As part of the first Patch Tuesday of this year, Microsoft fixed two critical vulnerabilities affecting Windows Server 2012, 2016 and 2019: CVE-2020-0609 and CVE-2020-0610. Since then, security researchers have been publishing more and more exploits for these bugs in Windows RDG (Remote Desktop Gateway).
In the second half of 2019, users were alarmed by the possibility of exploiting vulnerabilities in RDP, and Microsoft's patches apparently could not fix all the problems. According to the company, the Windows Remote Desktop Gateway (RD Gateway, formerly Terminal Services Gateway) component is vulnerable to remote code execution, allowing attackers to take over vulnerable Windows servers via RDP using specially crafted requests.
Security researcher Marcus Hutchins (aka MalwareTech) was the first to publish a technical analysis of these problems; he also released the source code of a scanner that checks servers for the vulnerabilities.
“Remote Desktop Gateway (RDG), previously known as Terminal Services Gateway, is a Windows Server component that provides routing for Remote Desktop (RDP). Rather than users connecting directly to an RDP Server, users instead connect and authenticate to the gateway. Upon successful authentication, the gateway will forward RDP traffic to an address specified by the user, essentially acting as a proxy,” wrote Marcus Hutchins.
Other researchers have now published the first exploits for the new vulnerabilities. The first was a Danish specialist known under the pseudonym Ollypwn. He discovered the pair of vulnerabilities, collectively named BlueGate, and last week unveiled PoC exploits for CVE-2020-0609 and CVE-2020-0610 that can cause a denial of service (DoS).
Then InfoGuard AG expert Luca Marcelli demonstrated his own exploit, which already achieves remote code execution.
“Ladies and gentlemen, I present you a working Remote Code Execution (RCE) exploit for the Remote Desktop Gateway (CVE-2020-0609 & CVE-2020-0610). Accidentally followed a few rabbit holes but got it to work,” Luca Marcelli wrote when presenting his exploit.
So far, Marcelli's exploit code has not been made publicly available: the researcher is working on a full article for his blog and wants to give users more time to install the patches. However, a demonstration of the exploit can be seen below.
Although attackers have not yet begun actively searching for and attacking vulnerable servers, according to Shodan there are almost 20,000 such servers exposed, so attacks are unlikely to be long in coming.
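As an added defender-side check (not part of the article, and not the scanner Hutchins published), here is a PowerShell snippet a Windows Server administrator can run locally to tell whether a host is in scope for these fixes. It assumes the RD Gateway role is the RDS-Gateway feature, that its UDP transport listens on port 3391 by default, and that the fixes shipped with the 14 January 2020 updates; the article gives no KB number, so the check looks at update install dates instead.

```powershell
# Added example, not from the article: local in-scope check for a Windows Server
# host before/after applying the CVE-2020-0609 / CVE-2020-0610 fixes.
# Assumptions: RD Gateway role == 'RDS-Gateway' feature; RDG UDP transport on
# port 3391 by default; fixes released on 14 Jan 2020 (first Patch Tuesday 2020).
$patchDate = Get-Date '2020-01-14'

# 1. Is the RD Gateway role installed at all? If not, this host is not an RDG endpoint.
$role = Get-WindowsFeature -Name RDS-Gateway
if (-not $role.Installed) {
    Write-Output "RD Gateway role not installed: host is out of scope."
    return
}
Write-Output "RD Gateway role installed: host is in scope."

# 2. Is the gateway actually exposing its UDP transport? (assumed default port 3391)
$udp = Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue
if ($udp) {
    Write-Output "UDP 3391 listener present: RDG UDP transport is enabled."
} else {
    Write-Output "No UDP 3391 listener: RDG UDP transport appears disabled."
}

# 3. Has any update been installed since the January 2020 release?
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDate }
if ($recent) {
    Write-Output "Updates installed since $($patchDate.ToString('yyyy-MM-dd')) (verify the RDG fix is among them):"
    $recent | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
} else {
    Write-Output "No updates since $($patchDate.ToString('yyyy-MM-dd')): treat this gateway as unpatched."
}
```

Run it in an elevated PowerShell session on the gateway itself; the install-date test is a heuristic, so confirm the specific update from the Microsoft advisory is present before calling the host patched.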