Script rdp-vuln-ms12-020

Script types: portrule
Categories: intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse

Script Summary

Checks if a machine is vulnerable to MS12-020 RDP vulnerability.

The Microsoft bulletin MS12-020 patches two vulnerabilities: CVE-2012-0152 which addresses a denial of service vulnerability inside Terminal Server, and CVE-2012-0002 which fixes a vulnerability in Remote Desktop Protocol. Both are part of Remote Desktop Services.

The script works by checking for the CVE-2012-0152 vulnerability. If this vulnerability is not patched, it is assumed that CVE-2012-0002 is not patched either. This script can do its check without crashing the target.

The check proceeds as follows:

  • Send one user request. The server replies with a user id (call it A) and a channel for that user.
  • Send another user request. The server replies with another user id (call it B) and another channel.
  • Send a channel join request with requesting user set to A and requesting channel set to B. If the server replies with a success message, we conclude that the server is vulnerable.
  • In case the server is vulnerable, send a channel join request with the requesting user set to B and requesting channel set to B to prevent the chance of a crash.

References:

Original check by Worawit Wang (sleepya).

Script Arguments

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

Script Output

PORT     STATE SERVICE        VERSION
3389/tcp open  ms-wbt-server?
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|     Description:
|               Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     Description:
|               Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
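For triaging results across many hosts, the script block above can be parsed into structured findings rather than read by eye. The following is an added example and is not part of the Nmap page or the script itself: it parses a normal-output (`-oN`) block in the layout the vulns library produces, as shown on this page, into per-finding records (title, state, CVE IDs, risk factor, CVSSv2 score and vector, disclosure date, description, references) and picks the highest-severity vulnerable finding to act on first. The sample text is the output block from this page, embedded as a constructed fixture; the `Finding` class and helper names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed fixture: the script output block shown on this page, verbatim.
SAMPLE_OUTPUT = """\
PORT     STATE SERVICE        VERSION
3389/tcp open  ms-wbt-server?
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|     Description:
|               Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     Description:
|               Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
"""

@dataclass
class Finding:                      # one vulns-library entry (this example's own type)
    title: str
    state: str = ""
    cve_ids: List[str] = field(default_factory=list)
    risk_factor: str = ""
    cvss_score: Optional[float] = None
    cvss_vector: str = ""
    disclosure_date: str = ""
    description: str = ""
    references: List[str] = field(default_factory=list)

_PREFIX = re.compile(r"^\|_? ?(.*)$")          # "| ", "|_ " or bare "|" line prefix
_ID = re.compile(r"\b(?:CVE|OSVDB|BID):(\S+)")  # "CVE:CVE-2012-0152" -> "CVE-2012-0152"
_RISK = re.compile(r"Risk factor:\s*(\w+)(?:\s+CVSSv2:\s*([\d.]+)\s*\([A-Z]+\)\s*\((\S+)\))?")

def parse_script_output(text: str) -> List[Finding]:
    """Parse a normal-output script block into Finding records."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    section: Optional[str] = None   # "description"/"references" while inside one
    for raw in text.splitlines():
        m = _PREFIX.match(raw)
        if not m:
            continue                # PORT/STATE lines are not part of the block
        body = m.group(1)
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        if not line:
            section = None          # a bare "|" line closes a multi-line field
            continue
        if indent == 0:
            continue                # the "rdp-vuln-ms12-020:" script-name line
        if indent == 2:
            if line.endswith(":"):  # group header such as "VULNERABLE:"
                continue
            current = Finding(title=line)
            findings.append(current)
            section = None
            continue
        if current is None:
            continue
        if section == "description" and indent > 4:
            current.description = (current.description + " " + line).strip()
            continue
        if section == "references" and indent > 4:
            current.references.append(line)
            continue
        section = None              # any other line at indent 4 is a "Key: value" field
        if line.startswith("State:"):
            current.state = line.split(":", 1)[1].strip()
        elif line.startswith("IDs:"):
            current.cve_ids = _ID.findall(line)
        elif line.startswith("Risk factor:"):
            r = _RISK.match(line)
            if r:
                current.risk_factor = r.group(1)
                if r.group(2):
                    current.cvss_score = float(r.group(2))
                    current.cvss_vector = r.group(3)
        elif line.startswith("Disclosure date:"):
            current.disclosure_date = line.split(":", 1)[1].strip()
        elif line == "Description:":
            section = "description"
        elif line == "References:":
            section = "references"
    return findings

def highest_severity(findings: List[Finding]) -> Optional[Finding]:
    """The finding to remediate first: state VULNERABLE with the highest CVSSv2 score."""
    vuln = [f for f in findings if f.state.upper().startswith("VULNERABLE")]
    return max(vuln, key=lambda f: f.cvss_score or 0.0) if vuln else None

if __name__ == "__main__":
    for f in parse_script_output(SAMPLE_OUTPUT):
        print(f.state, f.cve_ids, f.cvss_score, f.cvss_vector)
    top = highest_severity(parse_script_output(SAMPLE_OUTPUT))
    print("patch first:", top.cve_ids if top else "nothing vulnerable")
```

Feed it the `-oN` file of a scan run with `--script=rdp-vuln-ms12-020` and the two findings come back as records a ticketing or asset-inventory system can consume; because the script infers CVE-2012-0002 from the CVE-2012-0152 result, both records share one state, and `highest_severity` surfaces the 9.3-scored RCE entry as the one to remediate first.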

Requires


Author:

  • Aleksandar Nikolic

License: Same as Nmap--See https://nmap.org/book/man-legal.html