Microsoft Windows systems going back to at least Windows Server 2012 R2 are affected by a vulnerability in the Remote Desktop Services protocol that gives attackers, connected to a remote system via RDP, a way to gain file system access on the machines of other connected users.

Threat actors that exploit the flaw can view and modify clipboard data or impersonate the identities of other users logged in to the machine in order to escalate privileges or to move laterally on the network, researchers from CyberArk discovered recently. They reported the issue to Microsoft, which issued a patch for the flaw (CVE-2022-21893) in its security update for January this Tuesday.

Microsoft's RDP allows users to access and control a Windows system from a remote client almost as if they were working on the system locally. Organizations use it for a variety of reasons, including enabling remote access to systems for IT help desk and support services, providing remote employees with access to an environment that mimics resources at their office, and enabling access to virtual machines in cloud environments.

In RDP, a single connection can be broken up into multiple virtual channels. Data in these channels are passed to other processes via a Windows service called "named pipes." "Named pipes are a mechanism for communication between two processes running on a Windows machine," says Gabriel Sztejnworcel, a software architect at CyberArk. Windows Remote Desktop Services uses named pipes to pass data — such as data in clipboards, and smart-card authentication data — between the client and remote system.

The vulnerability that CyberArk discovered is associated with the way named pipes are created in some situations. The security vendor found the flaw basically allows any user to create a named pipe server instance in such a manner that certain data traveling between the remote and client system essentially flows through their maliciously created pipes. They found an attacker could use the flaw to establish a man-in-the-middle presence to intercept data such as that in clipboards of the client devices connected to the remote system, or smart-card PINs that a user might enter for authenticating to the client device.

Sztejnworcel says CyberArk researchers discovered that any unprivileged user connected to a remote machine via RDS could exploit the vulnerability to intercept, view, and modify data from sessions of other users who might be connected to the same remote machine. "This could be leveraged for getting access to the file systems of other users' client machines and using other users' smart cards and PIN numbers to authenticate, effectively impersonating the victim's identity," he says. "Most importantly, this could lead to privilege escalation."

According to Sztejnworcel, the vulnerability that CyberArk discovered is not especially hard to exploit. CyberArk developed a simple exploit tool that creates its own pipe server instance and showed how an attacker could use it to access the file system of the victim, intercept whatever the victim copy-pastes from the remote system, and steal smart-card PINs for logging on to resources as an authorized user.

Sztejnworcel points to a couple of examples where a remote system might have multiple client devices connected to it. A jump box to which users connect to access an internal network, is one example, he says. Similarly, a session-based desktop environment where many users connect to the same machine and run applications would be another.

"It might also be possible, using simple social engineering techniques, to trick high-privilege users to log in to a machine the attacker is already connected to," he says. "It can be another server or even a personal workstation. The machine itself doesn’t have to be compromised since exploiting the vulnerability doesn’t require high privileges."

Favorite Attack Target
Attackers have long used Microsoft's RDP to try to gain an initial foothold on enterprise networks. In many cases, threat actors have had to do little more than search for devices with RDP services exposed to the Internet in order to break into a network. Initial access brokers have over the years curated a massive list of servers with exposed RDP services that they have been making available to ransomware operators and other threat groups for a fee. A study that Palo Alto Networks conducted last year showed that RDP accounted for some 30% of the total enterprise exposures on the Web. Attacks targeting the protocol escalated sharply in the spring of 2020 — and has mostly remained that way — with organizations switching to more remote and distributed work environments in the wake of the COVID-19 pandemic.

Over the years, RDP has had its share of vulnerabilities as well. One example is BlueKeep (CVE-2019-0708) a critical remote code execution in RDP that researchers discovered in 2019. The flaw affected RDP in multiple legacy versions of Windows including Windows XP, Windows 7, and Windows Server 2008. Another example is a so-called reverse RDP flaw (CVE-2019-0887), which Check Point disclosed at Black Hat USA 2019.