Nmap rdp-vuln-ms12-020 NSE Script
This page contains detailed information about how to use the rdp-vuln-ms12-020 NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.
Script Overview
Script source code: https://github.com/nmap/nmap/tree/master/scripts/rdp-vuln-ms12-020.nse
Script categories: intrusive, vuln
Target service / protocol: ms-wbt-server
Target network port(s): 3389
List of CVEs: CVE-2012-0002, CVE-2012-0152
Script Description
The rdp-vuln-ms12-020.nse script checks whether a machine is vulnerable to the MS12-020 RDP vulnerability.
The Microsoft bulletin MS12-020 patches two vulnerabilities: CVE-2012-0152 which addresses a denial of service vulnerability inside Terminal Server, and CVE-2012-0002 which fixes a vulnerability in Remote Desktop Protocol. Both are part of Remote Desktop Services.
The script works by checking for the CVE-2012-0152 vulnerability. If this vulnerability is not patched, it is assumed that CVE-2012-0002 is not patched either. This script can do its check without crashing the target.
The check works as follows:
- Send one user request. The server replies with a user id (call it A) and a channel for that user.
- Send another user request. The server replies with another user id (call it B) and another channel.
- Send a channel join request with requesting user set to A and requesting channel set to B. If the server replies with a success message, we conclude that the server is vulnerable.
- In case the server is vulnerable, send a channel join request with the requesting user set to B and requesting channel set to B to prevent the chance of a crash.
References:
- http://technet.microsoft.com/en-us/security/bulletin/ms12-020
- http://support.microsoft.com/kb/2621440
- http://zerodayinitiative.com/advisories/ZDI-12-044/
- http://aluigi.org/adv/termdd_1-adv.txt
Original check by Worawit Wang (sleepya).
Rdp-vuln-ms12-020 NSE Script Arguments
This is a full list of arguments supported by the rdp-vuln-ms12-020.nse script:
vulns.short
If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.
vulns.showall
If set, the library will show and report all the registered vulnerabilities, including the NOT VULNERABLE ones. By default the library will only report the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions:
- vulns.Report.make_output(): the default output function for portrule/hostrule scripts.
- vulns.make_output(): the default output function for postrule scripts.
- vulns.format_vuln() and vulns.format_vuln_table() functions.
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:
nmap --script=rdp-vuln-ms12-020 --script-args vulns.short=value,vulns.showall=value <target>
Rdp-vuln-ms12-020 NSE Script Example Usage
Here's an example of how to use the rdp-vuln-ms12-020.nse script:
nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>
Rdp-vuln-ms12-020 NSE Script Example Output
Here's a sample output from the rdp-vuln-ms12-020.nse script:
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server?
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Description:
| Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Description:
| Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
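A triage helper for the normal-format output above, added here as an example and not part of Nmap or the original page: it extracts each finding and marks CVE-2012-0002 as inferred, because the script only tests CVE-2012-0152 and assumes the other from it. The host address and the names parse_findings, SAMPLE and TESTED are assumptions made for the illustration.

```python
import re

# Constructed sample: the output format shown above, for one hypothetical host.
SAMPLE = """\
Nmap scan report for 192.0.2.10
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server?
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
"""

# The script only tests CVE-2012-0152; CVE-2012-0002 is assumed from that result.
TESTED = {"CVE-2012-0152"}

def parse_findings(text):
    """Return one dict per reported vulnerability, highest CVSS score first."""
    findings, host, title, cur = [], None, None, None
    for raw in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", raw)
        if m:
            host = m.group(1)
            continue
        line = raw.lstrip("|_ ").strip()  # drop the NSE output gutter
        if line.startswith("MS12-020 "):
            title = line
        elif line.startswith("State:"):
            cur = {"host": host, "title": title, "state": line.split(":", 1)[1].strip()}
            findings.append(cur)
        elif cur and line.startswith("IDs:"):
            cur["cve"] = re.search(r"CVE-\d{4}-\d+", line).group(0)
            cur["basis"] = "tested" if cur["cve"] in TESTED else "inferred"
        elif cur and "CVSSv2:" in line:
            cur["cvss"] = float(re.search(r"CVSSv2:\s*([\d.]+)", line).group(1))
    return sorted(findings, key=lambda f: f.get("cvss", 0.0), reverse=True)

if __name__ == "__main__":
    for f in parse_findings(SAMPLE):
        print(f["host"], f["cve"], f["state"], f["cvss"], f["basis"])
```

Because the state is captured per finding, the same parser also handles the NOT VULNERABLE entries that appear when vulns.showall is set.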
Rdp-vuln-ms12-020 NSE Script Example XML Output
There is no sample XML output for this module. However, by providing the -oX <file> option, Nmap will produce XML output and save it in the specified file.
Author
- Aleksandar Nikolic
References
- https://nmap.org/nsedoc/scripts/rdp-vuln-ms12-020.html
- https://github.com/nmap/nmap/tree/master/scripts/rdp-vuln-ms12-020.nse
- http://technet.microsoft.com/en-us/security/bulletin/ms12-020
- http://support.microsoft.com/kb/2621440
- http://zerodayinitiative.com/advisories/ZDI-12-044/
- http://aluigi.org/adv/termdd_1-adv.txt
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
- http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx
- http://msdn.microsoft.com/en-us/library/cc240835%28v=prot.10%29.aspx
- http://msdn.microsoft.com/en-us/library/cc240918%28v=prot.10%29.aspx
- http://msdn.microsoft.com/en-us/library/cc240911%28v=prot.10%29.aspx
Version
This page has been created based on Nmap version 7.92.