
Reverse RDP Attack – Rogue RDP Server can be used to hack RDP clients

Researchers at Check Point Software Technologies have discovered more than two dozen vulnerabilities in the popular implementations of the remote desktop protocol (RDP).

Security experts at Check Point Software Technologies discovered a total of 25 security flaws in the popular implementations of the remote desktop protocol (RDP). Sixteen of them have been rated as “major,” and some of the vulnerabilities could be exploited by a malicious RDP server to hack a device running the client RDP software.

Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed.

Researchers have focused their analysis on FreeRDP, rdesktop, and the Remote Desktop Connection implemented in Windows OS.

“Used by thousands of IT professionals and security researchers worldwide, the Remote Desktop Protocol (RDP) is usually considered a safe and trustworthy application to connect to remote computers.” reads the analysis published by the experts.

“However, Check Point Research recently discovered multiple critical vulnerabilities in the commonly used Remote Desktop Protocol (RDP) that would allow a malicious actor to reverse the usual direction of communication and infect the IT professional or security researcher’s computer. Such an infection could then allow for an intrusion into the IT network as a whole. 16 major vulnerabilities and a total of 25 security vulnerabilities were found overall.”

The analysis of rdesktop, an older open-source RDP client that ships by default in Kali Linux distributions, revealed the presence of 19 vulnerabilities, most of them heap-based buffer overflows.

Eleven of these vulnerabilities were considered “major” issues; some of the flaws can be exploited by a rogue RDP server under the control of the attacker to remotely execute code on an RDP client connecting to it.

The situation is better for FreeRDP, the most popular and mature open-source RDP client on GitHub: the experts discovered only six vulnerabilities, five of which have a major impact.

Here too, the experts found flaws that could allow a rogue RDP server to execute arbitrary code on a client.

Microsoft’s RDP client is also affected by a major vulnerability. The experts discovered an issue related to the fact that the client and the server share clipboard data by default.

This means that anything in the clipboard could be accessed by the attackers, for example copied files, passwords, cryptocurrency wallet keys and so on. For example, an attacker can drop a malicious file into the Windows “Startup” folder so that it would get executed every time the system is booted.

“If a client uses the “Copy & Paste” feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, we can drop malicious scripts to the client’s “Startup” folder, and after a reboot they will be executed on his computer, giving us full control.” continues the experts.

“Note: In our exploit, we simply killed rdpclip.exe, and spawned our own process to perform the path traversal attack by adding an additional malicious file to every “Copy & Paste” operation. The attack was performed with “user” permissions, and does not require the attacker to have “system” or any other elevated permission.”
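The clipboard attack described above works because the client writes server-supplied file names relative to its clipboard staging folder without rejecting traversal or absolute components. The following added example (not Check Point’s, Microsoft’s or any RDP client’s code) shows the client-side validation that closes that gap: names from the file list are interpreted with Windows path rules and confined to one directory before any destination is computed. The staging directory and the file list are constructed sample values.

```python
"""Confine server-supplied clipboard file names to the client's staging folder.

Added illustration, not code from any RDP client. The names mimic what an RDP
clipboard file list carries (backslash separators, drive letters, UNC paths),
so they are parsed with Windows rules even when this runs on Linux. No file
I/O is performed; the functions only decide which destinations are acceptable.
"""
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed sample file list, as a rogue server might send it: two harmless
# entries followed by traversal, absolute-path and UNC-path entries.
CONSTRUCTED_FILE_LIST = [
    "report.docx",
    "images\\logo.png",
    "..\\..\\Startup\\run.bat",
    "C:\\Users\\Public\\evil.exe",
    "\\\\attacker\\share\\payload.dll",
]


def is_confined_name(name: str) -> bool:
    """True only if `name` is a plain relative path with no traversal.

    Rejects empty or NUL-containing names, anything with a drive, root or UNC
    anchor (C:x, \\x, \\\\srv\\share), '..' components, and alternate data
    stream syntax (file.txt:stream).
    """
    if not name or "\x00" in name:
        return False
    p = PureWindowsPath(name)
    if p.anchor:  # drive letter, rooted path or UNC share
        return False
    for part in p.parts:
        if part == ".." or ":" in part or not part.strip():
            return False
    return True


def stage_clipboard_files(base_dir: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Return (accepted destinations, rejected names) for a received file list.

    Accepted entries are joined onto `base_dir` component by component, so the
    result can never escape the staging folder.
    """
    accepted, rejected = [], []
    for name in names:
        if is_confined_name(name):
            dest = PureWindowsPath(base_dir, *PureWindowsPath(name).parts)
            accepted.append(str(dest))
        else:
            rejected.append(name)
    return accepted, rejected
```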

Below is a video PoC published by the experts:

The vulnerabilities discovered by the experts could be used in multiple attack scenarios: hackers can exploit them to compromise a target machine running a vulnerable RDP client and exfiltrate data.

Attackers can gain elevated network permissions by deploying such an attack and then attempting lateral movement inside the organization. Hackers can, for example, attack an IT staff member who connects to an infected workstation inside the corporate network, or a malware researcher who connects to a remote sandboxed virtual machine that contains the malware under analysis. In the latter scenario, the malicious code could escape the sandbox and compromise the corporate network.

Check Point reported its findings to the development teams of the RDP tools in October 2018. FreeRDP developers addressed the flaws with a patch to the software in the GitHub repository in November; rdesktop developers released a fix in mid-January.

Microsoft confirmed the findings of the study but replied with this eloquent and questionable answer:

“Thank you for your submission. We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).”

This means that Microsoft users are exposed to attackers implementing the attacks described by Check Point.

“Although the code quality of the different clients varies, as can be seen by the distribution of the vulnerabilities we found, we argue that the remote desktop protocol is complicated, and is prone to vulnerabilities. As we demonstrated in our PoCs for both Microsoft’s client and one of the open-sourced clients, a malicious RDP server can leverage the vulnerabilities in the RDP clients to achieve remote code execution over the client’s computer,” the security firm concluded.

The FBI Internet Crime Complaint Center (IC3) and the DHS recently issued a joint alert to highlight the rise of RDP as an attack vector.

Attackers are exploiting this feature to access systems to deploy malware such as the SamSam ransomware.


Pierluigi Paganini

(SecurityAffairs – RDP, hacking)

