Security researchers have disclosed multiple critical vulnerabilities in widely used Remote Desktop Protocol (RDP) clients that would allow a malicious RDP server to reverse the usual direction of attack and infect the computer of the IT professional or security researcher connecting to it.
According to a blog post by researchers at Check Point Software, such an infection could then allow for an intrusion into the IT network as a whole.
The researchers found 16 major vulnerabilities and a total of 25 security vulnerabilities in the open-source rdesktop client and its fork FreeRDP, as well as in Microsoft's own RDP client implementation, mstsc.exe.
They added that among the likely scenarios in which an attacker can gain elevated network permissions are:
"attacking an IT member that connects to an infected workstation inside the corporate network, thus gaining higher permission levels and greater access to the network systems"
"attacking a malware researcher that connects to a remote sandboxed virtual machine that contains a tested malware. This allows the malware to escape the sandbox and infiltrate the corporate network"
In rdesktop v1.8.3, researchers found 11 vulnerabilities with a major security impact, and 19 vulnerabilities overall. They also noted that the open-source xrdp server is based on rdesktop's code and is therefore likely to share its flaws.
In FreeRDP 2.0.0-rc3, researchers found five vulnerabilities with major security impacts, and six vulnerabilities overall in the library.
Researchers then turned to Microsoft's own client, Mstsc.exe (Build 18252.rs_prerelease.180928-1410), and found it considerably more robust. When they replayed several of the proofs of concept written for the open-source clients against it, the client closed "itself cleanly, without any crash". They attributed this to thorough input and decompression checks that guarantee no byte is written past the destination buffer.
The Mstsc client was not flawless, however. It does not properly canonicalise and sanitise the file paths it receives from the server when files are transferred over the shared clipboard, leaving it open to a path-traversal attack in which the server drops arbitrary files at arbitrary paths on the client's computer.
The trigger is an ordinary "copy and paste": when the user copies files out of the remote session, the server controls the file names placed on the clipboard, and a name containing directory-traversal sequences such as "..\" is honoured by the client when it writes the pasted files.
"A malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, we can drop malicious scripts to the client’s ‘Startup’ folder, and after a reboot they will be executed on his computer, giving us full control," researchers said.
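To show what the missing check looks like in practice, here is an added example (not Check Point's proof of concept and not code from mstsc, FreeRDP or rdesktop) of how a client should validate the relative file names a server supplies in a clipboard file list before joining them to the paste destination. The function names, the destination directory and the malicious file name are all constructed for the illustration.

```c
/*
 * Added example, not Check Point's proof of concept and not code from
 * mstsc, FreeRDP or rdesktop: validating the relative file names an RDP
 * server supplies in a clipboard file list before the client joins them
 * to the paste destination. All function names here are hypothetical.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 260

static char g_path[PATH_BUF];

/* Vulnerable variant: trust the server-supplied name and concatenate it.
 * A name such as "..\\..\\Startup\\evil.bat" walks out of dest_dir. */
const char *naive_paste_path(const char *dest_dir, const char *name)
{
    snprintf(g_path, sizeof g_path, "%s\\%s", dest_dir, name);
    return g_path;
}

/* Accept only a plain relative file name that cannot leave dest_dir:
 * no drive letter, no leading separator (which also covers UNC names
 * like "\\\\srv\\share"), no "." or ".." components, no empty components,
 * no trailing separator, no control characters. Both '\\' and '/' count
 * as separators because Win32 path APIs treat them alike. */
bool is_safe_relative_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '\\' || name[0] == '/')
        return false;
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;

    const char *p = name;
    for (;;) {
        const char *start = p;
        while (*p && *p != '\\' && *p != '/') {
            if ((unsigned char)*p < 0x20)
                return false;                  /* control character */
            p++;
        }
        size_t len = (size_t)(p - start);
        if (len == 0)
            return false;                      /* doubled separator "a\\\\b" */
        if (len == 1 && start[0] == '.')
            return false;
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;
        if (*p == '\0')
            return true;                       /* last component was a name */
        p++;                                   /* skip the separator */
        if (*p == '\0')
            return false;                      /* "dir\\" is not a file */
    }
}

/* Hardened variant: reject invalid names and truncated results.
 * NULL means the client must refuse to write the file. */
const char *safe_paste_path(const char *dest_dir, const char *name)
{
    if (!is_safe_relative_name(name))
        return NULL;
    int n = snprintf(g_path, sizeof g_path, "%s\\%s", dest_dir, name);
    if (n < 0 || (size_t)n >= sizeof g_path)
        return NULL;
    return g_path;
}

int main(void)
{
    /* Constructed sample: a file name a malicious server could put on the clipboard. */
    const char *dest = "C:\\Users\\bob\\Desktop";
    const char *evil = "..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\evil.bat";
    printf("naive: %s\n", naive_paste_path(dest, evil));
    const char *s = safe_paste_path(dest, evil);
    printf("safe : %s\n", s ? s : "(rejected)");
    printf("safe : %s\n", safe_paste_path(dest, "report.docx"));
    return 0;
}
```

A real client receives these names as UTF-16 (the FILEDESCRIPTORW cFileName field), so the component check above would run on wide strings, and it should be backed by a second check after full canonicalisation (for example GetFullPathNameW) confirming the resolved path still starts with the destination directory; reserved device names and trailing dots or spaces are further Windows-specific cases this sketch does not cover. The user-side mitigation quoted later in the article, disabling clipboard sharing, corresponds to unticking Clipboard under Local Resources in mstsc or setting redirectclipboard:i:0 in the .rdp file.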
Researchers disclosed the flaw to Microsoft, which said in an official statement that "we determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows."
As a result, this path traversal has no CVE-ID, and there is no patch to address it.
Matt Aldridge, senior solutions architect at Webroot, told SC Media UK that organisations should only use RDP across a connection which has already been secured, such as communicating with a trusted internal host over a trusted LAN/WAN or doing this across the internet via a VPN connection.
"Wherever possible the RDP connection should also be encrypted and use mutual certificate-based authentication and/or token-based two-factor authentication. This should be enforced in Group Policy where applicable and alerting mechanisms should be in place to spot any deviations," he said.
He added: "It may be prudent to run RDP clients from within a protected virtual environment or at the very least to ensure they are running with the lowest privileges possible or as a separate, unprivileged user account."
David Atkinson, CEO of Senseon, told SC that if an organisation is using rdesktop or FreeRDP, it should upgrade to the latest version. "If an organisation is using Microsoft Remote Desktop users should only connect to trusted computers and disable bidirectional clipboard sharing," he said.