Source: Check Point
Overview
RDP (Remote Desktop Protocol) was originally developed by Microsoft for its Windows operating systems, and mstsc.exe is Microsoft's own RDP client. The protocol has since been implemented by several open-source applications that are used to take remote access of Windows-based machines. Two separate machines are involved: one acts as the RDP server and the other as the RDP client. The client reaches the server by IP address or hostname and authenticates with credentials such as a username and password.
FreeRDP and rdesktop are very popular RDP clients on Linux-based operating systems for taking remote access of another machine.
The popularity of this protocol attracted the attention of the Security Research Team of Check Point Software Technologies Ltd., which looked at three clients:
- mstsc.exe – Microsoft’s built-in RDP client.
- FreeRDP – The most popular open-source RDP client on GitHub.
- rdesktop – Older open-source RDP client, shipped by default in Kali Linux.
After analysing these popular RDP clients, the security researchers surprisingly discovered more than 25 security flaws across the three of them.
#1 - rdesktop - Tested version: v1.8.3
The team started by analysing the open-source rdesktop client and found 11 vulnerabilities with a major security impact, such as Remote Code Execution, and 19 vulnerabilities overall in the library, including ones that enable DoS attacks and information leakage.
CVEs found in rdesktop:
CVE-2018-8791, CVE-2018-8792, CVE-2018-8793, CVE-2018-8794, CVE-2018-8795, CVE-2018-8796, CVE-2018-8797, CVE-2018-8798, CVE-2018-8799, CVE-2018-8800, CVE-2018-20174, CVE-2018-20175, CVE-2018-20176, CVE-2018-20177, CVE-2018-20178, CVE-2018-20179, CVE-2018-20180, CVE-2018-20181, CVE-2018-20182
#2 - FreeRDP - Tested version: 2.0.0-rc3
After discovering several flaws in rdesktop, the researchers analysed another popular open-source RDP client, FreeRDP. In this client the team discovered 5 vulnerabilities with a major security impact and 6 vulnerabilities overall in the library, with impacts such as Remote Code Execution and Denial of Service.
PoC published by the Check Point security team:
CVEs found in FreeRDP:
CVE-2018-8784, CVE-2018-8785, CVE-2018-8786, CVE-2018-8787, CVE-2018-8788, CVE-2018-8789
#3 - mstsc.exe - Microsoft's RDP client - Tested version: Build 18252.rs_prerelease.180928-1410
Microsoft's RDP client mstsc.exe is quite secure compared to the open-source RDP clients, so the researchers faced more of a challenge; still, they discovered a few interesting flaws in the copy/paste (clipboard) function of mstsc.exe. This flaw enables a path traversal attack and can also be used for information leakage.
The Check Point team gave some simple scenarios in which this flaw can seriously harm an infrastructure.
Scenario #1:
A malicious RDP server can eavesdrop on the client's clipboard – this is a feature, not a bug. For example, the client locally copies an admin password, and now the server has it too.
Scenario #2:
A malicious RDP server can modify any clipboard content used by the client, even if the client does not issue a "copy" operation inside the RDP window. If you click "paste" while an RDP connection is open, you are vulnerable to this kind of attack. For example, if you copy a file on your computer, the server can modify your (executable?) file / piggy-back on your copy to add additional files / path-traversal files using the previously shown PoC.
The Check Point team successfully tested this attack scenario using NCC's .NET deserialization and also provided a PoC:
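Scenario #2 works because, when a file list is pasted out of an RDP session, the names under which the client writes the files to disk are supplied by the remote side. The Python example below is added here as an illustration of the check a client should perform before writing a pasted file; it is not Check Point's code, nor code from mstsc.exe, FreeRDP or rdesktop. It treats the remote-supplied name as untrusted and rejects anything that is rooted, carries a drive letter or UNC prefix, contains `..` components, uses stream syntax, or otherwise cannot be a plain relative name under the directory the user pasted into. The function names, the sample names and the paste directory are constructed for this demonstration.

```python
import ntpath
import re

# Windows reserved device names; a name such as "CON" or "NUL.txt" maps to a device, not a file.
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE)
_ILLEGAL_CHARS = set('<>"|?*')


class UnsafeClipboardName(ValueError):
    """Raised when a remote-supplied file name must not be written under the paste directory."""


def sanitize_clipboard_filename(remote_name):
    """Validate a file name received from the remote clipboard and return it as a
    relative, backslash-separated Windows path. Raises UnsafeClipboardName otherwise.
    The name is untrusted: a malicious RDP server chooses it (hypothetical helper)."""
    if not remote_name or "\x00" in remote_name:
        raise UnsafeClipboardName("empty or NUL-containing name")
    name = remote_name.replace("/", "\\")          # Win32 accepts '/' as a separator too
    if name.startswith("\\"):                      # rooted path or \\server\share UNC path
        raise UnsafeClipboardName("rooted or UNC path: %r" % remote_name)
    if ntpath.splitdrive(name)[0]:                 # "C:..." absolute or drive-relative
        raise UnsafeClipboardName("drive letter in name: %r" % remote_name)
    parts = name.split("\\")
    for part in parts:
        if part in ("", ".", ".."):
            raise UnsafeClipboardName("traversal or empty component: %r" % remote_name)
        if part != part.rstrip(" ."):              # Win32 strips trailing dots/spaces, aliasing names
            raise UnsafeClipboardName("trailing dot or space: %r" % remote_name)
        if ":" in part:                            # alternate data stream syntax (file.exe:stream)
            raise UnsafeClipboardName("stream syntax: %r" % remote_name)
        if _RESERVED.match(part):
            raise UnsafeClipboardName("reserved device name: %r" % remote_name)
        if any(ord(c) < 32 or c in _ILLEGAL_CHARS for c in part):
            raise UnsafeClipboardName("illegal character: %r" % remote_name)
    return "\\".join(parts)


def is_safe_clipboard_filename(remote_name):
    """Boolean convenience wrapper around sanitize_clipboard_filename."""
    try:
        sanitize_clipboard_filename(remote_name)
    except UnsafeClipboardName:
        return False
    return True


def resolve_paste_target(paste_dir, remote_name):
    """Full path a pasted file may be written to, or raise. paste_dir is the directory
    the local user pasted into; the result must stay beneath it (defence in depth)."""
    relative = sanitize_clipboard_filename(remote_name)
    base = ntpath.normpath(paste_dir)
    target = ntpath.normpath(ntpath.join(base, relative))
    if not target.lower().startswith(base.lower() + "\\"):
        raise UnsafeClipboardName("escapes paste directory: %r" % remote_name)
    return target


if __name__ == "__main__":
    # Constructed sample names as they might arrive in a remote clipboard file list;
    # only the first two are legitimate relative names.
    samples = [
        "report.docx",
        "photos\\holiday.jpg",
        "..\\..\\outside\\evil.exe",
        "C:\\Windows\\System32\\drivers\\etc\\hosts",
        "\\\\attacker-host\\share\\payload.dll",
        "notes.txt:hidden",
        "CON",
    ]
    for s in samples:
        print("%-50r %s" % (s, "OK" if is_safe_clipboard_filename(s) else "REJECTED"))
```

The check runs before any file is created, so a name that fails validation never touches the file system; the final `startswith` test in `resolve_paste_target` is redundant with the component checks and is kept deliberately so a future change to the sanitizer cannot silently reopen traversal.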
It seems that Microsoft is not taking this flaw seriously, because when Check Point reported it to Microsoft, they responded:
“Thank you for your submission. We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).”
As per the security researchers at Check Point, “this path traversal has no CVE-ID, and there is no patch to address it”. Because of this, the team issued the protection recommendations for users listed below.
Recommendation for Protection
Check Point recommends the following steps in order to protect against this attack:
- Check Point Research worked closely with FreeRDP, rdesktop and Microsoft to mitigate these vulnerabilities. If you are using rdesktop or FreeRDP, update to the latest version which includes the relevant patches.
- When using the Microsoft RDP client (MSTSC), Check Point strongly recommends disabling bi-directional clipboard sharing over RDP.
- Apply security measures to both the clients and the servers involved in the RDP communication. Check Point provides various security layers that may be used for protection, such as IPS, SandBlast Agent, Threat Emulation and ANTEX.
- Users should avoid using RDP to connect to remote servers that have not implemented sufficient security measures.
- Check Point's IPS blade provides protection against these threats:
  - “FreeRDP Remote Code Execution (CVE-2018-8786)”
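The recommendation to disable clipboard sharing in MSTSC can be enforced in saved connection files: mstsc stores its options as `key:type:value` lines in `.rdp` files, and `redirectclipboard:i:0` turns clipboard redirection off for that connection (the same option is the "Clipboard" checkbox under the Local Resources tab in the mstsc dialog). The following Python script is an added example, not Check Point's or Microsoft's code: it parses `.rdp` files, reports the ones that would still open a session with the clipboard shared, and produces a hardened copy. It treats a missing `redirectclipboard` line as enabled, because that is mstsc's default; the three sample files are constructed for the demonstration.

```python
def parse_rdp(text):
    """Parse mstsc's 'key:type:value' lines into {key: (type, value)}.
    Blank lines and ';' comment lines are skipped; malformed lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep1, rest = line.partition(":")
        typ, sep2, value = rest.partition(":")
        if not (sep1 and sep2):
            continue                      # not a well-formed setting line
        settings[key.strip().lower()] = (typ.strip().lower(), value)
    return settings


def clipboard_enabled(settings):
    """True if a session opened from these settings would share the clipboard.
    An absent key is treated as enabled, which is mstsc's default behaviour."""
    typ, value = settings.get("redirectclipboard", ("i", "1"))
    return value.strip() != "0"


def harden_rdp(text):
    """Return the .rdp text with redirectclipboard forced to 0; other lines are kept as-is."""
    out, seen = [], False
    for raw in text.splitlines():
        key = raw.strip().partition(":")[0].strip().lower()
        if key == "redirectclipboard":
            out.append("redirectclipboard:i:0")
            seen = True
        else:
            out.append(raw)
    if not seen:                          # key absent: add it explicitly rather than rely on the default
        out.append("redirectclipboard:i:0")
    return "\n".join(out) + "\n"


def audit(files):
    """Names of .rdp files (mapping name -> file text) that still allow clipboard redirection."""
    return [name for name, text in files.items() if clipboard_enabled(parse_rdp(text))]


# Constructed sample .rdp files for the demonstration; the hostnames are made up.
SAMPLE_RDP_FILES = {
    "jumphost.rdp": "full address:s:jump01.corp.example\nredirectclipboard:i:1\n",
    "sandbox.rdp": "full address:s:malware-lab-vm\nredirectclipboard:i:0\n",
    "legacy.rdp": "full address:s:old-server\n",   # no redirectclipboard line: default applies
}

if __name__ == "__main__":
    for name in audit(SAMPLE_RDP_FILES):
        print("%s: clipboard redirection enabled; hardened copy:" % name)
        print(harden_rdp(SAMPLE_RDP_FILES[name]), end="")
```

Running the audit over a directory of real `.rdp` files is a matter of reading each file into the mapping passed to `audit`; the script deliberately never rewrites files in place, so the hardened text can be reviewed before it replaces the original.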
Conclusion
Check Point also gave some more scenarios in which this bug can be exploited.
Simply put, these RDP flaws can be used by an attacker in several scenarios; on a successful attack the attacker can gain elevated network permissions, thus advancing lateral movement inside an organization:
- Attacking an IT member who connects to an infected workstation inside the corporate network, thus gaining higher permission levels and greater access to the network systems.
- Attacking a malware researcher who connects to a remote sandboxed virtual machine that contains malware under analysis. This allows the malware to escape the sandbox and infiltrate the corporate network.
- Fun fact: as rdesktop is the built-in client in Kali Linux, a Linux distro used by red teams for penetration testing, blue teams can install organizational honeypots and attack red teams that try to connect to them through the RDP protocol.
www.arizonainfotech.com