RDP Bug Takes New Approach to Host Compromise

Researchers show how simply connecting to a rogue machine can silently compromise the host.

Most security professionals know they can use Microsoft's Remote Desktop Protocol (RDP) to connect to other machines but may not consider how merely using RDP could compromise one.

A recently discovered RDP vulnerability could silently compromise a host when it connects to a rogue machine, researchers report. CVE-2019-0887, discovered by Eyal Itkin, a vulnerability researcher with Check Point Software Technologies, was classified as Important and patched this month. Microsoft has not yet seen any evidence this flaw has been exploited in the wild.

The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection. A successful attacker could execute malicious code on a target system; install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, however, an attacker must first compromise Remote Desktop Services and wait for a victim system to connect.

Most RDP vulnerabilities allow an attacker to compromise the server, then approach new victim machines using RDP, says Dana Baril, security software engineer at Microsoft. An example is BlueKeep, the critical remote code execution vulnerability that prompted Microsoft to issue patches for out-of-support Windows systems when it fixed the bug in June. BlueKeep could let unauthenticated attackers break into a server and abuse a bug in the server itself.

"Most of the time people look for vulnerabilities in the server and try to expand from their computer to a new one on the network," Itkin explains. This flaw is different.

"In this case, the victim machine is the one that initiated the connection," Baril continues. "We have one compromised machine using lateral movement technique; this gets connections from victim machines and spreads the exploit."

Itkin was researching lateral movement attack vectors when he discovered the vulnerability. "If we take over a single machine and ambush a single user or IT admin, we directly get privilege without moving around a network too much," he explains. This specific bug exists in the clipboard, particularly in the way it synchronizes communication between the client and server.

By default, when a host connects to a machine, the clipboard connects the client and server. When a client copies a file from the server, the server tells the client where to store them. If attackers have control over a single device, they can slow it down, post pop-up messages, or cause other distractions so the corporate user opens a ticket and says the machine isn't working.

"Usually when you take over a machine you try to be stealth," says Itkin. But because an attacker wants the IT manager to remotely connect to their target using RDP, "we make a lot of noise, and we make IT users to connect to a machine and check it out." When the client connects, the attacker could use the clipboard function to download and store malicious files.

Clipboards were designed to be used locally and therefore trusted, Baril adds. This vulnerability exposes machines to a clipboard they can no longer trust. Baril and Itkin will discuss the details of the vulnerability, and approach the attack from both offensive and defensive perspectives, in their upcoming Black Hat USA briefing, "He Said, She Said — Poisoned RDP Offense and Defense."

Following his discovery, Itkin informed Microsoft and went through the coordinated vulnerability disclosure process. After Microsoft issued a patch, he continued to collaborate with the research team and later found the same bug was inherited by Hyper-V; the Hyper-V manager uses RPD under the hood to manage virtual machines. Both issues are now fixed.

While companies should install the patch to fully protect themselves, Baril notes this technique can be detected with internal Windows telemetry. "This attack technique was very hard to detect using existing telemetry," she says, adding that normal detection wouldn't work because this behavior doesn't appear unusual to users. To help users before they install the patch, Microsoft created behavioral detection using Windows Event Log. Researchers used the clipboard and RDP events to generate detection logic that could detect this tactic in action so businesses will know if they're targeted even if they haven't yet applied the update.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Recommended Reading: