Reverse RDP Attack: A Malicious Server Can Take Over The Clients That Connect To It


Multiple major vulnerabilities have been discovered in Remote Desktop Protocol (RDP) clients. They allow an attacker who controls an RDP server to take control of the computers that connect to it, through memory corruption bugs that lead to remote code execution on the client.

Security researchers from Check Point found 25 vulnerabilities in total, 16 of them rated as major. Because the usual direction of attack is reversed, with the server exploiting the client that connected to it rather than the other way round, the researchers named the technique a reverse RDP attack. Besides the client built into Windows, open-source RDP clients exist for Linux and macOS so that users of those platforms can work on Windows computers remotely, and these were examined as well.

According to the Check Point researchers, an attacker can use at least two kinds of scenario to "gain elevated network permissions":

1. Attacking an IT member that connects to an infected workstation inside the corporate network, thus gaining higher permission levels and greater access to the network.

2. Attacking a malware researcher that connects to a remote sandboxed virtual machine that contains a tested malware. This allows the malware to escape the sandbox and infiltrate the corporate network.

The researchers tested three clients: the open-source rdesktop and FreeRDP, and mstsc.exe, Microsoft's built-in Remote Desktop Connection. In the two scenarios above, the client-side vulnerabilities give the attacker a foothold on a machine inside the corporate network, which can then be used for lateral movement deeper into the organisation.

Remote Desktop Connection was unfazed by the proof-of-concept exploits written for the open-source clients; the only effect was that Microsoft's client "closed itself cleanly, without any crash." According to Check Point Research, this is because Remote Desktop Connection performs thorough input validation and decompression checks that ensure none of the bytes received over the RDP connection are written past the destination buffer.

Where Check Point did find a weakness in Microsoft's client was the shared clipboard. When clipboard sharing is enabled (the default), the clipboard is synchronised between the two sides, so when a user connected to a malicious RDP server uses "copy & paste", the server can use the shared RDP clipboard to send files to the client's computer. The client stores the files it receives under the file names announced by the server, and because it does not sanitise those names, a name containing "..\" sequences (a path traversal) makes the client write the file to a location of the server's choosing rather than into the folder intended for clipboard transfers.

The research team also described how an attacker could use this issue in Remote Desktop Connection to drop arbitrary malicious scripts or programs into the user's Startup folder, from where they are executed automatically the next time the user logs on to the client computer, for example after a reboot.
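The two paragraphs above describe the missing check: the client trusts a file name supplied by the remote server and joins it onto a local folder without confirming that the result still lies inside that folder. The following is an added example, not code from Check Point, Microsoft or any RDP client, that models the client-side decision on constructed sample names. It uses Python's `ntpath` module so that Windows path semantics (backslashes, drive letters, UNC prefixes, case-insensitivity) are applied on any operating system. The temporary folder, the victim user name and the announced file names are all assumptions made for illustration; the real folder and API used by mstsc.exe are not reproduced here.

```python
import ntpath  # Windows path semantics, importable on any OS


# Constructed sample data, not taken from the research: a temporary folder the
# client writes clipboard files into, the user's Startup folder, and file names
# as a malicious server might announce them in a clipboard file list. Only the
# first two names are legitimate; the rest try to leave the temporary folder.
TEMP_DIR = "C:\\Users\\victim\\AppData\\Local\\Temp\\rdpclip"
STARTUP_DIR = ("C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
               "\\Start Menu\\Programs\\Startup")
TRAVERSAL_NAME = ("..\\..\\..\\Roaming\\Microsoft\\Windows"
                  "\\Start Menu\\Programs\\Startup\\evil.bat")
SAMPLE_REMOTE_NAMES = [
    "report.txt",
    "notes\\2019\\summary.txt",
    TRAVERSAL_NAME,
    "C:\\Windows\\Temp\\x.exe",     # absolute path with a drive letter
    "\\Windows\\Temp\\x.exe",       # rooted on the current drive
    "\\\\evil\\share\\x.exe",       # UNC path
    "sub/../..//up.txt",            # forward slashes are separators on Windows too
]


def vulnerable_target_path(temp_dir, remote_name):
    """Trusts the server-supplied name as-is: the missing check described above."""
    return ntpath.join(temp_dir, remote_name)


def resolved(path):
    """Where the OS will actually create the file once '..' and '/' are resolved."""
    return ntpath.normpath(path)


def safe_target_path(temp_dir, remote_name):
    """Return the canonical destination, or None if the name escapes temp_dir."""
    if not remote_name or remote_name.strip() != remote_name:
        return None
    drive, _ = ntpath.splitdrive(remote_name)
    if drive or remote_name[0] in "\\/" or ntpath.isabs(remote_name):
        return None                      # "C:\...", "\\server\share\..." or "\..."
    base = ntpath.normpath(temp_dir)
    candidate = ntpath.normpath(ntpath.join(temp_dir, remote_name))
    if candidate == base:
        return None                      # name collapsed to the folder itself
    # Compare case-insensitively, as NTFS does, but return the original spelling.
    if ntpath.commonpath([ntpath.normcase(base), ntpath.normcase(candidate)]) \
            != ntpath.normcase(base):
        return None
    return candidate


def triage_file_list(temp_dir, remote_names):
    """Map each announced name to its accepted destination, or None if rejected."""
    return {name: safe_target_path(temp_dir, name) for name in remote_names}


if __name__ == "__main__":
    print("vulnerable client would write:",
          resolved(vulnerable_target_path(TEMP_DIR, TRAVERSAL_NAME)))
    for name, dest in triage_file_list(TEMP_DIR, SAMPLE_REMOTE_NAMES).items():
        print(f"{'ACCEPT' if dest else 'REJECT':6} {name!r} -> {dest}")
```

Running the block shows the vulnerable join landing `evil.bat` in the Startup folder, while the hardened check accepts only the two names that stay inside the temporary folder. The check deliberately normalises before comparing: rejecting the literal string `..` is not enough, because `sub/../..` and `\` rooted names reach the same places without it.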

Microsoft received full details of the path traversal issue affecting Remote Desktop Connection, but its response was: "We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria)." As a result, the Remote Desktop client path traversal issue received no CVE ID, and Microsoft did not issue a patch for it.

Since RDP clients are an everyday tool for remote workers connecting to company systems, they should always be kept up to date so that the dozens of vulnerabilities already found in RDP client implementations cannot be used against them. Check Point also advises users to disable the shared clipboard in their RDP clients until Microsoft patches the issue affecting it.
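For the mitigation just mentioned, the setting worth auditing in saved Remote Desktop Connection (.rdp) files is `redirectclipboard`, a line of the form `redirectclipboard:i:1` in the file's `key:type:value` format; when the line is absent, Remote Desktop Connection shares the clipboard by default. The following is an added example, not Check Point's guidance or any Microsoft tooling, that reports whether a .rdp file would share the clipboard and rewrites it so that it does not. The sample file contents are constructed for illustration, and the script treats the file as already-decoded text (mstsc.exe commonly saves .rdp files as UTF-16LE, so read them with that encoding before passing them in).

```python
# Added example: audit and fix the clipboard setting in .rdp files.
# The .rdp format is one "key:type:value" per line, where type is
# "i" (integer), "s" (string) or "b" (binary).

CLIPBOARD_KEY = "redirectclipboard"

# Constructed sample .rdp content, as an analyst might save it for a sandbox VM.
SAMPLE_RDP = """full address:s:sandbox-vm.corp.example
username:s:analyst
redirectclipboard:i:1
drivestoredirect:s:
"""


def parse_rdp(text):
    """Parse .rdp lines into (key, type, value) tuples, preserving order.

    Lines that are not key:type:value are kept verbatim with type None so that
    rewriting the file does not lose anything it does not understand.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            entries.append((parts[0], parts[1], parts[2]))
        else:
            entries.append((line, None, None))
    return entries


def clipboard_shared(text):
    """True if connecting with this .rdp file would share the clipboard."""
    for key, typ, value in parse_rdp(text):
        if typ == "i" and key.strip().lower() == CLIPBOARD_KEY:
            return value.strip() != "0"
    return True  # key absent: the client's default is to share the clipboard


def disable_clipboard(text):
    """Return the .rdp text with redirectclipboard forced to 0 (added if absent)."""
    out = []
    seen = False
    for key, typ, value in parse_rdp(text):
        if typ == "i" and key.strip().lower() == CLIPBOARD_KEY:
            out.append(f"{key}:i:0")
            seen = True
        elif typ is None:
            out.append(key)              # unparsed line, kept as-is
        else:
            out.append(f"{key}:{typ}:{value}")
    if not seen:
        out.append(f"{CLIPBOARD_KEY}:i:0")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("sample shares clipboard:", clipboard_shared(SAMPLE_RDP))
    fixed = disable_clipboard(SAMPLE_RDP)
    print("fixed shares clipboard:", clipboard_shared(fixed))
    print(fixed)
```

The same setting is what the "Clipboard" checkbox under Local Resources in the Remote Desktop Connection dialog controls; the script is for checking many saved connection files at once. For the open-source clients the equivalent is a command-line option rather than a file setting: xfreerdp only shares the clipboard when started with `+clipboard`, and rdesktop accepts `-r clipboard:off`.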

If you have any queries, please do not hesitate to contact us: hello@stravatechnologies.in