Metasploit developers publish exploit for BlueKeep vulnerability

Metasploit developers published an exploit for the BlueKeep vulnerability. It allows code execution and it is easy to use.

Recalling, the critical vulnerability CVE-2019-0708 (aka BlueKeep) associated with the operation of Remote Desktop Services (RDS) and RDP was fixed by Microsoft back in May of this year.

“Using this bug, attackers can execute arbitrary code without authorization and spread their malware like a worm, as, for example, with the well-known malware WannaCry and NotPetya”, — warn experts at Metasploit.

The issue is dangerous for Windows Server 2008, Windows 7, Windows 2003, and Windows XP, for which security updates have been released due to the severity of the problem.

Microsoft experts warned about the danger of BlueKeep twice, and along with them, many other institutions drew attention to the problem, namely the US Department of Homeland Security, the Australian Cybersecurity Center and the UK National Cybersecurity Center.

Read also: On GitHub published a detailed analysis of BlueKeep vulnerability that simplifies creation of exploits

Specialists of several information security companies, including Zerodium, McAfee and Check Point, as well as independent researchers, have developed their own proof of concept exploits for the vulnerability. The code for these exploits was not published in the public domain due to high risk. In addition, for the vulnerability, the MetaSploit module was created back in the summer (it was also not made publicly available for the above reasons), as well as a commercial RCE exploit written by Immunity Inc, but inaccessible to the general public.

Now experts at Rapid7, the Metasploit company, have published an exploit for BlueKeep in the format of the Metasploit module, available to everyone. Unlike other PoC exploits that have long been available on the network, this solution really allows executing arbitrary code and is a “combat” tool.

However, the developers still left a kind of fuse in the code: at present, the exploit works only in manual control mode, that is, it still needs to interact with a person.

“The Metasploit operator will have to manually specify all the information about the target system, that is, automate attacks and use BlueKeep massively, as a self-propagating worm, will not work. However, this does not cancel out the possibilities of targeted attacks”, – say researchers at Metasploit.

It should also be noted that the BlueKeep Metasploit module only works with 64-bit versions of Windows 7 and Windows 2008 R2, but is useless against other vulnerable versions of the OS.

Although companies and users had enough time to install the patches, according to BinaryEdge, the network still can detect about 700,000 vulnerable to BlueKeep systems. So in the nearest future we will definitely hear more than once about the exploitation of the vulnerability by attackers.