A security researcher has published a thorough guide that shows how to perform spiteful code on Windows computers still susceptible to the serious BlueKeep flaw.
The researcher said that the move considerably drops the bar for writing exploits that cause the kinds of damaging attacks not seen since the WannaCry and NotPetya attacks of 2017.
Researchers from security firm BitSight said that three weeks ago, more than 800,000 computers revealed to the Internet were susceptible to the exploit.
One of the only bottlenecks in the real-world attacks is the knowhow required to write exploits that remotely perform code without crashing the computer first. While numerous highly skilled whitehat hackers have done so with varying levels of success, they have kept the methods that make this possible surreptitious. Much of that changed overnight, when a security researcher published this slide deck to Github.
“It basically gives a how-to guide for people to make their own RCE,” independent researcher Marcus Hutchins told Ars, using the abbreviation for remote code execution. “It’s a pretty big deal given that now there is almost no bar to stop people publishing exploit code.”
The explainer significantly lowers the bar even to developers who are “not very skilled at all,” Hutchins said. “Most of the bar comes from the need to reverse engineer the RDP protocol to find out how to heap spray,” Hutchins said. “The author explains all this, so all that’s really needed is to implement the RDP protocol and follow their lead. Only a basic understanding is enough. Most likely, what will happen now the bar is lowered [is] more people will be able to exploit the bug; thus, more chance of someone posting full exploit code publicly.”
The slides are written almost entirely in Chinese. They reference a 2019 Security Development Conference, and one of the slides shows the name of Chinese security firm Tencent KeenLab. Two of the slides also contain the word “demo.” This page gives an overview of the conference presentation and identifies Tencent security researcher Yang Jiewei as the speaker.
Jake Williams, a co-founder of Rendition Infosec and a former exploit writer for the National Security Agency, mostly agreed with Hutchins’ assessment of the Github post.
“It’s significant,” Williams said of the deck. “It’s the most detailed publicly available technical documentation we’ve seen so far. It seems to indicate that they showed a proof of concept, but they didn’t publish it.”