Security firm Check Point has found some 25 security vulnerabilities in three of the most popular remote desktop protocol (RDP) tools for Windows and Linux.
The company tasked its bug-hunters with a manual code audit on Microsoft mstsc as well as the FreeRDP and Kali Linux remote desktop utilities, and what they turned up was a glut of potentially serious flaws and security workarounds.
Of the 25 CVE-listed vulnerabilities included in Check Point’s report, 15 would potentially allow for remote code execution attacks. Rather than assume a malicious client (the person connecting to the remote machine) would dupe a victim running an RDP server, Check Point focused its effort on flaws that would go from the server to the client.
The idea of the study, Check Point said, was to look at the ways someone trying to connect to a machine (such as an admin or tech support staff) could actually be compromised by the box they wanted to remotely access.
“In a normal scenario, you use an RDP client, and connect to a remote RDP server that is installed on the remote computer. After a successful connection, you now have access to and control of the remote computer, according to the permissions of your user,” Check Point said.
“But what if the scenario could be put in reverse? We wanted to investigate if the RDP server can attack and gain control over the computer of the connected RDP client.”
As it turns out, there are more than a few ways the RDP server could be used to attack the remote user. The researchers found that many of the channels used to exchange data between the two endpoints do not properly check the length of the packets being sent, allowing the server to send malformed packets that trigger out-of-bounds reads and integer overflows in the client, which could in turn set up remote code execution.
Another particularly vulnerable point of attack was the way the client and server share data through a common clipboard. Because, again, the data traffic over this channel is not properly sanitized, the shared clipboard allows for path traversal attacks, or for information disclosure when the server peeks into the activity of the client’s local clipboard.
Worryingly, a malicious RDP server can modify any clipboard content used by the client, even if the client never issues a “copy” operation inside the RDP window. “If you click ‘paste’ when an RDP connection is open, you are vulnerable to this kind of attack,” noted Check Point.
“For example, if you copy a file on your computer, the server can modify your (executable?) file / piggyback your copy to add additional files / path-traversal files using the previously shown PoC,” it added.
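The two defences the article implies were missing, a length check before every read and a refusal to honour file names that climb out of the paste directory, shown together in a small C parser. This is an added illustration, not Check Point's code nor rdesktop's or FreeRDP's; the message layout it parses (a u16 entry count, then u16 name length plus name bytes per entry) is an assumption for this example only and is not the real RDP clipboard format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example only, NOT the real RDP clipboard format:
 * u16 count, then per entry u16 name_len followed by name bytes (little-endian). */
#define MAX_NAME 255
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* A server-chosen name may only be a plain file name: no path separators, no
 * drive prefix, not "." or "..", so it cannot escape the client's paste directory. */
int clip_name_is_safe(const char *name, size_t len)
{
    if (len == 0 || len > MAX_NAME) return 0;
    if (len >= 2 && name[1] == ':') return 0;                       /* "C:..." */
    if (len <= 2 && name[0] == '.' && (len == 1 || name[1] == '.')) return 0;
    for (size_t i = 0; i < len; i++)
        if (name[i] == '/' || name[i] == '\\' || name[i] == '\0') return 0;
    return 1;
}

/* Parse a server-supplied list into names[]. Each length is compared with the
 * bytes still remaining (never off + nlen, which could wrap), so a lying server
 * gets -1 rather than an out-of-bounds read. Returns the number of entries. */
int parse_file_list(const uint8_t *buf, size_t buf_len,
                    char names[][MAX_NAME + 1], size_t max_names)
{
    if (buf_len < 2) return -1;
    uint16_t count = rd_u16(buf);
    size_t off = 2;
    if (count > max_names) return -1;
    for (uint16_t i = 0; i < count; i++) {
        if (buf_len - off < 2) return -1;                  /* truncated entry header */
        uint16_t nlen = rd_u16(buf + off);
        off += 2;
        if (nlen > buf_len - off) return -1;               /* claimed length exceeds data */
        if (!clip_name_is_safe((const char *)buf + off, nlen)) return -1;
        memcpy(names[i], buf + off, nlen);
        names[i][nlen] = '\0';
        off += nlen;
    }
    return (int)count;
}

int main(void)
{   /* Constructed sample: one entry whose name tries to climb out of the paste dir. */
    const uint8_t bad[] = {1,0, 8,0, '.','.','\\','x','.','e','x','e'};
    char names[4][MAX_NAME + 1];
    printf("traversal list -> %d\n", parse_file_list(bad, sizeof bad, names, 4));
    return 0;
}
```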
In total, the manual source code review led to the assignment of 19 CVE-listed vulnerabilities in rdesktop and six in FreeRDP.
The findings for Microsoft’s closed-source RDP client were murkier. Though Check Point found the Windows client to be vulnerable to the above-mentioned clipboard issues, the security house said Redmond did not consider it serious enough to merit a CVE or a security patch.
Regardless, Check Point concluded that there is real potential for RDP to be abused by an attacker posing as a remote user or employee, who could then compromise an admin simply by requesting an RDP service. It also mused that the bugs could be used by criminals to fight back against malware researchers who use RDP to connect to virtual machines for analysis.
On a lighter note, Check Point also suggested that the bugs could allow for a bit of mischief between security teams.
“… rdesktop is the built-in client in Kali Linux, a Linux distro used by red teams for penetration testing, we thought of a 3rd (though probably not practical) attack scenario,” the report stated.
“Blue teams can install organizational honeypots and attack red teams that try to connect to them through the RDP protocol.” ®