Snort Signature for RDP TargetParams Exploit

With the release of Exploit PoC code for CVE-2012-0002 by the finder himself has definitely increased the chances of exploitation of this vulnerability. Microsoft has released the patch to address the vulnerability. However, considering the patch deployment life cycle and exploit attempts, we need to be proactive in detection and blocking all the attempts of exploitation.

EmergingThreats provides professional services by developing Snort detections for latest vulnerabilities and exploits. This time, they decided to hold back their professional feed and make the Snort detection publically available for this specific vulnerability considering the severity and impact of the issue.

Kudos to the team ET :)

Below is the Snort rule from Emerging Threat. SID: 2014383

 alert tcp any any -> $HOME_NET 3389 (msg:”ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt”; flow:to_server,established; content:”|03 00|”; depth:2; content:”|7f 65 82 01 94|”; distance:24; within:5; content:”|30 19|”; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2;)


Please apply the patch provided by Microsoft and also deploy above NIDS signature in your network.

Stay Safe!


Rating 4.00 out of 5

One Response to “Snort Signature for RDP TargetParams Exploit”

  1.» Blog Archive » NIDS signature for MS12-020 RDP DoS Says:

    [...] specified in the previous entry was for detecting the RCE/DoS attempt within TargetParams structure of RDP protocol. However, a DoS [...]

Leave a Reply

This entry was posted on Saturday, March 17th, 2012 at 1:20 am and is filed under Exploitation, Snort Signature. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Get Adobe Flash playerPlugin by wordpress themes