BlueKeep RCE Exploit Module Added to Penetration Testing Tool

Security outfit Immunity has included a fully working BlueKeep exploit in their CANVAS automated pentesting utility with the release of version 7.23, on July 23.

BlueKeep is a remote code execution (RCE) vulnerability present in the Windows Remote Desktop Protocol (RDP) service which enables remote unauthenticated attackers to run arbitrary code, to launch denial of service attacks, and, potentially, to take control of vulnerable systems.

While the news of a publicly available RCE exploit for BlueKeep might give some Windows admins WannaCry-style nightmares, the fact that an Immunity CANVAS subscription with early updates start at $32,480 should put their mind at ease. Slightly.

This is because one should not forget about cracked versions or the occasional threat actor with enough funding to get their hands on this commercially available BlueKeep RCE exploit, with potentially disastrous results given the vulnerability's wormable nature, as Microsoft described it.

The CANVAS BlueKeep exploit pentest module

Immunity's CANVAS automated exploitation system is the first one to include a BlueKeep module which can achieve remote code execution, namely to open a shell on vulnerable Windows hosts, as BleepingComputer was informed by Immunity Inc, the company behind the pentest tool.

"It’s important for organizations to understand their actual risk and determine if their defenses are effectively protecting them," said Dave Aitel, Chief Security Technical Officer at Cyxtera and CEO of Immunity before it was acquired by Cyxtera.

"Our objective is to help customers solve their risk problems. It’s not just about BLUEKEEP – there will always be another vulnerability that comes along and puts you at risk."

The company decided to add a fully working RCE exploit to its penetration testing tool and not just a scanner to find vulnerable machines to "help customers solve their risk problems. It’s not just about BLUEKEEP – there will always be another vulnerability that comes along and puts you at risk."

"Many modern systems do anomaly detection on network traffic, or endpoint behavioral analysis to catch exploitation of flaws like BLUEKEEP. Testing these kinds of systems requires a working RCE exploit," added Aitel.

"Likewise, simply doing a demo to upper management of “Here is us hacking our systems” is a common use for red teams as they gather support to replace or upgrade their systems," said Aitel. "The end goal should be addressing the entirety of risk rather than focusing on any single exploit."

The development process of the CANVAS RDP library and exploit took roughly two months and, according to Cyxtera's Chief Security Technical Officer they're getting more stable with each version.

"We continue to work on this exploit and will release new versions as it evolves," concluded Aitel.

You can watch the CANVAS 7.23 BlueKeep module in action in the video demo embedded below:

BlueKeep PoC exploits and scanners

Microsoft patched the BlueKeep RDP bug found to impact older Windows versions, from Windows XP, Windows Vista, and Windows 7 to Windows Server 2003 and Windows Server 2008, as part of the company's May Patch Tuesday.

Since Microsoft issued security updates to fix the BlueKeep flaw, several security vendors and researchers created and demoed multiple proof-of-concept exploits for the vulnerability.

Some of the researchers also developed tools designed to scan for unpatched Windows machines without the bad side effects [1, 2], as well as detection rules such as the BlueKeep signature the NCC Group created by for the Suricata intrusion detection and prevention system.

A new Watchbog malware variant updated to include a BlueKeep scanner module was discovered by Intezer researchers in July. The threat actors behind the Watchbog refused to tell BleepingComputer what was the purpose of collecting info on all unpatched Windows systems they can find.

However, Intezer Labs' analysis says that a possible goal would be to attack them as part of a future campaign or to sell the list of exposed hosts to third party vendors for profit.

Users of BlueKeep-vulnerable devices urged to patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a list of BlueKeep mitigation measures in June, while at the same time announcing that it achieved RCE after exploiting an unpatched Windows 2000 computer.

CISA's warning was the fourth one for users of vulnerable Windows devices to patch and/or upgrade them after two others were published by Microsoft [12] and another one by the U.S. National Security Agency.

CISA also urges Windows admins and users to review the Microsoft Customer Guidance for CVE-2019-0708 and the Microsoft BlueKeep Security Advisory.

Related Articles:

New Echobot Botnet Variant Uses Over 50 Exploits to Propagate

Zero-Day Bug in KDE 4/5 Executes Commands by Opening a Folder

URGENT/11 VxWorks RTOS Vulnerabilities Found, Critical Systems Affected

BlueKeep Scanner Discovered in Watchbog Cryptomining Malware

Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution