The release of exploit PoC code for CVE-2012-0002 by the finder himself has definitely increased the chances of this vulnerability being exploited. Microsoft has released a patch that addresses the vulnerability. However, given the patch deployment life cycle and the ongoing exploit attempts, we need to be proactive in detecting and blocking all exploitation attempts.
Emerging Threats provides professional services, developing Snort detections for the latest vulnerabilities and exploits. This time, considering the severity and impact of the issue, they decided to hold back from their professional feed and make the Snort detection publicly available for this specific vulnerability.
Kudos to the ET team.
Below is the Snort rule from Emerging Threats, SID 2014383:
alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2;)
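To make the offset arithmetic in the rule concrete, here is an added Python example (not from the original post and not Emerging Threats' code) that re-implements the content/depth/distance/within/byte_test options of SID 2014383 and runs them over a constructed client-to-server stream; the stream builder and the function names are this example's own assumptions, and Snort's TCP stream reassembly is simply represented by a bytes object.

```python
# Added example: evaluate the payload options of ET SID 2014383 the way Snort
# walks them, so the inspected byte offsets are visible. Not ET's code.

def find_content(buf, pattern, start, depth=None, within=None):
    """Search `pattern` from `start`. depth limits how many bytes are examined
    from `start`; within limits the window in which the whole pattern must
    lie (Snort semantics). Returns (match_start, match_end) or None."""
    limit = len(buf)
    if depth is not None:
        limit = min(limit, start + depth)
    if within is not None:
        limit = min(limit, start + within)
    idx = buf.find(pattern, start, limit)   # pattern must fit inside [start, limit)
    if idx < 0:
        return None
    return idx, idx + len(pattern)


def sid_2014383_matches(stream: bytes) -> bool:
    """Apply the rule's options in order. Each 'distance' is counted from the
    end of the previous match, and byte_test's offset is relative as well."""
    m = find_content(stream, b"\x03\x00", 0, depth=2)            # TPKT header at offset 0
    if not m:
        return False
    m = find_content(stream, b"\x7f\x65\x82\x01\x94", m[1] + 24, within=5)  # offset 26
    if not m:
        return False
    m = find_content(stream, b"\x30\x19", m[1] + 9, within=2)    # offset 40
    if not m:
        return False
    pos = m[1] + 3                                               # byte_test:1,<,6,3,relative
    if pos >= len(stream):
        return False
    return stream[pos] < 6


def build_sample(test_byte: int) -> bytes:
    """Constructed stream (not a real RDP exchange): zero-filled except for the
    bytes the rule anchors on, with the byte_test target set to `test_byte`."""
    buf = bytearray(48)
    buf[0:2] = b"\x03\x00"
    buf[26:31] = b"\x7f\x65\x82\x01\x94"
    buf[40:42] = b"\x30\x19"
    buf[45] = test_byte
    return bytes(buf)


if __name__ == "__main__":
    print("value 5 fires:", sid_2014383_matches(build_sample(5)))    # True
    print("value 6 fires:", sid_2014383_matches(build_sample(6)))    # False
```

Because every option is anchored with depth or within, the rule inspects fixed offsets only; a stream that is shifted by even one byte, or truncated before offset 45, does not fire.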
Please apply the patch provided by Microsoft and also deploy the NIDS signature above in your network.