Hackers who posted a barebones proof-of-concept attack for a critical Windows vulnerability may have obtained some of the code from Microsoft or one of its antivirus partners, the bug’s finder said today.
Luigi Auriemma, an Italian security researcher who discovered the vulnerability in Windows’ Remote Desktop Protocol (RDP) in May 2011, then submitted it to a Hewlett-Packard bug bounty program, spelled out the leak theory in a long post to his personal blog Friday.
On Tuesday, Microsoft updated all flavours of Windows to patch the critical RDP vulnerability, telling customers “[We] strongly encourage you to make a special priority of applying this particular update.”
That same day, several security researchers predicted attackers would quickly craft a working exploit , and would probably tuck it into a worm able to infect any unpatched PC or server that had RDP enabled.
Auriemma asserted that Microsoft gave hackers a head start.
The data packet used by the proof-of-concept (PoC) — which first appeared on a Chinese Web site, according to Trustwave’s SpiderLabs — was the same one he had submitted to HP TippingPoint’s Zero Day Initiative (ZDI) as part of the verification process to obtain his bug bounty.
But the executable code — which used Auriemma’s data packet to trigger the RDP vulnerability — showed signs of having been made by Microsoft months after ZDI passed on its findings to the Redmond, Wash. developer. “The executable PoC was compiled in November 2011 and contains some debugging strings like ‘MSRC11678’ which is a clear reference to the Microsoft Security Response Centre,” Auriemma said.
“In short it seems written by Microsoft for [its] internal tests and was leaked probably during its distribution to their ‘partners’ for the creation of antivirus signatures and so on,” Auriemma charged. “The other possible scenario is [that] a Microsoft employee was [the] direct or indirect source of the leak. [A] hacker intrusion looks the less probable scenario at the moment.”
The partners Auriemma referred to are the antivirus firms that participate in the Microsoft Active Protection Program (MAPP), where Microsoft shares vulnerability information with select security companies before a patch goes public. The goal of MAPP is to give antivirus vendors more time to craft exploit detection signatures.
If a MAPP partner was responsible for the leak, “It’s the epic fail of the whole system,” argued Auriemma.
Microsoft did not reply to a request for comment on Auriemma’s claims.
Other researchers have said that the RDP proof-of-concept was unreliable, and only crashed Windows. The existing code, however, would be a good starting point for a successful exploit, they noted.
Because he considered the cat out of the bag, Auriemma today also made public his own security advisory for the vulnerability, as well as a proof-of-concept exploit he created. Auriemma identified the flaw as a “use-after-free” memory management bug.
As researchers expected earlier this week, there has been interest in an exploit of the RDP bug from all corners.
The Gun.io Web site, which bills itself as a place to “Hire the best hackers,” has posted a reward for the maker of the first Metasploit module that exploits the RDP bug. As of early Friday, contributors had pledged $1,500 to the first person to come up with a module.
Metasploit is a popular open-source penetration testing toolkit that’s used by both legitimate researchers to probe networks for vulnerabilities and by criminals who sometimes use its code as the foundation for their exploits.
HD Moore, chief technology officer at Rapid7 and the creator of Metasploit, is among those who have put money into the Gun.io pot.
Moore did not reply to questions today about the status of a working Metasploit module
Trustwave called the activity a “race for a working exploit,” a common pattern in bug patching, where hackers reverse engineer a fix to quickly find clues about how to exploit a vulnerability, starting a race between criminals and customers deploying patches.
As evidence of the frenzy, Trustwave pointed out that a Thursday post to Pastebin claimed to be a working exploit for the RDP bug. It was nothing of the sort.
“If you looked closely at the top [of the Pastebin post] the email address was ‘[email protected],'” said an unnamed researcher with Trustwave SpiderLabs. “That makes things a little suspicious, but if you actually attempted to run what was posted you could have put yourself into a world of hurt, as it did not appear to be a working exploit of MS12-020, but instead had traces to an Apache exploit from 2008.”
The ‘sabu’ in the email address may refer to the nickname used by Hector Xavier Monsegur, a 28-year-old hacker and member of the notorious LulzSec and Anonymous crews who was flipped by the FBI last year and informed on other members of those groups.
Several alleged members of LulzSec and Anonymous were arrested in Ireland, the U.S. and the U.K. last week on evidence provided by Monsegur.
Auriemma promised more information as he was able to collect it. But he didn’t sound happy.
“Microsoft has spread the potential starting point for an unauthenticated kernel-level worm,” he charged. “Weren’t they here to protect the users?”
The Microsoft MS12-020 update that quashes the RDP bug can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg’s RSS feed . His email address is [email protected] .