Bluekeep Windows RDP RCE exploit scares security researchers
-
2019-07-27 at 10:33 PM UTC
RDP = remote desktop protocol, which allows tech support to take over your desktop
RCE = remote code execution, basically allowing remote sites to do whatever they wish on your pc
https://en.wikipedia.org/wiki/BlueKeep
TLDR:
affects Windows XP and 7
very serious
affects remote desktop protocol (RDP); if you don't use it you don't need to worry
MS even released an XP patch this year
Patches:
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/e5989c8b-7046-e911-a98e-000d3a33a34d
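The first post's advice boils down to "if RDP is off, BlueKeep can't reach you". As an added example (not from the thread or from Microsoft), here is a PowerShell check that reports whether a Windows host actually exposes Remote Desktop, and a helper to switch it off. It assumes an elevated session; the registry keys are the standard Terminal Server ones, while the Net* cmdlets only exist on Windows 8 / Server 2012 and later, so on Windows 7 only the registry part of the report is populated.

```powershell
# Added example: report RDP exposure on this host (run as Administrator).
function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is disabled at the OS level.
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required,
    # so a client must log in before it reaches the pre-auth RDP code paths
    # (Microsoft lists NLA as a partial mitigation for BlueKeep).
    $nla  = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Listening port; 3389 by default, and that is what internet-wide scans look for.
    $port = (Get-ItemProperty -Path $tcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber

    # Live socket and firewall state (Windows 8+/Server 2012+ cmdlets; $null on Windows 7).
    $listening = $null
    $fwOpen    = $null
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
        # 'Remote Desktop' is the built-in rule group that opens RDP inbound.
        $fwOpen = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                         Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })
    }

    if ($deny -ne 0)     { $verdict = 'RDP disabled: BlueKeep is not reachable on this host' }
    elseif ($nla -eq 1)  { $verdict = 'RDP on with NLA required: reduced exposure, still install the patch' }
    else                 { $verdict = 'RDP on without NLA: patch now or disable RDP' }

    [pscustomobject]@{
        RdpEnabled        = ($deny -eq 0)
        NlaRequired       = ($nla -eq 1)
        Port              = $port
        Listening         = $listening
        InboundFwRuleOpen = $fwOpen
        Verdict           = $verdict
    }
}

# The thread's own advice for people who never use RDP: turn it off entirely.
function Disable-Rdp {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                     -Name fDenyTSConnections -Value 1
    if (Get-Command Disable-NetFirewallRule -ErrorAction SilentlyContinue) {
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    }
}

Get-RdpExposure | Format-List
```

Disabling RDP is the mitigation, not the fix: a host that reports "RDP disabled" still needs the patch from the link above before anyone re-enables it.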
-
2019-07-28 at 1:11 AM UTC
Certain persons had a working, wormable exploit for BlueKeep months ago.
-
2019-07-28 at 1:12 AM UTC
Did you know China has one million machines running with RDP on and facing the internet. Shodan it. Do with this information what you will.
-
2019-07-28 at 1:40 AM UTC
It's very easy to block with a manual rule-based firewall with process monitoring capabilities. No services can be started unless preapproved, no ports can be opened unless preapproved, not even .dll or .ocx files can load without preapproval in the firewall. These types of attacks are completely useless against a rule-based firewall.
-
2019-07-28 at 1:56 AM UTC
Originally posted by -SpectraL It's very easy to block with a manual rule-based firewall with process monitoring capabilities. No services can be started unless preapproved, no ports can be opened unless preapproved, not even .dll or .ocx files can load without preapproval in the firewall. These types of attacks are completely useless against a rule-based firewall.
That's all well and good. But about 5 billion people don't even turn off the RDP service. They just keep Windows in default mode and it's these people that get constantly pwnd.
-
2019-07-28 at 2:16 AM UTC
About the only way to get in against a proper firewall is to launch obfuscated shellcode through the browser port (which is already approved) in order to disable or clone the firewall or perform some kind of override using the local system.
-
2019-07-28 at 2:23 AM UTC
Originally posted by -SpectraL About the only way to get in against a proper firewall is to launch obfuscated shellcode through the browser port (which is already approved) in order to disable or clone the firewall or perform some kind of override using the local system.
Do you use a browser? Yes? Then you can be owned even if you have a firewall. Brickerware doesn't even need C2 comms.
-
2019-07-28 at 2:30 AM UTC
Originally posted by Sophie Do you use a browser? Yes? Then you can be owned even if you have a firewall. Brickerware doesn't even need C2 comms.
Not so fast. The firewall also has process/thread detection capacity. So even when you get through the browser port, you still have to get the memory space to run the malicious code/instructions. The firewall, when properly configured, would throw up an alert if any unknown process, or even sub-process, attempted to initiate. That's the way I have mine set up. The only way I could see around that is to trick the browser into running the hostile process within its own already-approved allocated memory space. Certainly possible, but unlikely anyone would have the know-how to pull it off.
-
2019-07-28 at 5:08 PM UTC
Originally posted by -SpectraL Not so fast. The firewall also has process/thread detection capacity. So even when you get through the browser port, you still have to get the memory space to run the malicious code/instructions. The firewall, when properly configured, would throw up an alert if any unknown process, or even sub-process, attempted to initiate. That's the way I have mine set up. The only way I could see around that is to trick the browser into running the hostile process within its own already-approved allocated memory space. Certainly possible, but unlikely anyone would have the know-how to pull it off.
Literally not how firewalls work.
-
2019-07-28 at 7:55 PM UTC
-
2019-07-28 at 7:59 PM UTC
We should all just quit the internet and there would be nothing to hack.