTech Technologies.

#######################################################################