RDP Attack – Multiple Critical Vulnerabilities that Allows Attackers To Reverse the Communication

by chebbi abir

Share

RDP clients exposed to multiple vulnerabilities which allows an attacker to reverse the usual direction of the communication and to connect back to the client from the server.

Security researchers from Check Point discovered 16 major vulnerabilities and in total 25 security vulnerabilities detected overall. By exploiting the remote code execution and memory corruption vulnerabilities an attacker could connect back to the client computer from the server, researchers called it a reverse RDP Attack.

Attack scenario

RDP client developed by Microsoft and is widely used by users number users and IT professionals. Also, there are some open source tools for connection Mac and Linux machines.

RDP Attack – Clients Targeted

Researchers started testing with the Open source RDP clients

  • FreeRDP – (Open Source RDP) Memory corruption and Remote code executions
  • rdesktop – (Open Source RDP) Memory corruption and Remote code executions
  • mstsc.exe – (Microsoft’s built-in) RDP client Path Traversal

These vulnerabilities allow an attacker to gain system access in the corporate network and use the access to advance further movement inside an organization. Following is the common scenarios described by researchers.

  • Attacking an IT member that connects to an infected work station inside the corporate network, thus gaining higher permission levels and greater access to the network systems.
  • Attacking a malware researcher that connects to a remote sandboxed virtual machine that contains a tested malware. This allows the malware to escape the sandbox and infiltrate the corporate network.

RDP Clients

While analyzing rdesktop v1.8.3, checkpoint researchers find 19 vulnerabilities in total and 11 of them are critical. By combining multiple vulnerabilities in different logical channels result in remote code execution vulnerability.

Researchers further analyzed another opensource RDP client FreeRDP v2.0.0-rc3 and found 6 vulnerabilities, out of the 5 are critical vulnerabilities. The Free RDP also shares the similar vulnerabilities of rdesktop.

“An additional recon showed that the RDP client NeutrinoRDP is a fork of an older version (1.0.1) of “FreeRDP” and therefore probably suffers from the same vulnerabilities.”

The next RDP client analyzed by researchers is Mstsc.exe Microsoft’s RDP client Build 18252.rs, researchers tested all the PoC of open source client with Microsoft’s RDP client and there is no crash with, it closes safely.

“we realized that Microsoft’s implementation is much better than the implementations we tested previously. It seems like Microsoft’s code is better by several orders of magnitude.”

But the Microsoft RDP client found vulnerable to path-traversal attack, which can be manipulated by attackers while using the clipboard functions.

Path Traversal Vulnerability

When the client had an RDP connection with a malicious server and if they use the Copy & Paste, then the malicious server can drop arbitrary files to arbitrary file locations on the client’s computer.

Here is the video PoC published by Checkpoint, “we simply killed rdpclip.exe, and spawned our own process to perform the path traversal attack by adding an additional malicious file to every “Copy & Paste” operation. The attack was performed with “user” permissions, and does not require the attacker to have “system” or any other elevated permission.”

All these vulnerabilities have been reported by Checkpoint to the vendors and the patches have been committed by the vendors.

“During our research, we found numerous critical vulnerabilities in the tested RDP clients. Although the code quality of the different clients varies, as can be seen by the distribution of the vulnerabilities we found, we argue that the remote desktop protocol is complicated, and is prone to vulnerabilities,” researchers concluded.

Appendix A – CVEs found in rdesktop:

  • CVE 2018-8791: rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in function rdpdr_process() that results in an information leak.
  • CVE 2018-8792: rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in function cssp_read_tsrequest() that results in a Denial of Service (segfault).
  • CVE 2018-8793: rdesktop versions up to and including v1.8.3 contain a Heap-Based Buffer Overflow in function cssp_read_tsrequest() that results in a memory corruption and probably even a remote code execution.
  • CVE 2018-8794: rdesktop versions up to and including v1.8.3 contain an Integer Overflow that leads to an Out-Of-Bounds Write in function process_bitmap_updates() and results in a memory corruption and possibly even a remote code execution.
  • CVE 2018-8795: rdesktop versions up to and including v1.8.3 contain an Integer Overflow that leads to a Heap-Based Buffer Overflow in function process_bitmap_updates() and results in a memory corruption and probably even a remote code execution.
  • CVE 2018-8796: rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in function process_bitmap_updates() that results in a Denial of Service (segfault).
  • CVE 2018-8797: rdesktop versions up to and including v1.8.3 contain a Heap-Based Buffer Overflow in function process_plane() that results in a memory corruption and probably even a remote code execution.
  • CVE 2018-8798: rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in function rdpsnd_process_ping() that results in an information leak.
  • CVE 2018-8799: rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in function process_secondary_order() that results in a Denial of Service (segfault).
  • CVE 2018-8800: rdesktop versions up to and including v1.8.3 contain a Heap-Based Buffer Overflow in function ui_clip_handle_data() that results in a memory corruption and probably even a remote code execution.
  • CVE 2018-20174: rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in function ui_clip_handle_data() that results in an information leak.
  • CVE 2018-20175: rdesktop versions up to and including v1.8.3 contains several Integer Signedness errors that leads to Out-Of-Bounds Reads in file mcs.c and result in a Denial of Service (segfault).
  • CVE 2018-20176: rdesktop versions up to and including v1.8.3 contains several Out-Of-Bounds Reads in file secure.c that result in a Denial of Service (segfault).
  • CVE 2018-20177: rdesktop versions up to and including v1.8.3 contain an Integer Overflow that leads to a Heap-Based Buffer Overflow in function rdp_in_unistr() and results in a memory corruption and possibly even a remote code execution.
  • CVE 2018-20178: rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in function process_demand_active() that results in a Denial of Service (segfault).
  • CVE 2018-20179: rdesktop versions up to and including v1.8.3 contain an Integer Underflow that leads to a Heap-Based Buffer Overflow in function lspci_process() and results in a memory corruption and probably even a remote code execution.
  • CVE 2018-20180: rdesktop versions up to and including v1.8.3 contain an Integer Underflow that leads to a Heap-Based Buffer Overflow in function rdpsnddbg_process() and results in a memory corruption and probably even a remote code execution.
  • CVE 2018-20181: rdesktop versions up to and including v1.8.3 contain an Integer Underflow that leads to a Heap-Based Buffer Overflow in function seamless_process() and results in a memory corruption and probably even a remote code execution.
  • CVE 2018-20182: rdesktop versions up to and including v1.8.3 contain a Buffer Overflow over the global variables in function seamless_process_line() that results in a memory corruption and probably even a remote code execution.

Appendix B – CVEs found in FreeRDP:

  • CVE 2018-8784: FreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in function zgfx_decompress_segment() that results in a memory corruption and probably even a remote code execution.
  • CVE 2018-8785: FreeRDP prior to version 2.0.0-rc4 contains a Heap-Based Buffer Overflow in function zgfx_decompress() that results in a memory corruption and probably even a remote code execution.
  • CVE 2018-8786: FreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update() and results in a memory corruption and probably even a remote code execution.
  • CVE 2018-8787: FreeRDP prior to version 2.0.0-rc4 contains an Integer Overflow that leads to a Heap-Based Buffer Overflow in function gdi_Bitmap_Decompress() and results in a memory corruption and probably even a remote code execution.
  • CVE 2018-8788: FreeRDP prior to version 2.0.0-rc4 contains an Out-Of-Bounds Write of up to 4 bytes in function nsc_rle_decode() that results in a memory corruption and possibly even a remote code execution.
  • CVE 2018-8789: FreeRDP prior to version 2.0.0-rc4 contains several Out-Of-Bounds Reads in the NTLM Authentication module that results in a Denial of Service (segfault).

To read the original article

Top

Interdit de copier  ce contenu