In an attacker’s ideal world, he or she would infect a desktop, steal the user’s RDP password and move smoothly across the network to the RDP server and immediately gain access.
In real life however, things can get a little more complicated.
Zoltan Balazs, chief technology officer at MRG Effitas, recalled a penetration test his team performed once while he was working at a previous company. The client had a secure, hardened environment – restrictive firewalls, two-factor authentication to access Remote Desktop servers, application whitelisting on the server, and so on.
“The hacking of this environment was out of scope of the project, but we were talking about whether it is possible or not,” he told SecurityWeek.
He thought it was, but had not had the opportunity to prove it. At the recent DEF CON conference in Las Vegas, Balazs walked through how to do just that, and get by the hardware firewall, authentication and whitelisting protections implemented in that type of secure environment. The key is to break the challenge into small chunks and deal with them one bite at a time.
Step one, he said, is to infect a client workstation desktop. The next step is to infect the RDP server by simulating keyboard events.
“The basic idea is that Applocker allows the running of Microsoft Office, and from Microsoft Office, one can run Visual Basic macro code,” he noted. “And this macro code can load DLL files directly, which are not restricted by AppLocker by default.”
To permanently bypass the firewall, Balazs developed a kernel driver that listens on the same TCP port as the legitimate RDP service and redirects traffic to another TCP port on the server if the TCP source port is the preconfigured port.
“On this TCP port on the server, the attacker can setup any backdoor server…and the communication can be established through the legitimate, trusted TCP port,” he said.
Administrator-level privileges are needed in order to install the kernel driver, he explained, noting that in his scenario the user connecting to the server only had user-level privileges.
“Because two-factor authentication is used to access the RDP server, knowing the user’s password is not enough,” he said.
That challenge can be addressed using a privilege escalation vulnerability.
After the firewall has been bypassed, the attacker can drop and start a bind shell. The end result is a successful attack for the hacker.
Companies that have this many layers of protection are not that common, but they do exist and are likely guarding some “very expensive secrets,” Balazs said.
There are multiple actions an organization could take to thwart this kind of attack, starting with using next generation firewall technology to enforce RDP traffic on the RDP port, he said. Another is monitoring the use of new, unknown kernel drivers. In addition, organizations should also find and eliminate any local privilege escalation issues on the RDP server.
“Defense in depth and raising the costs for the attackers is important,” he said. “Yet, one should not believe that something is impossible to hack.”