The Remote Desktop Protocol (RDP) is a favoured tool for many systems administrators, as it allows a connection to be made to another computer on your network and see the screen and use the mouse and keyboard as if you were physically sat in front of it. This means that for many, if not most, of the support tasks system administrators and support staff need to carry out, they do not need to visit the computer in person in order to diagnose faults, install software or apply patches and updates.
A Remote Desktop connection requires an RDP client application and a separate RDP server application. The server application (which receives and allows the client connections) could be running on any kind of computer – a desktop in the call centre, a laptop in the CEO’s office or a large database server in your datacentre, or a virtual machine in the cloud. RDP is available for both Windows and Linux systems, with several open source implementations available.
Check Point Research has recently discovered 25 vulnerabilities (with 16 of these being major) in the RDP implementations from Microsoft and the two popular open source versions. All of these vulnerabilities rely on attacking the client connection using a compromised RDP server application. A real-world example of an attack scenario could consist of a desktop PC in a call centre becoming infected with malware using traditional phishing or social engineering to trick an employee into opening an attachment with a malicious payload. The malicious payload can be used to install the attacker’s RDP server software onto the target computer. Later, a systems administrator from the IT team connects to the infected computer using RDP and the RDP connection is used as the attack vector to install malware onto the sys admin’s own PC.
In this particular scenario, the attackers have been able to elevate their position from a relatively low value device in the call centre, onto the computer of a network system administrator. It is quite possible that the administrator may already be logged-in with administrative privileges, which may have access to high value network segments and systems.
The flaws discovered by Check Point include:
- A Path Traversal vulnerability in the shared clipboard in the Microsoft RDP implementation, which would allow the delivery of an arbitrary file to an arbitrary location on the client device – such as the Windows Start-up folder.
- Remote Code Execution (RCE) vulnerabilities in the RDesktop and FreeRDP open source applications.
Interestingly, Microsoft have so far acknowledged the Path Traversal vulnerability but declined to take action. Microsoft responded to Check Point Research with the following:
“Thank you for your submission. We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).”
System Administrators should consider the following steps to mitigate the flaws discovered:
- Update to the latest version of RDesktop or FreeRDP where the vulnerabilities have been fixed.
- If you use Microsoft RDP, consider disabling the “Shared Bi-Directional Clipboard” function.
- Avoid using RDP to connect to (third party) computers outside of your control.
A full list of the flaws and CVEs are listed in the article by Check Point Research here:
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)