Remote Desktop Protocol (RDP) is a Windows feature that lets a user open an interactive session on another computer over the network (the Remote Desktop client connects to a host that has Remote Desktop enabled). It is commonly used to administer servers and to reach data on machines that are not otherwise directly accessible. RDP sessions are encrypted, but encryption protects the session, not the service: an RDP listener that is reachable from the Internet is attack surface, and a vulnerability in the RDP stack can let an attacker compromise the host through the connection itself and read whatever sensitive data that host holds or can reach.

RDP is not the only protocol that can be used to reach a remote server, but that does not limit the impact: once an attacker has compromised a host through its RDP service, they have the host, and can use any other protocol or tool on it from that point on.
In June 2018, Cisco researchers discovered an RDP vulnerability in Microsoft Windows that could be exploited by attackers to execute code remotely on vulnerable Windows devices. Cisco researchers named this vulnerability “Dark Compiler”; it is tracked as CVE-2018-1040, and Cisco researchers have published proof-of-concept (PoC) code that exploits it.

CVE-2018-1040 - Remote Desktop Protocol vulnerability

Vulnerability description
CVE-2018-1040, nicknamed “Dark Compiler” by the Cisco researchers who reported it in June 2018, is a flaw in the Windows RDP stack that an attacker can trigger with a maliciously crafted RDP packet, leading to remote code execution on the affected Windows device. Cisco researchers have published proof-of-concept (PoC) code for the vulnerability.

How to Check if You are Vulnerable to the “Dark Compiler” Remote Desktop Protocol Vulnerability
A Windows machine is exposed if Remote Desktop is enabled on it, its RDP port (TCP 3389 by default) is reachable by the attacker, and the October 2018 fix has not been installed. An attacker who can reach such a host can deliver a malicious payload through the RDP connection and have it executed on that host.
To check a Windows device: first, confirm whether Remote Desktop is enabled (Control Panel > System > Remote settings, or the registry value fDenyTSConnections under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, which is 0 when Remote Desktop is allowed); second, check from another machine whether TCP 3389 is actually reachable; third, compare the installed updates (Get-HotFix in PowerShell, or Settings > Update & Security > View update history) against Microsoft’s advisory for CVE-2018-1040. If Remote Desktop is not needed on the device, leave it disabled: enabling it widens the attack surface and fixes nothing.

How did Cisco researchers discover the vulnerability?

Cisco researchers found the vulnerability while analyzing “Dark Compiler” PoC code that had been released publicly on GitHub. The PoC’s source code was not obfuscated, which made it straightforward to work out what it did and which part of the RDP stack it was hitting.
Exploitation requires network access to the RDP service on the affected device. The exploit first sends the vulnerable device a request carrying a malicious payload; the flaw in handling that request lets the attacker execute arbitrary code on the device.

How Does “Dark Compiler” Work?

The vulnerability is a memory corruption bug in Windows’ RDP stack. Triggering it with a crafted packet lets the attacker run code on the affected machine, and from there read the memory of other processes on that machine and move on to other computers it can reach.

This vulnerability was fixed in October 2018 by Microsoft.

How is the “Dark Compiler” vulnerability exploited?

To exploit the “Dark Compiler” vulnerability, an attacker first has to find a vulnerable device: a Windows host whose RDP service is reachable and which does not have the fix installed. The published PoC must be run with administrative privileges on the machine the attacker launches it from; started without them, it will not work.
Once a target has been found, the attacker starts the PoC as administrator and lets it open an RDP connection to the target. The PoC then sends its malicious payload through that initial RDP connection; the payload is executed on the target Windows machine (Microsoft Windows 10/8/7/Vista/2008), which hands control of it to the attacker.
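The reconnaissance step that both the check above (is RDP reachable on this host?) and the first step of exploitation (find a device with RDP exposed) depend on can be scripted. The following Python probe is an added example; it is not code from the original article and not Cisco’s PoC, and it exploits nothing. It sends the first message of an RDP connection, an X.224 Connection Request carrying an RDP_NEG_REQ as defined in MS-RDPBCGR, and decodes the server’s Connection Confirm, which reveals whether a host speaks RDP at all and whether it requires Network Level Authentication before any session is set up. The server replies in SAMPLES are constructed for offline use, and the host names, port and timeout defaults are assumptions.

```python
"""RDP negotiation probe (added example, not the article's or Cisco's code).

Sends TPKT + X.224 Connection Request + RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1) and
decodes the X.224 Connection Confirm (2.2.1.2): an RDP_NEG_RSP naming the
protocol the server picked, an RDP_NEG_FAILURE, or a bare confirm from a
legacy server that does not negotiate at all.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # legacy "standard RDP security"
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03   # RDP negotiation PDU types

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_RDP | PROTOCOL_SSL):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes)."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, requested)
    # X.224 CR: code 0xE0, DST-REF, SRC-REF, class 0; LI counts the bytes after it
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack("B", len(body)) + body
    # TPKT: version 3, reserved, total length (big-endian, includes this header)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Decode the server reply into {"rdp": bool, "selected": int|None, "failure": str|None}."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        return {"rdp": False, "selected": None, "failure": "not an X.224 CC"}
    li = data[4]                      # X.224 length indicator
    if li <= 6:                       # CC with no RDP_NEG_* payload: legacy server
        return {"rdp": True, "selected": PROTOCOL_RDP, "failure": None}
    if len(data) < 19:
        return {"rdp": True, "selected": None, "failure": "truncated reply"}
    ptype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if ptype == NEG_RSP:
        return {"rdp": True, "selected": value, "failure": None}
    if ptype == NEG_FAILURE:
        return {"rdp": True, "selected": None,
                "failure": FAILURE_CODES.get(value, "failureCode 0x%08x" % value)}
    return {"rdp": True, "selected": None, "failure": "unknown PDU type %d" % ptype}


def classify(result):
    """One-line verdict for an inventory of RDP exposure."""
    if not result["rdp"]:
        return "no RDP listener"
    if result["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return "RDP, NLA enforced"
    if result["failure"]:
        return "RDP, negotiation failed: " + result["failure"]
    if result["selected"] in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
        return "RDP, NLA selected"
    if result["selected"] == PROTOCOL_SSL:
        return "RDP over TLS, NLA not required"
    return "RDP, legacy RDP security (no TLS, no NLA)"


def probe(host, port=3389, timeout=3.0, requested=PROTOCOL_RDP | PROTOCOL_SSL):
    """Connect and negotiate once. Offering RDP|SSL but not HYBRID makes a
    server that enforces NLA answer with HYBRID_REQUIRED_BY_SERVER."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(requested))
        reply = s.recv(64)
    return parse_connection_confirm(reply)


# Constructed server replies for offline use (not captured from any real host).
SAMPLES = {
    "nla":     bytes.fromhex("030000130ed000001234000200080002000000"),  # RSP, HYBRID
    "nla_req": bytes.fromhex("030000130ed000001234000300080005000000"),  # FAILURE code 5
    "tls":     bytes.fromhex("030000130ed000001234000200080001000000"),  # RSP, SSL
    "legacy":  bytes.fromhex("0300000b06d00000123400"),                  # bare CC
    "ssh":     b"SSH-2.0-OpenSSH_8.9\r\n",                              # wrong service
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:             # e.g. python rdp_probe.py 192.0.2.10 (assumed host)
        for host in sys.argv[1:]:
            try:
                print(host, classify(probe(host)))
            except OSError as exc:
                print(host, "unreachable:", exc)
    else:
        for name, reply in SAMPLES.items():
            print(name, "->", classify(parse_connection_confirm(reply)))
```

The probe deliberately does not offer PROTOCOL_HYBRID: a server that enforces NLA then rejects the request with failure code 5 rather than silently choosing CredSSP, so “NLA enforced” and “NLA merely available” can be told apart with a single exchange. Run it against hosts you are authorized to test; an unauthenticated negotiation is exactly the path the article’s crafted-packet exploit uses, so hosts that answer with legacy RDP security or TLS without NLA are the ones to patch or firewall first.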

Timeline

Published on: 01/11/2022 21:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC
