Windows: Reverse RDP attacks in third-party software possible

A poorly patched vulnerability, CVE-2019-0887, in Windows leaves systems open to attacks via third-party RDP applications. It could also allow the client used to establish an RDP connection to be attacked by malware on the remote machine.


RDP vulnerability CVE-2019-0887 in Windows

With the July 2019 Patchday updates, Microsoft closed the Remote Desktop Services remote code execution vulnerability. Microsoft had published information about the vulnerability in this document.

A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, if an authenticated attacker exploits clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim's system. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user rights.

To exploit this vulnerability, an attacker must already have compromised a system running Remote Desktop Services, and then wait for a victim system to connect to the Remote Desktop Services.

Microsoft had released an update to fix this vulnerability. However, the patch did not sufficiently close it. In August 2019 I published the blog post RDP vulnerability puts Hyper-V at risk, about a vulnerability in Microsoft's Remote Desktop Protocol (RDP) that could be exploited to break out of guest VMs running on Hyper-V in Windows 10 and Azure.

New problem with third-party RDP solutions

The Hacker News pointed out a few days ago that the vulnerability CVE-2019-0887, incompletely patched in July 2019, still posed a risk. Security researchers were able to bypass the patch simply by replacing the backslashes in the paths with forward slashes.

Microsoft acknowledged the improper fix and re-patched the bug in its February 2020 security update. The new vulnerability is tracked as CVE-2020-0655.

Check Point security researchers have now discovered that Microsoft resolved the above issue by adding a separate workaround in Windows, but left the root cause in the API function "PathCchCanonicalize" unchanged.


Microsoft's fix apparently works well for the RDP client built into Windows. But it does not protect third-party RDP clients from the same attack: as soon as they rely on that API function, they remain vulnerable.

Microsoft Patch can be bypassed

"We have found that an attacker can not only bypass Microsoft's patch, but can also bypass any check of the canonicalization that was performed according to Microsoft's best practices," said Check Point researcher Eyal Itkin in a report he provided to The Hacker News.

A path traversal attack is possible if a third-party RDP program accepts a file as input and does not verify its path. This allows an attacker to write the file anywhere on the target system and thus expose the contents of files outside the application's root directory. "A remote computer infected with malware could take over any client that attempts to connect to it. For example, if an IT worker tries to connect to a remote corporate computer infected with malware, the malware could also attack the IT worker's computer," write the security researchers.
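As an added illustration (not code from the original post, from Microsoft or from Check Point's report), the Python below models the check a client should perform on a file name received from the remote side: a separator-naive containment check next to a hardened one that normalises both separators before canonicalising and then verifies the result stays inside the destination directory. The real PathCchCanonicalize API is not called; the destination directory and file names are constructed samples.

```python
import ntpath

# Constructed sample: where a client saves files copied from the remote session.
CLIENT_ROOT = r"C:\Users\victim\Downloads"


def weak_canonicalize(path: str) -> str:
    """Toy model of a canonicaliser that only understands backslashes.
    Stand-in for the separator-naive behaviour described in the post, not the real API."""
    parts = []
    for segment in path.split("\\"):
        if segment == "..":
            if parts:
                parts.pop()
        elif segment and segment != ".":
            parts.append(segment)
    return "\\".join(parts)


def weak_is_safe(root: str, name: str) -> bool:
    """Containment check built on weak_canonicalize.
    A name using '/' is never collapsed, so '..' segments survive and the
    check passes even though Windows treats '/' as a separator when writing."""
    target = weak_canonicalize(root + "\\" + name)
    return target.startswith(root + "\\")


def resolve_within_root(root: str, name: str):
    """Hardened variant: return the canonical destination for `name` under
    `root`, or None if it would escape. Both separators are normalised before
    '..' is resolved, absolute or UNC names are rejected because the join
    discards the root, and the comparison is case-insensitive like NTFS."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    # ntpath.normpath turns '/' into '\\' and collapses '.' and '..' segments.
    target = ntpath.normpath(ntpath.join(root, name.replace("/", "\\")))
    if not ntpath.normcase(target).startswith(root_n + "\\"):
        return None
    return target


def audit(names):
    """Run both checks over a list of file names; returns {name: (weak, hardened)}."""
    return {n: (weak_is_safe(CLIENT_ROOT, n), resolve_within_root(CLIENT_ROOT, n)) for n in names}


if __name__ == "__main__":
    # Constructed inputs: one benign name, one backslash traversal, one forward-slash traversal.
    for name, result in audit(["report.txt", r"..\..\outside.txt", "../../outside.txt"]).items():
        print(f"{name!r:24} weak={result[0]!s:5} hardened={result[1]}")
```

The forward-slash name is the only one the weak check lets through, which is the gap the post describes; the hardened check rejects it and also rejects rooted and UNC names.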

The security researchers found the bug while investigating Microsoft's Remote Desktop client for Mac, which had been left out of the first analysis in 2019. Interestingly, the macOS RDP client itself is not vulnerable to CVE-2019-0887; but since the underlying vulnerability is still not fixed, Check Point warned that it could pose a serious risk to many other RDP software products.

"Microsoft has failed to fix the vulnerability in its official API, so all programs written according to Microsoft's best practices are still vulnerable to a path traversal attack," said Omri Herscovici of Check Point. "We want developers to be aware of this threat so they can go through their programs and manually apply a patch against it".
