New BlueKeep RCE Exploit Module Added to Penetration Testing Tool

Immunity has included a fully functioning BlueKeep exploit in its automated pentesting software CANVAS with the release of version 7.23 on 23 July.

BlueKeep is a remote code execution (RCE) vulnerability in the Windows Remote Desktop Protocol (RDP) service that allows remote unauthenticated attackers to run arbitrary code, launch denial-of-service attacks, and potentially take control of vulnerable systems.

Although news of a publicly available BlueKeep RCE exploit could give some Windows users WannaCry-style nightmares, it is worth noting that an Immunity CANVAS subscription with early updates starts at $32.480.

Keep in mind, however, that cracked versions of the tool, or threat actors with enough funding, could still take advantage of the commercially available BlueKeep RCE exploit, with potentially catastrophic results given the wormable nature of the vulnerability as Microsoft described it.

About the new CANVAS BlueKeep exploit module

Immunity's CANVAS automated exploitation system is the first to include a BlueKeep module that can achieve remote code execution, namely opening a shell on vulnerable Windows hosts, according to Immunity Inc., the company behind the pentest tool.

“It’s important for organizations to understand their actual risk and determine if their defenses are effectively protecting them,” said Dave Aitel, Chief Security Technical Officer at Cyxtera and CEO of Immunity before it was acquired by Cyxtera.

“Our objective is to help customers solve their risk problems. It’s not just about BLUEKEEP – there will always be another vulnerability that comes along and puts you at risk.”

The company decided to ship a fully functioning RCE exploit, not just a scanner that identifies vulnerable machines, in order to help customers solve their risk problems.

“Many modern systems do anomaly detection on network traffic, or endpoint behavioral analysis to catch exploitation of flaws like BLUEKEEP. Testing these kinds of systems requires a working RCE exploit,” added Aitel.

“Likewise, simply doing a demo to upper management of “Here is us hacking our systems” is a common use for red teams as they gather support to replace or upgrade their systems,” said Aitel. “The end goal should be addressing the entirety of risk rather than focusing on any single exploit.”

Development of the CANVAS RDP library and the exploit took around two months, and the exploit is becoming more stable with each version, according to Cyxtera's Chief Technical Officer.

“We continue to work on this exploit and will release new versions as it evolves,” concluded Aitel.

In the video demo embedded below, you can see the CANVAS 7.23 BlueKeep module in action:

CANVAS 7.23 BLUEKEEP in action from Immunity Videos on Vimeo.

BlueKeep PoC exploits and scanners

Microsoft patched the BlueKeep RDP bug, which was found to affect older versions of Windows from Windows XP, Windows Vista, and Windows 7 to Windows Server 2003 and Windows Server 2008, as part of the company's May Patch Tuesday.

Several security vendors and researchers have created and demoed multiple proof-of-concept exploits for the vulnerability since Microsoft issued security updates to fix the BlueKeep flaw.

Some researchers also developed tools to scan for unpatched Windows machines without harmful side effects [1, 2], as well as detection rules such as the BlueKeep signature created by NCC Group for the Suricata intrusion detection and prevention system.

BlueKeep-vulnerable users urged to patch their devices

In July, Intezer researchers discovered a new version of the Watchbog malware that had been updated to include a BlueKeep scanner module. The threat actors behind Watchbog have not disclosed why they are gathering information on all the unpatched Windows systems they can find.

However, Intezer Labs' analysis says that a possible objective would be to attack those systems as part of a future campaign or to sell the list of exposed hosts to third-party vendors for profit.

A list of BlueKeep mitigation measures was issued in June by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which announced at the same time that it had achieved RCE on an unpatched Windows 2000 computer.

CISA's warning was the fourth urging users of vulnerable Windows devices to patch and/or upgrade, after two others released by Microsoft [1, 2] and one by the U.S. National Security Agency.

CISA also urges Windows administrators and users to review Microsoft's Customer Guidance for CVE-2019-0708 and the Microsoft BlueKeep security advisory.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.