A research firm has disclosed multiple vulnerabilities in the Remote Desktop Protocol that, if left unpatched, could allow compromised or infected machines to attack the RDP clients that remotely connect to them.
In a blog post today, Check Point Software Technologies researcher Eyal Itkin refers to this scenario as a reverse RDP attack because the RDP servers installed on the compromised machines essentially reverse the normal direction of RDP communication in order to control and execute code on the client device.
Itkin says malicious actors could use this exploit to penetrate and infect organizations’ networks, ironically by targeting their IT or security professionals, who often use RDP client devices to temporarily take control of other users’ workstations, or to connect with sandboxed virtual machines.
Altogether, Check Point discovered 25 vulnerabilities split between two older open-source RDP clients, rdesktop and FreeRDP. But the firm also found a single path traversal bug in Microsoft’s built-in RDP client mstsc.exe, for which it developed a proof-of-concept exploit.
Itkin says the developers of rdesktop and FreeRDP both developed patches late last year after being informed of the flaws. However, Microsoft reportedly has not fixed its issue.
“Thank you for your submission. We determined your finding is valid but does not meet our bar for servicing,” reads Microsoft’s official response to Check Point’s private vulnerability disclosure, according to the blog post.
Of the 26 vulnerabilities, 19 were discovered in rdesktop v1.8.3, 11 of them deemed major. Three of them can result in an information leak, six can cause a denial of service condition, and 10 can trigger memory corruption and possible remote code execution.
FreeRDP, version 2.0.0-rc3 was found to contain six coding errors – five of them major. These consisted of five memory corruption/possible RCE vulnerabilities and one denial of service bug.
The code observed in mstsc.exe, build 18252.rs_prerelease.180928-1410, was “better by several orders of magnitude,” Itkin says. Nevertheless, the Check Point team ultimately discovered a way to execute a path traversal attack over mstsc.exe’s shared RDP clipboard.
Itkin explained further: “If a client uses the ‘Copy & Paste’ feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, we can drop malicious scripts to the client’s ‘Startup’ folder, and after a reboot they will be executed on his computer, giving us full control.”
Moreover, “Every time a clipboard is updated on either side of the RDP connection, a CLIPRDR_FORMAT_LIST message is sent to the other side, to notify it about the new clipboard formats that are now available. We can think of it as a complete sync between the clipboards of both parties,” Itkin continues. “This means that our malicious server is notified whenever the client copies something to his ‘local’ clipboard, and it can now query the values and read them. In addition, the server can notify the client about a clipboard ‘update’ without the need for a ‘copy’ operation inside the RDP window, thus completely controlling the client’s clipboard without being noticed.”
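The defensive check that the clipboard path traversal described above calls for, added here as an illustration and not taken from the Check Point write-up or from any RDP client's source: before a client writes a file announced in the shared clipboard to disk, each announced name must be validated as a plain relative path that cannot leave the local download directory. The base directory and the announced file names are constructed samples.

```python
import ntpath
from typing import List, Optional, Tuple

# Constructed sample of names an RDP server could announce in a clipboard
# file list; the client must not trust them as plain relative paths.
SAMPLE_FILE_LIST = [
    "report.docx",
    "invoices/2019/jan.pdf",
    "..\\..\\Start Menu\\Programs\\Startup\\run.bat",  # traversal
    "C:\\Windows\\Temp\\x.txt",                          # absolute
    "\\\\share\\drop\\y.txt",                            # UNC share
    "notes/../../../x.txt",                              # mixed slashes
]

def is_safe_relative_name(name: str) -> bool:
    """True only for a plain relative name that cannot leave the
    destination directory under Windows path rules. ntpath is used
    so the check behaves the same on any host."""
    if not name or "\x00" in name:
        return False
    # Rooted paths, drive letters and UNC shares are never legitimate here.
    if name[0] in "\\/" or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return False
    # After normalization any remaining '..' component escapes the base.
    return ".." not in ntpath.normpath(name).split("\\")

def destination_path(base_dir: str, name: str) -> Optional[str]:
    """Return the local path to write `name` under `base_dir`,
    or None when the name must be rejected."""
    if not is_safe_relative_name(name):
        return None
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, name))
    # Second, independent check: the result must still sit below base.
    if not full.lower().startswith(base.lower() + "\\"):
        return None
    return full

def filter_file_list(base_dir: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Split announced names into (accepted destination paths, rejected names)."""
    accepted, rejected = [], []
    for name in names:
        dest = destination_path(base_dir, name)
        if dest is None:
            rejected.append(name)
        else:
            accepted.append(dest)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = filter_file_list("C:\\Users\\alice\\Downloads", SAMPLE_FILE_LIST)
    print("accepted:", ok)
    print("rejected:", bad)
```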