Leak outs Microsoft RDP vulnerability exploit

Microsoft’s estimate that it would take ne’er-do-wells 30 days to exploit the recently discovered RDP vulnerability appears to be wide of the mark, following the apparent leaking of working proof-of-concept code.
The flaw, patched by the MS12-020 Security Update released by Microsoft last Tuesday, allows remote attackers to execute code under the ‘system’ privilege level. As the attack requires no authentication, it represents a serious threat to any system running Remote Desktop Protocol (RDP) and connected to the internet – some five million machines, according to security researcher Dan Kaminsky.
In mitigation, Microsoft claimed that the complexity of the flaw meant that it was ‘not trivial‘ to produce a working exploit for the flaw, saying that ‘we would be surprised to see one developed in the next few days.‘ Instead, the company predicted that it would take around 30 days for the vulnerability to be actively exploited, giving affected customers time to review and install the patch or implement a workaround.
Sadly, it looks like Microsoft has been caught by surprise after all: a working proof-of-concept has appeared on the internet, giving attackers the code required to readily and easily exploit the security vulnerability.
The code doesn’t appear to have been developed independently, either. Security researcher Luigi Auriemma, who spotted the flaw and provided a proof-of-concept to Microsoft via TippingPoint’s Zero Day Initiative (ZDI) cash-for-bugs security programme, claims that the public proof-of-concept code contains the exact same packet he crafted in his submission to Microsoft. The implication: somebody at Microsoft or TippingPoint leaked the information to the bad guys.
Microsoft, naturally, denies doing any such thing. Instead, the company claims that the leak may have come from one of its Microsoft Active Protections Programme (MAPP) partners, of which ZDI is a member. ‘The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Programme partners,‘ the company’s director of trustworthy computing Yunsun Wee admits. ‘Consistent with the charter of the MAPP program, we released details related to the vulnerabilities addressed in MS12-020 to MAPP partners under a strict Non-Disclosure Agreement in advance of releasing the security bulletin.
Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and programme requirements,‘ Wee adds.
Those who have installed the MS12-020 patch, either manually or via Windows Update, are protected against exploitation of the flaw.


This is re-blogged from, http://www.bit-tech.net/news/bits/2012/03/19/leak-outs-rdp-exploit/1

Security configurations for MVC application & IIS 7

After Sony had been hacked earlier this year, they start taking security really serious now.

And recently I have been involved in a few Sony promotion projects that makes me learn a lot about how to make a website more securer from both web server configurations and application itself.

Go through a 50 pages configuration benchmark book is a pain, but there are some really simple steps people easily forget. Here are some highlights:

  1. Make sure web content is on non-system partition.
  2. Remove or rename well-known urls.
  3. Require a host headers on all sites. Don’t bind http:/*:80 to any site.
  4. Disable directory browsing
  5. Set default application pool identity to least privilege principal.
  6. Ensure application pools run under unique identities, and unique application pools for different sites.
  7. Config anonymous user identity to use application pool identity, this will greatly reduce the number of accounts needed for websites.
    open applicationHost.config and make sure you set the userName attribute of the anonymousAuthentication tag is set to a blank string.

    <system.webServer><security><authentication><anonymousAuthentication userName = ""/></authentication></security></system.webServer>
  8. Configure authentications,

    a. Ensure sensitive site features is restricted to authenticated principals only.

    <system.webServer><security><authorization><remove users="*" roles="" verbs="" /><add accessType="Allow" roles="administrators" />

    b. Require SSL in forms authentications and configure forms authentication to use cookies.

    <pre><system.web><authentication><forms cookieless="UseCookies" requireSSL="true" /></authentication></system.web></pre>

    c. Configure cookie protection mode for forms authentication.

    <pre><system.web><authentication><forms cookieless="UseCookies" protection="All" /></authentication></system.web></pre>

    d. Never save password in clear format!!

  9. Asp.net configurations.

    a. Set deployment method to retail, modify machine.config

    <system.web>  <deployment retail="true" /></system.web>

    b. Turn debug off.

    <system.web><compilation debug="false" /></system.web></configuration>

    c. Ensure custom error messages are not off.

    <customErrors mode="RemoteOnly"/> or <customErrors mode = "On"/>

    d. Ensure failed request tracing is not enabled.

    – Open IIS.

    – Go to Connections pane, select server connection, site, application or directory.

    – In actions pane, click failed request tracing… make sure the checkbox is not checked.

    e. Configure to use cookies mode for session state in web.config

    <system.web><sessionState cookieless="UseCookies" /></system.web>

    f. Ensure cookies are set with HttpOnly attribute in web.config. This will stop client side script access to cookies.

    <configuration><system.web><httpCookies httpOnlyCookies="true" /></system.web></configuration>

    g. Set global .NET trust level. Open IIS, in the features view, double click .NET Trust Levels.

  10. Request filtering & restrictions in web.config, set maxAllowedContentLength, maxUrl, maxQueryStringallowHighBitCharacters (setting to dis-allow non-ASCII characters) & allowDoubleEscaping.
    <system.webServer><security><requestFiltering allowHighBitCharacters="false" allowDoubleEscaping = "false"><requestLimits maxAllowedContentLength="30000000" maxUrl="4096" maxQueryString="1024" /></requestFiltering></security></system.webServer></configuration>
  11. Disallow unlisted file extensions in web.config.
    <system.webServer><security><requestFiltering><fileExtensions allowUnlisted="false" ><add fileExtension=".asp" allowed="true"/>
    <add fileExtension=".aspx" allowed="true"/><add fileExtension=".html" allowed="true"/></fileExtensions></requestFiltering></security></system.webServer></configuration>