Connect with us

Hi, what are you looking for?



RDP Servers Can Hack Client Devices: Researchers

More than two dozen vulnerabilities have been discovered by security experts in popular implementations of the remote desktop protocol (RDP), including flaws that allow a malicious RDP server to hack a device running the client RDP software.

More than two dozen vulnerabilities have been discovered by security experts in popular implementations of the remote desktop protocol (RDP), including flaws that allow a malicious RDP server to hack a device running the client RDP software.

RDP allows users to remotely connect to other devices on the network. The protocol was originally developed by Microsoft for Windows, but there are also several open source implementations that can be used on Linux and Unix systems.

The FBI warned recently that attacks involving RDP have been on the rise in the past couple of years, fueled by RDP access sold on the dark web.

Researchers at Check Point Software Technologies have conducted a detailed analysis of FreeRDP, rdesktop, and the Remote Desktop Connection software shipped with Windows. They have identified a total of 25 security holes, including 16 that have been described as “major.”

A manual code audit of the open source rdesktop tool led to the discovery of 19 vulnerabilities (mostly heap-based buffer overflows), including 11 with a major impact. Some of these flaws can be exploited by an attacker controlling an RDP server to remotely execute code on an RDP client connecting to it.

FreeRDP was found to be more secure and researchers have only discovered six flaws, five of which have major impact. Similar to rdesktop, FreeRDP has vulnerabilities that allow a malicious RDP server to execute arbitrary code on a client.

In the case of Microsoft’s RDP software, Check Point experts say it’s much better built and far more secure. However, they did find a weakness related to the fact that the client and the server share clipboard data – this feature is enabled by default.

Advertisement. Scroll to continue reading.

If a client connects to a malicious RDP server and the user copies any file, the attacker can paste their own files – in addition to the files copied by the user – to an arbitrary location on the client device. For example, an attacker can drop a malicious file into the Windows “Startup” folder so that it would get executed every time the system is booted.

The types of attacks demonstrated by Check Point can be highly useful to malicious actors. For instance, an attacker can escalate privileges and gain further access to the network if a member of the targeted organization’s IT team connects to an RDP server they control. Hackers could also leverage these methods against security researchers.

“[The method can be used for] attacking a malware researcher that connects to a remote sandboxed virtual machine that contains a tested malware. This allows the malware to escape the sandbox and infiltrate the corporate network,” Check Point explained.

The company reported its findings to the developers of the impacted RDP tools in October 2018. FreeRDP developers pushed a patch to their GitHub repository less than a month after being notified. Rdesktop developers rolled out a fix in mid-January.

As for Microsoft, the tech giant confirmed the researchers’ findings, but decided not to release a patch or assign a CVE identifier, claiming that the issue “does not meet our bar for servicing.” Nevertheless, there is a way for users to protect themselves against the attacks described by Check Point: disable the clipboard sharing feature.

“Although the code quality of the different clients varies, as can be seen by the distribution of the vulnerabilities we found, we argue that the remote desktop protocol is complicated, and is prone to vulnerabilities. As we demonstrated in our PoCs for both Microsoft’s client and one of the open-sourced clients, a malicious RDP server can leverage the vulnerabilities in the RDP clients to achieve remote code execution over the client’s computer,” the security firm concluded.

Check Point has published a blog post describing its findings, along with a video showing how the clipboard attack works:

Related: Ransomware Targets SMBs via RDP Attacks

Related: Hackers Using RDP Are Increasingly Using Network Tunneling to Bypass Protections

Related: RDP Increasingly Abused in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.