Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

New Vulnerabilities Make RDP Risks Far from Remote

More than two dozen vulnerabilities raise the risk of using RDP clients to remotely manage and configure systems.

Researchers have announced a flurry of vulnerabilities in three separate implementations of RDP, the remote desktop protocol that is widely used in remote technical support and configuration operations at large enterprises and service providers.

In a presentation at their company's annual conference, Check Point security researchers detailed 25 "reverse RDP" vulnerabilities in three separate RDP clients: FreeRDP, rdesktop, and mstc.exe. Two of the clients are native to operating systems; rdesktop is the client included in distros of Kali Linux, while mstc.exe is Microsoft's RDP client included with Windows.

In all of these reverse RDP vulnerabilities, it's the remote system — not the system being connected to — that's vulnerable. As Yaniv Balmas, head of technical research at Check Point, says, "Once we have a direct channel back to your to your machine, we can practically do anything we want on that machine. We can do everything we want. The machine is ours."

While many IT professionals believe that only display and user interface data is exchanged in an RDP session, Balmas says RDP clients have more capabilities, and it's those additional capabilities that provide the source of the vulnerabilities.

In both of the open source RDP clients, Check Point found that malware on the "host" system could use a buffer overflow technique to force remote code execution on the client machine. There are actually a variety of ways to do this; so far, 19 vulnerabilities have been identified and given CVE designations in rdesktop, while six have been identified in FreeRDP.

All of these vulnerabilities were submitted to the open source community prior to public disclosure, and all have been patched. "So the remediation for the two free versions is essentially to make sure you're using the latest patched version," Balmas says.

The situation with mstc.exe is different. The researchers found that the code Microsoft uses is much stronger than that used by the open source versions. There's one feature, though, that creates an opportunity for malicious behavior: Through the RDP client, the host and remote systems share a clipboard.

As the researcher wrote in their blog post on the vulnerabilities, "If the client fails to properly canonicalize and sanitize the file paths it receives, it could be vulnerable to a path-traversal attack, allowing the server to drop arbitrary files in arbitrary paths on the client’s computer, a very strong attack primitive."

What this means in practical terms also is detailed in the post: "If a client uses the 'Copy & Paste' feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, we can drop malicious scripts to the client’s 'Startup' folder, and after a reboot they will be executed on his computer, giving us full control."

The researchers were able to build code that pushed code onto the clipboard without the user's permission or awareness, Balmas says. Then, if the remote user pastes anything from the clipboard, the malicious code is also pasted to an arbitrary location.

Because the exploit involves user interaction, Microsoft does not classify this as a code vulnerability and has not been given a CVE designation. Despite that, "We consider this to be critical, or at least important for users to know, because we think that this kind of — I would call it the bug — goes unnoticed and can definitely be used by malicious actors," Balmas says.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kscherler
100%
0%
kscherler,
User Rank: Apprentice
2/18/2019 | 5:31:33 PM
MSTC? Isn't it MSTSC?
As a guy who has to type mstsc about 100 times a day I would ask that you please fix your spelling of the microsoft terminal services client when referencing it. You used mstc several times in your article instead of mstsc.
Engr.Zaheer
50%
50%
Engr.Zaheer,
User Rank: Apprentice
2/6/2019 | 10:20:20 AM
New Vulnerabilities Make RDP Risks Far From Remote
Will this be the issue if your are using RDP within a LAN/private environment. Its risk will be restricted to only that environment ?
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...