Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/18/2019
03:50 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

RDP Bug Takes New Approach to Host Compromise

Researchers show how simply connecting to a rogue machine can silently compromise the host.

Most security professionals know they can use Microsoft's Remote Desktop Protocol (RDP) to connect to other machines but may not consider how merely using RDP could compromise one.

A recently discovered RDP vulnerability could silently compromise a host when it connects to a rogue machine, researchers report. CVE-2019-0887, discovered by Eyal Itkin, a vulnerability researcher with Check Point Software Technologies, was classified as Important and patched this month. Microsoft has not yet seen any evidence this flaw has been exploited in the wild.

The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection. A successful attacker could execute malicious code on a target system; install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability, however, an attacker must first compromise Remote Desktop Services and wait for a victim system to connect.

Most RDP vulnerabilities allow an attacker to compromise the server, then approach new victim machines using RDP, says Dana Baril, security software engineer at Microsoft. An example is BlueKeep, the critical remote code execution vulnerability that prompted Microsoft to issue patches for out-of-support Windows systems when it fixed the bug in June. BlueKeep could let unauthenticated attackers break into a server and abuse a bug in the server itself.

"Most of the time people look for vulnerabilities in the server and try to expand from their computer to a new one on the network," Itkin explains. This flaw is different.

"In this case, the victim machine is the one that initiated the connection," Baril continues. "We have one compromised machine using lateral movement technique; this gets connections from victim machines and spreads the exploit."

Itkin was researching lateral movement attack vectors when he discovered the vulnerability. "If we take over a single machine and ambush a single user or IT admin, we directly get privilege without moving around a network too much," he explains. This specific bug exists in the clipboard, particularly in the way it synchronizes communication between the client and server.

By default, when a host connects to a machine, the clipboard connects the client and server. When a client copies a file from the server, the server tells the client where to store them. If attackers have control over a single device, they can slow it down, post pop-up messages, or cause other distractions so the corporate user opens a ticket and says the machine isn't working.

"Usually when you take over a machine you try to be stealth," says Itkin. But because an attacker wants the IT manager to remotely connect to their target using RDP, "we make a lot of noise, and we make IT users to connect to a machine and check it out." When the client connects, the attacker could use the clipboard function to download and store malicious files.

Clipboards were designed to be used locally and therefore trusted, Baril adds. This vulnerability exposes machines to a clipboard they can no longer trust. Baril and Itkin will discuss the details of the vulnerability, and approach the attack from both offensive and defensive perspectives, in their upcoming Black Hat USA briefing, "He Said, She Said — Poisoned RDP Offense and Defense."

Following his discovery, Itkin informed Microsoft and went through the coordinated vulnerability disclosure process. After Microsoft issued a patch, he continued to collaborate with the research team and later found the same bug was inherited by Hyper-V; the Hyper-V manager uses RPD under the hood to manage virtual machines. Both issues are now fixed.

While companies should install the patch to fully protect themselves, Baril notes this technique can be detected with internal Windows telemetry. "This attack technique was very hard to detect using existing telemetry," she says, adding that normal detection wouldn't work because this behavior doesn't appear unusual to users. To help users before they install the patch, Microsoft created behavioral detection using Windows Event Log. Researchers used the clipboard and RDP events to generate detection logic that could detect this tactic in action so businesses will know if they're targeted even if they haven't yet applied the update.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/19/2019 | 5:30:27 PM
Authenticated user, hard to defend against that
The remote code execution bug is in Remote Desktop Services, formerly known as Terminal Services, when an authenticated attacker abuses clipboard redirection.

We have identified ways to address this issue.
# Identify Administrators users
$users = New-Object -TypeName System.Security.Principal.NTAccount ("Administrators")

# Security Principles for users accessing systems
$SIDofSecureUserGroup = $users.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Secure User Groups found in the Administrators Group
$SecureMachineGroupSDDL = "D:(A;;CC;;; $SIDofSecureUserGroup)"

# Remote Desktop DisplayName for individual rules
$rule = (Get-NetFirewallRule -DisplayName "Remote Desktop*").DisplayName
    foreach ($i in $rule) {
        Set-NetFirewallRule -DisplayName $i -Profile "Private"
    }

# Set Remote Desktop, add Builtin\Administrators groups to the filter
$nfSecurityFilter = Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallSecurityFilter

# Set NetFirewallSecurity Filter Settings for Authorized Users, login required for local users
Set-NetFirewallSecurityFilter -RemoteMachine $SecureMachineGroupSDDL -InputObject $nfSecurityFilter -Authentication Required -Encryption Required

#This cmdlet can be run using only the pipeline.
foreach ($i in $rule) {
    Get-NetFirewallRule -DisplayName $i | Get-NetFirewallSecurityFilter | Set-NetFirewallSecurityFilter -RemoteMachine $SecureMachineGroupSDDL -Authentication Required -Encryption Required
}

#Looks for Remote Desktop rule, then sends the results to a file on your desktop call fwrules.txt (append)

Get-NetFirewallRule -DisplayName "Remote Desktop*" | out-file $env:USERPROFILE\desktop\fwrules.txt -Append
Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallSecurityFilter | out-file $env:USERPROFILE\desktop\fwfilter.txt -Append

We have implemented this fix on our site, maybe someone from the various teams could utilize this code to ensure RDP is not compomised.

Todd
miha12
50%
50%
miha12,
User Rank: Apprentice
7/20/2019 | 7:36:40 AM
nice post
Amazing work
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/22/2019 | 11:59:46 PM
Re: nice post
Also, one thing about Hyper-V, if we apply the same rules to the Hyper-V environment, we can isolate Hyper-V's use to the localsubnet so no-one outside of the network could access those servers. It could be locked down even further using Encryption and Authentication.

Todd
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13842
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
CVE-2020-13843
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
CVE-2020-13839
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
CVE-2020-13840
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
CVE-2020-13841
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).