Hacker demonstrates Remote Code Execution exploit for Windows Remote Desktop Gateway

A self-described "reverser/pwner [and] Windows kernel hacker" has demoed a working exploit for two recently discovered vulnerabilities in Windows Remote Desktop Gateway (RD Gateway).

The exploit takes advantage of the CVE-2020-0609 and CVE-2020-0610 vulnerabilities which have already been shown to make a denial of service attack possible. Now Luca Marcelli has shown how the same vulnerabilities can be exploited in a Remote Code Execution attack.

See also:

• Microsoft's suggested workaround for Internet Explorer vulnerability breaks printing
• Microsoft says it will release black desktop bug fix to all Windows 7 users for free
• Your Windows 7 desktop has turned black? Microsoft has a fix on the way... and workarounds in the meantime [Updated]

There are patches for the vulnerabilities -- which affect Windows Server -- but Marcelli acknowledges that not everyone will be able to install these immediately, or indeed at all. As such information about the exploit is a little thin, although a video showing it in action is available.

Microsoft wrote about CVE-2020-0609 and CVE-2020-0610 recently, describing the vulnerabilities as Critical. Each has the same explanatory write-up:

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP.

The update addresses the vulnerability by correcting how RD Gateway handles connection requests.

Microsoft has advised users of Windows Server 2012, 2012 R2, 2016 and 2019 to install security updates, and Luca Marcelli posted video footage on Twitter showing how unpatched systems could be exploited:

If installing the update is not an option you should apply other measurements such as disabling UDP traffic. I'll wait a bit until people had enough time to patch before releasing this to the public :)

— Luca Marcelli (@layle_ctf) January 26, 2020

Marcelli says that a blog post will follow, so we should learn more about the exploit soon.

Image credit: spatuletail / Shutterstock