RDP Servers Can Hack Client Devices: Researchers

More than two dozen vulnerabilities have been discovered by security experts in popular implementations of the remote desktop protocol (RDP), including flaws that allow a malicious RDP server to hack a device running the client RDP software.

RDP allows users to remotely connect to other devices on the network. The protocol was originally developed by Microsoft for Windows, but there are also several open source implementations that can be used on Linux and Unix systems.

The FBI warned recently that attacks involving RDP have been on the rise in the past couple of years, fueled by RDP access sold on the dark web.

Researchers at Check Point Software Technologies have conducted a detailed analysis of FreeRDP, rdesktop, and the Remote Desktop Connection software shipped with Windows. They have identified a total of 25 security holes, including 16 that have been described as “major.”

A manual code audit of the open source rdesktop tool led to the discovery of 19 vulnerabilities (mostly heap-based buffer overflows), including 11 with a major impact. Some of these flaws can be exploited by an attacker controlling an RDP server to remotely execute code on an RDP client connecting to it.

FreeRDP was found to be more secure: the researchers discovered only six flaws, five of which have a major impact. As with rdesktop, some of FreeRDP's vulnerabilities allow a malicious RDP server to execute arbitrary code on a connecting client.

In the case of Microsoft’s RDP software, Check Point experts say it’s much better built and far more secure. However, they did find a weakness related to the fact that the client and the server share clipboard data – this feature is enabled by default.

If a client connects to a malicious RDP server and the user copies any file, the attacker can paste their own files – in addition to the files copied by the user – to an arbitrary location on the client device. For example, an attacker can drop a malicious file into the Windows “Startup” folder so that it would get executed every time the system is booted.

The types of attacks demonstrated by Check Point can be highly useful to malicious actors. For instance, an attacker can escalate privileges and gain further access to the network if a member of the targeted organization’s IT team connects to an RDP server they control. Hackers could also leverage these methods against security researchers.

“[The method can be used for] attacking a malware researcher that connects to a remote sandboxed virtual machine that contains a tested malware. This allows the malware to escape the sandbox and infiltrate the corporate network,” Check Point explained.

The company reported its findings to the developers of the impacted RDP tools in October 2018. FreeRDP developers pushed a patch to their GitHub repository less than a month after being notified. Rdesktop developers rolled out a fix in mid-January.

As for Microsoft, the tech giant confirmed the researchers’ findings, but decided not to release a patch or assign a CVE identifier, claiming that the issue “does not meet our bar for servicing.” Nevertheless, there is a way for users to protect themselves against the attacks described by Check Point: disable the clipboard sharing feature.
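As an added, defender-side illustration (this script is not from Check Point, Microsoft or SecurityWeek), the following Python code audits saved Remote Desktop Connection (.rdp) files and rewrites them so that clipboard redirection is off; the `redirectclipboard:i:0` setting is the file-level equivalent of unchecking Clipboard under Local Resources in the client dialog. The sample file contents are constructed, and the assumption that a missing key means clipboard sharing is enabled follows the client's documented default.

```python
"""Audit and harden Remote Desktop Connection (.rdp) files so that clipboard
redirection, the channel the clipboard attack described above relies on, is off.

The .rdp format is plain text with one setting per line, name:type:value,
where type is i (integer) or s (string). When redirectclipboard is absent the
client defaults to sharing the clipboard, so a missing key is also a finding.
"""

CLIPBOARD_KEY = "redirectclipboard"


def parse_rdp(text):
    """Return an ordered list of (name, type, value) tuples, skipping blank
    or malformed lines. Values may themselves contain colons (host:port)."""
    settings = []
    for line in text.splitlines():
        line = line.strip()
        if line.count(":") < 2:
            continue
        name, typ, value = line.split(":", 2)
        settings.append((name.lower(), typ, value))
    return settings


def clipboard_enabled(settings):
    """True unless the file explicitly sets redirectclipboard:i:0."""
    for name, typ, value in settings:
        if name == CLIPBOARD_KEY:
            return not (typ == "i" and value.strip() == "0")
    return True  # key absent: client default is clipboard sharing on


def harden(text):
    """Rewrite the file with clipboard redirection disabled, keeping every
    other setting. Returns (new_text, was_changed)."""
    settings = parse_rdp(text)
    if not clipboard_enabled(settings):
        return text, False
    out = [f"{n}:{t}:{v}" for n, t, v in settings if n != CLIPBOARD_KEY]
    out.append(f"{CLIPBOARD_KEY}:i:0")
    return "\n".join(out) + "\n", True


# Constructed sample: a typical saved connection with clipboard sharing on.
SAMPLE_RDP = """full address:s:rdp.example.internal:3389
username:s:analyst
redirectclipboard:i:1
authentication level:i:2
"""

if __name__ == "__main__":
    hardened, changed = harden(SAMPLE_RDP)
    print("changed:", changed)
    print(hardened)
```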

“Although the code quality of the different clients varies, as can be seen by the distribution of the vulnerabilities we found, we argue that the remote desktop protocol is complicated, and is prone to vulnerabilities. As we demonstrated in our PoCs for both Microsoft’s client and one of the open-sourced clients, a malicious RDP server can leverage the vulnerabilities in the RDP clients to achieve remote code execution over the client’s computer,” the security firm concluded.

Check Point has published a blog post describing its findings, along with a video showing how the clipboard attack works.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
