Slide deck brings BlueKeep exploit closer to the wild

A Chinese researcher presented details regarding how to achieve a remote code execution BlueKeep exploit and experts now say attacks in the wild are closer than ever.

BlueKeep, a vulnerability affecting the remote desktop protocol (RDP) in older Windows OSes such as Windows 7, Windows XP and Windows Server 2008, was first patched by Microsoft on May 14.

The detailed slide deck of the BlueKeep exploit was first presented by Yang Jiewei, an engineer for the Chinese cybersecurity vendor Tencent Keen Security Lab, at the 2019 Security Development Conference in Beijing on July 20 as part of a talk called "RDP: From patch to remote code execution." The slide deck was then published to GitHub by an anonymous user.

It's unclear why Yang presented a detailed description of the BlueKeep exploit at a public event. Several other vendors and researchers developed proof of concept exploits but stopped short of releasing the details or code in order to delay BlueKeep becoming weaponized.

Although the description for creating an RCE BlueKeep exploit is written in Chinese, experts have been able to glean some details.

Marcus Hutchins, an independent security researcher known as "MalwareTech," said on Twitter that the slide deck shows how to go from proof of concept code to RCE.

"I can't read Chinese, but my understanding is they're using the shellcode pool spray method (which is unstable and will often result in a system crash), but RCE is RCE, so be aware," Hutchins tweeted. "I expect we'll likely see widespread exploitation soon."

Kevin Beaumont, the UK-based security researcher who originally named BlueKeep, agreed that the method would produce an unreliable RCE.

"The bar for (unreliable) public exploitation POC is lowering significantly," Beaumont wrote on Twitter. Beaumont added in a comment on his BlueKeep exploit tracker that he still thinks "it will be a little while before there's a public RCE exploit as the information in last few days would need piecing together."

Since BlueKeep was patched, Microsoft has twice urged users to patch, and warnings have also been posted by the National Security Agency and Department of Homeland Security. Last week, more than 800,000 systems around the world were still unpatched, according to a research report.

Adding to the evidence that a BlueKeep exploit is getting closer, a security researcher for cybersecurity startup Intezer who goes by the Twitter handle "polarply" noted that a BlueKeep scanner has been integrated into the Watchbog botnet, which has been infecting Linux systems.