Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/18/2019
03:50 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

RDP Bug Takes New Approach to Host Compromise

Researchers show how simply connecting to a rogue machine can silently compromise the host.

Most security professionals know they can use Microsoft's Remote Desktop Protocol (RDP) to connect to other machines but may not consider how merely using RDP could compromise one.

A recently discovered RDP vulnerability could silently compromise a host when it connects to a rogue machine, researchers report. CVE-2019-0887, discovered by Eyal Itkin, a vulnerability researcher with Check Point Software Technologies, was classified as Important and patched this month. Microsoft has not yet seen any evidence this flaw has been exploited in the wild.

The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection. A successful attacker could execute malicious code on a target system; install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, however, an attacker must first compromise Remote Desktop Services and wait for a victim system to connect.

Most RDP vulnerabilities allow an attacker to compromise the server, then approach new victim machines using RDP, says Dana Baril, security software engineer at Microsoft. An example is BlueKeep, the critical remote code execution vulnerability that prompted Microsoft to issue patches for out-of-support Windows systems when it fixed the bug in June. BlueKeep could let unauthenticated attackers break into a server and abuse a bug in the server itself.

"Most of the time people look for vulnerabilities in the server and try to expand from their computer to a new one on the network," Itkin explains. This flaw is different.

"In this case, the victim machine is the one that initiated the connection," Baril continues. "We have one compromised machine using lateral movement technique; this gets connections from victim machines and spreads the exploit."

Itkin was researching lateral movement attack vectors when he discovered the vulnerability. "If we take over a single machine and ambush a single user or IT admin, we directly get privilege without moving around a network too much," he explains. This specific bug exists in the clipboard, particularly in the way it synchronizes communication between the client and server.

By default, when a host connects to a machine, the clipboard connects the client and server. When a client copies a file from the server, the server tells the client where to store them. If attackers have control over a single device, they can slow it down, post pop-up messages, or cause other distractions so the corporate user opens a ticket and says the machine isn't working.

"Usually when you take over a machine you try to be stealth," says Itkin. But because an attacker wants the IT manager to remotely connect to their target using RDP, "we make a lot of noise, and we make IT users to connect to a machine and check it out." When the client connects, the attacker could use the clipboard function to download and store malicious files.

Clipboards were designed to be used locally and therefore trusted, Baril adds. This vulnerability exposes machines to a clipboard they can no longer trust. Baril and Itkin will discuss the details of the vulnerability, and approach the attack from both offensive and defensive perspectives, in their upcoming Black Hat USA briefing, "He Said, She Said — Poisoned RDP Offense and Defense."

Following his discovery, Itkin informed Microsoft and went through the coordinated vulnerability disclosure process. After Microsoft issued a patch, he continued to collaborate with the research team and later found the same bug was inherited by Hyper-V; the Hyper-V manager uses RPD under the hood to manage virtual machines. Both issues are now fixed.

While companies should install the patch to fully protect themselves, Baril notes this technique can be detected with internal Windows telemetry. "This attack technique was very hard to detect using existing telemetry," she says, adding that normal detection wouldn't work because this behavior doesn't appear unusual to users. To help users before they install the patch, Microsoft created behavioral detection using Windows Event Log. Researchers used the clipboard and RDP events to generate detection logic that could detect this tactic in action so businesses will know if they're targeted even if they haven't yet applied the update.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/22/2019 | 11:59:46 PM
Re: nice post
Also, one thing about Hyper-V, if we apply the same rules to the Hyper-V environment, we can isolate Hyper-V's use to the localsubnet so no-one outside of the network could access those servers. It could be locked down even further using Encryption and Authentication.

Todd
miha12
50%
50%
miha12,
User Rank: Apprentice
7/20/2019 | 7:36:40 AM
nice post
Amazing work
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/19/2019 | 5:30:27 PM
Authenticated user, hard to defend against that
The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection.

We have identified ways to address this issue.
# Identify Administrators users
$users = New-Object -TypeName System.Security.Principal.NTAccount ("Administrators")

# Security Principles for users accessing systems
$SIDofSecureUserGroup = $users.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Secure User Groups found in the Administrators Group
$SecureMachineGroupSDDL = "D:(A;;CC;;; $SIDofSecureUserGroup)"

# Remote Desktop DisplayName for individual rules
$rule = (Get-NetFirewallRule -DisplayName "Remote Desktop*").DisplayName
    foreach ($i in $rule) {
        Set-NetFirewallRule -DisplayName $i -Profile "Private"
    }

# Set Remote Desktop, add Builtin\Administrators groups to the filter
$nfSecurityFilter = Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallSecurityFilter

# Set NetFirewallSecurity Filter Settings for Authorized Users, login required for local users
Set-NetFirewallSecurityFilter -RemoteMachine $SecureMachineGroupSDDL -InputObject $nfSecurityFilter -Authentication Required -Encryption Required

#This cmdlet can be run using only the pipeline.
foreach ($i in $rule) {
    Get-NetFirewallRule -DisplayName $i | Get-NetFirewallSecurityFilter | Set-NetFirewallSecurityFilter -RemoteMachine $SecureMachineGroupSDDL -Authentication Required -Encryption Required
}

#Looks for Remote Desktop rule, then sends the results to a file on your desktop call fwrules.txt (append)

Get-NetFirewallRule -DisplayName "Remote Desktop*" | out-file $env:USERPROFILE\desktop\fwrules.txt -Append
Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallSecurityFilter | out-file $env:USERPROFILE\desktop\fwfilter.txt -Append

We have implemented this fix on our site, maybe someone from the various teams could utilize this code to ensure RDP is not compomised.

Todd
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19589
PUBLISHED: 2019-12-05
The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are valid JAR archives.
CVE-2019-19597
PUBLISHED: 2019-12-05
D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary remote code execution as root without authentication via shell metacharacters within an HNAP_AUTH HTTP header.
CVE-2019-19598
PUBLISHED: 2019-12-05
D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to t...
CVE-2019-19596
PUBLISHED: 2019-12-05
GitBook through 2.6.9 allows XSS via a local .md file.
CVE-2019-19590
PUBLISHED: 2019-12-05
In radare2 through 4.0, there is an integer overflow for the variable new_token_size in the function r_asm_massemble at libr/asm/asm.c. This integer overflow will result in a Use-After-Free for the buffer tokens, which can be filled with arbitrary malicious data after the free. This allows remote at...