MS12-020 Vulnerability and Your MS-WBT-Server: Understanding the Risk

The rdp-vuln-ms12-020 Nmap script lets network security professionals find systems that are still missing the fixes from Microsoft Security Bulletin MS12-020. That bulletin addresses two vulnerabilities in the Remote Desktop Protocol (RDP) service, which Nmap reports under its IANA service name ms-wbt-server on TCP port 3389. An unpatched host is exposed to denial of service and, in the worse case, to remote code execution by anyone who can reach the port. This article covers what MS12-020 fixes, how the Nmap script performs its check without crashing the target, and how to read its output.

Understanding the MS12-020 Vulnerability

Microsoft Security Bulletin MS12-020 resolves two significant vulnerabilities affecting Remote Desktop Services. These vulnerabilities are identified as CVE-2012-0152 and CVE-2012-0002.

  • CVE-2012-0152: A denial-of-service (DoS) flaw in the Terminal Server component. A remote attacker who can send crafted RDP packets to the port, without authenticating, can crash the Remote Desktop service and cut off remote access.
  • CVE-2012-0002: The more severe of the two, a remote code execution (RCE) flaw in the RDP implementation itself, which Microsoft rated Critical. Because it is reachable before any authentication takes place, a remote attacker could execute arbitrary code on a system that simply has RDP exposed.

The rdp-vuln-ms12-020 Nmap script tests only for CVE-2012-0152. Both fixes shipped together in the same bulletin, so the script assumes that a host which still exhibits the denial-of-service bug has not applied MS12-020 at all and therefore also lacks the remote-code-execution fix. This is an inference about patch state rather than a direct test of CVE-2012-0002; the script reports both CVEs on that basis, and a patch inventory of the host is the way to confirm it.

How the rdp-vuln-ms12-020 Script Works

The script checks for the flaw without crashing the target by issuing a short sequence of requests at RDP's MCS (T.125) layer and examining the server's replies. It operates through the following steps:

  1. Attach User Request 1: The script sends an MCS Attach User Request. The server answers with an Attach User Confirm that assigns a user ID (call it A) and allocates that user its own private channel, whose channel ID is the same as the user ID.
  2. Attach User Request 2: A second Attach User Request is sent. The server assigns another, distinct user ID (call it B) with its own private channel.
  3. Channel Join Request (the vulnerability check): The script sends a Channel Join Request whose initiator is user A but whose requested channel is user B's private channel. A patched server refuses this, since A has no business joining another user's channel. A server vulnerable to MS12-020 performs no such check and answers with a successful Channel Join Confirm; that success reply is what the script treats as evidence of the vulnerability.
  4. Channel Join Request (cleanup): If the server was found vulnerable, the script sends one more Channel Join Request, this time asking user B to join its own channel. This reduces the chance that the inconsistent state left behind by the previous request triggers the denial-of-service condition on the target.

This check, based on work by Worawit Wang (sleepya), is non-destructive by design: the scan is meant to leave the target's Remote Desktop service running. It does, however, exercise the very code path the bulletin fixes, so treat it as you would any other vulnerability check and schedule scans of production hosts accordingly.
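As an added example (this is not the Nmap script's own code, nor code from the original article), the exchange above in Python: the client side builds the Attach User and Channel Join PDUs as they appear on the wire inside TPKT/X.224 framing and runs steps 1 to 4, while a constructed in-process stand-in for the server answers them either like an unpatched host or like a patched one, so the whole thing runs offline. The X.224 connection request and the MCS Connect Initial/Response handshake that precede these steps are assumed to have been completed by the caller and are not built here; the rejection code the simulated patched server returns (rt-not-admitted) and the first user ID it hands out are assumptions for the simulation, not observed Windows behaviour.

```python
import struct

# Wire constants: T.123 TPKT framing, X.224 data TPDU, T.125 MCS PDUs (PER aligned).
TPKT_VERSION = 3
X224_DATA = b"\x02\xf0\x80"  # X.224 Data TPDU: LI=2, code 0xf0 (DT), 0x80 (EOT)
MCS_AURQ = 0x28              # Attach User Request: MCS type 10 << 2
MCS_AUCF = 0x2e              # Attach User Confirm: type 11 << 2, initiator-present bit set
MCS_CJRQ = 0x38              # Channel Join Request: type 14 << 2
MCS_CJCF = 0x3e              # Channel Join Confirm: type 15 << 2, channelId-present bit set
RT_SUCCESSFUL = 0            # MCS Result rt-successful
RT_NOT_ADMITTED = 6          # MCS Result rt-not-admitted; assumed reply of the simulated patched server
USER_ID_BASE = 1001          # an MCS UserId travels on the wire as (id - 1001)


def tpkt(mcs_pdu: bytes) -> bytes:
    """Wrap an MCS PDU in X.224 Data and TPKT headers (length covers the whole packet)."""
    body = X224_DATA + mcs_pdu
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(body)) + body


def untpkt(pkt: bytes) -> bytes:
    """Validate TPKT/X.224 framing and return the MCS PDU inside it."""
    if len(pkt) < 7 or pkt[0] != TPKT_VERSION:
        raise ValueError("not a TPKT packet")
    (length,) = struct.unpack(">H", pkt[2:4])
    if length != len(pkt) or pkt[4:7] != X224_DATA:
        raise ValueError("bad TPKT length or X.224 header")
    return pkt[7:]


def attach_user_request() -> bytes:
    return tpkt(bytes([MCS_AURQ]))


def parse_attach_user_confirm(pkt: bytes) -> int:
    """Return the user ID the server assigned (the user's private channel has the same ID)."""
    mcs = untpkt(pkt)
    if len(mcs) < 4 or mcs[0] != MCS_AUCF or (mcs[1] >> 4) != RT_SUCCESSFUL:
        raise ValueError("attach user failed: %r" % mcs)
    return USER_ID_BASE + struct.unpack(">H", mcs[2:4])[0]


def channel_join_request(user_id: int, channel_id: int) -> bytes:
    """Channel Join Request: initiator is PER-encoded as (id - 1001), channelId is sent as-is."""
    return tpkt(struct.pack(">BHH", MCS_CJRQ, user_id - USER_ID_BASE, channel_id))


def parse_channel_join_confirm(pkt: bytes) -> int:
    """Return the MCS Result code (the 4-bit enum sits in the high nibble of the second byte)."""
    mcs = untpkt(pkt)
    if len(mcs) < 6 or mcs[0] != MCS_CJCF:
        raise ValueError("not a channel join confirm: %r" % mcs)
    return mcs[1] >> 4


def check_ms12_020(conn) -> bool:
    """Steps 1-4 over `conn` (anything with send(bytes) and recv(n)).
    The caller must already have completed the X.224 connection request and the
    MCS Connect Initial/Response exchange on `conn`; those PDUs are not built here."""
    conn.send(attach_user_request())
    user_a = parse_attach_user_confirm(conn.recv(4096))
    conn.send(attach_user_request())
    user_b = parse_attach_user_confirm(conn.recv(4096))
    # Step 3: user A asks to join user B's private channel. A patched server refuses.
    conn.send(channel_join_request(user_a, user_b))
    vulnerable = parse_channel_join_confirm(conn.recv(4096)) == RT_SUCCESSFUL
    if vulnerable:
        # Step 4: join B to its own channel so the test leaves the server in a sane state.
        conn.send(channel_join_request(user_b, user_b))
        parse_channel_join_confirm(conn.recv(4096))
    return vulnerable


class SimulatedRdpServer:
    """Constructed stand-in for the server side so the check runs offline. Hands out
    user IDs in order; when patched=True it answers a join whose channel belongs to
    another user with rt-not-admitted (an assumed code, not modelled on real Windows)."""

    def __init__(self, patched: bool, first_user_id: int = 1007):
        self.patched = patched
        self.next_user = first_user_id  # assumed starting ID for the simulation
        self.users = set()
        self.outbox = []

    def send(self, pkt: bytes) -> None:
        mcs = untpkt(pkt)
        if mcs[0] == MCS_AURQ:
            uid, self.next_user = self.next_user, self.next_user + 1
            self.users.add(uid)
            self.outbox.append(tpkt(struct.pack(">BBH", MCS_AUCF, 0, uid - USER_ID_BASE)))
        elif mcs[0] == MCS_CJRQ:
            initiator, channel = struct.unpack(">HH", mcs[1:5])
            foreign = channel in self.users and channel != USER_ID_BASE + initiator
            result = RT_NOT_ADMITTED if (self.patched and foreign) else RT_SUCCESSFUL
            self.outbox.append(tpkt(struct.pack(">BBHHH", MCS_CJCF, result << 4,
                                                initiator, channel, channel)))
        else:
            raise ValueError("unexpected MCS PDU 0x%02x" % mcs[0])

    def recv(self, n: int) -> bytes:
        return self.outbox.pop(0)
```

Against the simulated servers, check_ms12_020(SimulatedRdpServer(patched=False)) returns True and the patched variant returns False. To run it against a real host, pass a connected socket on which the preceding handshake has already been completed. The parsers are deliberately strict: a malformed or unexpected reply raises rather than being silently read as "not vulnerable", which is the failure mode you want in a detection tool.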

Using the rdp-vuln-ms12-020 Nmap Script

To use the rdp-vuln-ms12-020 script you need Nmap installed; the script ships with current Nmap releases in the scripts directory. Run it with the following command:

nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>
  • -sV: Enables version detection. The script runs against port 3389 or against any port whose service Nmap identifies as ms-wbt-server, so -sV is what lets it fire when RDP has been moved to a non-default port (scan that port, or -p-, in that case); with -p 3389 alone it is optional.
  • --script=rdp-vuln-ms12-020: Specifies the script to be run.
  • -p 3389: Targets port 3389, the default port for RDP (ms-wbt-server).
  • <target>: Replace this with the IP address or hostname of the system you want to test.

Script Arguments

The script also accepts the vulns.short and vulns.showall arguments, which come from the vulns Nmap library rather than from this script. vulns.short reduces each entry to its title and state, and vulns.showall also prints entries whose state is NOT VULNERABLE, which are otherwise suppressed; pass them with --script-args, for example --script-args=vulns.showall. Refer to the Nmap documentation for the vulns library for the full details.

Interpreting the Script Output

The output of the rdp-vuln-ms12-020 script states the vulnerability status of the target's Remote Desktop service directly. A vulnerable host produces output like the following:

PORT     STATE SERVICE      VERSION
3389/tcp open  ms-wbt-server?
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|     Description:
|       Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     Description:
|       Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002

The output marks both the Denial of Service and the Remote Code Execution entries as VULNERABLE, together with their CVE identifiers, risk factors and CVSSv2 vectors, disclosure dates, and links to the Microsoft bulletin and the CVE database. Keep in mind that only CVE-2012-0152 was actually tested; the CVE-2012-0002 entry is inferred from that result, as described above. A patched host produces no rdp-vuln-ms12-020 output at all unless vulns.showall is set, in which case the entries appear with State: NOT VULNERABLE.

Conclusion

The rdp-vuln-ms12-020 Nmap script is a quick, low-risk way to find Remote Desktop hosts that are still missing the MS12-020 fixes. Scanning your network with it regularly, and whenever a host is rebuilt from old media, is a sensible part of maintaining a secure infrastructure. When it flags a system, apply the MS12-020 update without delay to close both the denial-of-service and the remote-code-execution flaws. The bulletin's own workarounds, enabling Network Level Authentication on systems that support it and blocking TCP port 3389 at the perimeter, are worth applying in any case: RDP reachable from untrusted networks is exposure you should not be carrying regardless of patch level.
