Bluekeep (RDP) Vulnerability

By Nick Lim


In May of 2017, the WannaCry ransomware attack hit companies around the world, causing mass chaos and infecting over 300,000 computers. This attack came from a vulnerability in the SMB protocol that, when exploited, encrypted files, demanded bitcoin, and self-propagated. Two years later, another vulnerability was found that many people are comparing to WannaCry because of how critical it is. On May 14th, 2019, Microsoft released patches for the Bluekeep vulnerability (CVE-2019-0708). Patches were released for Windows 7, Windows Server 2008 R2, and the end-of-life operating systems Windows XP and Windows Server 2003. This vulnerability was so serious that the National Security Agency (NSA) urged companies to patch their systems. This critical vulnerability lies in the Remote Desktop Protocol Services which, when exploited, allows full privileged access to a computer while bypassing authentication. A wormable remote code execution vulnerability is on the loose and has the potential to be the next WannaCry.

The Vulnerability

The vulnerability lies in Remote Desktop Services, which is used by millions of people, companies, and machines every day. Remote Desktop Services allows users to remotely access machines over TCP port 3389. Data is sent over virtual channels, allowing machines to communicate with one another. The vulnerability lies in these virtual channels and in the exploitation of a use after free. Virtual channel names are bound to channel numbers, and channels are referenced by name depending on what a user wants to accomplish. For example, CLIPRDR is the name used for the clipboard. RDP reserves channel MS_T120 but does not check for duplicate channels. So, if an attacker makes a channel with the same name but a different number, the attacker can craft data in the newly created channel. These virtual channels are handled by TermDD.sys, a Windows driver that allows your computer to talk to connected devices and has direct access to the operating system. When the TermDD.sys driver tries to close the channel, a pointer remains because of the data crafted by the attacker, causing a use after free. This is where the payload is dropped and the remote code is executed. Here the attacker gains access to your computer with kernel-level privileges and now has full control of the system. Depending on how an attacker crafts the data, an exploit can be wormable, spreading to other machines on the network. As you can see, this is a critical vulnerability that has the potential to be catastrophic once in the wild.
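As an added example (not part of the original article), here is a defensive check for the channel-name condition described above. It parses the Client Network Data block (CS_NET, as laid out in MS-RDPBCGR) in which an RDP client requests its virtual channels, and flags a request for the reserved name MS_T120 or a repeated name. The function names and sample blocks are constructed for illustration, and treating any client request for MS_T120 as suspicious is an assumption of this example.

```python
import struct

CS_NET = 0xC003          # TS_UD_CS_NET header type (MS-RDPBCGR)
RESERVED = {"MS_T120"}   # channel name the article says RDP reserves


def parse_cs_net(block):
    """Parse a Client Network Data block into (name, options) pairs."""
    if len(block) < 8:
        raise ValueError("block shorter than header + channelCount")
    btype, blen, count = struct.unpack_from("<HHI", block, 0)
    if btype != CS_NET:
        raise ValueError("not a CS_NET block")
    # Each CHANNEL_DEF is an 8-byte null-padded name plus 4 bytes of options.
    if blen != len(block) or blen != 8 + 12 * count:
        raise ValueError("length fields inconsistent with channelCount")
    channels = []
    for i in range(count):
        raw, options = struct.unpack_from("<8sI", block, 8 + 12 * i)
        name = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        channels.append((name, options))
    return channels


def suspicious_channels(block):
    """Return requested names that are reserved or requested twice."""
    seen, hits = set(), []
    for name, _ in parse_cs_net(block):
        key = name.upper()   # compare case-insensitively (conservative choice)
        if key in RESERVED or key in seen:
            hits.append(name)
        seen.add(key)
    return hits


def build_cs_net(names):
    """Build a constructed sample block for testing (not a real capture)."""
    body = b"".join(struct.pack("<8sI", n.encode("ascii"), 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body
```

A network sensor or RDP-aware proxy would feed this the CS_NET block extracted from the connection request; malformed blocks raise ValueError so they can be logged rather than silently skipped.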

Using Metasploit (Educational purposes only)

Metasploit now offers an exploit for the Bluekeep vulnerability. Here is a walkthrough on how to go about using it.

First, launch Metasploit and search for “bluekeep.” One of the modules listed is the scanning tool, which can be used to scan for exploitable machines or to trigger denial of service. To use the exploit, type “use exploit/windows/rdp/cve_2019_0708_bluekeep_rce”.

Here are all the different options that can be set.

Set the IP of the target host.

Use show targets to show which OS versions can be exploited. Choose the version of the target.

Set the client IP, usually your own. This is the IP of the machine that will control the shell after exploitation.

Everything is set and ready to go. Enter “exploit” and watch the magic happen. The power is now in your hands. With great power comes great responsibility.

Reminder: For educational purposes only!

Possibilities in the Future

Due to the severity of the vulnerability, there is potential for another WannaCry. Since the patches were released somewhat recently, it would be no surprise to find millions of vulnerable machines in the wild. Exploits are starting to be posted online, making it extremely dangerous. In July, the first publicly available exploit was being sold by the US company Immunity Inc. as part of their pentesting tool, CANVAS 7.23. Although their version is not wormable, an exploit has the potential to be wormable, causing it to self-propagate and spread to numerous machines. Attacks have just started to appear in the wild. If people do not patch their machines soon, the world will fall victim to another WannaCry.


The best way to prevent this vulnerability from being exploited is to patch all vulnerable machines as soon as possible. For Windows 7 and up, patches can be found on Microsoft’s website through the KB. If for some reason patching is not possible, disable Remote Desktop Protocol so that no connection can be established, meaning the vulnerability cannot be exploited. Another option is to enable Network Level Authentication (NLA). This blocks direct access to Remote Desktop Services and forces authentication before a session is established with the server. Keep in mind that NLA does not prevent the use of an exploit. If the attacker knows any credential combination, the system is still vulnerable. One final reminder: patch your systems!
