Major Security Flaws Identified in RDP Protocols Making Machines Prone to Remote Code Execution and Reverse RDP Attacks
Check Point researchers have found that three remote desktop protocol (RDP) tools, probably the most popular ones for Windows, macOS, and Linux systems, are plagued with not one or two but twenty-five CVE-listed security flaws.
Sixteen of the twenty-five flaws are classified as major vulnerabilities; all twenty-five are security issues. They were identified in the open source FreeRDP client, in its fork rdesktop, and in Microsoft’s own RDP client implementation. The vulnerabilities can let cybercriminals take full control of a computer once it connects to a malicious server, using techniques such as memory corruption and remote code execution.
The RDP protocol was developed to give users an easy way to connect remotely to a computer (such as a Windows machine) through a graphical interface. The discovery is concerning because users usually connect to remote computers quickly, without giving it a second thought.
If the RDP protocol contains such a massive number of vulnerabilities, attackers can exploit them to launch a “reverse RDP attack”. Once the attacker controls the RDP client, the attack’s scope can be expanded to the entire local network of that machine. Eyal Itkin of Check Point explained the idea in the company’s blog post:
“In a normal scenario, you use an RDP client, and connect to a remote RDP server that is installed on the remote computer. But what if the scenario could be put in reverse? We wanted to investigate if the RDP server can attack and gain control over the computer of the connected RDP client.”
The researchers showed that attackers can exploit these flaws using two different techniques and gain elevated network permissions. Eleven of the identified flaws are present in version 1.8.3 of the rdesktop RDP client, and nineteen flaws are present in the library.
Furthermore, Check Point researchers assessed that the open source xrdp RDP server is partly based on rdesktop, so it is highly likely to be affected by the same vulnerabilities. In FreeRDP 2.0.0-rc3 they discovered five major security vulnerabilities and six library vulnerabilities overall.
Researchers also noted that the NeutrinoRDP RDP client “is a fork of an older version (1.0.1) of ‘FreeRDP’ and therefore probably suffers from the same vulnerabilities.”
A malicious RDP server can also abuse the virtual channels that exchange data between the two endpoints: the channels never check the length of the packets being sent, so the server can feed malformed packets to the client. This triggers integer overflows and out-of-bounds reads and ultimately paves the way for remote code execution.
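The length-check failure described above is worth seeing in code. The following is an added example written for this article, not code from Check Point, FreeRDP or rdesktop, and the eight-byte chunk header it parses is a constructed simplification, not the real RDP virtual-channel wire format. It places the unchecked decision (an additive bounds test in 32-bit arithmetic, which a server-declared length near UINT32_MAX wraps to a small number) beside a hardened reassembly routine that compares every declared length against the bytes actually received and the buffer space actually left.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified virtual-channel chunk (an assumption for this
 * example, not the real RDP wire format):
 *   uint32 data_length  - server-declared length of the payload that follows
 *   uint32 flags        - chunk flags (ignored here)
 *   uint8  data[]       - payload bytes
 */
#define CHUNK_HDR_LEN 8u

typedef enum {
    CH_OK = 0,
    CH_ERR_SHORT_PDU,        /* fewer bytes than a header */
    CH_ERR_LEN_EXCEEDS_PDU,  /* declared length longer than what was received */
    CH_ERR_BUFFER_FULL       /* reassembly buffer cannot hold the chunk */
} ch_status;

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The decision an unchecked parser makes. The bounds test adds the header
 * size to the server-declared length in 32-bit arithmetic, so a value near
 * UINT32_MAX wraps the sum to a small number and the chunk is accepted; a
 * following memcpy of data_length bytes would then read far past the PDU.
 * Only the accept/reject decision is returned; nothing is copied. */
int naive_accepts(const uint8_t *pdu, size_t pdu_len) {
    if (pdu_len < CHUNK_HDR_LEN) return 0;
    uint32_t data_length = rd_u32le(pdu);
    uint32_t end = CHUNK_HDR_LEN + data_length;   /* may wrap around */
    return end <= pdu_len;
}

/* Hardened append: each server-supplied length is checked by subtracting the
 * known-smaller value from the known total, so no sum can ever wrap. */
ch_status hardened_append(const uint8_t *pdu, size_t pdu_len,
                          uint8_t *out, size_t out_cap, size_t *offset) {
    if (pdu_len < CHUNK_HDR_LEN) return CH_ERR_SHORT_PDU;
    uint32_t data_length = rd_u32le(pdu);
    if (data_length > pdu_len - CHUNK_HDR_LEN) return CH_ERR_LEN_EXCEEDS_PDU;
    if (*offset > out_cap || data_length > out_cap - *offset) return CH_ERR_BUFFER_FULL;
    memcpy(out + *offset, pdu + CHUNK_HDR_LEN, data_length);
    *offset += data_length;
    return CH_OK;
}

/* Constructed sample chunks: little-endian header followed by four payload bytes. */
static const uint8_t good_chunk[] = {
    0x04, 0x00, 0x00, 0x00,   /* data_length = 4, matches the payload */
    0x01, 0x00, 0x00, 0x00,   /* flags */
    'a', 'b', 'c', 'd' };
static const uint8_t wrap_chunk[] = {
    0xFC, 0xFF, 0xFF, 0xFF,   /* data_length = 0xFFFFFFFC; 8 + this wraps to 4 */
    0x01, 0x00, 0x00, 0x00,
    'a', 'b', 'c', 'd' };
static const uint8_t long_chunk[] = {
    0x64, 0x00, 0x00, 0x00,   /* data_length = 100, but only 4 bytes follow */
    0x01, 0x00, 0x00, 0x00,
    'a', 'b', 'c', 'd' };

int demo_naive_on_wrap(void) { return naive_accepts(wrap_chunk, sizeof wrap_chunk); }
int demo_naive_on_long(void) { return naive_accepts(long_chunk, sizeof long_chunk); }

static ch_status run_hardened(const uint8_t *chunk, size_t len) {
    uint8_t buf[16]; size_t off = 0;
    return hardened_append(chunk, len, buf, sizeof buf, &off);
}
ch_status demo_hardened_good(void) { return run_hardened(good_chunk, sizeof good_chunk); }
ch_status demo_hardened_wrap(void) { return run_hardened(wrap_chunk, sizeof wrap_chunk); }
ch_status demo_hardened_long(void) { return run_hardened(long_chunk, sizeof long_chunk); }

/* Three 4-byte chunks into an 8-byte buffer: two fit, the third is refused. */
size_t demo_reassemble(void) {
    uint8_t buf[8]; size_t off = 0;
    for (int i = 0; i < 3; i++)
        hardened_append(good_chunk, sizeof good_chunk, buf, sizeof buf, &off);
    return off;
}

int main(void) {
    printf("naive parser on wrapped length: %d (1 = accepted, the bug)\n", demo_naive_on_wrap());
    printf("hardened parser on wrapped length: %d (%d = CH_ERR_LEN_EXCEEDS_PDU)\n",
           demo_hardened_wrap(), CH_ERR_LEN_EXCEEDS_PDU);
    printf("bytes reassembled into an 8-byte buffer: %zu\n", demo_reassemble());
    return 0;
}
```

The naive check catches a declared length of 100 (the sum stays in range) but not 0xFFFFFFFC, which is the integer-overflow case the article refers to; the hardened routine rejects both because it never forms a sum that the server controls.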
Another attack path concerns the way client and server share data through a common clipboard. Because the channel does not sanitize the traffic, the shared clipboard lets a malicious server carry out path traversal attacks, and information can be disclosed because the server can peek into the client’s local clipboard activity.
A malicious RDP server can change the clipboard content the client uses even when the client has not issued a copy operation inside the RDP window. So whenever an RDP connection is open and the user clicks Paste, the machine is exposed.
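The path traversal described above is a problem of trusting a file name the server supplies. The following is an added example, not code from Check Point or from any RDP client, showing the validation a client should apply to a received clipboard file name before joining it to its own download directory. It assumes the clipboard channel delivers one file name per entry and that the client saves files under a fixed directory of its own choosing.

```c
#include <stddef.h>
#include <string.h>

/* Returns 1 if `name` is a plain file name that cannot escape the directory
 * it will be saved into, 0 otherwise. Anything that looks like a path
 * component, drive letter or stream specifier is refused outright. */
int clipboard_name_is_safe(const char *name) {
    if (name == NULL || name[0] == '\0') return 0;              /* empty name */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++) {
        if (*p == '/' || *p == '\\') return 0;   /* separator: a path, not a name */
        if (*p == ':') return 0;                 /* Windows drive letter or data stream */
        if ((unsigned char)*p < 0x20 || *p == 0x7F) return 0;   /* control chars */
    }
    return 1;
}

/* Builds "dir/name" into `out` only if the name passed validation and the
 * result fits. Returns 1 on success, 0 if the name was refused or too long. */
int clipboard_build_dest(const char *dir, const char *name, char *out, size_t out_cap) {
    if (!clipboard_name_is_safe(name)) return 0;
    size_t dlen = strlen(dir), nlen = strlen(name);
    if (dlen + 1 + nlen + 1 > out_cap) return 0;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen);
    out[dlen + 1 + nlen] = '\0';
    return 1;
}

/* Constructed download directory used by the demos (an assumption). */
static const char *DOWNLOAD_DIR = "/tmp/rdp_downloads";

/* A normal name is accepted and lands inside the download directory. */
int demo_dest_ok(void) {
    char out[64];
    if (!clipboard_build_dest(DOWNLOAD_DIR, "report.pdf", out, sizeof out)) return 0;
    return strcmp(out, "/tmp/rdp_downloads/report.pdf") == 0;
}

/* A constructed traversal name is refused before any path is built. */
int demo_dest_refused(void) {
    char out[64];
    return clipboard_build_dest(DOWNLOAD_DIR, "../../outside.txt", out, sizeof out);
}
```

Rejecting the name rather than stripping separators out of it is deliberate: a server that sends a path is already misbehaving, and normalizing its input would only mask that.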
Microsoft, on the other hand, acknowledged the issue but declined to take any further action, stating that none of the issues are serious enough to warrant a fix:
“Thank you for your submission. We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).”
It is worth mentioning that exploiting RDP flaws and selling RDP access on the dark web has become a lucrative business for cybercriminals. Just last week, authorities took down xDedic, the world’s largest marketplace for hacked servers, where one of the best-selling products was RDP access to businesses and private users.