date 2020-01-27

Hacker demonstrates Remote Code Execution exploit for Windows Remote Desktop Gateway

A self-described "reverser/pwner [and] Windows kernel hacker" has demoed a working exploit for two recently discovered vulnerabilities in Windows Remote Desktop Gateway (RD Gateway).

The exploit takes advantage of the CVE-2020-0609 and CVE-2020-0610 vulnerabilities, which have already been shown to make a denial of service attack possible. Now Luca Marcelli has shown how the same vulnerabilities can be exploited in a Remote Code Execution attack.

There are patches for the vulnerabilities -- which affect Windows Server -- but Marcelli acknowledges that not everyone will be able to install these immediately, or indeed at all. As such, information about the exploit is a little thin, although a video showing it in action is available.

Microsoft wrote about CVE-2020-0609 and CVE-2020-0610 recently, describing the vulnerabilities as Critical. Each has the same explanatory write-up:

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's RD Gateway via RDP.

The update addresses the vulnerability by correcting how RD Gateway handles connection requests.

Microsoft has advised users of Windows Server 2012, 2012 R2, 2016 and 2019 to install security updates, and Luca Marcelli posted video footage on Twitter showing how unpatched systems could be exploited.

Marcelli says that a blog post will follow, so we should learn more about the exploit soon.
