• Heads up: There’s a working, free (but stunted) BlueKeep exploit making the rounds

    #1941010

    Remember BlueKeep? That’s the wormable hole in Windows Remote Desktop. We’ve talked about it a lot since it first came up in May. @NetDef just posted
    • #1941123

      According to Cimpanu’s article:

      “The developers of the Metasploit penetration testing framework have released today a weaponized exploit for the BlueKeep Windows vulnerability.

      While other security researchers have released defanged BlueKeep proof-of-concept code in the past, this exploit is advanced enough to achieve code execution on remote systems, infosec experts who reviewed the Metasploit module have told ZDNet.”

      Question: why shouldn’t the Metasploit developers be sent to jail?

      Or even a better question, in my opinion, could be this one: why do some (presumably) sane Internet security experts choose to divulge to the four corners of the Earth information that can help, in any way, cybercriminals, including operational demo malware, on potentially very serious security threats such as this one?

      I am prepared to admit that it might even be a good idea to do it, but I have never seen why this is so actually explained. Therefore, I shall be thankful for links to Web sites’ articles where my question is answered, or thankful to anyone who is kind enough to explain this here, in a reply.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #1941235

        “Question: why shouldn’t the Metasploit developers be sent to jail?”

        That option SHOULD be in the mix when the FBI comes a-knocking at their door…and an offer to drop charges if they turn on the bad guys and work WITH the good guys.

        “Or even a better question, in my opinion, could be this one: why do some (presumably) sane Internet security experts choose to divulge to the four corners of the Earth information that can help, in any way, cyber criminals, including operational demo malware, on potentially very serious security threats such as this one?”

        Well, as someone famous once said, “Follow The Money”. 99.5% of the time in our society, there’s your reason. In this case it’s keeping people scared to death so they throw tons of money at AV and Anti-Malware vendors so they can sleep at night.

        It’s a mutually beneficial and really sick game/loop in which, as Carl said well, we are not the Colonel, but the “Plucked Users”.

        And once they get a definition in their system, look out, it’s there to stay. Recently my wife’s Android phone got a Sprint network update, after which the Eset vendor’s A/V scan threw a fit. The update tweaked the “Settings.APK” to allow a more convenient screen layout and a few network bug fixes. For the next several days I went to Virustotal.com and ran it through 60 engines. The hit rate was a consistent 8%, and has stayed there. I also went back and forth with Eset’s Eastern Europe HQ via email, (“We don’t have phone tech support for viruses,”) (Uh, you’re an AV outfit…) pointing out that it probably was a false positive, as 5 sparrows out of 60 do not Malware make. No good. Downloaded several Big Name AV/Malware packs and ran them directly on her phone; all came up negative. The phone exhibits none of the symptoms they had their hair on fire about. I got so disgusted I actually joined the Virustotal.com community (not a bad thing to do, even if it IS owned by Gungle).

        And “From so simple a beginning, endless forms most unpleasant and most awful have been, and are being, evolved…”

        Yup. I agree. In 1993 I was a founding member of an Internet Special Interest Group…(Anyone remember Mosaic? 2400 baud modems? Privacy? Unobtrusive banner ads?) I have Thoreau’s Walden on my shelf, and the urge to head for the back country and grow my own peas and learn how to play the flute is getting stronger every year. Until then, I thank the stars for this site.

        I could be wrong. I’m often wrong. Maybe in weeks to come it’ll blossom into a world-wide catastrophe, and Malwarebytes, Sophos, Bit Defender and 57 others will have egg on their face.

        But I doubt it. Move over, Henry…

        Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
        --
        "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

        • #1941238

          Unconscionable things like the one here under consideration are made possible by easy access to the Internet by anyone at all, without any accompanying and enforceable obligation to behave and be a good “netizen.”
          So I understand why someone might want to live in earlier times, before this present day of so much silly and dangerously casual disregard for the comfort, safety and usefulness of the other Net users. Because now we have here something that begins to look more and more like a typical “tragedy of the commons”: since this belongs to everyone and, so, to no one in particular, everyone is free to do with this as they like. Even if that is not what is good, useful or harmless to the rest of us.

          Thoreau was having his philosophical vacation at Walden Pond at a time when cell phones had not been invented yet and also before the Internet (and before electricity, while we are at it). At a time when this situation we are discussing was not even a glint in the eyes of the most forward looking, imaginative and pessimistic thinkers of that day.
          Now imagine him, instead, in our own day, with a cell-phone in hand, texting and scrolling endlessly, illuminated throughout the night, not by candlelight or by a low fire burning in the small fireplace inside his hut, but by the ghostly bluish LED light coming off the screen. What would he have pondered and written about then? A long stream of Twits on how most men live lives of quiet desperation? Or how so many live lives connected throughout the world to a multitude of never-seen friends, and yet are lonelier than they ever were?
          (The true answer to these questions, I fear, might include the words “cat videos.”) He would be doing that only until the bug unleashed on the world by certain cyber-security experts took over his phone and demanded a ransom to unlock the device. Then what?


        • #1941271

          “Or even a better question, in my opinion, could be this one: why do some (presumably) sane Internet security experts choose to divulge to the four corners of the Earth information that can help, in any way, cyber criminals, including operational demo malware, on potentially very serious security threats such as this one?”

          Well, as someone famous once said, “Follow The Money”. 99.5% of the time in our society, there’s your reason. In this case it’s keeping people scared to death so they throw tons of money at AV and Anti-Malware vendors so they can sleep at night.

          Don’t forget new operating systems and hardware. (“Windows 10, the most secure Windows ever”, anyone?)

          César

    • #1941189

      So, in the language of mortals, people using Windows 7 64-bit should be the only ones concerned?

      Just someone who doesn’t want Windows to mess with their computer.
      • #1941229

        Zaphyrus, it looks that way. But, I believe, not just Windows 7 x64, but its close relative, Server 2008, have the sword suspended by a thin cord over their technological heads. And why does Metasploit seem intent on throwing darts at the cord? Could it be to see if it gets lucky and makes it snap?


    • #1941205

      “Question: why shouldn’t the Metasploit developers be sent to jail?

      Or even a better question, in my opinion, could be this one: why do some (presumably) sane Internet security experts choose to divulge to the four corners of the Earth information that can help, in any way, cybercriminals, including operational demo malware, on potentially very serious security threats such as this one?”

      OscarCP


      Because, as I think I’ve said once or twice before, it’s all one big game in which we’re always playing the parts of the suckers.

      To me, it looks like these security people are always trying to outdo each other in some sort of juvenile d*** measuring contest “Oooh, look what we’ve discovered before anyone else – aren’t we good?” Plus, I’m sure they’re always being paid handsomely for their “efforts”.

      And, of course, Microsoft just love all these security issues popping up every month as it enables them to keep a leash on customers’ computers with the never ending updates. I’m trying to imagine how peaceful computing life would be if you just installed Windows with your drivers and programs and didn’t have to worry about touching it again for several years.

      I remember reading an article about 15 years ago which talked about the increasing number of people who were becoming disillusioned with the Internet and the virus and malware ‘minefield’ it had become even then and they were permanently disconnecting their PCs from the Internet. Wonder how many did that and how many more are thinking of doing it now? (I’m actually one of them).

      • #1941225

        Carl D: So faith in humanity has become so low that shocking things like what we are discussing here cannot bring it any lower?

        I remember, back in the early to mid 90’s, when the promise of a sort of Internet-enabled utopia was often declared both inevitable and near at hand. Of a world where people were going to be truly free to proclaim their ideas and have them heard (or, rather, read online) regardless of the disapproval of the Powers-That-Be.
        Then, the first worm started crawling around the Net…
        And “From so simple a beginning, endless forms most unpleasant and most awful have been, and are being, evolved” (With apologies to Charles Darwin.)
        And, if you are correct, the Metasploits of this world are doing their bit to help this evolution.

    • #1941222

      I’ve always done the following, long before Bluekeep or its cousins were developed.

      Disable the Remote Desktop Services and Remote Desktop Configuration services (also known as Terminal Service in earlier versions of Windows such as XP).

      Do this, even if you unchecked the box to “Allow Remote Assistance connections” in Control Panel > System > Remote Settings.

      Disabling those two services keeps the entire RDP infrastructure from working at all, no matter what the morally-bankrupt criminals at Metasploit develop.

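One way to apply and verify the mitigation the post describes, written as an added example (not code from the original post or from the AskWoody thread): it assumes an elevated PowerShell session and the standard service short names TermService (Remote Desktop Services) and SessionEnv (Remote Desktop Configuration), and additionally denies RDP and Remote Assistance in the registry so a later GUI change alone does not re-expose the host.

```powershell
# Added example: disable the two RDP services the post names, turn off
# Remote Desktop and Remote Assistance in the registry, then verify that
# nothing is left listening on TCP 3389.
# Assumptions: elevated PowerShell on Windows 7 or later; TermService and
# SessionEnv are the standard short names of the two services.

$rdpServices = @('TermService', 'SessionEnv')

foreach ($name in $rdpServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service $name not found on this system"
        continue
    }
    if ($svc.Status -ne 'Stopped') {
        # -Force also stops dependents such as the UMRDP service
        Stop-Service -Name $name -Force
    }
    Set-Service -Name $name -StartupType Disabled
}

# Deny inbound RDP and Remote Assistance at the registry level as well,
# matching the "Allow Remote Assistance connections" box in Remote Settings.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 1 -Type DWord
Set-ItemProperty -Path $ra -Name 'fAllowToGetHelp'   -Value 0 -Type DWord

# Verification 1: both services report Stopped and a Disabled start mode.
foreach ($name in $rdpServices) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc) {
        '{0,-12} state={1,-8} startmode={2}' -f $svc.Name, $svc.State, $svc.StartMode
    }
}

# Verification 2: no process listens on the RDP port (netstat works on Win7 too).
$listeners = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+:3389\s+\S+\s+LISTENING'
if ($listeners) {
    Write-Warning "Something still listens on TCP 3389:`n$($listeners -join "`n")"
} else {
    'No listener on TCP 3389'
}
```

Re-run the two verification loops after the next reboot, since a later update or policy refresh can re-enable a service.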
    • #1941974

      There is a lot of patching going on with Bluekeep now having an example online.

      As I understand it Bluekeep was patched on 14 May 2019.

      Extra to this we now have reached a point where to use Windows Update you need to have updates installed that support SHA-2 encryption.

      On top of that some patches seem to add SHA-2 or some other form of encryption to EFI boot files.

      Some reports are coming in of instances where users lose “sight” of their boot partition after applying such patches. They may have lost their boot partition completely.

      This could be because of a missing BitLocker patch KB3133977. So far I have not been offered this patch via Windows Update. If I wanted to install this patch then I would have to do it manually.

      My questions are these:

      Do any of the current patches make changes to the Windows boot files that then require another patch, the BitLocker patch KB3133977, to be PREinstalled in order to read/access these changes?

      If yes, do these patches make a difference between UEFI and non-UEFI motherboards? In other words, do they only add changes to the boot files on UEFI systems?

      When these changes to the boot files are made can you still use “old” tools like the repair functions of your Windows 7 DVD?

      W10&11 x64 Pro&Home
